Please help, am I infected?

Hello, could anyone please help me,

Avast Server 4.8 scans my Windows Home Server overnight, I have woken up this morning with it reporting that icwtutor.exe was infected with Infection: Win32:Spware-gen[Spy] and it has moved it to the chest.

Is this another false positive?

Regards

Carl.

Please let us know more about your computer. Can you make a hijack log or an ESET SysInspector log? :wink:

Try creating a new folder on your “C” drive, name it “suspicious”. Move the file from the chest to this folder. Upload it from the folder to www.virustotal.com (multi-online scanning service), takes about 1-4 minutes, post the URL of the results page, please.

On the face of it, it could be a FP, its name is legitimate. We’ll see.

[edit] url corrected.

It is virustotal.com, not virustotal.org. Take care of these typos.

nmb

Thanks, nmb. Brain fart, rather than typo. :-[

Brain fart??? What’s that?

I know the other fart ;D

nmb

Cranial flatus. Hot gas comes out instead of anything remotely intelligent.
Somewhat similar to a “senior moment”. :smiley:

I had exactly the same issue this morning. I’d be surprised if the contents of the file have changed since the last scan. The file that is “infected” is the compressed .ex_ in c:\windows\i386, rather than the live executable.

As suggested, I ran the file by VirusTotal. Avast and GData report “Win32:Spyware-gen”, but all other engines record it as clean.

http://www.virustotal.com/analisis/17a007fd293a9eb09c1857adc98fc21b5f2f2df4fef0d94071ff2955c0d91e8a-1255090164

Gary

Compress the file in a password-protected zip.

Send it to virus@avast.com with “false positive” as the subject, and in the body put the password and the link to this topic.

or

Go to avast chest > user files > browse for the file > add and click the “email to avast” icon (it’ll be uploaded and not emailed) > do a manual update of the avast virus database.

Hope it’ll be fixed.

nmb

I have now sent the false-positive report to Avast.

Gary

Sorry for the lack of detail initially :-[ I posted a quick topic prior to leaving for work, which is where I’m posting from at the moment.

Thanks to GaryL for your input :slight_smile: it looks like a false positive then? :-\

Hello chewie,

Upload your file to VT as GaryL has done, so that we can confirm whether it is a FP or not.

nmb

Hi nmb :slight_smile:

I uploaded the file and got the following reply:

File has already been analysed:
MD5: 006b0ca72b3508ab20b2db96c9e3458d
First received: 2009.10.09 12:09:24 UTC
Date: 2009.10.09 12:09:24 UTC [<1D]
Results: 2/41
Permalink: http://www.virustotal.com/analisis/17a007fd293a9eb09c1857adc98fc21b5f2f2df4fef0d94071ff2955c0d91e8a-1255090164

Carl.
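Added example, not part of any post in this thread: a 2/41 result only says something about your copy if the quarantined file is byte-identical to the sample that was scanned, so this sketch parses the reply pasted above and compares its hashes with a local file. It assumes the permalink tail is `<sha256>-<unix time of the scan>`, which is consistent with the Date line on this page; the function names are hypothetical.

```python
import hashlib
import re
import sys
from datetime import datetime, timezone

# The VirusTotal reply exactly as pasted in the thread.
REPORT = """\
File has already been analysed:
MD5: 006b0ca72b3508ab20b2db96c9e3458d
First received: 2009.10.09 12:09:24 UTC
Date: 2009.10.09 12:09:24 UTC [<1D]
Results: 2/41
Permalink: http://www.virustotal.com/analisis/17a007fd293a9eb09c1857adc98fc21b5f2f2df4fef0d94071ff2955c0d91e8a-1255090164
"""


def parse_report(text):
    """Pull the hashes, scan time and detection ratio out of a pasted report."""
    md5 = re.search(r"^MD5:\s*([0-9a-fA-F]{32})\s*$", text, re.M).group(1)
    hits, engines = re.search(r"^Results:\s*(\d+)/(\d+)", text, re.M).groups()
    # Assumption: the permalink tail is "<sha256>-<unix time of the scan>".
    sha256, epoch = re.search(r"/analisis/([0-9a-fA-F]{64})-(\d+)", text).groups()
    return {
        "md5": md5.lower(),
        "sha256": sha256.lower(),
        "scanned": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
        "hits": int(hits),
        "engines": int(engines),
    }


def file_digests(path):
    """Hash the file in chunks; returns (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def matches_report(path, report):
    """True only if the local file is byte-identical to the scanned sample."""
    return file_digests(path) == (report["md5"], report["sha256"])


if __name__ == "__main__" and len(sys.argv) == 2:
    rep = parse_report(REPORT)
    print(f"{rep['hits']}/{rep['engines']} flagged, scanned {rep['scanned']:%Y-%m-%d %H:%M:%S} UTC")
    print("same file" if matches_report(sys.argv[1], rep) else "DIFFERENT file")
```

Run it with the path of the copy moved out of the chest as the only argument.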

Chewie, you could also send the false positive report to Avast, or just wait for the next Avast VPS update, when it should be corrected.
Following the next update, try scanning it from within the chest, or the Suspicious folder. If it scans clean, that is confirmation it was a FP, and it can be restored to original location from the chest, and deleted from the suspicious folder.
Avast are pretty good about fixing FPs fast when reported.

Thanks for your input Tarq57 :slight_smile: I have also now sent the false-positive report to Avast.