Possible False Positive? msmsgsin.exe

I ran a quick scan around 15 minutes ago and it found something. It said msmsgsin.exe was infected with Win32:Malware-gen, the infected file’s location was C:\Program Files\Messenger. Can someone tell me if this is a FP or not. And in case this helps, I noticed in the Virus Chest that under the “Last changed” column it says it was last changed 8/2/2001. I dunno if that helps any or not but I thought I’d just throw that out there.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

Thanks for the quick reply, I uploaded it to VirusTotal and I’m waiting for it to start scanning it, it’s queued at 69 atm. I’ll reply with the results soon.

3/44 detected Win32:Malware-gen, those three were Avast/Avast5/GData. Full results are posted below.

Antivirus Version Last Update Result
AhnLab-V3 2011.09.17.00 2011.09.17 -
AntiVir 7.11.14.223 2011.09.16 -
Antiy-AVL 2.0.3.7 2011.09.17 -
Avast 4.8.1351.0 2011.09.17 Win32:Malware-gen
Avast5 5.0.677.0 2011.09.17 Win32:Malware-gen
AVG 10.0.0.1190 2011.09.17 -
BitDefender 7.2 2011.09.17 -
ByteHero 1.0.0.1 2011.09.13 -
CAT-QuickHeal 11.00 2011.09.16 -
ClamAV 0.97.0.0 2011.09.17 -
Commtouch 5.3.2.6 2011.09.17 -
Comodo 10141 2011.09.17 -
DrWeb 5.0.2.03300 2011.09.17 -
Emsisoft 5.1.0.11 2011.09.17 -
eSafe 7.0.17.0 2011.09.15 -
eTrust-Vet 36.1.8566 2011.09.17 -
F-Prot 4.6.2.117 2011.09.17 -
F-Secure 9.0.16440.0 2011.09.17 -
Fortinet 4.3.370.0 2011.09.17 -
GData 22 2011.09.17 Win32:Malware-gen
Ikarus T3.1.1.107.0 2011.09.17 -
Jiangmin 13.0.900 2011.09.17 -
K7AntiVirus 9.113.5150 2011.09.17 -
Kaspersky 9.0.0.837 2011.09.17 -
McAfee 5.400.0.1158 2011.09.17 -
McAfee-GW-Edition 2010.1D 2011.09.16 -
Microsoft 1.7604 2011.09.17 -
NOD32 6471 2011.09.17 -
Norman 6.07.11 2011.09.17 -
nProtect 2011-09-17.01 2011.09.17 -
Panda 10.0.3.5 2011.09.17 -
PCTools 8.0.0.5 2011.09.17 -
Prevx 3.0 2011.09.17 -
Rising 23.75.04.02 2011.09.16 -
Sophos 4.69.0 2011.09.17 -
SUPERAntiSpyware 4.40.0.1006 2011.09.17 -
Symantec 20111.2.0.82 2011.09.17 -
TheHacker 6.7.0.1.298 2011.09.17 -
TrendMicro 9.500.0.1008 2011.09.17 -
TrendMicro-HouseCall 9.500.0.1008 2011.09.17 -
VBA32 3.12.16.4 2011.09.16 -
VIPRE 10503 2011.09.17 -
ViRobot 2011.9.17.4674 2011.09.17 -
VirusBuster 14.0.218.0 2011.09.17 -

Additional information
MD5 : 8ad17f33bdcc0ea294e074e0e74cad3b
SHA1 : 81b4608a3e11a24157e9c22ac45ff1b12d8c476e
SHA256: 27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

Report a possible FP here: http://www.avast.com/contact-form.php?loadStyles

Thanks, I filled it out and even put the link to this thread in the comments.

You’re welcome…!

I’d also like to add that I just ran a full scan and it found 3 more files infected with the same thing. But there’s good news, they were detected in the system restore folder and all 3 are the same size as the msmsgsin.exe. So it seems to just be part of the above FP.

Coincidence perhaps, but nothing to confirm, you would need to check the MD5 hash of the files to say if they are the same:

  • Infected Restore Points
    There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

  • Worst case scenario: it isn’t infected and you delete it; you can’t use that restore point in the future, not much of a loss, and the older the restore point is the less of an issue it is.

  • So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.
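Checking the restore-point copies by digest rather than by size, as the reply above recommends, as an added example that is not part of this thread and not an Avast tool: the script below (hypothetical helper names `file_hashes`, `classify`, `scan`) hashes every .exe under a directory in one pass and compares the results with the MD5/SHA-1/SHA-256 that VirusTotal reported for the chest copy further up. Two files of equal size that differ in even one byte are reported as different.

```python
import hashlib
from pathlib import Path

# Digests VirusTotal reported for the quarantined msmsgsin.exe (copied from the report above).
KNOWN_HASHES = {
    "md5": "8ad17f33bdcc0ea294e074e0e74cad3b",
    "sha1": "81b4608a3e11a24157e9c22ac45ff1b12d8c476e",
    "sha256": "27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5",
}


def file_hashes(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single chunked read."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def classify(path, known=KNOWN_HASHES):
    """'identical' only when every reference digest matches; equal size alone proves nothing."""
    actual = file_hashes(path)
    return "identical" if all(actual[k] == v.lower() for k, v in known.items()) else "different"


def scan(root, known=KNOWN_HASHES, pattern="*.exe"):
    """Walk a directory (e.g. copies extracted from a restore point) and return a verdict per file."""
    return {str(p): classify(p, known) for p in Path(root).rglob(pattern) if p.is_file()}


if __name__ == "__main__":
    import sys

    # Usage: python hashcheck.py <directory holding the suspect copies>
    for path, verdict in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{verdict:10} {path}")
```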