Possible FPs?

I'm using 4.8.1356 Pro edition (Trial), VPS is 091008-0

and I got infected by the following:

1. Win32:Adloader-AC [Trj]
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0d4768df\WER5E37.tmp.hdmp

2. Win32:Faker-J [Spy]
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0ddf9c6d\WER936A.tmp.hdmp

3. Win32:Adloader-AC [Trj]
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report04c20482\WERFA38.tmp.hdmp

Are these legit? Or false positives? I would run them by VirusTotal, but they are in the virus chest.

I clicked the email to Alwil Software in the chest but nothing happens.

darklegend, that’s funny, I used the same name when I played quake3 when I was a kid (I was part of the legend clan, I was so proooud. ;D )

Anyway, you can run them by virustotal.com, but you have to tell avast to allow an exception folder (such as c:\exclude) then restore the files from the quarantine to this folder. Then you can upload them to virustotal to give them a check.

If you're unsure how to do this, have a search around the forums, or wait for DavidR or Tech to respond; I'm a little inebriated due to a fight with my girlfriend, so I won't explain. It's not too difficult once you do it a few times though.

good luck.

Lol, I have had this name for a long time now... since the original Xbox, lol. Anyway, sorry to hear that you had a fight =(, and yeah, I'll wait for another response as I don't care to just let these "potential threats" run amidst my system =).

Well the .hdmp are dump files for techies (see http://www.fileinfo.com/extension/hdmp), so it would depend on what you were doing at the time they were created. I don’t know if it is possible that the reason for the dump was malware related, speculation I’m afraid.

However, these files are text files, so I’m not even sure they could be autoloaders, I would think it is more likely that a text string in the content of the file matches a signature, a possible false positive (FP). So checking at VT is advisable.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here: the URL in the address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

OK, thanks for your help. I did as you said (though I had to put them into a zipped .rar because they were too big for VT to scan by themselves... about 26+ MB).

This is what VT found; only 2 AVs found anything, one being avast of course and the other PC Tools.

I included all 3 of those files in this one zip folder:

http://www.virustotal.com/analisis/ecc04c100f49e2997fd2537c3ca63d267a21473620b7a14d9f37b30e301af80c-1255118319

So, are these FPs?

You can't upload multiple files to VT; simply packing them in a .rar, etc. won't work, as VT can only report the findings of the scan on the single file, so only one detection would be shown and you wouldn't know which file in the .rar was responsible.

So one of those files (the first detection in the scan) would appear to be a probable FP, as there are only two detections.

Given that, it is likely the others are the same, so I would send the .rar (as per the instructions in the link in my last post) with all samples to avast for further analysis as possible FPs.
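The two points above (extract each suspect file to an excluded folder and check it at VT, and the fact that one archive gives one result you cannot attribute to a file) can be combined into a small triage step. The script below is an added example, not code from the original thread or from avast: it walks the extracted folder, hashes each file on its own so that each VT result maps back to exactly one file, checks whether the file really is a Windows minidump (WER .hdmp/.mdmp files start with the documented MINIDUMP_HEADER signature "MDMP"), and flags files over an upload limit that you can search at VT by hash instead of uploading. The folder name, the 20 MB limit and the VT search URL form are assumptions for the example; the sample files it writes are constructed, not real dump files.

```python
import hashlib
import os
import struct
import tempfile

# MINIDUMP_HEADER (documented in dbghelp.h): Signature "MDMP", Version,
# NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags.
MINIDUMP_HEADER_FMT = "<4sIIIIIQ"
MINIDUMP_HEADER_LEN = struct.calcsize(MINIDUMP_HEADER_FMT)  # 32 bytes
MINIDUMP_SIGNATURE = b"MDMP"

# Assumed upload ceiling for the example; VT's real limit has changed over time.
DEFAULT_UPLOAD_LIMIT = 20 * 1024 * 1024


def minidump_header(path):
    """Return the parsed header if the file is a minidump, else None."""
    with open(path, "rb") as f:
        raw = f.read(MINIDUMP_HEADER_LEN)
    if len(raw) < MINIDUMP_HEADER_LEN or raw[:4] != MINIDUMP_SIGNATURE:
        return None
    sig, version, streams, dir_rva, checksum, timestamp, flags = struct.unpack(
        MINIDUMP_HEADER_FMT, raw
    )
    # Low 16 bits of Version carry MINIDUMP_VERSION (0xA793); the high bits are
    # implementation specific, so only the low half is reported.
    return {"version": version & 0xFFFF, "streams": streams, "timestamp": timestamp}


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(folder, upload_limit=DEFAULT_UPLOAD_LIMIT):
    """One record per file, hashed individually, so nothing hides inside an archive."""
    records = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        size = os.path.getsize(path)
        digest = sha256_of(path)
        records.append({
            "file": name,
            "size": size,
            "minidump": minidump_header(path),
            "sha256": digest,
            "too_big_to_upload": size > upload_limit,
            # Assumed URL form: VT lets you search an existing report by hash.
            "vt_search": "https://www.virustotal.com/gui/search/" + digest,
        })
    return records


def make_samples(folder):
    """Write constructed sample files: one fake minidump, one plain text file."""
    header = struct.pack(MINIDUMP_HEADER_FMT, MINIDUMP_SIGNATURE, 0xA793, 3, 32, 0, 0, 0)
    with open(os.path.join(folder, "WER5E37.tmp.hdmp"), "wb") as f:
        f.write(header + b"\x00" * 64)
    with open(os.path.join(folder, "notes.txt"), "w") as f:
        f.write("not a dump file\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as suspect:
        make_samples(suspect)
        for rec in triage(suspect, upload_limit=64):
            kind = "minidump" if rec["minidump"] else "other"
            print(rec["file"], rec["size"], kind, rec["sha256"][:16],
                  "search by hash" if rec["too_big_to_upload"] else "upload ok")
```

Run it against C:\Suspect (or whatever excluded folder you restored the files to) and submit each file, or search each hash, separately; the per-file SHA-256 also lets you confirm later that the sample avast analysed is the one you uploaded.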

OK, I will. But at the moment I'm thinking... whether or not it is an FP, I don't think it matters. It's a dump file, so I could delete them and be OK, right? Nothing really depends on those to work, right?

Yes, you could delete them as they are effectively redundant, but what that doesn't do is help fine-tune the avast detections so that it doesn't happen again, to you or to others.

Right. Well, I sent them for analysis anyway. Thanks a bunch for your help :smiley:

You’re welcome, thanks for helping to improve detections.