[SOLVED] False positive: Rootkit or Adware ?

Avast 4.8 Home Edition
VPS: 28/04/2008 - 080428-0

I was just scanning an exe installer a friend wanted me to have a look at (I swear :).
Avast said it was a Trojan. (see attachment)
I uploaded it to http://virusscan.jotti.org/ (to scan it by a pile of scanners - including Avast) and mostly either nothing was detected or just Adware. (See attachment).

Perhaps this is not exactly a false positive, but perhaps Avast is being a little overzealous calling it a Trojan, whereas the online version detected nothing.

I tend to believe it's just adware, but having the word “Rootkit” hanging over you is rather off-putting.

Also the results from the virusTotal scan are here:

http://www.virustotal.com/analisis/9b24b9c3380ffc9bd89eeaa943490627

I presume these links stay alive for some time?

Well, the alert was for Malware Was Found, so not quite the same as a detection with the anti-rootkit scan. Though the rootkit-gen malware name is a little off-putting, the -gen I believe indicates that this is a generic signature trying to catch many fish with the one hook, so to speak, so there is a possibility that it is not a good detection, or a misnamed detection which should be an adware one.

Though there are many VT detections, there is a great spread of what it might be, but a majority going for mywebsearch. I would have to think, even on these results: do I want that program, or is there another that does the same task without the mywebsearch?

However, I think it requires further analysis and should be sent to avast.
Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "possible false positive or misnamed malware" in the subject.
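The "great spread" of labels versus the majority family is the tally a triager does by eye when reading a multi-engine report. As an added example (not code from this thread or from Avast), here is a small Python helper that does that tally over constructed verdicts, counting -gen, generic and heuristic labels as non-specific in the way the reply above describes; the engine names and labels are made up.

```python
import re
from collections import Counter

# Constructed verdicts from a hypothetical multi-engine scan; engine names
# and labels are made up to mirror the spread of results the reply describes.
SAMPLE_VERDICTS = {
    "EngineA": "Adware.MyWebSearch",
    "EngineB": "Win32:Rootkit-gen",
    "EngineC": "not-a-virus:AdWare.Win32.MyWebSearch.a",
    "EngineD": "",                       # clean
    "EngineE": "PUP.MyWebSearch",
    "EngineF": "Trojan.Generic",
    "EngineG": "MyWebSearch Toolbar",
    "EngineI": "Heur.Suspicious",
}

# Markers of a generic/heuristic signature rather than a named family.
GENERIC = re.compile(r"\b(gen|generic|heur\w*|suspicious)\b", re.I)
# Platform and category words that carry no family information.
NOISE = {"win32", "w32", "not", "a", "virus", "adware", "pup", "trojan",
         "toolbar", "application", "riskware"}

def classify(label):
    """Map one vendor label to (kind, family): kind is clean, generic or named."""
    if not label.strip():
        return "clean", None
    if GENERIC.search(label):
        return "generic", None
    tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", label) if t]
    family = [t for t in tokens if t not in NOISE]
    return ("named", family[0]) if family else ("generic", None)

def summarize(verdicts):
    """Tally detections, generic-only hits and the majority named family."""
    kinds, families = Counter(), Counter()
    for label in verdicts.values():
        kind, family = classify(label)
        kinds[kind] += 1
        if family:
            families[family] += 1
    detected = kinds["generic"] + kinds["named"]
    consensus, votes = families.most_common(1)[0] if families else (None, 0)
    return {
        "engines": len(verdicts),
        "detected": detected,
        "generic_only": kinds["generic"],
        "consensus_family": consensus,
        "consensus_share": votes / detected if detected else 0.0,
    }
```

On the constructed sample, `summarize(SAMPLE_VERDICTS)` reports 7 of 8 engines detecting, 3 of those with generic-only labels, and mywebsearch as the consensus family at 4 of the 7 detections.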

Cool, I have sent it off to that email address.

Well, I continue my praise for Avast because it certainly did alert me (which is more than I can say for a lot out there; I’m looking at you, AVG!!), which gave me a fighting chance of dodging the possibility of copping (at the very least) annoying stuff like MyWebSearch.

I figured if it would help Avast be a little more accurate (if possible/warranted in this case), then I’d try to report it.

Cheers.

No problem, glad I could help.

Welcome to the forums.

Well, I got this message from an Avast virus analyst:
“False positive alert has been fixed in last VPS update 080429-1.”

So scanning that file now gives no alert whatsoever, not even adware. So I guess that is good :)

You are honoured to get a message from one of the analysts ;D