Virus alert: is it a false positive?

Hi all,

I received a virus alert after an update. The virus was named as athcfg11Res.dll (Win32:Trojan-gen); it was found in my System32 folder and also in the local temp folder with various {c01 etc.} addresses. I removed them all to the virus vault, but now my TP-Link WN620G wireless utility will not run. I uninstalled it, but now avast will not let me reinstall it: when I run the CD, avast kicks in with a virus warning.

File name C:\DOCUME~1\scott\LOCALS~1\Temp\{33A685B7-68CD-4E00-9B43-D640099C394F}\{28006915-2739-4EBE-B5E8-49B25D32EB33}\athcfg11res.dll

Malware name Win32:Trojan-gen {Other}

Malware type Virus/Worm

VPS version 080922-0, 22/09/2008

Any help would be gratefully received.

thanks,

scott.

In the last few months I have noticed that Avast is finding a lot of FPs as viruses. What I suggest is to NEVER delete a file when avast says it is infected; just put it in the chest. This must be the first option: when it is in the chest you never have a problem and have the time to investigate whether it is really a virus or just an FP.
Last week while scanning my PC, avast found 4-5 infected files. I put them in the chest and waited for the new update. After 2-3 days and two updates I restored all the files from the chest and did a new scan; nothing was found, so they were FPs.

Hi, antonpaco. Please start a new thread.

Scott2b, upload the file to VirusTotal and post the results.

Hi Jtaylor83,

Hope I’ve done this correctly and this is the information you need. I ran the CD again, then navigated to the folder from the web page the alert directed me to.

I’ve also noticed that ashServ.exe is using over 50% of my CPU all the time.

Here’s the link to the results; this is the first time I analysed it.
http://www.virustotal.com/analisis/3bbf723fad592cc57c3b33f9b6a85255

The above link is no longer working, but it showed no viruses, as opposed to the bottom link, which shows 2 instances.

I ran the program again; now it shows

http://www.virustotal.com/analisis/8fa8bd79efd7b5b6467ced6a221d3569

Look forward to hearing back from you.

Scott :)

Neither of your VT links work; I don’t know if this is just a VT server issue or not.

A forum search for athcfg reveals this recent topic on the same problem.

Also see http://forum.avast.com/index.php?topic=38786.0

The ashServ.exe is the main scanning engine, so if it is scanning (the avast icon would be rotating) the CPU activity would be up. What sensitivity do you have the Standard Shield set to (Normal is the default)? High would be scanning many more files, so I would expect to see more activity/CPU use.

Hi, DavidR,

I’ve reposted the link to the VirusTotal site, but as stated in the post you linked me to, it does look like a false positive. I will report this to avast also.

In the scan it shows under avast and GData.
http://www.virustotal.com/analisis/8fa8bd79efd7b5b6467ced6a221d3569

Looks like the previous links expired as they are only kept for a limited time.

It does look like an FP, as GData uses avast as one of its two scanners, so effectively it is only avast detecting it.

If it is indeed a false positive (certainly seems that way), see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
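The point above, that GData's hit is really avast's hit counted twice, is the kind of thing worth checking mechanically when triaging a multi-engine report. The following Python is an added example, not code from this thread or from any of the vendors named; the scan results are constructed for illustration, and the engine-sharing map is an assumption holding only the GData/avast relationship the post states.

```python
from collections import defaultdict

# Constructed, VirusTotal-style results for the DLL discussed in the thread:
# engine name -> detection label (None means the engine reported it clean).
# These values are made up for illustration, not the thread's actual report.
SAMPLE_RESULTS = {
    "avast": "Win32:Trojan-gen {Other}",
    "GData": "Win32:Trojan-gen {Other}",
    "Kaspersky": None,
    "Symantec": None,
    "McAfee": None,
    "Microsoft": None,
}

# Assumed engine-sharing map: a product that licenses another vendor's engine
# is folded into that engine's family so its hit is not counted as independent.
# Only the GData -> avast entry comes from the thread; extend as you verify.
ENGINE_FAMILY = {
    "GData": "avast",
}


def independent_detections(results, family_map=ENGINE_FAMILY):
    """Return {engine family: [engines that flagged the file]}."""
    hits = defaultdict(list)
    for engine, label in results.items():
        if label is None:
            continue
        hits[family_map.get(engine, engine)].append(engine)
    return dict(hits)


def triage(results, family_map=ENGINE_FAMILY):
    """Classify a report by how many independent engine families detect it."""
    families = independent_detections(results, family_map)
    if not families:
        return "clean"
    if len(families) == 1:
        return "single-engine (possible FP)"
    return "multi-engine"


if __name__ == "__main__":
    print(independent_detections(SAMPLE_RESULTS))
    print(triage(SAMPLE_RESULTS))
```

A "single-engine (possible FP)" result is a reason to report the sample to the vendor and keep the file quarantined, not a verdict that it is clean.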

Hi folks,

Here is the evaluation of this file:
MODULE ID: 184653 | Parents: 0 | Children: 0 | THREAT LEVEL: In Review
COMPANY NAME: Atheros Communications, Inc.
FILE ATTRIBUTES: Archive, Compressed
FILE DESCRIPTION: ACAPI RES DLL
FILE FOLDER: %SYSTEM%
FILE NAME: athcfg11res.dll
FILE SIZE: 77,824 KB
FILE VERSION: 4.1.0.148
INTERNAL NAME: ACAPIRES
MD5 SIGNATURE: 1e5a947e34e31fa8a63e0dffceb83e37
ORIGINAL FILE NAME: athcfg11res.dll
PRODUCT NAME: Atheros Configuration API Res Dynamic Link Library
PRODUCT VERSION: 4.1.0.148
SPECIAL FOLDER: SYSTEM
and the results from VirScan:
http://virscan.org/report/32bbe510ef218eac841b7a2e138cced2.html

Seems a false positive on a compressed file.

polonus

Hi Guys,

Big thanks to all for the help: polonus, DavidR & Jtaylor83.
I’ve emailed a copy of the file to avast, but as I suspected, I think it is a false positive. We will have to wait to see what comes back. I’ve also emailed a link to this thread.

Will let you all know what the outcome is.

Thanks again,

Scott.

Thanks for the feedback and for taking the time to improve detections.

If you have a copy in the chest, periodically scan it from within the chest (after VPS updates) and when no longer detected remove the exclusions and restore the file from the chest.

Hi Guys,

Received an email back from avast; they say the FP will be fixed in the next VPS update.

Let’s hope that’s it fixed.

I do have the file in the vault so will check from there.

And thanks again for the help. :)

No problem, glad I could help.