Virus tool infected?

I recently did an online scan with F-secure, as part of a Castlecops.com cleanup check, it identified both instances of the Avast virus removal tool as containing worms. (W32/Network worm) . Selected it to clean automatically, it did, the virus removal tool still appears to work.
Was it likely these were actual infections? Or more likely false positives? i have the scan report in both notepad or wordpad, if anyone needs to check. (If so, please include an instruction on how to add it to the post).

Do you mean avast Cleaner http://www.avast.com/i_idt_171.html ?

Totally false positives… that tool is clean. Can you report this to F-Secure company? Thanks.

What filename exactly was reported as infected?

Tech, that link doesn’t work for me, I mean http://www.avast.com/eng/avast-virus-cleaner.html
I submitted the report to F-secure, thinking it was a fp, will they also need a plain text message? Interestingly, after cleaning, the tool still appears to operate. Made me wonder if it is possible it may have been infected. I never for a second though it was an infection.

igor, the file name is aswclnr.exe. I’ve downloaded it seperately from the main application, and copied it to two folders. Both were described as carrying this w32network worm.

Please submit the alleged infected file to http://virusscan.jotti.org to see if any other scanners also report it is being infected.

File submitted, came up not infected.
Could it be that is was infected, (by outside means-not inherently) but cleaned by F secure?
Unable to post screenshot, exceeds 200kb.

It sure could be. Luckely there is a way to find out. Download the file again, have f-secure scan it (without choosing to clean it if it finds it infected).

If f-secure again marks it is being infected, send it again to jotti to see what the others say about it.

To me it sure looks like at false positive and this way we will know if other scanners have the same problem so we can tell them.

Takes about 15min to install the F-secure online scanner. You want me to do that? Or do you just want me to repeat the jotti test?
At jotti it was scanned by a number of scanners, including F-secure, and came up clean.

It is a online scanner, it doesn’t need to install anything except a little for the activx part. But that should still be on your system, unless you removed it manually. But please take the time since we have to find out if it really is a FP by f-secure as we suspect.

It should be, but when I first went to the site it installed just over 20mb to the temporary files. Which I clean regularly. So it’s not there anymore. The ActiveX probably is.
I’ll do it and scan again, be at least 20min.

OK, done that, 2 “viruses” found, same as before. FP’s, I’m pretty sure now. Got to go to work, I’ll be back in a few hours.
I believe the previous jotti scans are applicable.
(Although the screenshot indicates “disinfect”, I re-selected it to “none” prior to submitting/finishing.

I’ve tested right now and it’s working ::slight_smile:

Tarq57, look the file scanned by Dr. Web…

I don’t doubt the files are OK. Submitted them to F-secure from the options on the online scan page, which doesn’t allow for additional plain text comments. Do you want me to contact them about this? Bound to be a contact somewhere on their site.

Update: Have emailed a question about this to F-secure in Helsinki, with the file concerned attached.

Update: Reply from F-secure.

Hello,

Subject: False positive
Description:
Two instances of the Avast! virus cleaning tool described as w32/network worm.
Sorry, couldn’t work out how to password protect the archive.

I can not reproduce this false alarm with our Multi-Scanner. So the
problem is most likely fixed in the latest anti-virus updates. Please
make sure that you have the latest (today’s) updates and scan this file
again.

Please note that our contact point currently is:
http://support.f-secure.com/enu/home/contactus/

Regards,

Will try another scan in a day or two, and see what happens.

ok, well done sofar.

Sorry, forgot about this for a time, scanned today, all OK.