Win 32:Dropper-gen [Drp] - False positive?

I’m confused a bit in that all of a sudden today avast! said a program I’ve been using for years is infected with this Win32:Dropper-gen [Drp]. The program was open and I clicked on it to load a file, avast! warning popped up, grabbed the file, and moved it to the Chest. I tried using the EXE file from a flash drive thinking no way that could be infected, and avast! did the same thing with that (I copied the EXE from the flash drive to the computer desktop and tried to re-install from there).

I’m running that exact same program on another computer with avast! and it’s running fine. The program never has updates, just newer versions that I don’t upgrade to (my version is free and they don’t offer another free version that’s this good). I asked avast! to set it as an exception so I can use it and sent it in to avast! as a false positive, but how can I be sure it is? It’s a transcription program by NCH Software. I use this program every single day, all day, and cannot do my work without it.

I ran a quick scan by Malwarebytes and it found nothing. I’m running a deeper scan through them right now.

Any suggestions? Does it sound like a false positive?

Report and upload the file to the avast lab so they can correct it.

Pondus, in the chest when I chose to restore and set an exception a form also popped up to report to avast! as a false positive. I did that. Is there something else I should do?

Nope, you’re fine after that.

Just to add this…I did an online Virus Total scan of the install exe and file exe for this program from NCH Software (Express Scribe). The install exe is the one that came from my flash drive that’s been there for three months. Out of 46 antivirus programs, these are the only two that “found” something.

The Install EXE gave me these 2 issues. The other 44 AVs found nothing:

Avast Win32:Dropper-gen [Drp] 20140317
ESET-NOD32 a variant of Win32/Toolbar.Conduit.I 20140318

The program EXE gave me these 3. The other 47 AV programs found nothing.

Avast Win32:Dropper-gen [Drp] 20140318
Baidu-International Adware.Win32.Conduit.I 20140317
ESET-NOD32 a variant of Win32/Toolbar.Conduit.I 20140318

And thanks Michael!

Pam

When posting VT scan results, you should post a link to the scan result, because we are missing all the extra file info VT gives.

Pondus, here are the links.

To install the program:
https://www.virustotal.com/en/file/4b9135280f3f1349908c55611878eb1605eb783d61abb839814e4fbf00471bef/analysis/1395123844/

To run the program once installed (scribe.exe):
https://www.virustotal.com/en/file/d4369fee08af23737acd44688d12f7fc779231dd9d2de7e0532534d0b85bc658/analysis/1395124000/

Housecall shows a trojan on the exe that runs the program on this scan, but it didn’t on the scan I ran earlier. AND I downloaded Housecall and ran a quick scan…it found nothing.

The file to install the program is one I’ve used for at least five years. It’s been on my flash drive. And it’s on another computer that is not showing these results.

seems like FP

First submission 2009-12-16 07:58:33 UTC ( 4 years, 3 months ago )

Copyright: NCH Software
Publisher: NCH Software
Internal name: Scribe
File version: 5.01
Description: Express Scribe
Signature verification: Signed file, verified signature
Signing date: 10:35 PM 12/14/2009

First submission 2009-12-29 21:41:16 UTC ( 4 years, 2 months ago )

Copyright: NCH Software
Publisher: NCH Software
Internal name: Scribe
File version: 5.01
Description: Express Scribe
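The check discussed above (is the copy on disk the same file VirusTotal analysed, and is its publisher signature intact?) can be done locally; the following PowerShell is an added example, not part of any post in this thread. The function names and local paths are hypothetical placeholders; the two report URLs are the ones linked in the thread.

```powershell
# Added example: compare a local file with a VirusTotal report and check its
# Authenticode signature. Function names and local paths are assumptions.

function Get-VTSha256 {
    param([Parameter(Mandatory)][string]$Url)
    # A VirusTotal file-report URL carries the file's SHA-256 as a 64-hex path segment.
    if ($Url -match '/file/([0-9a-fA-F]{64})(/|$)') { return $Matches[1].ToLower() }
    throw "No SHA-256 found in URL: $Url"
}

function Test-FileAgainstReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ReportUrl,
        [string]$ExpectedPublisher = 'NCH Software'   # publisher name shown in the VT details
    )
    $expected = Get-VTSha256 -Url $ReportUrl
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $subject  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $actual
        # False means this copy is NOT the file VT scanned, so the report says nothing about it.
        MatchesReport   = ($actual -eq $expected)
        # 'Valid' = signed and unmodified since signing; 'NotSigned' and 'HashMismatch' are other outcomes.
        SignatureStatus = $sig.Status
        Signer          = $subject
        PublisherMatch  = ($subject -like "*$ExpectedPublisher*")
    }
}

# Constructed usage: replace the placeholder paths with the real file locations.
$checks = @(
    @{ Path      = 'E:\path\to\installer.exe'
       ReportUrl = 'https://www.virustotal.com/en/file/4b9135280f3f1349908c55611878eb1605eb783d61abb839814e4fbf00471bef/analysis/1395123844/' },
    @{ Path      = 'C:\path\to\scribe.exe'
       ReportUrl = 'https://www.virustotal.com/en/file/d4369fee08af23737acd44688d12f7fc779231dd9d2de7e0532534d0b85bc658/analysis/1395124000/' }
)
foreach ($c in $checks) { Test-FileAgainstReport @c | Format-List }
```

Running the same check on the second computer shows whether both machines hold byte-identical copies: identical SHA-256 values mean the detection difference comes from the scanner or its definitions, not from the file.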

Thanks, Pondus! :slight_smile:

It is alerting as a PUP on the conduit toolbar thingy

Thanks essexboy. Had no idea that’s what that was! It’s definitely not an unwanted program!

That is why PUP detection is turned off, if you want to keep the toolbar then it is up to you. Conduit has a so-so reputation with its toolbars and search engine :slight_smile:

is a false positive
Already fixed in VPS 140319-1

https://www.virustotal.com/en/file/4b9135280f3f1349908c55611878eb1605eb783d61abb839814e4fbf00471bef/analysis/

https://www.virustotal.com/en/file/d4369fee08af23737acd44688d12f7fc779231dd9d2de7e0532534d0b85bc658/analysis/

Actually, essexboy, I don’t even see any kind of toolbar at all that hasn’t always been there or is out of the ordinary.

Great to hear it’s been fixed, jefferson!

~Pam