Win32:Malware-gen found in avmanagerunified.dll - False positive?

Hello,

Avast has found a virus, although I think it may be a false positive as only Avast and GData pick it up at Virscan.org. Any help would be much appreciated.

I am using Windows 7 Home Premium with all the recent updates installed and Avast 4.8 Home Edition.

File name: C:\Program Files (x86)\Common Files\supportsoft\bin\avmanagerunified.dll[UPX]
Malware name: Win32:Malware-gen
Malware type: Virus/Worm
VPS version:091206-1, 06/12/2009

When I click ‘Move to chest’ or ‘Move/Rename’ I get the following error:

“avast!: The system cannot find the file specified
Cannot process “C:\Program Files (x86)\Common Files\supportsoft\bin\avmanagerunified.dll[UPX]” file”

The results from Virscan.org:

VirSCAN.org Scanned Report :
Scanned time : 2009/12/07 21:51:16 (CST)
Scanner results: 5% Scanner(s) (2/37) found malware!
File Name : avmanagerunified.dll
File Size : 321024 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : c9191d1c5b248032563e07b654499bfa
SHA1 : d4d0e4aa86760f031952b4c0a2b4fe5929395df4
Online report : http://virscan.org/report/527510013014f5741e12c8122be6d94a.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091207190313 2009-12-07 4.14 -
AhnLab V3 2009.12.07.00 2009.12.07 2009-12-07 1.00 -
AntiVir 8.2.1.102 7.10.1.174 2009-12-07 0.53 -
Antiy 2.0.18 20091204.3347676 2009-12-04 0.02 -
Arcavir 2009 200912070703 2009-12-07 0.17 -
Authentium 5.1.1 200912061651 2009-12-06 1.49 -
AVAST! 4.7.4 091206-1 2009-12-06 0.16 Win32:Malware-gen
AVG 8.5.288 270.14.97/2550 2009-12-07 1.37 -
BitDefender 7.81008.4703066 7.29343 2009-12-07 4.12 -
CA (VET) 35.1.0 7158 2009-12-04 12.26 -
ClamAV 0.95.2 10116 2009-12-07 0.37 -
Comodo 3.13 3167 2009-12-07 1.60 -
CP Secure 1.3.0.5 2009.12.04 2009-12-04 0.55 -
Dr.Web 4.44.0.9170 2009.12.07 2009-12-07 7.52 -
F-Prot 4.4.4.56 20091206 2009-12-06 1.39 -
F-Secure 7.02.73807 2009.12.07.08 2009-12-07 0.45 -
Fortinet 11.133- 11.133 2009-12-07 0.41 -
GData 19.9207/19.609 20091207 2009-12-07 6.65 Win32:Malware-gen [Engine:B]
ViRobot 20091207 2009.12.07 2009-12-07 0.41 -
Ikarus T3.1.01.74 2009.12.07.74663 2009-12-07 4.31 -
JiangMin 13.0.900 2009.12.02 2009-12-02 4.87 -
Kaspersky 5.5.10 2009.12.07 2009-12-07 0.36 -
KingSoft 2009.2.5.15 2009.12.7.15 2009-12-07 0.68 -
McAfee 5.3.00 5824 2009-12-06 3.37 -
Microsoft 1.5302 2009.12.07 2009-12-07 8.90 -
Norman 6.01.09 6.01.00 2009-12-07 4.02 -
Panda 9.05.01 2009.12.06 2009-12-06 2.19 -
Trend Micro 9.000-1003 6.676.02 2009-12-07 0.13 -
Quick Heal 10.00 2009.12.07 2009-12-07 1.33 -
Rising 20.0 22.25.00.06 2009-12-07 1.49 -
Sophos 3.02.0 4.48 2009-12-07 5.27 -
Sunbelt 3.9.2381.2 5547 2009-12-06 2.62 -
Symantec 1.3.0.24 20091206.005 2009-12-06 0.18 -
nProtect 20091203.01 6487164 2009-12-03 5.30 -
The Hacker 6.5.0.2 v00086 2009-12-05 1.28 -
VBA32 3.12.12.0 20091206.2021 2009-12-06 2.42 -
VirusBuster 4.5.11.10 10.115.2/2003706 2009-12-07 3.19 -

Thank you.

Hi vinzi, welcome to the forum :slight_smile:

From the scan report, I’d be inclined to say it is a FP (GDATA uses avast! as one of its detections, so it is technically one detection.)

Just for kicks, could you please upload it to www.virustotal.com (it uses more scanners, and apparently more updated programs…avast! 4.7.4…we are at 4.8.x now…)

Please could you report the file as being a false positive to ALWIL? It should help others that have been affected.


You could also send the file in a password protected archive to virus(at)avast(dot)com with 'potential false positive' in the subject line and the password in the email body.

or

You could add the file to the user files of the virus chest and send it from there:

Right click avast icon in taskbar → click start avast antivirus → right click scanner background → click virus chest → navigate to user files → click add files → right click file → email to alwil software.

NOTE:
The file will actually be uploaded when the next update is performed (you can do a manual update to initiate the sending)


You could also add a link to this thread and some more information when you do.

-Scott-

Hello Scott,

Thanks for the prompt response.

I have submitted the file via User Files of the Virus Chest.

I noticed http://forum.avast.com/index.php?topic=51926.0, I am also using a Dell, a Dell Inspiron 545 desktop. It seems that this False Positive may be something to do with Dell.

Virustotal.com (https://www.virustotal.com/analisis/811180f967d5f3bc2d126ad2e000e4bfee03379ecf188a3ecfee2b3385fd4ec3-1260193663):

File avmanagerunified.dll received on 2009.12.07 13:47:43 (UTC)
Current status: finished

Result: 2/41 (4.88%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.07 -
AhnLab-V3 5.0.0.2 2009.12.07 -
AntiVir 7.9.1.102 2009.12.07 -
Antiy-AVL 2.0.3.7 2009.12.07 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.06 Win32:Malware-gen
AVG 8.5.0.426 2009.12.07 -
BitDefender 7.2 2009.12.07 -
CAT-QuickHeal 10.00 2009.12.07 -
ClamAV 0.94.1 2009.12.07 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.07 -
eSafe 7.0.17.0 2009.12.06 -
eTrust-Vet 35.1.7162 2009.12.07 -
F-Prot 4.5.1.85 2009.12.06 -
F-Secure 9.0.15370.0 2009.12.07 -
Fortinet 4.0.14.0 2009.12.07 -
GData 19 2009.12.07 Win32:Malware-gen
Ikarus T3.1.1.74.0 2009.12.07 -
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.913 2009.12.07 -
Kaspersky 7.0.0.125 2009.12.07 -
McAfee 5824 2009.12.06 -
McAfee+Artemis 5824 2009.12.06 -
McAfee-GW-Edition 6.8.5 2009.12.07 -
Microsoft 1.5302 2009.12.07 -
NOD32 4667 2009.12.07 -
Norman 6.03.02 2009.12.07 -
nProtect 2009.1.8.0 2009.12.07 -
Panda 10.0.2.2 2009.12.06 -
PCTools 7.0.3.5 2009.12.07 -
Prevx 3.0 2009.12.07 -
Rising 22.25.00.09 2009.12.07 -
Sophos 4.48.0 2009.12.07 -
Sunbelt 3.2.1858.2 2009.12.06 -
Symantec 1.4.4.12 2009.12.07 -
TheHacker 6.5.0.2.086 2009.12.05 -
TrendMicro 9.100.0.1001 2009.12.07 -
VBA32 3.12.12.0 2009.12.07 -
ViRobot 2009.12.7.2074 2009.12.07 -
VirusBuster 5.0.21.0 2009.12.06 -
Additional information
File size: 321024 bytes
MD5…: c9191d1c5b248032563e07b654499bfa
SHA1…: d4d0e4aa86760f031952b4c0a2b4fe5929395df4
SHA256: 811180f967d5f3bc2d126ad2e000e4bfee03379ecf188a3ecfee2b3385fd4ec3
ssdeep: 6144:XRNH5j/2DJUTYZya9xCRq7X3ultznXXMVF0PpjHbkDx73ixJxqKK:XF/sJULa9pj3uHzHMbseDF3ixmZ

PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1db7a0
timedatestamp…: 0x4574bdd4 (Tue Dec 05 00:31:16 2006)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x18d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x18e000 0x4e000 0x4da00 7.88 e36194b708fbe9196eb1bafb55abf525
.rsrc 0x1dc000 0x1000 0x800 3.67 e1d010686f8da3f31bd68ac06d7680fe

( 11 imports )

KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect
ADVAPI32.dll: RegCloseKey
MSVCP60.dll: __Xlen@std@@YAXXZ
MSVCRT.dll: atol
ole32.dll: OleRun
OLEAUT32.dll: -
OPSWATAVCommon.dll: __0CRegKey@@QAE@XZ
SHELL32.dll: SHGetFolderPathA
SHLWAPI.dll: PathAddBackslashA
USER32.dll: SetFocus
VERSION.dll: VerQueryValueA

( 7 exports )
AVManagerObjectCreate, AVManagerObjectCreate2, AVManagerObjectFree, AVManagerObjectFree2, AVObjectCreate, AVObjectFree, GetSdkVersion

RDS…: NSRL Reference Data Set

pdfid.: -
trid…: Win64 Executable Generic (52.5%)
UPX compressed Win32 Executable (18.7%)
Win32 EXE Yoda’s Crypter (16.3%)
Win32 Executable Generic (5.2%)
Win32 Dynamic Link Library (generic) (4.6%)
packers (Avast): UPX
packers (Kaspersky): PE_Patch.UPX, UPX
sigcheck:
publisher…: OPSWAT, Inc.
copyright…: (c) OPSWAT, Inc. All rights reserved.
product…: n/a
description…: n/a
original name: AVManagerUnified.dll
internal name: AVManagerUnified
file version.: 2, 3, 1, 1
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned

packers (F-Prot): UPX

Thanks again.
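The PEInfo block in the report above shows the classic UPX layout (an empty UPX0 section with raw size 0 and entropy 0.00, then a UPX1 section at entropy 7.88), which is the kind of packed image that generic heuristics such as Win32:Malware-gen tend to fire on. As an added example, not part of this thread or of VirusTotal's tooling, the following Python reproduces those section-table columns from a PE file, flags that layout, and computes the MD5/SHA1/SHA256 quoted above so a reader can check whether their copy is the same build; the minimal PE it builds for testing is constructed, not the real DLL.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, as in the report's ntrpy column (0.0 for an empty section)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes) -> list:
    """Walk the PE section table; one dict per section with the report's columns."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size               # section table follows the optional header
    rows = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[rptr:rptr + rsize] if rsize else b""   # UPX0-style sections carry no raw bytes
        rows.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "viradd": vaddr,
                     "virsiz": vsize, "rawdsiz": rsize, "ntrpy": round(shannon_entropy(raw), 2),
                     "md5": hashlib.md5(raw).hexdigest()})
    return rows

def looks_upx_packed(sections: list) -> bool:
    """The layout in the report: UPX0 with zero raw size, UPX1 near the 8.0 entropy maximum."""
    by_name = {s["name"]: s for s in sections}
    if "UPX0" not in by_name or "UPX1" not in by_name:
        return False
    return by_name["UPX0"]["rawdsiz"] == 0 and by_name["UPX1"]["ntrpy"] > 7.0

def file_hashes(image: bytes) -> dict:
    """MD5/SHA1/SHA256 of the whole file, to compare with the values quoted in the thread."""
    return {a: hashlib.new(a, image).hexdigest() for a in ("md5", "sha1", "sha256")}

def build_sample_image() -> bytes:
    """Constructed minimal PE for offline testing (not the real DLL): no optional header, UPX0/UPX1 only."""
    payload = bytes(range(256)) * 4                          # every byte value equally often: entropy 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x2102)
    def sec(name, vsize, vaddr, rsize, rptr):                # one 40-byte IMAGE_SECTION_HEADER
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0)
    upx0 = sec(b"UPX0", 0x18D000, 0x1000, 0, 0)
    upx1 = sec(b"UPX1", 0x4E000, 0x18E000, len(payload), 64 + 24 + 80)   # raw data right after the table
    return dos + coff + upx0 + upx1 + payload
```

Against a real file, `pe_sections(open(path, "rb").read())` yields rows in the same shape as the report's "( 3 sections )" table, and `file_hashes` gives the digests to compare with the ones quoted there.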

Yep, I think it is a Dell thing. I have just found a copy in an old windows installation that I have (I am also using a Dell), so I will email it to them also.

-Scott-

Just hooked up my new Dell Studio 540 and got the same virus notification. I am using Windows 7 Home Premium 64 bit and Avast 4.8 Home Edition.
I have attached the .txt file with the info.
When I try to move it to chest, I get a popup saying the file cannot be found.

Ok, as said above, it is likely to be a False positive.

For now, I would click on the ‘No action’ option, as the other options don’t work.
This will (IIRC) block the file from loading, but leave it where it is. Then when the FP is corrected, it will be ok.

Definitely a Dell thing…

-Scott-

Hello,
Thank you for the notice, fixed in VPS 091207-0.

Milos

Thanks for the quick response :smiley:

Hello Milos,

That was very quick :slight_smile:

Confirmed, it is scanned clean now.

To the other users, you can do a manual update to get the fixed VPS.

-Scott-

Hi JoanTilley,

This is a slightly old, small(ish) false positive issue that was corrected.
I have a dell and I have no troubles at all. Although I have seen a thread about Win 7, avast! and Dells. Specifically the 64 bit version I think.
http://forum.avast.com/index.php?topic=52087.msg451055#msg451055

I would suggest that if you are having issues that you would like some help with, start a new thread and those here will try to help if they can. :slight_smile:

-Scott-

To Milos - Alwil team

The fix doesn’t seem to be complete. VPS 100117-1 on release 4.8.1351 (Win XP) reports it again. Other behaviour: a re-appearing upgea.bak file (23kB) in the user\Local Settings\Temp directory. I’ll make a regular error report when I return home. Please check.

Whilst it shouldn’t make a difference, your program version is out of date, so I would suggest that you update to avast 4.8.1368.

Does the file that is being detected by avast have the same MD5 (c9191d1c5b248032563e07b654499bfa) as this one?
If not, it is a different version.