i’m new here, and trying a very fast learning curve…i just did a full system scan (the quick scan found 0 threats or viruses) and came up with two infected files…the info messages are: xpnetdg.exe and expnetdiag.exe win32:malware-gen (for both) c:\windows\softwaredistributiondownl… and c:\windows$ntservicepackuninstall$…looks like they’ve been on the computer (‘last changed’ is the phrase in the message window) since '06. can one or more of you well-experienced computer folks explain what the nature of these beasts is…?? thanks! charles p.s. also there is a message that the risk is ‘severe’…
Hi and welcome to the forum,
I would recommend that you check the files using Jotti (http://virusscan.jotti.org/en-gb) which will give a more definitive answer as to whether they truly are infected; to my knowledge these are folders for rolling back files on your computer and are therefore most likely false positives.
Please let us know the results of the jotti scan and we can take it from there.
Best,
Adam
You could also check the offending/suspect file at VirusTotal - Multi engine (41) on-line virus scanners, so more than Jotti - and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.
I have the same problem showing up today. Here are the results from VirusTotal:
http://www.virustotal.com/reanalisis.html?de1996b3694914cb1700739773fd88bf3236e5b5c3c2a68792a8df91c37e2875-1280430847
http://www.virustotal.com/reanalisis.html?de1996b3694914cb1700739773fd88bf3236e5b5c3c2a68792a8df91c37e2875-1280430944
Thanks for any help that you can give me.
I also used Jotti and it showed Nothing Found.
I don’t believe Jotti is as good as VT, if for no other reason than that it has fewer scanners. Though I would have thought that avast would show up, but I don’t know if Jotti uses the Linux version of avast, which would make a difference.
If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest, right click on the file and select ‘Submit to virus lab…’, then complete the form and submit; the file will be uploaded during the next update.
- In the meantime (if you accept the risk), add it to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.
I too have just had these files reported, I scanned last night and all was OK.
But this evening I got xpnetdiag.exe reported
I suspect FP
I sent it in so I’ll see what they say. I am just going to leave it in the Chest for now. Thank you for your help.
If you suspect it, then confirm it at virustotal and send the sample to avast so that it can be analysed and the signature corrected.
OK, thanks for that.
Periodically scan the file within the chest (after signature updates) and when it is no longer detected, Restore it from the chest. Confirm that the file has been restored to the original location and you can delete the copy that remains in the chest.
Latest definitions now scanning clean again
Thanks for the feedback.
I, too, had xpnetdiag.exe identified as Malware-gen. I looked in some forums and they said if it wasn’t in the right folder, it probably is a virus. It wasn’t where it should have been so I quarantined it. I extracted it from Quarantine and had VirusTotal look at it and all came back with nothing found. I’m leaving them in Quarantine anyway for the time being, but here comes a really dumb question. I now have the file in quarantine and the extracted one. I scanned the extracted one again with Avast and it comes up clean. Is this because it was extracted and not moved? And what do I do with it now?
No, the extraction is just a copy of what is in the chest; scan the file within the chest and you will see it too shouldn’t be detected. Then you can Restore it as outlined in my Reply #8 and you can also remove the file you extracted to the temp location.
All clear here. I have restored the 2 files. Thanks for the help.
No problem, glad I could help.
A belated welcome to the forums.