Winbuilder scan showing Trojan horse?

I just updated my “Avast” virus definitions and ran a scan and got several hits. I presume these are false positives; here is a copy of the logs.

01/02/2008 5:08:34 PM Dennis 5400 Sign of "Win32:Agent-RNO [trj]" has been found in "C:\WinBuilder\Projects\Tools\WimUtil.exe" file.
01/02/2008 5:14:54 PM SYSTEM 1900 Sign of "Win32:Agent-RNO [trj]" has been found in "C:\WinBuilder\Projects\Tools\WimUtil.exe" file.
01/02/2008 5:30:28 PM Dennis 5400 Sign of "Win32:Agent-RNO [trj]" has been found in "K:\Downloads Jan 2 2008\VistaPe stuff\WinBuilder\Projects\Tools\WimUtil.exe" file.
01/02/2008 5:47:32 PM Dennis 5952 Sign of "Win32:Agent-RNO [trj]" has been found in "C:\WinBuilder\ISO\VistaPE.iso\sources\boot.wim" file.
01/02/2008 5:48:02 PM Dennis 5952 Sign of "Win32:Agent-RNO [trj]" has been found in "C:\WinBuilder\ISO\VistaPE.iso" file.
01/02/2008 5:48:54 PM Dennis 4420 Sign of "Win32:Agent-RNO [trj]" has been found in "C:\WinBuilder\Target\VistaPE\sources\boot.wim" file.
01/02/2008 7:17:54 PM SYSTEM 1964 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Windows\System32\conime.exe (C:\Windows\System32\conime.exe) returning error, 00000005.

Has anybody else experienced this?
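An added example, not part of the original post: a small Python triage of the log above that collapses repeated scans and separates hits on loose files from hits on `.iso`/`.wim` images, so it is clear how many distinct files one signature actually flagged. The image extension list and the field names are assumptions; the log does not say which member of an image matched.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Log lines copied from the first post.
LOG = r'''
01/02/2008 5:08:34 PM Dennis 5400 Sign of "Win32:Agent-RNO [trj]" has been found in "C:\WinBuilder\Projects\Tools\WimUtil.exe" file.
01/02/2008 5:14:54 PM SYSTEM 1900 Sign of "Win32:Agent-RNO [trj]" has been found in "C:\WinBuilder\Projects\Tools\WimUtil.exe" file.
01/02/2008 5:30:28 PM Dennis 5400 Sign of "Win32:Agent-RNO [trj]" has been found in "K:\Downloads Jan 2 2008\VistaPe stuff\WinBuilder\Projects\Tools\WimUtil.exe" file.
01/02/2008 5:47:32 PM Dennis 5952 Sign of "Win32:Agent-RNO [trj]" has been found in "C:\WinBuilder\ISO\VistaPE.iso\sources\boot.wim" file.
01/02/2008 5:48:02 PM Dennis 5952 Sign of "Win32:Agent-RNO [trj]" has been found in "C:\WinBuilder\ISO\VistaPE.iso" file.
01/02/2008 5:48:54 PM Dennis 4420 Sign of "Win32:Agent-RNO [trj]" has been found in "C:\WinBuilder\Target\VistaPE\sources\boot.wim" file.
01/02/2008 7:17:54 PM SYSTEM 1964 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Windows\System32\conime.exe (C:\Windows\System32\conime.exe) returning error, 00000005.
'''

# Fields: timestamp, user, numeric field as logged, signature, path.
DETECTION = re.compile(
    r'^\S+ \S+ [AP]M (?P<user>\S+) (?P<num>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$')
IMAGE_EXT = {".iso", ".wim"}  # assumption: extensions treated as disk/boot images

def in_image(path):
    """True if the file itself, or any path component above it, is an image."""
    return any(PureWindowsPath(p).suffix.lower() in IMAGE_EXT
               for p in PureWindowsPath(path).parts)

def summary(log):
    """Group detections by signature; return (per-signature summary, other lines)."""
    paths, hits, other = defaultdict(set), defaultdict(int), []
    for line in filter(None, map(str.strip, log.splitlines())):
        m = DETECTION.match(line)
        if not m:
            other.append(line)           # warnings and errors, not detections
            continue
        hits[m["sig"]] += 1
        paths[m["sig"]].add(m["path"])   # a set collapses repeated scans
    out = {}
    for sig, ps in paths.items():
        out[sig] = {
            "hits": hits[sig],
            "loose_files": sorted({PureWindowsPath(p).name for p in ps if not in_image(p)}),
            "images": sorted(p for p in ps if in_image(p)),
        }
    return out, other

if __name__ == "__main__":
    result, other = summary(LOG)
    for sig, info in result.items():
        print(sig, info)
    print("non-detection lines:", len(other))
```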

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

If it is indeed a false positive, add it to the exclusions lists: Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions. Restore it to its original location and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions.

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body; a link to this topic might help, and put "false positive" in the subject.

Or you can send it from the chest (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

VirusTotal was dead for a few days (I don’t know if it is fully available for all geo-IP locations now); you can also try http://virusscan.jotti.org :wink:

VT is up now, I just uploaded a test file.

Hi guys, appreciate the help. I am on dial-up so I sent the smallest file; this is the result (see below), not picked up by too many others. Also, one of the files that had a hit was VistaPe; it was of course too large for me to upload.

Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.06 -
Authentium 4.93.8 2008.02.05 -
Avast 4.7.1098.0 2008.02.06 Win32:Agent-RNO
AVG 7.5.0.516 2008.02.06 -
BitDefender 7.2 2008.02.06 -
CAT-QuickHeal 9.00 2008.02.04 -
ClamAV 0.92 2008.02.06 -
DrWeb 4.44.0.09170 2008.02.06 -
eSafe 7.0.15.0 2008.01.28 suspicious Trojan/Worm
eTrust-Vet 31.3.5512 2008.02.05 -
Ewido 4.0 2008.02.06 -
FileAdvisor 1 2008.02.06 -
Fortinet 3.14.0.0 2008.02.06 -
F-Prot 4.4.2.54 2008.02.05 -
F-Secure 6.70.13260.0 2008.02.06 -
Ikarus T3.1.1.20 2008.02.06 Win32.HLLW.Spreader.17
Kaspersky 7.0.0.125 2008.02.06 -
McAfee 5224 2008.02.06 -
Microsoft 1.3204 2008.02.06 -
NOD32v2 2853 2008.02.06 -
Norman 5.80.02 2008.02.06 -
Panda 9.0.0.4 2008.02.05 -
Prevx1 V2 2008.02.06 Heuristic: Suspicious File With Anti-Security Technology
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.06 -
Sunbelt 2.2.907.0 2008.02.05 -
Symantec 10 2008.02.06 -
TheHacker 6.2.9.210 2008.02.06 -
VBA32 3.12.6.0 2008.02.06 -
VirusBuster 4.3.26:9 2008.02.06 -
Webwasher-Gateway 6.6.2 2008.02.06 -
Additional information
File size: 666398 bytes