Solved: Avast - real malware or false positives?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

DKTaber

Thread Starter
Joined
Oct 26, 2001
Messages
2,871
This morning while running simultaneous scans with Malwarebytes and SuperAntiSpyware, Avast popped up a "Threat Detected" message on the file dds.scr. It was in my Downloads folder. I have never heard of it and did not intentionally download it, so I let Avast put it in the Virus Chest.

A subsequent boot scan found additional infected files. Specifically,

A0005880.scr - in a system restore file
A0005885.scr - in a system restore file
errorfix.exe - in the Downloads folder
FFDShow_Setup.exe - in the Downloads folder

I discovered (from Bleeping Computer) that errorfix is a PUP. But what about the others? I assume the .scr files are screen savers or something similar. FFDShow is a codec file, I think. Is it also a PUP? Yes? No? If they're infected, why did Avast allow them to be downloaded instead of blocking them?
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
118,074
The file dds.scr is not really a screen saver, it's the download for DDS by sUBs that you must have downloaded at some point to check for malware.

Files in system restore are renamed so it's difficult to know what they were, but those are surely related to DDS.

ErrorFix is more than a PUP:

http://www.bleepingcomputer.com/startups/ErrorFix-24928.html
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
118,074
Please tell me you're not running scans with MBAM and SAS at the same time, although that's what simultaneously means. :)
 

DKTaber

Thread Starter
Joined
Oct 26, 2001
Messages
2,871
Please tell me you're not running scans with MBAM and SAS at the same time, although that's what simultaneously means. :)
Have to tell you that I did. I've done that on occasion for at least a half dozen years. Never had a problem, and it appears doing that had nothing to do with the malware found.

What about FFDShow? Isn't that just codecs? If so, is that a false positive?
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
118,074
Have to tell you that I did. I've done that on occasion for at least a half dozen years. Never had a problem, and it appears doing that had nothing to do with the malware found.
I think it very well could have since it's what triggered Avast to alert.
What about FFDShow? Isn't that just codecs? If so, is that a false positive?
Looks like some kind of video decoder but seems to be detected more for its adware component as a PUA:

http://www.sophos.com/en-us/threat-...adware-and-puas/iBryte Optimum Installer.aspx
 

DKTaber

Thread Starter
Joined
Oct 26, 2001
Messages
2,871
I think it very well could have since it's what triggered Avast to alert.
Looks like some kind of video decoder but seems to be detected more for its adware component as a PUA:

http://www.sophos.com/en-us/threat-...adware-and-puas/iBryte Optimum Installer.aspx
I haven't the foggiest what the difference is between a PUP and PUA. I've not gotten any ads as the result of installing the codecs. . . but perhaps I should uninstall them and use K-Lite or somebody else.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
118,074
PUP or PUA are interchangeable. Potentially Unwanted Program or Potentially Unwanted Application. :)

When did you download it and from where?
 

DKTaber

Thread Starter
Joined
Oct 26, 2001
Messages
2,871
. . .When did you download it and from where?
Don't remember exactly, but I think I got errorfix.exe from a link in a post on a forum. . . may even have been TSG. FFDShow was downloaded because a video in an e-mail would not play because I was missing some codec and it suggested FFDShow.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
118,074
Well it is my opinion that the only false positive is dds.scr and subsequently the ones in system restore but it's up to you whether or not you wish to keep the others. :)
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
118,074
It doesn't make any changes to the system. It just reports running processes (similar to HijackThis but in much greater detail), various keys in the registry, services, installed programs, etc. See an example here of the two logs it creates:

http://forums.techguy.org/8298872-post17.html
 

DKTaber

Thread Starter
Joined
Oct 26, 2001
Messages
2,871
Well it is my opinion that the only false positive is dds.scr . . .. :)
Cookie: For your "security knowledge base", I submitted dds.scr to Jotti online scanner. Both Avast and G-Data (2 AVs that have extremely good ratings) identified this file as containing Win32:Malware-gen. ClamAV (which I've never heard of) also identified it as malware, but as a PUA.Win32.Packer.Upx-53. So, IMO, it IS either malware or was infected.

Another observation: I have no understanding of how this happens, but when I first deleted dds.scr (sent it to the recycle bin), it changed its name to Dc2.scr (that's the file that was in the recycle bin, NOT dds.scr) and that's when Avast reacted and quarantined it. In order to have Jotti scan it, I had to first restore dds.scr from quarantine. After the Jotti result described above, I deleted it (again sending it to the recycle bin). This time the file wound up in the bin as Dc30.scr. So each time I delete it, it changes its name. I'm not a virus expert, but when a file does that, it suggests to me that it's trying to hide or avoid being identified by AV programs. IOW, it's malware.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
118,074
Malware-gen is a common detection based on heuristics with a wide margin for false positives. I just downloaded DDS and ran it through Jotti and only got the ClamAV one, but that is common too because the files are "packed".

Avast goes back and forth with detecting the tools we use as malware. Sometimes they do, sometimes they don't.

The fact that it changed names indicates that your Recycle Bin may be corrupt. It's common for those names to change but only at the command prompt level. If you viewed the contents of the Recycle Bin through a command prompt that's what you would see but I don't believe it should be displaying that way.
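The "packed" explanation above is the kind of thing a practitioner can check for themselves before deciding a Packer.Upx hit is a false positive. The following is an added example, not code from the thread or from any of the tools mentioned: it parses the PE section table of a file and flags the UPX0/UPX1 section names a UPX-packed executable normally carries (a simple heuristic of our own, not ClamAV's actual signature), and it builds a small constructed PE image so the check runs offline without touching a real dds.scr.

```python
import hashlib
import struct

def build_pe(section_names):
    """Construct a minimal PE image (test data only, not a real program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b""
    for name in section_names:
        # 40-byte section header; only the 8-byte name field matters for this check
        sections += name.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32
    return dos + b"PE\x00\x00" + coff + sections

def pe_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(n_sections):
        raw = data[table + i * 40:table + i * 40 + 8]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names

def looks_upx_packed(data):
    """Heuristic: UPX leaves sections named UPX0/UPX1 (assumption, not a signature)."""
    return any(n.startswith("UPX") for n in pe_section_names(data))

def triage(data):
    """Return what you would want in hand before submitting to a multi-engine scanner."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": pe_section_names(data),
        "upx_packed": looks_upx_packed(data),
    }

if __name__ == "__main__":
    packed = build_pe(["UPX0", "UPX1", ".rsrc"])      # constructed, mimics a UPX layout
    plain = build_pe([".text", ".rdata", ".data"])     # constructed, ordinary layout
    print(triage(packed))
    print(triage(plain))
```

A UPX-packed file is not malicious by itself; the packer hint only tells you why a generic "Packer" or "Malware-gen" heuristic fired, so the next step is comparing the file's hash against the tool's official download rather than trusting the verdict either way.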
 