Solved: Avast - real malware or false positives?

Discussion in 'General Security' started by DKTaber, Feb 1, 2013.

  1. DKTaber (Thread Starter)

    This morning while running simultaneous scans with Malwarebytes and SuperAntiSpyware, Avast popped up a "Threat Detected" message on the file dds.scr. It was in my Downloads folder. I have never heard of it and did not intentionally download it, so let Avast put it in the Virus Chest.

    A subsequent boot scan found additional infected files. Specifically,

    A0005880.scr - in a system restore file
    A0005885.scr - in a system restore file
    errorfix.exe - in the Downloads folder
    FFDShow_Setup.exe - in the Downloads folder

    I discovered (from Bleeping Computer) that errorfix is a PUP. But what about the others? I assume the .scr files are screen savers or something similar. FFDShow is a codec file, I think. Is it also a PUP? Yes? No? If they're infected, why did Avast allow them to be downloaded instead of blocking them?
     
  2. Cookiegal (Administrator, Malware Specialist Coordinator)

    The file dds.scr is not really a screen saver, it's the download for DDS by sUBs that you must have downloaded at some point to check for malware.

    Files in system restore are renamed so it's difficult to know what they were, but those are surely related to DDS.

    ErrorFix is more than a PUP:

    http://www.bleepingcomputer.com/startups/ErrorFix-24928.html
     
  3. Cookiegal (Administrator, Malware Specialist Coordinator)

    Please tell me you're not running scans with MBAM and SAS at the same time, although that's what simultaneously means. :)
     
  4. DKTaber (Thread Starter)

    Have to tell you that I did. I've done that on occasion for at least a half dozen years. Never had a problem, and it appears doing that had nothing to do with the malware found.

    What about FFDShow? Isn't that just codecs? If so, is that a false positive?
     
  5. Cookiegal (Administrator, Malware Specialist Coordinator)

    I think it very well could have since it's what triggered Avast to alert.
    Looks like some kind of video decoder but seems to be detected more for its adware component as a PUA:

    http://www.sophos.com/en-us/threat-...adware-and-puas/iBryte Optimum Installer.aspx
     
  6. DKTaber (Thread Starter)

    I haven't the foggiest what the difference is between a PUP and PUA. I've not gotten any ads as the result of installing the codecs. . . but perhaps I should uninstall them and use K-Lite or somebody else.
     
  7. Cookiegal (Administrator, Malware Specialist Coordinator)

    PUP or PUA are interchangeable. Potentially Unwanted Program or Potentially Unwanted Application. :)

    When did you download it and from where?
     
  8. DKTaber (Thread Starter)

    Don't remember exactly, but I think I got errorfix.exe from a link in a post on a forum. . . may even have been TSG. FFDShow was downloaded because a video in an e-mail would not play because I was missing some codec and it suggested FFDShow.
     
  9. Cookiegal (Administrator, Malware Specialist Coordinator)

    Well it is my opinion that the only false positive is dds.scr and subsequently the ones in system restore but it's up to you whether or not you wish to keep the others. :)
     
  10. DKTaber (Thread Starter)

    What does dds.scr do?
     
  11. Cookiegal (Administrator, Malware Specialist Coordinator)

    It doesn't make any changes to the system. It just reports running processes (similar to HijackThis but in much greater detail), various keys in the registry, services, installed programs, etc. See an example here of the two logs it creates:

    http://forums.techguy.org/8298872-post17.html
     
  12. DKTaber (Thread Starter)

    OK, thanks.
     
  13. Cookiegal (Administrator, Malware Specialist Coordinator)

    You're welcome. :)
     
  14. DKTaber (Thread Starter)

    Cookie: For your "security knowledge base", I submitted dds.scr to Jotti online scanner. Both Avast and G-Data (2 AVs that have extremely good ratings) identified this file as containing Win32:Malware-gen. ClamAV (which I've never heard of) also identified it as malware, but as a PUA.Win32.Packer.Upx-53. So, IMO, it IS either malware or was infected.

    Another observation: I have no understanding of how this happens, but when I first deleted dds.scr (sent it to the recycle bin), it changed its name to Dc2.scr (that's the file that was in the recycle bin, NOT dds.scr) and that's when Avast reacted and quarantined it. In order to have Jotti scan it, I had to first restore dds.scr from quarantine. After the Jotti result described above, I deleted it (again sending it to the recycle bin). This time the file wound up in the bin as Dc30.scr. So each time I delete it, it changes its name. I'm not a virus expert, but when a file does that, it suggests to me that it's trying to hide or avoid being identified by AV programs. IOW, it's malware.
     
  15. Cookiegal (Administrator, Malware Specialist Coordinator)

    Malware-gen is a common detection based on heuristics with a wide margin for false positives. I just downloaded DDS and ran it through jotti and only got the ClamAV one but that is common too because the files are "packed".

    Avast goes back and forth with detecting the tools we use as malware. Sometimes they do, sometimes they don't.

    The fact that it changed names indicates that your Recycle Bin may be corrupt. It's common for those names to change but only at the command prompt level. If you viewed the contents of the Recycle Bin through a command prompt that's what you would see but I don't believe it should be displaying that way.
     
Short URL to this thread: https://techguy.org/1087834