Is this really malware or a false positive?


Avast reports it as Win32:Malware-gen and puts it in the virus chest. What do I do with this? I am a total novice with this stuff.
Asked Jan 14 '15 at 8:08
This is a virus I've been removing from multiple computers over the past few weeks. I am passing you some information on Vosteran, but also the only way I personally have found to totally clean computers of it. Virus facts: Type: Browser Hijacker. C:\PROGRAMDATA\1078601655\BITC48D.tmp is one of the most common locations for this. The virus is a browser hijacker that replaces the homepage and search provider. If you have noticed the virus on any of your browsers you should immediately get rid of it. Hijackers and adware like this virus install some of their components as regular Windows programs as well as additional software. You may notice programs appear such as MiPony and multiple others. Google Chrome is a magnet for ghost viruses. It no longer just stores in cache; it now hides toolbars. Make sure to keep antivirus updated and run it at a scheduled time. Clean cache frequently. Close all windows before downloading any virus or malware tool. Turn off antivirus for malware downloads and only download from the original site. I use Kaspersky Total Security antivirus on computers. Kaspersky reports are very easy to read. Scan with the deepest possible scan. Vault everything it pulls. Download the Malwarebytes full free trial version and set the deepest scan. Run a full scan. Download Malwarebytes RegASSASSIN, which removes malware registry keys. Download Malwarebytes FileASSASSIN, which removes viruses' locked files. This program allows you to select the file that won't vault or delete. You add a line and it deletes it. Add each line until the complete virus is gone. - pay it forward 114 months ago

1 Answer

Avast is very aggressive about malware detection and comes up with a large number of false positives in my experience, especially when heuristics are used for detection.  As a result, it will often flag installers, updaters, and patchers, or elements of them such as their *.tmp files as some form of malicious software, such as a generic malware (malware-gen) or a generic trojan horse (win32.troj.gen) or something similar.  While most of them would typically be false positives, you can't simply assume that it is a false positive.  So you need to learn how to figure out how likely it is that something is a false positive or a true positive detection.  I'll try to help you with that first, then talk about what you can do in this specific case.

The first thing to keep in mind is that Avast and some other scanners and definition sets will detect the contents of virus chests from other antivirus software and still flag it.  For example, I use COMODO for my primary AV, and herdProtect scans the COMODO virus chest and detects contents as malicious, even though it isn't capable of harming my system anymore due to being locked away in the COMODO virus chest.  So if you get a detection and it points to a directory that you know is the virus chest for another one of your AV scanners, then this can be treated as a false positive.  It may be that it really is malicious software, but it's already locked away and you don't need to do anything more with it.

The second thing to pay attention to is any detections that happen when you're installing new software or updating or patching software on your system.  A lot of installers and updaters will recommend that you disable AV software because they know it can make a false positive detection and interrupt or fully break the installation.  But if you haven't disabled your AV software, then any detections that come up during the installation/update should be considered against how much you trust the software itself.  If you're installing software that you know is legitimate and can be trusted, then there is a high chance that detection is a false positive and you can ignore the detection.  If you're not sure if the software is trustworthy, then you should cancel the installer/updater and research the software itself to see if others have learned if it's malicious or not.

Third are detections after making a new installation or update while your AV real-time protection was disabled.  Anything that the AV would have detected during the installation is likely to still be detected after the fact when you next run a scan.  Again, if you trust the program that created the file that's being detected, then you can ignore the detection as a false positive, otherwise you should do more research.

You should also keep in mind that if you do any software pirating (not generally recommended), then most cracks, keygens, and patchers will be detected as malicious software.  There is a large number of disreputable sites that offer supposed cracks, keygens, and patchers that a) don't work, and b) are actually malicious, so many such detections are legitimate true positives and should not be ignored.  There are other sites that are reputable, and there are certain groups dedicated to software pirating that are similarly trustworthy, but unless you're deep into the scene you really won't know which is which.  If you're not sure, assume it is a true positive detection and treat it as such.

Regarding temporary files, such as those with the *.tmp extension, they should typically not be doing anything on your system except when an installer or updater is running.  So if a *.tmp file is detected by real-time protection when you're installing or updating something, you can treat it as mentioned above based on whether you trust the software or not.  But if real-time protection detects a *.tmp file as malicious when a full AV scan is not running, that can be a sign that the *.tmp file or its parent software is trying to do something on your system in the background.  That would be a sign that it may actually be malicious software and the detection could be a true and legitimate positive detection.

Beyond that, any detections that are not "generic" are almost certainly true positives.  But if you have your scanner set up to detect PUPs, anything detected specifically as a PUP of some kind you should look closely to see if it is software that you deliberately installed and want to keep, or if it is something you did not install.  If you didn't install it yourself, then it is probably not wanted.

Now what you can do about it...

Any false positives you can simply add to ignore/exclusion lists and they shouldn't be detected again.

Any legitimate *.tmp files should typically expire and be deleted on their own eventually, but they could be detected by AV at every scan until that happens, so if you trust the program that created it, you can add the file to your exclusion/ignore list.  But *.tmp files shouldn't usually be necessary for the software once the installation or update is complete, so in most cases you can quarantine them without any adverse effects.

Any legitimate true positives, or if you're unsure and want to be cautious, should be quarantined.  The exception here would be PUPs, which I would recommend ignoring once (do not add to exclusion/ignore list), and try to uninstall the software using normal software uninstall methods (I recommend Revo Uninstaller at moderate level), and then after you've uninstalled or attempted to uninstall normally, reboot, and re-scan with AV.  If it's still detected after you've tried to uninstall, then use the AV software to quarantine or delete it.

Now as to your specific detection, there isn't enough information to determine if this is a false positive or not, based on what you've posted.  It is possible that this is a remnant of an installer or updater and is a false positive.  You can try to get a better idea by thinking of what you were doing when the detection was made.  Was it detected while you were trying to install or update something?  If so, were you installing or updating something that you trust?  If so, then it is most likely a false positive.

On the other hand, if you were not installing or updating anything at the time and you were simply running a system scan, then you need to think about anything you've installed or updated after the previous scan you made, but before the new scan that detected the file.  You then need to try and find out if this file is related to any of those installations or updates.  You can go to the folder "C:\ProgramData\1078601655\" where the detected file was found and look at the other files present in that folder to see if anything has a file name that you can identify as part of a specific program.

If you still can't figure it out for sure, then the best thing to do would be to quarantine the file, which was already done anyway if I'm reading your post right.

If you decide it was a false positive, then you want to see if the program it's related to is working correctly or not even though the file was quarantined.  If it works fine, you can leave the file in the virus chest.  If the program isn't working right anymore, then you can restore the file from the virus chest back to the original location, and try to force an update or repair of the software.  You might have to uninstall and re-install the software, but that's not usually necessary.

I hope that helps you out.  Good luck.

Answered Jan 14 '15 at 13:54
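The answer above suggests opening the folder the detection points to and looking for file names, vendors and activity that tie the file to a known installation. The following PowerShell script is an added triage helper, not part of the original answer or of any product; it assumes Windows PowerShell 5.1 or later and uses the folder path quoted in the question only as a default (the folder name is the one from the question, not a known-bad indicator).

```powershell
# Added triage helper (not from the original answer). Lists every file in the
# folder the AV pointed at, with the details that help decide whether a *.tmp
# belongs to a recent install/update: timestamps, hash, Authenticode signature
# and embedded version info. Then checks whether anything from that folder is
# currently running, which the answer treats as the suspicious case.
param(
    # Default is the folder quoted in the question; pass another path to reuse.
    [string]$Folder = 'C:\ProgramData\1078601655'
)

if (-not (Test-Path -LiteralPath $Folder)) {
    Write-Host "Folder not found: $Folder"
    return
}

# 1. Inventory: sort by modification time so the files line up with the
#    installs/updates you remember doing between the two scans.
Get-ChildItem -LiteralPath $Folder -File -Recurse -Force |
    Sort-Object LastWriteTime |
    ForEach-Object {
        $f   = $_
        $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
        $vi  = $f.VersionInfo
        [pscustomobject]@{
            Name        = $f.Name
            Created     = $f.CreationTime
            Modified    = $f.LastWriteTime
            SizeKB      = [math]::Round($f.Length / 1KB, 1)
            SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            Signature   = $sig.Status                 # Valid, NotSigned, HashMismatch ...
            Signer      = $sig.SignerCertificate.Subject
            Company     = $vi.CompanyName             # usually names the vendor of an installer's PE
            Product     = $vi.ProductName
            Description = $vi.FileDescription
        }
    } | Format-List

# 2. Activity: a file in this folder that is running or loaded into a process
#    while no install/update is in progress is worth treating as a true positive
#    until proven otherwise.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Path -and $_.Path.StartsWith($Folder, 'OrdinalIgnoreCase')) -or
        ($_.Modules | Where-Object { $_.FileName -like "$Folder\*" })
    } |
    Select-Object Id, ProcessName, Path, StartTime
```

A populated Company or Product field, or a valid signature from a vendor you recently installed or updated, supports the false-positive reading; a file with no version info, no signature and a live process is the background-activity case the answer says not to dismiss.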