AVG anti-virus mistakes Windows system file for a trojan

by Carol~ Forum moderator / March 14, 2013 7:53 AM PDT

On Thursday morning, the protection programs of AVG incorrectly identified the Windows system file wintrust.dll as a trojan of type "Generic32.FJU". Under certain circumstances, the virus hunting software has also labelled programs as malware if they attempted to access the supposed trojan DLL. The solution is a virus signature update.

Only Windows XP systems were affected by the problem. Users who deleted the file from their system could not boot their computers any more. In this case, to help restore the system, boot it with the Rescue CD and take wintrust.dll from a still functioning system and copy that to C:\Windows\System32\. At least, according to AVG, the anti-virus software did not automatically delete or quarantine the wintrust.dll file, though other files will have to be moved back into place.

The company says it fixed the problem by 12:45 on the same day with updates to virus database number 567 for AVG 9 and 2012 editions and virus database number 6174 for the current 2013 edition.

http://www.h-online.com/security/news/item/AVG-anti-virus-software-mistakes-Windows-system-file-for-a-trojan-1823171.html

False Positive Result
by mchainmchain / March 14, 2013 8:01 PM PDT

Users of any a/v product, not just AVG, need to be aware that sometimes a virus definition update will contain an erroneous definition file that will target a Windows system file.

Just because an a/v says a Windows system file is detected as malicious does not mean it actually is, especially when it is a Windows system file. All a/v vendors have made this mistake at one time or another, but the real problem is that some users will not use a service such as VirusTotal.com to confirm the detection before deleting/quarantining the file; the fact is that panic, haste and lack of awareness of a service such as VirusTotal sometimes get a user into a bind that cannot be gotten out of.

So, do not panic if your a/v detects a file as malicious. Take your time to investigate first (use a second computer or Google the file in question from there if that would be safer).

Compounding the issue is the fact that deletion of any file will make it disappear forever. A case in point would be notepad.exe, a Windows system file: if you remove it by deleting it, you will not be able to get Notepad to run again no matter what you try to do.

If there is any question, always quarantine afterwards, but use the link posted below first. Do not reboot (you may need that file for Windows to restart or operate properly); upload and scan your file.

You can check with 40+ virus scanners and make your best call here: https://www.virustotal.com/en/

If only your a/v alerts, or even only one or two others, then it is likely to be a false positive and can be ignored. If you did quarantine, you now have the option of restoring that file, but you cannot restore if you choose to delete.
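An added example, not code from this thread or from AVG, Avira or VirusTotal: a PowerShell triage function that applies the advice in this post (verify first, quarantine rather than delete, weigh how many other engines agree) together with the compare-against-a-working-system step from the opening post. It assumes Windows PowerShell 4.0 or later for Get-FileHash; the function name, its parameters and the "two other engines" threshold are assumptions of this example, not something the posts specify.

```powershell
# Added example, not from the thread: triage a file an a/v product has flagged,
# without deleting anything. Assumes Windows PowerShell 4.0+ (Get-FileHash).
function Test-FlaggedSystemFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # Number of VirusTotal engines, other than your own product, that agreed
        # with the detection. Fill this in by hand after looking the SHA-256 up;
        # the post's rule of thumb is that one or two agreeing engines is still
        # most likely a false positive. (The threshold of 2 is this example's choice.)
        [int]$OtherEngineDetections = 0,

        # Optional SHA-256 of the same file taken from a known-good machine, as in
        # the restore procedure described in the opening post.
        [string]$KnownGoodSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $item   = Get-Item -LiteralPath $Path
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path

    # Is the file where a Windows system file would normally live?
    $systemDirs  = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\")
    $inSystemDir = $false
    foreach ($dir in $systemDirs) {
        if ($item.FullName.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            $inSystemDir = $true
        }
    }

    # A valid signature chaining to Microsoft is strong evidence the file is genuine.
    # Caveat: many system files are catalog-signed rather than embedded-signed; older
    # PowerShell versions then report 'NotSigned', which means "not verified here",
    # not "malicious".
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($signer -like '*O=Microsoft Corporation*')

    # Compare with a copy from a working system, if one was supplied.
    $matchesKnownGood = $null
    if ($KnownGoodSha256) {
        $matchesKnownGood = ($sha256 -eq $KnownGoodSha256.ToUpperInvariant())
    }

    # Decision: never delete; at worst quarantine, so the file can be restored.
    if ($matchesKnownGood -eq $false) {
        $verdict = 'Differs from known-good copy: quarantine (do not delete) and investigate further.'
    }
    elseif (($signedByMicrosoft -or $matchesKnownGood -eq $true) -and $OtherEngineDetections -le 2) {
        $verdict = 'Likely false positive: leave the file in place, report it to the a/v vendor and wait for a definition update.'
    }
    elseif ($OtherEngineDetections -le 2) {
        $verdict = 'Unverified: quarantine rather than delete, upload the SHA-256 to VirusTotal and compare with a copy from a working system.'
    }
    else {
        $verdict = 'Several independent engines agree: quarantine (do not delete) and treat as suspect until confirmed either way.'
    }

    [pscustomobject]@{
        Path                  = $item.FullName
        SHA256                = $sha256
        InSystemDirectory     = $inSystemDir
        SignatureStatus       = $sig.Status
        Signer                = $signer
        SignedByMicrosoft     = $signedByMicrosoft
        MatchesKnownGood      = $matchesKnownGood
        OtherEngineDetections = $OtherEngineDetections
        Recommendation        = $verdict
    }
}

# Usage: the file from the AVG incident, with no other engines agreeing.
Test-FlaggedSystemFile -Path "$env:SystemRoot\System32\wintrust.dll" | Format-List
```

The SHA256 field is what you paste into VirusTotal's search box, so the flagged file itself never has to leave the machine; the hash of a good copy from another system goes into -KnownGoodSha256 and lets you confirm the two files are identical before copying one over the other.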

Re: false positive
by Kees_B Forum moderator / March 14, 2013 8:25 PM PDT

I had just the same this week with the free version of Avira. Suddenly it found jraid.sys, in a folder with Windows drivers, suspect.

But - very nicely! - it suggested itself it was a false positive and asked me to submit it to them so they could analyse it. I first had a look at the file myself and found it to be a Microsoft file last changed in 2006 (it happened on my old XP system), so very, very unlikely to contain malware. So I submitted it to them (midnight CET) and 4 hours later (4 AM CET) got an answer from their analysis software or analysis team that it was a false positive indeed.
I don't like all those popups the free version of Avira gives, so I don't run it on my main PC (I've got Avast there), but this was a very good experience! Couldn't be better, given that false positives can't be excluded.

The only issue I found was that it was unclear how to submit that file. But a quick Google search led to the right page on the Avira site, so that was a minor issue.

Kees
