Saturday, November 21st 2009, 12:59pm UTC+1


boudi (Date of registration: Mar 30th 2008; Location: Saint-Etienne, France)

1

Sunday, March 30th 2008, 12:34pm

Trojan TR/Crypt.XPACK.Gen : False positive ?

Hello !!!

Since yesterday my AntiVir has been finding this Trojan horse TR/Crypt.XPACK.Gen. I tried to repair the infected file in safe mode with AV, no result. The file was sent to quarantine, but I need this file for a program to run correctly.

So I restored the file, ignored the AV warning, and scanned my hard disk with an online antivirus: the trojan was not found.

I remember that I had a lot of false positives with AV a few weeks or months ago, and I am asking whether this trojan could be a new false positive?

I tried with the heuristic set to low (scan and guard); the trojan is still detected.

My report:

AntiVir PersonalEdition Classic
Report file date: dimanche 30 mars 2008 11:20

Scanning for 1169688 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: xxxxxxxxxxxx
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Alain
Computer name: DELL5150

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 07/09/2007 22:20:52
AVSCAN.DLL : 7.0.6.0 49192 Bytes 07/09/2007 22:20:52
LUKE.DLL : 7.0.5.3 147496 Bytes 07/09/2007 22:20:54
LUKERES.DLL : 7.0.6.1 10280 Bytes 07/09/2007 22:20:54
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 06:54:13
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 19:05:46
ANTIVIR2.VDF : 7.0.3.85 434176 Bytes 27/03/2008 19:01:35
ANTIVIR3.VDF : 7.0.3.92 20480 Bytes 28/03/2008 19:02:07
AVEWIN32.DLL : 7.6.0.78 3408384 Bytes 28/03/2008 19:02:07
AVWINLL.DLL : 1.0.0.7 14376 Bytes 19/04/2007 20:10:05
AVPREF.DLL : 7.0.2.2 25640 Bytes 07/09/2007 22:20:52
AVREP.DLL : 7.0.0.1 155688 Bytes 19/04/2007 20:10:08
AVPACK32.DLL : 7.6.0.3 360488 Bytes 16/01/2008 18:36:35
AVREG.DLL : 7.0.1.6 30760 Bytes 07/09/2007 22:20:52
AVARKT.DLL : 1.0.0.20 278568 Bytes 07/09/2007 22:20:49
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 07/09/2007 22:20:49
NETNT.DLL : 7.0.0.0 7720 Bytes 19/04/2007 20:10:07
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/09/2007 22:20:42
RCTEXT.DLL : 7.0.62.0 86056 Bytes 07/09/2007 22:20:42
SQLITE3.DLL : 3.3.17.1 339968 Bytes 07/09/2007 22:20:55

Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\Alain\LOCALS~1\Temp\9412ed49.avp
Logging..........................: low
Primary action...................: repair
Secondary action.................: quarantine
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: dimanche 30 mars 2008 11:20

Starting the file scan:

Begin scan in 'C:\Program Files\AGEod's American Civil War\AGESettings.exe'
C:\Program Files\AGEod's American Civil War\AGESettings.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '48345bbd.qua'!


End of the scan: dimanche 30 mars 2008 11:20
Used time: 00:04 min

The scan has been done completely.

0 Scanning directories
1 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
0 Files not concerned
0 Archives were scanned
0 Warnings
0 Notes
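As an added illustration (not code from the thread or from Avira), a small parser for the AntiVir report layout quoted above: it pairs each [DETECTION] line with the file scanned just before it and its quarantine id, and flags generic families such as TR/Crypt.XPACK.Gen as the hits that deserve a second opinion (online scanner, vendor submission) before the file is trusted or deleted. The sample report is constructed from the quoted layout; the second detection (TR/Dropper.Example.A) and the ".Gen"/"HEUR/" naming rule are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the layout of the AntiVir report quoted in the post.
# The second file and its detection name are invented for the example.
SAMPLE_REPORT = r"""
File heuristic...................: medium

Begin scan in 'C:\Program Files\AGEod's American Civil War\AGESettings.exe'
C:\Program Files\AGEod's American Civil War\AGESettings.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '48345bbd.qua'!
Begin scan in 'C:\tools\sample.exe'
C:\tools\sample.exe
[DETECTION] Is the Trojan horse TR/Dropper.Example.A
[INFO] The file was moved to '11112222.qua'!
"""

# Assumption: a ".Gen" suffix or "HEUR/" prefix marks a generic/heuristic verdict,
# i.e. a packer or behaviour pattern rather than a specific known sample.
GENERIC_RE = re.compile(r"(\.Gen$|^HEUR/)")
QUARANTINE_RE = re.compile(r"moved to '([^']+)'")


@dataclass
class Detection:
    path: str
    name: str
    quarantine_id: Optional[str]
    generic: bool


def parse_report(text: str) -> List[Detection]:
    """Walk the report and attach each [DETECTION] to the most recent 'Begin scan in' path."""
    detections: List[Detection] = []
    current_path: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Begin scan in '"):
            # Only strip the closing quote; the path itself may contain apostrophes.
            current_path = line[len("Begin scan in '"):].rstrip("'")
        elif line.startswith("[DETECTION]") and current_path:
            name = line.split()[-1]  # the signature name is the last token
            detections.append(Detection(current_path, name, None, bool(GENERIC_RE.search(name))))
        elif line.startswith("[INFO]") and detections and detections[-1].quarantine_id is None:
            m = QUARANTINE_RE.search(line)
            if m:
                detections[-1].quarantine_id = m.group(1)
    return detections


def review_candidates(detections: List[Detection]) -> List[Detection]:
    """Generic hits are the usual false-positive suspects; queue them for a second opinion."""
    return [d for d in detections if d.generic]
```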

boudi (Date of registration: Mar 30th 2008; Location: Saint-Etienne, France)

2

Sunday, March 30th 2008, 1:05pm

Sorry: I forgot the most important word: thanks! :]

Barrie

Community member (Date of registration: Jan 31st 2006; Version: AntiVir Premium, AntiVir Personal Unix/Linux, Avira Prem. Security Suite; Operating System: Vista home basic SP2 / XP Home SP3 / Linux Fedora 11 XFCE spinoff; Location: UK / Suisse)

3

Sunday, March 30th 2008, 1:28pm

Hello boudi,

Welcome to the forum board. If you feel this is definitely a false positive then you can add it to your Guard exceptions list. I would also send it to the Avira virus lab here for analysis under the heading Suspected false positive (not malware), and if it is a FP then Avira will fix it through an update.


Regards
Barrie
Virusscan.jotti - Safe Mode XP - Safe Mode Vista - HijackThis - Avira Knowledge Base -

Sorry no help Via PM please post on the forum thank you - Kein Support per PM - Bitte im Forum posten danke.

boudi (Date of registration: Mar 30th 2008; Location: Saint-Etienne, France)

4

Sunday, March 30th 2008, 10:52pm

OK, thank you, I sent the file now.

I'm waiting for the result. ;) During this time I put the suspicious file back in quarantine.

boudi (Date of registration: Mar 30th 2008; Location: Saint-Etienne, France)

5

Monday, March 31st 2008, 10:45am

It's certainly a false positive.

AGESettings.exe is a program of the game American Civil War.

Look at this thread, found on the official forum of the game:

All AntiVir users who are American Civil War players have had a false alert for two days, I suppose. :D

http://www.ageod.com/forums/showthread.php?t=8368

This post has been edited 1 times, last edit by "boudi" (Mar 31st 2008, 10:49am)

Barrie

Community member (Date of registration: Jan 31st 2006; Version: AntiVir Premium, AntiVir Personal Unix/Linux, Avira Prem. Security Suite; Operating System: Vista home basic SP2 / XP Home SP3 / Linux Fedora 11 XFCE spinoff; Location: UK / Suisse)

6

Monday, March 31st 2008, 8:40pm

Hi boudi,

This is good news, ;) and thank you for the feedback. Also, have you heard back from the lab yet re your submission?

Regards
Barrie

boudi (Date of registration: Mar 30th 2008; Location: Saint-Etienne, France)

7

Tuesday, April 1st 2008, 9:32am

Yes, yesterday: it's a false positive! I'm impressed by how fast you answered.

You are very serious and efficient, thanks!

This post has been edited 1 times, last edit by "boudi" (Apr 1st 2008, 9:33am)

Barrie

Community member (Date of registration: Jan 31st 2006; Version: AntiVir Premium, AntiVir Personal Unix/Linux, Avira Prem. Security Suite; Operating System: Vista home basic SP2 / XP Home SP3 / Linux Fedora 11 XFCE spinoff; Location: UK / Suisse)

8

Tuesday, April 1st 2008, 9:39am

Hi boudi,

No problem, I am just pleased it has been fixed for you :) safe surfing.

Regards
Barrie