A-Squared Found TWO Trojans That AVAST! Missed

I have AVAST! on my computers and it runs every morning at 2:00am… It updates all the time so it has the most current definitions, etc…

It has come up clean every time… but my computer was still running very slowly and acting strangely…

So, I went back to an old program I like to use called A-SQUARED by Emsi Soft… I think it’s a pretty good program.

I updated its definitions and ran a scan… VOILA! It found TWO Trojans that AVAST! missed.

Trojan.Win32.Patcher.fl!A2

  • c:\WINDOWS\$NtServicePackUninstall$\ntkrnlmp.exe.ooo

and

Trojan.Win32.Genome.gofh!A2

  • c:\WINDOWS\System32\dllcache\find.exe
  • c:\WINDOWS\System32\find.exe

Wonder why AVAST! didn’t pick up on these?

Haven’t tried to remove them yet… (Scan isn’t quite finished) … I’ll let you know how that goes as soon as I can.

Most likely because they’re all false positives?

Found this comment from somebody who had Genome:

ESO, March 3rd, 2010 at 11:02 pm:

I’m not sure why it’s labeled “LOW RISK” – when I quarantined this last night it took important drivers with it, and crashed my machine.

Mine is labeled “HIGH RISK” … wonder if I should quarantine or remove it when the time comes? ???

Which means that the “trojans” most likely were legitimate system files without which drivers failed to work.

Check files a-squared detects as trojans at virustotal.com

Cool. Thanks… I’ll try that.

Incidentally, I was able to quarantine them without any trouble… :-\

I went to VirusTotal and ran it through… Do you want me to post what it says? (There’s a BUNCH of stuff.)

This is the first thing I see…

File has already been analysed: MD5: 626309040459c3915997ef98ec1c8d40 First received: 2009.05.22 20:37:29 UTC Date: 2010.02.24 19:34:40 UTC [>28D] Results: 0/41 Permalink: analisis/f5227376ec2b6a4fc3b4a01ee2bc6b9fd01b1cabf5f2cd6dc68d2f8ec5d3f7c5-1267040080

I click on the permalink and this is the first thing I see...

File ntoskrnl.exe received on 2010.02.24 19:34:40 (UTC) Current status: finished Result: 0/41 (0.00%)

When you are presented with “this file has been scanned before,” or words to that effect, always have VT rescan it, as that permalink shows the last scan was over a month ago, which is a very long time in virus terms. However, since it has the same MD5 as the one you uploaded, 0/41 is a pretty clear indication of a false positive by a-squared.

Just post the link (URL) to the virustotal results page, the one that appears in the browser address bar.

http://www.virustotal.com/analisis/f5227376ec2b6a4fc3b4a01ee2bc6b9fd01b1cabf5f2cd6dc68d2f8ec5d3f7c5-1267040080

Yes, a big fat false positive by a-squared (on your system), but strangely (well, not so strange) it isn’t detected by a-squared on that set of results. Here is why: as I said, it is an old submission (“File ntoskrnl.exe received on 2010.02.24”) and you really should have had VT scan the file again.

This looks like a-squared have updated their virus database and now detect that file as infected (still, I believe, an FP if no other scanners detect anything); a-squared does have a lot of false positives.
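The checks the replies above describe (hash the file locally, confirm the cached VirusTotal report is for the same MD5, and treat a report older than about a month as stale and ask for a rescan) as a small script. This is an added example, not code from the thread or from VirusTotal or Emsisoft; the summary line it parses is the one the poster pasted, the 28-day staleness threshold is an assumption taken from the "[>28D]" marker in that line, and the "now" timestamp is passed in explicitly so the result is reproducible.

```python
import hashlib
import re
from datetime import datetime, timezone

# The "File has already been analysed" summary exactly as pasted in the thread.
# Used here as sample input; the MD5 and dates are the poster's, not constructed.
SAMPLE_SUMMARY = (
    "File has already been analysed: MD5: 626309040459c3915997ef98ec1c8d40 "
    "First received: 2009.05.22 20:37:29 UTC Date: 2010.02.24 19:34:40 UTC [>28D] "
    "Results: 0/41 Permalink: analisis/f5227376ec2b6a4fc3b4a01ee2bc6b9fd01b1cabf5f2cd6dc68d2f8ec5d3f7c5-1267040080"
)

# Fields we need from that summary: the hash the cached report belongs to,
# when that scan ran, and how many engines flagged the file.
SUMMARY_RE = re.compile(
    r"MD5:\s*(?P<md5>[0-9a-fA-F]{32}).*?"
    r"Date:\s*(?P<date>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) UTC.*?"
    r"Results:\s*(?P<hits>\d+)/(?P<engines>\d+)",
    re.DOTALL,
)

# Assumption: a cached report older than this should be rescanned (the page's
# "[>28D]" marker is read as "older than 28 days").
MAX_REPORT_AGE_DAYS = 28


def parse_summary(text):
    """Extract md5, scan time (UTC), detection count and engine count."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("not a VirusTotal 'already analysed' summary")
    scanned = datetime.strptime(m.group("date"), "%Y.%m.%d %H:%M:%S")
    return {
        "md5": m.group("md5").lower(),
        "scanned": scanned.replace(tzinfo=timezone.utc),
        "hits": int(m.group("hits")),
        "engines": int(m.group("engines")),
    }


def digest_bytes(data):
    """MD5 (what the old VT page shows) and SHA-256 (what to record today)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_digests(path):
    """Hash a file on disk in chunks so large system binaries do not need to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def assess(report, local_md5, now, max_age_days=MAX_REPORT_AGE_DAYS):
    """Decide whether a cached report can be trusted for the file you actually have.

    matches_report: the cached result really is for your file (same MD5).
    rescan_recommended: the report is stale (or for another file) and VT should rescan.
    """
    same_file = report["md5"] == local_md5.lower()
    age_days = (now - report["scanned"]).days
    return {
        "matches_report": same_file,
        "age_days": age_days,
        "detections": f"{report['hits']}/{report['engines']}",
        "rescan_recommended": (not same_file) or age_days > max_age_days,
    }


if __name__ == "__main__":
    import sys
    report = parse_summary(SAMPLE_SUMMARY)
    # Hash whatever file is given on the command line and compare it with the cached report.
    local = file_digests(sys.argv[1])
    print(assess(report, local["md5"], datetime.now(timezone.utc)))
```

Run it as `python vtcheck.py C:\WINDOWS\System32\find.exe` (or any file you were about to upload). If `matches_report` is false, the cached page is about a different file and says nothing about yours; if it is true but `rescan_recommended` is set, the verdict predates the signature update that caused the detection, which is exactly the situation the last two replies describe.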