Avast 5

Hi Guys,
I recently purchased Avast 5 Internet Security and after running a full scan, results all clear, out of curiosity, I then ran SAS free and it picked up “Trojan Agent Gen-Cryptor Egun”. Surely Avast 5 IS should have picked this up?

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?

Looks like,

C:\APPS\ISPSELEC\ISPSELEC.EXE
It’s in the SAS quarantine bin.

It would be interesting if you could submit it to VirusTotal
http://www.virustotal.com/

Would if I could find it. I found the SAS folder, but can’t see the quarantine folder, is it a hidden folder? :-\

Double click the SAS tray icon, Manage Quarantine, see image, that will allow you to restore and be able to upload to virustotal (VT) for scanning and post the URL for the results page.

If there are multiple detections on VT - Send the sample to avast as an Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

After adding it to the avast chest, run SAS again and allow it to be quarantined again.

Done

http://www.virustotal.com/analisis/f4bb15c9c192933a87db2f3c2644f74248ceb18caa7365126789027782694658-1253568512

so there’s nothing ??? >> SAS FP probably

Whilst this does look like an FP, the file name doesn’t match that reported by you first off. When you restore it from the SAS Quarantine, you should get the original file name that you reported, C:\APPS\ISPSELEC\ISPSELEC.EXE, from that location and upload that. So I don’t know what SAS has done with the original file name?

Well I ran SAS again, sure enough it picked it up, here it is in the quarantine folder

http://i100.photobucket.com/albums/m13/bruno99xx/EasyCapture1.jpg

BTW, I scanned the folder with Avast, no results

That is the point of a quarantine folder: it should encrypt the contents to keep prying eyes out, blocking the file from being run. If you highlight the file in the quarantine and select restore, that should send the file back to the original location with the original file name. That is why I expressed surprise at the file name you uploaded to VT, so I don’t know if you sent the right one.

Now you need to ensure that the right one gets sent to VT and scanned and if it comes back as clean, then you could on the next scan exclude it from future scans. However, before doing that I would look at another anti-malware scanner as a further step and see what that finds, if anything.

MalwareBytes Anti-Malware (MBAM), On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

Thanks for the help David, I’ll give that a go tomorrow :wink:

You’re welcome, until then.

Hi Guys,

I ran MBAM and it didn’t pick it up, nor did Spybot S&D, Avast 5, and just for the hell of it, Windows Defender.

http://i100.photobucket.com/albums/m13/bruno99xx/smiley.jpg

FP you reckon?

Highly likely it is an FP, so when you next run an SAS scan you can elect to Ignore/exclude this file in future. Ideally you should send/report this sample to SAS as an FP.
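
The question raised in the thread, whether the file uploaded to VT was really the one SAS flagged, can be settled by hash rather than by file name. The following is an added example, not part of the original posts; it assumes the results link has the form `<sha256>-<unix timestamp>`, and the file in the demo is a constructed stand-in.

```python
import hashlib
import re
import tempfile
from datetime import datetime, timezone

# Assumed permalink layout: .../analisis/<sha256 hex>-<unix timestamp>
PERMALINK = re.compile(r"/analisis/([0-9a-fA-F]{64})-(\d+)/?$")


def parse_permalink(url):
    """Return (sha256_hex, report_time_utc) from a results link."""
    m = PERMALINK.search(url.strip())
    if m is None:
        raise ValueError("not a <sha256>-<timestamp> results link")
    when = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1).lower(), when


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large executables are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def check_upload(path, url):
    """Compare a restored file with the sample a results link refers to."""
    report_hash, report_time = parse_permalink(url)
    local_hash = sha256_file(path)
    return {"match": local_hash == report_hash, "local_sha256": local_hash,
            "report_sha256": report_hash, "report_time": report_time}


if __name__ == "__main__":
    # Constructed stand-in for the restored file; not the thread's sample.
    with tempfile.NamedTemporaryFile(suffix=".exe", delete=False) as tmp:
        tmp.write(b"MZ constructed sample bytes")
    thread_link = ("http://www.virustotal.com/analisis/f4bb15c9c192933a87db2f3c"
                   "2644f74248ceb18caa7365126789027782694658-1253568512")
    result = check_upload(tmp.name, thread_link)
    print("same file as the report:", result["match"])
    print("report generated:", result["report_time"].isoformat())
```

A mismatch means the report describes a different file, so a clean result says nothing about the one that was quarantined.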