When I ran avast! 4.8 - Home Edition today using thorough scan with scan archive files on, I discovered a trojan by the name of Win32:Downloader-BKV. The infected file is called IWD2CustomDll.exe, and is currently quarantined in the virus chest.
The file itself is a mod for Icewind Dale II and it was downloaded from this site specializing in CRPGs (Computer Role-Playing Games): http://www.sorcerers.net/.
Now, I’m not sure if it’s a false positive or not, so I’m keeping it in quarantine until someone more knowledgeable can confirm it. I’m 100% sure that I haven’t actually run the file, so does that mean it hasn’t activated on my computer (if it’s indeed a trojan)?
I haven’t noticed anything suspicious going on with my computer at least. I have run Ad-Aware SE Personal, COMODO Firewall Pro scanner and Spybot - Search & Destroy, all w/ the latest definition files, but none of them showed any harmful entries.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
The avast detection isn’t listed either (a common issue with VT’s database not being as up to date as the users), so that would add another detection to the list.
Most of the detections are by signature rather than generic or heuristics.
Googling the malware name often returns poor results because there is no standardisation or convention on malware naming; a search on the file name is often more productive.
However it is worth submitting to avast for additional analysis.
I do see avast! detection on VT, fourth from the top. See screenshot below. I’m currently deep scanning my system with SAS and MBAM, I’ll post again after they’re done.
Your action should be to send it to the chest as previously mentioned (if not already there), never delete (you have no more options), and submit the sample from the chest as a possible false positive as in the link in my first reply.
You should allow MBAM to quarantine the two Registry Data Items Infected that it found.
Edit: Having said that, MBAM didn’t show the values that are in the entries (see image of my values in the data column). Most of the time this will be 0x00000001 (1), which means show, and 0x00000000 (0), which means hide.
Now they should only be set to (0) if you manually changed the settings in Start Properties or the registry. You can check the values in the registry by manually following the registry path given by MBAM using regedit (from the Run window) and report your findings.
Yes, I’ve already sent the file to avast, and I was referring to deleting it from the chest afterwards (where it has been all along aside from scan tests). I included this topic’s link with the file sent.
As for the MBAM findings, they proved to be my own customizing of the start menu. Nothing to worry about there.
Should I just wait for a reply from avast now or what?
Why delete it? It might be a valid file, and you have to leave it in the chest so you can scan it periodically ‘in’ the chest. When it is no longer detected (the virus signatures will have been updated if it truly was an FP), then you can restore it, remove any exclusions you might have created for it and then delete it from the chest.
@DavidR
Because I don’t have any real need for the file, as it doesn’t count among the mods I use for the previously mentioned game. It’s just a piece that I had archived, and therefore non-essential.
Edit: Plus, I know where I can download the file when I want to check if it was a false alarm later. In fact the link is in my first post, should anyone else want to confirm it for themselves.
@Spiritsongs
I know they did, but it’s possible to update the definitions manually, which is what I have done so far. I consider the 2008 version a bloated piece of software, so I don’t use it. Spybot - S&D is my primary spyware scanner anyway.
Yes, I ran SAS and MBAM when wyrmrider suggested it. I’ll probably replace Ad-Aware with SuperAntiSpyware, as it seems to have good scanning accuracy from what I’ve read about it.