I have found Win32:Trojan-gen in the C:\WINDOWS\System32\con.eaa file. Avast home was unable to scan it, maybe because the name “con” is reserved to the system. After renaming it to aaacon.eaa, avast home detected it.
How exactly did you scan the original file?
- The standard boot-scheduled avast-home wasn’t able to find it.
- From M$ explorer, I clicked on the file with the right button and “scan con.eaa”. No answer was given by avast.
- Then I renamed it from the DOS prompt: ren \\?\C:\WINDOWS\system32\con.eaa xcon.eaa. I have never seen this UNC syntax, but this UNC is the same I found in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, where the trojan is started.
- Now from M$ explorer, I clicked on the file with the right button and “scan xcon.eaa”. Avast told me that the file is a Win32:Trojan-gen.
I’m curious about this behavior… strange, isn’t it?
I’ll check it (and hopefully improve somehow).
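An added example, not part of the thread and not avast's code: a Python check that audits an AppInit_DLLs string for entries whose file name is a reserved DOS device name or that use the \\?\ prefix, and returns the prefixed path a scanner would have to open. The sample value is constructed from the path quoted above plus a hypothetical example.dll; entries are assumed to be absolute paths separated by spaces or commas.

```python
import re

# Legacy DOS device names reserved by Win32 path parsing, with or without an extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}
RAW_PREFIX = "\\\\?\\"  # the four characters \\?\ that switch off Win32 name normalization

def reserved_component(path):
    """Return the first path component that names a DOS device, or None."""
    body = path[len(RAW_PREFIX):] if path.startswith(RAW_PREFIX) else path
    for part in re.split(r"[\\/]", body):
        # Legacy parsing ignores everything after the first dot: "con.eaa" is treated as CON.
        stem = part.split(".", 1)[0].rstrip(" ").upper()
        if stem in RESERVED:
            return part
    return None

def to_raw_path(path):
    """Form of an absolute path that reaches the file system without normalization."""
    return path if path.startswith(RAW_PREFIX) else RAW_PREFIX + path.replace("/", "\\")

def audit_appinit(value):
    """Return (entry, path_to_open, reasons) for each suspicious AppInit_DLLs entry."""
    findings = []
    for entry in filter(None, re.split(r"[ ,]+", value.strip())):
        reasons = []
        if entry.startswith(RAW_PREFIX):
            reasons.append("uses \\\\?\\ prefix")
        hit = reserved_component(entry)
        if hit:
            reasons.append(f"reserved device name in '{hit}'")
        if reasons:
            findings.append((entry, to_raw_path(entry), reasons))
    return findings

# Constructed sample: the path from the thread plus a hypothetical benign entry.
SAMPLE = r"\\?\C:\WINDOWS\system32\con.eaa, C:\WINDOWS\system32\example.dll"

if __name__ == "__main__":
    for entry, open_as, reasons in audit_appinit(SAMPLE):
        print(f"{entry}: {'; '.join(reasons)} -> open as {open_as}")
```
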