found 2 files in my temp appdata folder

Lotan · April 7, 2016, 8:01pm

https://virustotal.com/en/file/5c8242f1822dfab6f730623c91bf16118315b2154b050932c1a39fe2932862b7/analysis/1460059053/
and
https://virustotal.com/en/file/ad04cebdeb9e4d8a8fa0051ea509a0239f56005b3743f4e26fd76739f9071730/analysis/1460058939/

not detected by avast but thankfully i dont think it did anything to my computer as theyve been there for a while inactive virus total reads them as ransomware

Eddy · April 7, 2016, 8:05pm

Please submit them to avast :
https://www.avast.com/faq.php?article=AVKB258

Lotan · April 7, 2016, 8:11pm

should i upload my logs to see if my pc is ok?

Pondus · April 7, 2016, 8:16pm

First submission 2015-12-22 18:24:42 UTC ( 3 months, 2 weeks ago )

CopyrightCopyright © 2015 Product SHandler Original name SHandler.exe Internal name SHandler.exe File version 1.0.0.0 Description SHandler

First submission 2015-12-22 18:24:41 UTC ( 3 months, 2 weeks ago )

CopyrightCopyright © 2015 Product MWorker Original name MWorker.exe Internal name MWorker.exe File version 1.7.4.3 Description MWorker

This old and so few detections … could be FP

Lotan · April 7, 2016, 8:25pm

they were named VersionChecker.exe and VersionUpdater.exe and they both had a config file with them with the same name except .config at the end. I have no idea what they belonged to and according to the properties they were created on my pc on the 25th of march at 9:16am and the closest internet thing i did was accidently open the onedrive website by clicking the tray icon at 9:08. and this was right after i did a reinstall of windows as well.

Pondus · April 7, 2016, 8:38pm

This is what Avira say

132348382 VersionChecker.exe 15 KB KNOWN CLEAN
132348383 VersionUpdater.exe 16 KB KNOWN CLEAN

will ask F-Secure if “VersionUpdater.exe” is a false positive

Lotan · April 7, 2016, 8:47pm

so its a false positive then? i just freaked out when virus total said it was ransomware and the other was an AV disabler as ransomware is my biggest fear.

Pondus · April 7, 2016, 8:54pm

yepp, you see AegisLab call it ransomware and the other is called Application.AVDisable all those AV using that name are using Bitdefender AV engine so there is actually only two detections on that file

almost, if you click the additional information tab and scroll to the bottom you will also see TrendMicro detect it as suspicious and also suspicious by F-Secure second engine

Pondus · April 8, 2016, 5:51am

This is the message from F-Secure

==================================================================
The sample you submitted was found to be riskware and it’s properly detected as Application.AVDisable.C

So one of those files some will detect and others dont

Scanning the files at metadefender.com there AegisLab give a different detection name - DangerousObject.Multi.Gen.lHXk

Lotan · April 8, 2016, 5:55am

what does that mean?

Pondus · April 8, 2016, 5:57am

Riskware / Dangerous object a program that can be used for good or bad so detected because of what it can do

found 2 files in my temp appdata folder

================================================================== The sample you submitted was found to be riskware and it’s properly detected as Application.AVDisable.C

Announcements

==================================================================
The sample you submitted was found to be riskware and it’s properly detected as Application.AVDisable.C