How to interpret virus detection

Hi,

my Avast (2015.10.0.2208 with signatures 150216-0) reports suspicious activity (see attachment). There are 2 files mentioned: One is the “object” (ctfxwlauncher) and one the “process” (rundll32). Now which one is the actual virus? Or what is so suspicious about them? Explicit scanning of both files did not find anything.

Thanks in advance,
Alex

win32:Evo-Gen [susp] = Suspicious … an on-access detection only, and it will not show in any scan

Process is the one starting the activity and Object is the detected file

Upload and test the file (ctfxwlauncher.exe) here: www.virustotal.com. If it was tested before, click rescan for a fresh result.
Post the link to the scan result here.

Thanks for your quick reply and the explanation.
I’ve already tested the file on virustotal before. Here’s the result:
https://www.virustotal.com/de/file/4b74e3aa3ade083f03984e87f8d67da72d9a7bbaaacef23dd1dd28dcfcd14dca/analysis/1424096044/

Rundll32 is also clean.
I’ll have to check what it is executing next time the issue appears. Maybe some explorer plugin or the like.

Alex

You can report a possible FP here: https://www.avast.com/contact-us.php?subject=VIRUS-FILE

But if it’s the interaction between rundll32 and ctfxwlauncher that is suspicious, then reporting ctfxwlauncher as FP could be misleading, couldn’t it? I think I’ll rather do some more investigation before.

Thanks,
Alex

  1. Not really, as the guys in the viruslab always have the final word. :wink:
  2. Well, that’s up to you.

ctfxwlauncher.exe First submission 2013-11-13 01:07:14 UTC ( 1 year, 3 months ago )

Hi Pondus,

sorry, but may I ask you to explain what your last post is supposed to tell me? I don’t get it.

Alex

There should be lots of detections on a file that old if it was infected; if it is very new, it may not be detected yet.

Example … very old malware, the file infector Sality:

First submission 2010-03-16 17:20:01 UTC ( 4 years, 11 months ago )
https://www.virustotal.com/en/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/

This was new 5 days ago … a fake FedEx mail attachment:
https://www.virustotal.com/en/file/6dce201592cabc16afa0775cabea10377d7a3f7e7aacba777e2fbd3fae54aafc/analysis/1423616065/

Two days later:
https://www.virustotal.com/en/file/6dce201592cabc16afa0775cabea10377d7a3f7e7aacba777e2fbd3fae54aafc/analysis/
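An added helper (my own example, not Avast's or VirusTotal's code) that turns the advice in this thread into a small triage routine: the Object, not the Process, is the file to upload, and a VirusTotal result is judged by its first-submission age, its detection count and how stale the last analysis is. The alert line format, the detection counts and the thresholds are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed alert text shaped like the thread's description (not Avast's real log format).
ALERT = ("Process: C:\\Windows\\System32\\rundll32.exe | "
         "Object: C:\\Tools\\ctfxwlauncher.exe | Detection: win32:Evo-Gen [susp]")
ALERT_RE = re.compile(r"Process: (?P<process>.+?) \| Object: (?P<object>.+?) \| Detection: (?P<det>.+)$")
FIRST_SUB_RE = re.compile(r"First submission (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")

def file_to_submit(alert: str) -> str:
    """The Object is the flagged file to upload; the Process merely started the activity."""
    m = ALERT_RE.match(alert)
    if not m:
        raise ValueError(f"unrecognised alert line: {alert!r}")
    return m.group("object")

def _utc(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_first_submission(line: str) -> datetime:
    """Pull the timestamp out of a VirusTotal 'First submission ... UTC ( ... ago )' line."""
    m = FIRST_SUB_RE.search(line)
    if not m:
        raise ValueError(f"no first-submission timestamp in: {line!r}")
    return _utc(m.group(1))

def triage(first_submission_line: str, positives: int, total: int,
           last_analysis: str, now: str, old_days: int = 365, stale_days: int = 1) -> str:
    """Thread's rule of thumb: many engines flagging it = malicious; a stale result gets
    rescanned first; a very new file may not be detected yet; an old unflagged file is likely an FP."""
    age = _utc(now) - parse_first_submission(first_submission_line)
    if positives >= max(3, total // 10):            # broad agreement across engines
        return "likely-malicious"
    if _utc(now) - _utc(last_analysis) > timedelta(days=stale_days):
        return "rescan-now"                          # old result: click rescan first
    if age < timedelta(days=old_days):
        return "too-new-rescan-later"                # signatures may simply not exist yet
    if positives == 0:
        return "likely-fp"                           # old, widely scanned, never flagged
    return "inconclusive"

def demo() -> dict:
    # Cases modelled on the thread; the engine counts are made up, not VirusTotal's figures.
    now = "2015-02-16 14:00:00"
    return {
        "ctfxwlauncher": triage("First submission 2013-11-13 01:07:14 UTC ( 1 year, 3 months ago )",
                                0, 57, now, now),
        "sality": triage("First submission 2010-03-16 17:20:01 UTC ( 4 years, 11 months ago )",
                         45, 57, now, now),
    }
```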

Good point. So my intention to look for a different cause was right.