MBAM scan sent Win32: Malware-gen to Avast Virus chest

I need a bit of help again. I ran MBAM and SAS on 3 User accounts starting with my Admin. Acct.- MBAM scan sent to Avast Virus Chest - C:\Program Files\csengine 16.exe - Last changed: 6/23/2000 - Virus: Win 32: Malware-gen.

When I bought this Dell PC, I tried installing an old security program Cyber Sentinel version 1.0.6.006 (Windows 98 program that I had used on a previous Windows XP PC). I have installed in Add/Remove Programs a later version 3.5.9.0 of Cyber Sentinel that I had purchased as an on-line d/l to keep “Content” clean on the PC. Up till today, I have not had any problems for over 2 years with the later version. Belarc Advisor does report that I have some parts of Cyber Sentinel v 1.0.6.006 remaining in a folder. I don’t want to actually dig into the registry to make changes as I don’t know if deleting the csengine 16.exe will have any effect on the later version 3.5.9.0 (csengine 32.exe), as MBAM and SAS are reporting no malware at present. (csengine 32.exe is the only program showing in my On-line Armor firewall.)

I scanned the old program remains (Last Changed 6/23/2000) in the virus chest and it reports it as a virus along with having done a virus scan after. So, I now have 3 listings in the Chest since doing a Quick AV Scan showing as viruses.

Could this be an FP and, if so, what steps would I have to go through? In the past, I have excluded an entry from being scanned. Seems I had to create a Suspect C folder, but the old memory is not too clear as it has been a while. I don’t have any idea if the old Suspect C folder has to be deleted or if you can just add entries to the old folder.

I’m using Avast! Free AV v5.0.462.

Thanks, Ron

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder.

If you have the old suspect folder just ensure that it is excluded from scans whilst you have files in it.

Hi DavidR,

I submitted both files to VirusTotal and added the C:\Suspect folder to My Exclusions. From what I see and if I understand what I read; the files were Suspect back in 2007.

So, I guess a new scan should not show the excluded folder items.

Do I Delete or Restore the 3 items within the Chest???

I had problems with the scan bar showing 100% at the start of a Quick Scan and I was curious before if the Progress Bar was working; hence I had run a scan before that caused the Restored finding. The scan bar is working as it should now.

Thanks again, DavidR.

What were the URLs for the results of the two VT scans ?

I can’t comment on why ‘you understand on what you read’ as I can’t see what you read, which is why we always ask to see the results.

So I can’t advise what to do with the 3 files in the chest, as again I haven’t any information on what they are; malware name, file name, original location and of course the results of the VT scans.

Virus Chest files have been submitted to virus lab on next upload.

C:\Program Files\csengine 16.exe - 6/23/2000 1:44:40 PM - Win 32: Malware-gen

VirusTotal reports File has already been analysed.
First received: 2007.05.11
Date: 2007.07.18
Results: 2/32

A0222462.exe - C:\System Volume Information_restore(2… - 6/23/2000 1:44:40 PM - Win 32: Malware-gen

I hope this is the information you need. I was trying to copy and paste the info from the chest, but Firefox would not allow me to copy & paste to my reply. ??

Ron

Unfortunately not, as the information from the VirusTotal results isn’t there.

Now if that is what you were referring to, Firefox not allowing you to copy and paste, it won’t be Firefox blocking that, more like the forum software, but I don’t know as I don’t know what you were trying to copy and paste.

Again, it is the VT results; all you need do is copy the URL in the address bar, see image.
If the only two detections were avast and GData then it is likely that they were false positive detections.

I ran another scan and Suspect exclusions folder has not excluded items from being scanned. I now have (9) entries shown in the Chest. Help! I’m getting deeper and deeper here. I’ll submit to VirusTotal findings again and will copy the URL results.

I thought for sure that the scan would not pick up the items with being excluded.

Hope this is what you want. I submitted the findings yesterday.

http://www.virustotal.com/reanalisis.html?d74c00cb4dfa5091aaba1b426f6a4ea678300f99e9ad40f3d18e15d6647c2011-1270646998

This is the page for the restore
http://www.virustotal.com/reanalisis.html?d74c00cb4dfa5091aaba1b426f6a4ea678300f99e9ad40f3d18e15d6647c2011-1270647265

I had to create a new sub folder as the Suspect folder only had two old entries shown. Hence, that was why the scan found it again. I suppose I’ll have to exclude the new folder entries.

What other scan have you run, avast or mbam ?

If you run avast on-demand scans whilst you have files in the suspect folder, yes avast will find them, because the exclusion you have done is specifically for the file system shield so that you can extract them from the chest and upload to virus total.

It will not exclude them from on-demand scans. If you want it to do that you would need to add the exclusion to the Main avast Settings, Exclusions.

It doesn’t matter that you now have 9 files in the chest, you are no deeper than before, you just have duplicates in the chest.

David, that new sub folder I created is listed as (C:\C Suspect\C Suspect*). I didn’t know if you could make the folder C:\C Suspect 1 or another number to show a difference in folders. I added the folder to be excluded from scans.

Yesterday, I submitted the (2) virus items to the virus lab.

Right, from your VT results the copy in the system restore’s restore point is basically an exact copy of what was removed, the csengine16.exe, only with a different name allocated by system restore when it creates the restore point. So that one can be deleted as we only have the original to be concerned with.

The csengine16.exe has 5 of 39 detections, 3 of which are avast/gdata, which counts really as 1 detection. The other 2 detections have the same malware name (W32/VB-Backdoor-HRS-based!Maximus) and I believe they may be using the same signature database, and that too looks like a generic/heuristic signature, which are prone to false positives.

So the upshot is that I think there is a strong probability that this is an FP and you should send the sample to avast from the chest for analysis on the single file csengine16.exe.

I don’t know how you are copying and pasting the URL, as it doesn’t show the displayed information, you have to have the file re-analysed rather than just viewing the results, see images.
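An added example, not code from the thread or from Avast: a small Python helper that applies the counting rule DavidR uses above to VirusTotal-style results, collapsing engines that share one scanning engine (avast and GData, as the post states) and engines that report an identical detection name. The "avast5" member of the shared group, the "EngineA"/"EngineB" names and the whole sample scan are constructed assumptions.

```python
# Constructed shared-engine table: engines listed together are assumed to run
# one engine over one signature set. avast/GData comes from the post;
# "avast5" is a constructed extra member.
SHARED_ENGINE_GROUPS = {
    "avast-engine": {"avast", "gdata", "avast5"},
}


def independent_detections(results, shared_groups=SHARED_ENGINE_GROUPS):
    """results: dict of engine name -> detection name (None or "" = clean).

    Returns (independent_count, total_engines, merged_groups). Step 1 merges
    engines that share a scanning engine; step 2 merges families whose
    detection names overlap, on the assumption they share a signature DB."""
    engine_to_group = {m.lower(): g for g, ms in shared_groups.items() for m in ms}

    # Step 1: collapse engines that share a scanning engine into one family.
    families = {}
    for engine, name in results.items():
        if not name:
            continue
        key = engine_to_group.get(engine.lower(), engine.lower())
        fam = families.setdefault(key, {"engines": set(), "names": set()})
        fam["engines"].add(engine)
        fam["names"].add(name)

    # Step 2: union every family whose detection names overlap with another.
    merged = []
    for fam in families.values():
        new = {"engines": set(fam["engines"]), "names": set(fam["names"])}
        for m in [m for m in merged if m["names"] & new["names"]]:
            new["engines"] |= m["engines"]
            new["names"] |= m["names"]
            merged.remove(m)
        merged.append(new)

    return len(merged), len(results), [m["engines"] for m in merged]


# Constructed sample mirroring the 5-of-39 result discussed in the thread:
# 34 clean engines plus three avast-engine hits and two hits sharing one name.
SAMPLE_RESULTS = {f"clean_engine_{i:02d}": None for i in range(34)}
SAMPLE_RESULTS.update({
    "Avast": "Win32:Malware-gen",
    "Avast5": "Win32:Malware-gen",                      # constructed engine name
    "GData": "Win32:Malware-gen",
    "EngineA": "W32/VB-Backdoor-HRS-based!Maximus",     # constructed engine name
    "EngineB": "W32/VB-Backdoor-HRS-based!Maximus",     # constructed engine name
})

if __name__ == "__main__":
    count, total, groups = independent_detections(SAMPLE_RESULTS)
    print(f"{count} independent detection(s) out of {total} engines: {groups}")
```

Two independent detections out of 39 engines, one of them a generic/heuristic name, is the situation the post calls a likely FP; the helper only counts, the judgement stays with the analyst.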

New MBAM scan done after getting latest updates and PC is clean.

Objects infected: 0

(No Malicious Items detected.)

Ron

You really are making life hard for yourself, there is/was no need to create another suspect folder if you already had one use that and just ensure that one is excluded.

Please reread my post on the creation and exclusion of this folder (I have made some Bold text to try to make it clearer), as you have come up with some weird concoction: you are creating a folder called Suspect in the C:\ drive, not a folder called C Suspect.

DavidR, my friend, you have the greatest of patience to put up with a dummy like me. Being a retired Printer-Compositor of 40 yrs for a well known Ticket Printing Co. here in the USA, I find the English language confusing at times. LOL I did not have my original folder named as Suspect and have renamed it. I understand better with the Bold Print after re-reading as to the name of the folder and have made one folder (Suspect) and extracted the 2 new files to the folder that were in the Chest.

I was making the mistake of opening the Suspect folder to check the items and the two new items were being sent to the Virus Chest by MBAM. I also had removed the Restore Items from the Chest and they were sent back to the chest after running a Quick Scan again. Opening the folder to check the items is why they were not being excluded.

I ran a new AV scan to see if the excluded items would appear as being found and the scan found “No Threats”. This has been a learning experience for me.

Do I wait a few days or longer with new virus definitions being downloaded to do a scan of each item in the Virus Chest with having submitted them to the Virus Lab?? I don’t want to Delete or Restore what is in the chest and be back to threats showing again.

I think I’ll print out this entire thread for later reference. Thanks DavidR.

Ron

You’re welcome.

If MBAM was alerting you would obviously need to add the folder to its exclusions, but it would be sending them to its ‘Quarantine.’ Calling it a virus chest confused me, not too difficult ;D

Now that you have uploaded the files to VirusTotal the Suspect folder has served its purpose and you can remove the file you sent to it (provided you have the copies in the avast chest).

Leave the Suspect folder where it is and the exclusion in the file system shield. So, should you need to repeat the process, you aren’t starting from scratch; all you need do is extract the file from the avast chest and upload to VirusTotal if you have any doubts about a detection.

Received new virus definition 100410-1 today (Saturday - 04/10/2010) and scans were done on the (2) remaining items that were stored in the Chest. No Virus was found when items were scanned. Both items were deleted afterwards. Ran a quick scan and No Threats were found.

Thanks to the Alwil Team for their fast work checking on the FP that was found on Tuesday - 04/06/2010.

Also, Thanks again to DavidR.

Posting (for my printout) this info for any future problems when encountering a virus needing to be reported.