Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\All Users\Start Menu\Programs\Nero 7 Ultra Edition\Tools\License Repair.exe” file.
I received this after the latest update when I did a standard scan, update 090812-0.
I have sent it to Alwil through the chest for it to be analyzed.
I also tried to send it to Jotti’s malware scan and VirusTotal, but I get “file is empty (0 bytes)”.
I also ran scans with Malwarebytes Anti-Malware and SuperAntiSpyware, which all showed clean.
I think it may be a false positive, only guessing though.
It could be that what the file does may be considered some sort of key generator, which may be considered a trojan.
Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic, VirusTotal results, etc. might help, and put “false positive” in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
I tried to upload it to VirusTotal, but I got “this file is empty (0 bytes)”. Waited 10 minutes and nothing happened. That was before I placed it in the chest. So I will leave it there for a couple of days.
This may sound a very silly question, but I assume if I want to test the file for any virus alert I will have to restore the file back to the original place from the Avast vault. :-[
That (0 byte size) is most likely because avast is blocking the upload; see below for what I normally suggest to be able to upload to VT.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
If you want to test the file, you scan it from within the chest.
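Added example, not from the thread or from avast: a small Python script for the step where the sample is exported to the excluded folder and sent off. It checks that the exported copy is not the 0-byte stub the shield leaves behind, computes the SHA-256 and MD5 (VirusTotal can be searched by hash, so you can often look a file up without uploading it at all), and zips it with a hashes.txt so the analyst can confirm the archive arrived intact. The folder and file names are placeholders; the password protection asked for in the thread needs an external tool such as 7-Zip, since Python's zipfile cannot write encrypted archives.

```python
import hashlib
import os
import zipfile

# SHA-256 of empty input; lets a 0-byte (blocked) copy be recognised explicitly.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def digest_chunks(chunks):
    """Hash an iterable of byte chunks; returns (size, sha256_hex, md5_hex)."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    size = 0
    for chunk in chunks:
        size += len(chunk)
        sha256.update(chunk)
        md5.update(chunk)
    return size, sha256.hexdigest(), md5.hexdigest()


def inspect_sample(path):
    """Return size, hashes and an `empty` flag for the file at `path`.

    Reads in 64 KiB chunks so large samples do not need to fit in memory.
    """
    with open(path, "rb") as fh:
        size, sha256_hex, md5_hex = digest_chunks(iter(lambda: fh.read(65536), b""))
    return {
        "path": path,
        "size": size,
        "sha256": sha256_hex,
        "md5": md5_hex,
        "empty": size == 0,
    }


def bundle_for_submission(path, archive_path):
    """Zip the sample so mail filters and the desktop do not treat it as a live .exe.

    Refuses to bundle a 0-byte copy (the symptom seen in the thread) instead of
    silently shipping an empty file. Assumed layout: the sample already sits in
    an excluded folder such as C:\\Suspect (placeholder from the thread).
    """
    info = inspect_sample(path)
    if info["empty"]:
        raise ValueError(f"{path} is 0 bytes; export it from the chest again before submitting")
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(path, arcname=os.path.basename(path))
        # Ship the hashes alongside so the receiver can verify the sample is intact.
        zf.writestr("hashes.txt", f"sha256 {info['sha256']}\nmd5 {info['md5']}\n")
    return info


if __name__ == "__main__":
    import sys
    # Usage: python check_sample.py C:\Suspect\suspect.exe  (placeholder path)
    for sample in sys.argv[1:]:
        print(inspect_sample(sample))
```

If `inspect_sample` reports `empty: True`, the copy you are looking at is the blocked upload, not the real file; re-export from the chest into the excluded folder and check again before sending anything.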
Does seem like it is a virus and not a false alarm.
Nero itself is being a pain: if I boot the computer it will want to install, and for no reason, even after I have been using the comp for a while, it will just try to install itself.
Have to use Task Manager to end the task.
Below is what appears in event viewer.
Product: Nero 7 Ultra Edition – Error 1706. No valid source could be found for product Nero 7 Ultra Edition. Windows Installer cannot continue.
For more information, see Help and Support Center at
If I had a disk I would just uninstall and reinstall; maybe I will have to just uninstall Nero too!!! (EDIT) remove virus and install a free CD/DVD burning software
However, if you look at the various malware names, as I said in my first reply, they too appear to be detecting based on it being some sort of key generator; others are also using generic or heuristic signatures, which are more prone to FP.
So if this came from Nero and/or a legit source and the key repair file is a legit function, then the jury is still out and it is worth sending to avast for further analysis.
Another analysis site is http://anubis.iseclab.org/?action=home; this gives a detailed analysis of what the file actually does, post the URL of the results.
Well the activity seems strange if it is a legit tool, but you didn’t answer the question about the source, and this I feel is the crucial element.
Summary:
- Performs Registry Activities:
The executable reads and modifies registry values. It also creates and monitors registry keys.
Whilst it may be necessary to repair a (singular) license key, modifying registry values and creating and monitoring registry keys to me seems a bit over the top, but that could be anti-piracy. Which again brings me back to the question on legitimate source?
Hi
Yes, as far as I know it is legit, as I had a new motherboard and CPU installed into the computer at a computer shop and they installed Nero 7 on the comp after they reinstalled Windows etc.
This was in April 2007.
I have not added anything to Nero, and just a few days before I used Nero and had no warnings about any viruses.
I only received this warning when I did a standard scan on Aug 13; up to then all scans were clean.
I would treat it as suspect then, as you can’t confirm the origin; normally you get Nero on an OEM CD when you buy an optical drive, so that could have been the source, but not a certainty.
I have sent the sample twice, so hopefully Alwil has received it.
I have now uninstalled Nero 7, as when I rebooted today the computer took a long time booting, as Nero wanted to start; the comp kept locking up and I had to keep ending the task.
I also got rid of my restore points, rebooted, scanned with Avast, all clear.
Computer now booting without any problems.
I will either buy a burning program or download a free one, as I really only need basics.
Another one for me to check out Thanks .: L’ arc :.
Hi +AdDicT+
You are right, there is one built in, which I have used occasionally, but I feel that there is a lot more which allows you to do even the basic things easier. Boils down to individual choice.
You could also check it out with hijackthis to see if there are any remnants of nero (wanting to start, is an indication there are some registry entries left).
Hi once again DavidR
I have had no hassles since i uninstalled Nero7 ;D
I will thank you once again for your assistance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:45 PM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Other than the comments below I don’t see anything obvious and no traces of Nero.
This shows an old version and as such vulnerable to exploit:
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
Is Outpost running?
The HJT analysis doesn’t detect it, but that may be because it is Outpost Free (?); the file names are the same as for the Pro version, but it would have different functionality.
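Added example, not from the thread or from HijackThis: a Python parser for the O4 (autostart) lines of a HijackThis log, covering the two uses above, namely looking for leftover Run entries after an uninstall (the Nero remnants DavidR mentions) and pulling out the install path of an entry such as the Adobe Reader launcher so its version directory can be read off. The sample log is constructed for the example; only the Adobe Reader line is the one posted in the thread, the other entries are made up placeholders. Startup-folder O4 lines (`O4 - Startup:`) are a different shape and are deliberately skipped.

```python
import re

# HJT registry autostart lines look like:
#   O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\...\Reader_sl.exe"
#   O4 - HKUS\S-1-5-18\..\Run: [Name] C:\path\prog.exe /args
# The regex captures hive, key (Run/RunOnce/...), the [name], and the command.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[\w-]+)*)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)


def split_command(cmd):
    """Split a Run value into (executable path, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4_entries(log_lines):
    """Return a list of dicts for every registry O4 line; other lines are ignored."""
    entries = []
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 registry line (header, O23 service, startup folder, ...)
        path, args = split_command(m.group("cmd"))
        entries.append({
            "hive": m.group("hive"),
            "key": m.group("key"),
            "name": m.group("name"),
            "path": path,
            "args": args,
        })
    return entries


def find_entries(entries, keyword):
    """Case-insensitive search of entry names and paths, e.g. for 'nero' remnants."""
    kw = keyword.lower()
    return [e for e in entries if kw in e["name"].lower() or kw in e["path"].lower()]


# Constructed sample log: the Adobe line is the one posted in the thread,
# the remaining O4/O23 lines are placeholders invented for this example.
SAMPLE_LOG = [
    "Logfile of Trend Micro HijackThis v2.0.2",
    r'O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"',
    r"O4 - HKLM\..\RunOnce: [ExampleUpdater] C:\Tools\example.exe /silent",
    r"O4 - HKCU\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe",
    r"O23 - Service: Example Service - Example Corp - C:\Tools\examplesvc.exe",
]


if __name__ == "__main__":
    found = parse_o4_entries(SAMPLE_LOG)
    for e in found:
        print(f"{e['hive']}\\{e['key']}: {e['name']} -> {e['path']} {e['args']}".rstrip())
    print("Nero remnants:", [e["name"] for e in find_entries(found, "nero")])
```

Feed it the real log with `parse_o4_entries(open("hijackthis.log").read().splitlines())`; a non-empty result from `find_entries(..., "nero")` after the uninstall is exactly the leftover Run entry that would make Nero try to start at boot.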
Since I removed Nero, no problems.
I am using Adobe Reader 8 and it has the latest security fix; I did not install Adobe Reader 9 because of Acrobat.com and Adobe AIR.
I check the Secunia site regularly and I have just done a check now, all clear. I used to have the version that was installed on your computer. Got the odd strange thing with it; the last straw was when it said I had uninstalled Avast and it was no longer showing as being installed.
Yep, Outpost Free is running and is showing up in Windows Security.
The fact that you have Adobe 8 (regardless of it being up to date) means it is still vulnerable, so if you are going to use it then you should be using the latest version. Now if that comes with additional bloat that you don’t want, I would have thought it was an opt-out/in thing. If not, then I would be considering a different PDF reader; I gave up on Adobe Acrobat years ago in favour of a less bloated option, Foxit PDF Reader, there are others.