Sign of "Win32:Trojan-gen {Other}"

Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\All Users\Start Menu\Programs\Nero 7 Ultra Edition\Tools\License Repair.exe” file.

I received this after the latest update, when I did a standard scan (update 090812-0).
I have sent it to Alwil through the chest for it to be analyzed.
I also tried to send it to Jotti's malware scan and VirusTotal, but I get "file is empty (0 bytes)".
I also ran scans with Malwarebytes Anti-Malware and SUPERAntiSpyware, which both showed clean.

I think it may be a false positive, only guessing though.

It could be that what the file does may be considered some sort of key generator, which may be considered a trojan.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic, VirusTotal results, etc. might help, and put "false positive" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Hi DavidR
Thanks for your reply :wink:

I have sent the file via the chest earlier.

I tried to upload it to VirusTotal, but I got "this file is empty (0 bytes)". Waited 10 minutes and nothing happened. That was before I placed it in the chest. So I will leave it there for a couple of days.

This may sound a very silly question, but I assume if I want to test the file for any virus alert I will have to restore the file back to the original place from the Avast vault. :-[

That (0 byte size) is most likely because avast is blocking the upload, see below for what I normally suggest to be able to upload to VT.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here: the URL in the address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If you want to test the file, you scan it from within the chest.

Hi DavidR
It worked like a charm
http://www.virustotal.com/analisis/28ad4b4c44e8d55589af4250d2225366ac6a5b49cc3df9a4a244b729e94ef6e5-1250275494

It does seem like it is a virus and not a false alarm.

Nero itself is being a pain: if I boot the computer it will want to install, and for no reason, even after using the comp for a while, it will just try to install itself.
I have to use Task Manager to end the task.

Below is what appears in event viewer.
Product: Nero 7 Ultra Edition – Error 1706. No valid source could be found for product Nero 7 Ultra Edition. Windows Installer cannot continue.

For more information, see Help and Support Center at
If I had a disk I would just uninstall and reinstall; maybe I will have to just uninstall Nero too!!! (EDIT) remove the virus and install free CD/DVD burning software

Your help is very much appreciated :wink:

You’re welcome.

However, if you look at the various malware names as I said in my first reply they too appear to be detecting based on it being some sort of key generator; others are also using generic or heuristic signatures which are more prone to FP.

So if this came from Nero and/or a legit source and the key repair file is a legit function, then the jury is still out and it is worth sending to avast for further analysis.

Another analysis site is http://anubis.iseclab.org/?action=home; this is a detailed analysis of what the file actually does. Post the URL of the results.

Hi
I have run the analysis and below is the result
http://anubis.iseclab.org/?action=result&task_id=133cc35af72cfd854750e32750feb41ff&format=txt

Pete

Well, the activity seems strange if it is a legit tool, but you didn’t answer the question about the source, and this I feel is the crucial element.

Summary: - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys.

Whilst it may be necessary to repair a (singular) license key, modifying registry values and creating and monitoring registry keys seems a bit over the top to me, but that could be anti-piracy. Which again brings me back to the question of a legitimate source?

Hi
Yes, as far as I know it is legit, as I had a new motherboard and CPU installed into the computer at a computer shop and they installed Nero 7 on the comp after they reinstalled Windows etc.
This was in April 2007.
I have not added anything to Nero, and just a few days before I used Nero and had no warnings about any viruses.
I only received this warning when I did a standard scan on Aug 13; up to then all scans were clean.

Does this help?

I would treat it as suspect then, as you can’t confirm the origin. Normally you get Nero on an OEM CD when you buy an optical drive, so that could have been the source, but not with certainty.

Let's see what avast makes of it in analysis.

I have sent the sample twice, so hopefully Alwil has received it.
I have now uninstalled Nero 7, as when I rebooted today the computer took a long time booting, as Nero wanted to start; the comp kept locking up and I had to keep ending the task.
I also got rid of my restore points, rebooted, and scanned with Avast: all clear.
Computer is now booting without any problems.

I will either buy a burning program or download a free one, as I really only need the basics.

Pete

I like CDBurnerXP:
http://cdburnerxp.se

You may also try this one:

Burn Aware

Eh?

I thought all PCs have their burning capabilities made from the factory^^

Mine does a good job of burning pics, musics, vids and even DVDs^^

Anyway, you could try those free programs posted by YoKenny and Larc^^

-AnimeLover^^

I'll check it out, thanks YoKenny

Another one for me to check out. Thanks .: L’ arc :.

Hi +AdDicT+
You are right, there is one built in, which I have used occasionally, but I feel that there is a lot more out there which allows you to do even the basic things more easily. Boils down to individual choice.

You could also check it out with HijackThis to see if there are any remnants of Nero (wanting to start is an indication there are some registry entries left).

Hi once again DavidR :wink:
I have had no hassles since I uninstalled Nero 7 ;D
I will thank you once again for your assistance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:45 PM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {B99F805C-F0B1-48EA-8C8B-753BFCBED913} - (no file)
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Sony Ericsson PC Suite] “C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” /startoptions
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM..\Run: [OutpostFeedBack] “C:\Program Files\Agnitum\Outpost Firewall\feedback.exe” /dump:os_startup
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKCU..\Run: [EPSON Stylus TX200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFP.EXE /FU “C:\DOCUME~1\Owner\LOCALS~1\Temp\E_S16D.tmp” /EF “HKCU”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Update Notifier.lnk = C:\Documents and Settings\Owner\Desktop\updatenotifier.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218804096593
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O17 - HKLM\System\CS1\Services\Tcpip..{41E23405-52DC-43B7-B745-D24B02E0A322}: NameServer = 139.134.5.51 139.134.2.190
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


End of file - 6512 bytes

Other than the comments below I don’t see anything obvious and no traces of Nero.

This shows an old version and as such is vulnerable to exploit:
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”

I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

Is Outpost running?
The HJT analysis doesn’t detect it, but that may be because it is Outpost Free (?); the file names are the same as for the Pro version, but it would have different functionality.
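The two checks made on the log above (leftover registrations with no file behind them, and version hints in install paths such as the Reader 8.0 entry) can be automated. This is an added example, not code from the thread or from HijackThis; it assumes the line layout shown in the posted log (section prefix, fields separated by " - ") and uses a constructed sample built from a few of those lines.

```python
import re

# Constructed sample: a handful of lines in the layout of the HijackThis log
# posted above (R/O section prefix, " - " separated fields).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {B99F805C-F0B1-48EA-8C8B-753BFCBED913} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

def parse_hjt(text):
    """Turn HJT report lines into dicts; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        # The last " - " separated field is the registered file, or "(no file)".
        entries.append({"kind": m.group("kind"), "body": body,
                        "target": body.rsplit(" - ", 1)[-1]})
    return entries

def orphaned(entries):
    """Registrations whose file is gone: typical leftovers of a removed program."""
    return [e for e in entries if e["target"] == "(no file)"]

def mentions(entries, product):
    """Entries that still reference a product name anywhere (label, vendor, path)."""
    return [e for e in entries if product.lower() in e["body"].lower()]

def installed_version(entries, product_dir):
    """Major.minor version from an install path such as '...\\Reader 8.0\\...', or None."""
    pat = re.compile(re.escape(product_dir) + r" (\d+)\.(\d+)")
    for e in entries:
        m = pat.search(e["body"])
        if m:
            return int(m.group(1)), int(m.group(2))
    return None
```

On the sample, `mentions(entries, "nero")` comes back empty and `installed_version(entries, "Reader")` yields (8, 0), matching the two observations made on the full log.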

Since I removed Nero, no problems.
I am using Adobe Reader 8 and it has the latest security fix; I did not install Adobe Reader 9 because of Acrobat.com and Adobe AIR.

I check the Secunia site regularly and I have just done a check now: all clear. I used to have the version that was installed on your computer. Got the odd strange thing with it; the last straw was when it said I had uninstalled Avast and it was no longer showing as being installed.

Yep Outpost Free is running and is showing up in Windows Security.

Thanks for your assistance :wink:

You’re welcome.

The fact that you have Adobe 8 (regardless of it being up to date) means it is still vulnerable, so if you are going to use it then you should be using the latest version. Now if that comes with additional bloat that you don’t want, I would have thought it was an opt-out/in thing. If not, then I would be considering a different PDF reader; I gave up on Adobe Acrobat years ago in favour of a less bloated option, Foxit PDF Reader; there are others.