SOFTWARE.OLD .... is it a trojan or an FP

I could use some guidance right now. I ran a complete system scan today with avast, and something was found:

C:\Windows\System32\config\RegBack\SOFTWARE.OLD

Avast says this is a Win32:Dialer-DW [Trj]

I moved it to the chest, which was the recommended action. I tried to upload the file to VirusTotal and Jotti, but was initially unsuccessful. It turns out the file is too big. It’s over 30 MB, which is uncommonly large for malware, right? So I eventually got the idea to zip the file, then send it. It zipped to just over 6 MB and I successfully submitted it to both VirusTotal and Jotti. Out of all the scans run on both sites, the only scanner that reported a problem with the file was the Avast scanner. So I’m not sure what to think. Could my zipping of the file have prevented it from being detected as malware by the other scanners on VirusTotal and Jotti?

Additional Information:
- Ran Avast’s rootkit detector. Came back clean.
- Ran NOD32’s online scanner (full system scan). Came back clean. I was sure to leave an extracted copy of the suspected file in a normal folder, so NOD32 could scan it.
- Scanned the file with SUPERAntiSpyware. Clean.
- Scanned the file with MBAM. Clean.

I am a very cautious computer user. In recent years, I pretty much never got a genuine malware infection. I also run the following scans at least 3 times/week: Avast,SAS,MBAM,Defender. I run spybot S&D fairly often too. And I scan with Windows Malicious Software Removal Tool about once every two weeks (full scan).

Also, I’m going to do a boot scan with avast too, and full scans with SAS,MBAM,Defender,and the Windows malware removal tool. All of the copies of this file which I extracted from the virus chest for testing purposes, have been sent back to the virus chest.

I want to hear what you guys think is going on with this file, and what steps you recommend I take next. Thank you for reading.

The answer is in the “Virus & Worms” Avast Forum.

Sorry, didn’t complete. Look for post by “No More Infection”.

Hi Corday. I searched many times trying to find the post by “No More Infection” and I couldn’t find it. Please locate the thread for me and post a link. Thanks in advance.

Re: Infected with Win32:Dialer-DW [Trj] and don’t know what to do next.
« Reply #1 on: August 08, 2009, 01:55:55 PM »

Send to Chest is “cleaning” the computer the safest way. Files in the Chest are safe to be kept for further analysis.
Next steps could be the general cleaning procedure:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then reenable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

Thank you Corday! That post seems like sound advice. I think I may have seen it before, and followed some of its steps. That may have been where I saw the avast antirootkit app first recommended. There were a few threads I found on the forum before I posted, when I was trying to figure out what was going on with the SOFTWARE.OLD file.

At this point though, I’m trying to determine if the file is malicious or an FP. Given the information I posted earlier, what is your opinion?

I’ll probably follow the other steps recommended if only for the reason that they may help me ascertain the nature of the SOFTWARE.OLD file. But if the consensus is that it’s malicious, I’ll most likely just initialize my harddrive. It is incredibly rare for my system to get infected, so I wipe it if it is infected. I’d rather not go through that trouble though, so I hope the file is legit.

Judging by the responses in these threads, it MAY be an FP:
(I found these by searching for C:\Windows\System32\config\RegBack\SOFTWARE.OLD)

http://forum.avast.com/index.php?topic=34045
http://forum.avast.com/index.php?topic=36719

I would follow these instructions (from the second thread) and see if it is an FP:

-Scott-

Thanks Scott!

I uploaded the file to Virus Total and Jotti, and in both cases the only scanner that detected the file was avast. (however, the file was 30+ MB so I had to zip it before I sent it due to size restrictions.)

I sent it to avast from the virus chest on the day it was detected (the 28th I think), but subsequent scans have always detected it. So I don’t know if avast hasn’t got around to reviewing it yet or if they have reviewed it and still believe it’s a virus.

Does anyone know how long it usually takes Avast to correct a false positive? I emailed the file from virus chest on the 28th and it still is detected as of the most recent update. So I’m not sure if this file is malicious or good. I’m guessing the virus chest email went through okay but maybe it didn’t. Should I send a traditional email too with a brief explanation of why I think it may be a false positive?

Thanks

P.S. I am not certain as to what program may have created this SOFTWARE.OLD if it is indeed a legitimate registry backup of some sort. I do not know if Vista creates this file every so often. The only other program that I can think may have created this is Revo Uninstaller (which I use only rarely), because Revo says it does some kind of backup before uninstalls. But I have no idea if Revo did this or not.
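Two questions recur in this thread: whether SOFTWARE.OLD is really a registry backup, and whether the file can be checked at VirusTotal without re-uploading a 30 MB file. The script below is an added example, not code from the thread or from Avast. It checks for the `regf` signature that every Windows registry hive file carries at offset 0 (the files under `config\RegBack` are hive backups, so a genuine one should have it), reads the two sequence numbers that follow the signature (a mismatch means the hive was not cleanly written), and computes the SHA-256 so the hash can be searched on VirusTotal directly. The two sample files it builds are constructed in a temporary directory purely for demonstration.

```python
"""Triage a suspected registry-hive backup (added example, not from the thread).

Checks: does the file start with the 'regf' hive signature, do its primary and
secondary sequence numbers agree, how big is it, and what is its SHA-256?
"""
import hashlib
import os
import struct
import tempfile

REGF_MAGIC = b"regf"          # signature at offset 0 of a Windows registry hive
REGF_HEADER_SIZE = 0x1000     # the base block is one 4 KiB page


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so 30 MB files do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def inspect_hive_header(path):
    """Return (is_hive, primary_seq, secondary_seq) from the base block.

    Offsets 4 and 8 hold the primary and secondary sequence numbers as
    little-endian uint32; they match when the hive was written out cleanly.
    """
    with open(path, "rb") as fh:
        header = fh.read(REGF_HEADER_SIZE)
    if len(header) < 12 or header[:4] != REGF_MAGIC:
        return (False, None, None)
    primary, secondary = struct.unpack_from("<II", header, 4)
    return (True, primary, secondary)


def triage(path):
    """Summarise the facts a forum helper would ask for before judging the file."""
    is_hive, primary, secondary = inspect_hive_header(path)
    return {
        "size_bytes": os.path.getsize(path),
        "is_registry_hive": is_hive,
        "cleanly_written": (primary == secondary) if is_hive else None,
        "sha256": sha256_of(path),
    }


def build_constructed_samples(directory):
    """Write two constructed files: a minimal hive-like file and a non-hive file."""
    hive_path = os.path.join(directory, "SOFTWARE.OLD")
    with open(hive_path, "wb") as fh:
        header = bytearray(REGF_HEADER_SIZE)
        header[:4] = REGF_MAGIC
        struct.pack_into("<II", header, 4, 7, 7)   # matching sequence numbers
        fh.write(header)
        fh.write(b"\x00" * REGF_HEADER_SIZE)        # padding standing in for hbin data

    other_path = os.path.join(directory, "not_a_hive.bin")
    with open(other_path, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 510)             # PE-style header, not a hive
    return hive_path, other_path


def demo():
    """Run the triage over the constructed samples and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        hive_path, other_path = build_constructed_samples(tmp)
        return triage(hive_path), triage(other_path)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Run it against the real path (`triage(r"C:\Windows\System32\config\RegBack\SOFTWARE.OLD")`) on the affected machine. A file that lacks the `regf` signature is not a registry backup whatever its name says, and the SHA-256 can be pasted into VirusTotal’s search box to see whether that exact file has already been analysed, which sidesteps both the upload size limit and the question of whether zipping changed what the scanners saw.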

I’m not sure how long it takes…different people have had different experiences…It happened relatively quickly with me…

Yes, I would suggest sending it via email also…

send the file in a password protected archive to virus(at)avast(dot)com with ‘potential false positive’ in the subject line and the password in the email body.

Thanks Scott. Is there a program which you recommend I use to create a password protected archive? I can create the zip but I cannot put a password on it because I have Vista.

I use 7zip www.7zip.com

Except that I use the portable version. This means that it is not installed normally and is contained in a single folder of your choosing, so that if/when you want to get rid of it, you can just delete the folder. I find this much easier than installing the program normally

It can be found here (if you are interested): http://portableapps.com/apps/utilities/7-zip_portable

-Scott-

Thank you again Scott!

To Scott, or anyone else who can help:

Something weird is happening. After emailing the file to Avast, I’ve been having a problem every time I go to update Avast.

When the file (SOFTWARE.OLD) was originally detected on 11/28, I created a folder called “c:\suspect” so I could extract from the virus chest to that folder, and upload the file to VirusTotal and Jotti. I also used that folder to extract to so I could email the password protected zipped version to avast. Now when I update avast it says it is uploading SOFTWARE.OLD from c:\suspect. But there are no files in that folder because every time I was done with the file, I would rescan it and have it sent back to the chest. So why is Avast trying to upload it, and why from this folder?

Again it happened after I emailed the file, and also after I increased the size of the virus chest because it seemed to be running out of space from me returning extracted copies to the virus chest after I was done with them (and there were quite a few extracted copies of it, due to my fumbling ineptitude with uploading files and zipping. Maybe I should have just deleted them when I was finished, but I just feel more comfortable sending them back to the chest). Did I mess up the settings or something when I changed the size of the virus chest?

Hi Gentleman,

What you are seeing is the file being submitted to ALWIL. The files that are marked for submission to alwil are sent during the update process.

During that time, you will see this window, and it will also show the location of the file - i.e. where it was detected, similar to the screenshot.

This is nothing to be worried about, and it is part of the submission process.

-Scott-

Thanks Scott for replying. I knew it was doing something along those lines, but I just don’t know why it was from c:\suspect folder and why it happened when it did. Because while I did try to submit the file to avast back on the 28th, I tried to submit it from the virus chest (with the right-click>email to avast option), not c:\suspect. So I’m not sure why it was uploading from c:\suspect (which is a folder I created because of this suspected virus so I could manually upload it for testing purposes). And I don’t even think I had any files in c:\suspect at the times it was uploading. It didn’t make any sense.

Ultimately what I ended up doing was uninstalling and reinstalling avast just in case I had messed something up with it.

UPDATE: I just checked my email and I got a reply from Avast. The virus analyst said the file is NOT a false positive. So the file is malicious.

Not the news I wanted to hear.

:(