Trojan detected in Grim Fandango directory

Avast updated itself to the new version today and it has detected a trojan called Win32:Agent-GHL in my Grim Fandango directory.

Apparently the file at fault is DAB003.LAB

I’ve moved it to the chest and scanned it there and it’s still detecting it as a trojan. Any ideas? I can’t find any info about that particular virus and I’m a bit nervous about moving it back into its original directory to scan it with something else in case it does something.

To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful: you shouldn’t ‘exclude’ so many files that your system is left in danger.
After that, please check it periodically: scan it in the Chest by right-clicking the file. There should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected, you can also remove it from the Exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838

Started to upload it to VirusTotal about 15 minutes ago but it still says “uploading file”. It’s 68 MB in size and over an 8 Mb broadband connection; should it be this slow?

After 20 minutes it came back with “es mayor” ???

VirusTotal and Jotti both have upload limits I believe between 10MB and 15MB so it wouldn’t be able to upload or scan it. See image, whilst this relates to sending emails I believe it is also correct for uploads.

What is DAB003.LAB? I can find nothing in Google for it.

It’s a file for a game.

Just scanned it with AVG and that was okay, no viruses detected. I can’t email it to Avast either as it’s over their limit, so I think I’ll stick it in the chest for a few weeks and then try again then, see if it’s still an issue.

Can you inform the Alwil team about a link to download it?
(Please, do not post here live links to ‘false positives’ or ‘malware’ files).

Hi, not sure where you can download it from as it’s installed from the game CD itself. The only way it could have been infected is by something attacking it and modifying the contents, as I say, because this was installed from the original CD itself.
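The reasoning in the post above suggests a concrete check a defender can run when the upload route is blocked by size: hash the installed file in chunks and compare it with the untouched copy on the CD, and note whether the file exceeds the scanner upload limit quoted in the thread (so the hash, not the file, is what gets submitted). This is an added example, not code from the thread or from Avast; the file names, the 15 MB limit and the sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20        # 1 MiB reads keep memory flat for a ~68 MB archive
UPLOAD_LIMIT_MB = 15   # upper end of the 10-15 MB limit quoted in the thread


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so a large game archive is never read whole into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def exceeds_upload_limit(size_bytes, limit_mb=UPLOAD_LIMIT_MB):
    """True when the file is too large for an online scanner's upload form."""
    return size_bytes > limit_mb * 1024 * 1024


def compare_copies(installed_path, pristine_path):
    """Compare the installed file with the untouched copy (e.g. the one on the game CD).
    'modified' is the key question when triaging a suspected false positive."""
    installed, pristine = file_digest(installed_path), file_digest(pristine_path)
    size = os.path.getsize(installed_path)
    return {
        "installed_sha256": installed,
        "pristine_sha256": pristine,
        "modified": installed != pristine,
        "size_bytes": size,
        "too_big_to_upload": exceeds_upload_limit(size),
    }


def demo():
    """Constructed sample: a fake archive and a copy with one byte changed (not real game data)."""
    with tempfile.TemporaryDirectory() as tmp:
        cd_copy = os.path.join(tmp, "DAB003.LAB")
        installed = os.path.join(tmp, "installed_DAB003.LAB")
        payload = b"FAKE-LAB" + bytes(range(256)) * 64   # constructed contents
        for p in (cd_copy, installed):
            with open(p, "wb") as fh:
                fh.write(payload)
        unchanged = compare_copies(installed, cd_copy)
        with open(installed, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff")                              # simulate a tampered installed copy
        tampered = compare_copies(installed, cd_copy)
    return unchanged, tampered
```

If the two digests match, the installed file is byte-identical to the CD copy and the detection is almost certainly a signature false positive; a mismatch means the file has been altered since installation and deserves a closer look.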

Hi,

I don’t know if this is directly related or of any help, but just today my Avast Antivirus also detected Win32:Agent-GHL. After searching a long time for some information, I found your post, and it’s all I’ve found on this particular variant.

The file in which it was detected was an index.dat file in my browser cache, much smaller than your suspicious file at about 1 MB. The index.dat file resulted when I tried to empty the cache. I couldn’t delete index.dat because it was being used by explorer.exe. When Avast detected it as a trojan, I couldn’t move it to the cabinet for the same reason. I killed explorer, and then I could quarantine it using Avast.

In the same scan, Avast also detected two false positives, Win32:CTX and Win32:Kuang, in two packed files associated with Panda Internet Security: PSKAVS.dll and PAV.dll[UPX]. Those files were in two Panda quick removal tools, pqremove.com and pqremove-generic.com. The Avast site lists some other Panda files containing unhidden virus signatures Avast commonly detects as CTX and Kuang, among other viruses. http://avast.com/eng/faq_panda.html The list doesn’t include Win32:Agent-GHL, however. Maybe it’s a newer virus or less commonly detected.

So I can’t be certain Win32:Agent-GHL was a Panda file. If it was, I don’t know why it would have been in my browser cache or actively in use by explorer. I wasn’t running any Panda program or using the removal tools at the time. The other two Panda files were easily quarantined.

I can’t speculate on any connection to Grim Fandango, but I know I’ve never voluntarily had files unique to that program on my computer. Unfortunately, in my zeal to rid my system of possible malware, I deleted the file and can’t send it anywhere for verification. If it shows up again, I’ll do so and mention it in another post.

Hunter-Gathere [R]

[skipped the grim fandango, tripped the light fandango, feeling kinda seasick & whiter than pale]

If you were to give us some more information about the Win32:Agent-GHL detection, we might be able to take a stab at it.

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)? Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

I doubt it has anything to do with kentmonkey’s issue, unless it were the same file name and Grim Fandango folder.