Trojan-gen...False Positive?

I believe avast has given me a false positive. Right in the middle of doing a scan with Trojan Hunter, a box pops up and says, “Virus Alert!”.

Malware Name: Win: Trojan-gen
Malware type: Virus/worm
VPS Version:0529-0, 7/18/05

I think it mistook Trojan Hunter as a trojan of a sort. What do you think? Before I thought things through, avast recommended I put it in the chest, which I did. Then, I thought to myself, “Wait a minute, I’ll bet they thought this was a virus.” Pretty sure this was a false positive.

No, you may be getting a conflict with two scanners doing the same task; as Trojan Hunter opens a file to check for trojans, avast is likely to be scanning (or attempting to scan) that file as well, and if it is infected it would alarm.

The most helpful element you didn’t mention is the location and file name of the virus, for example (C:\windows\system32\infected-filename.xxx).
This will indicate if it was detecting Trojan Hunter (its signature file {if it uses one, I don’t use it}), a file associated with it, or a file on your HDD.

Here’s the rest of it…C:\DOCUME~DAVIDE~\FIN\LOCALS~1\TEMP\MU92.exe. Doesn’t tell me anything?

Not knowing how Trojan Hunter works it is difficult to state exactly, but to me it looks like it could be a file being extracted to a temporary folder to be scanned by Trojan Hunter (in the same way avast scans archive files). However, any extracted files would be scanned by Standard Shield when created/extracted to the temporary location.

What it isn’t doing is pointing to the Trojan Hunter folder on your HDD, so it isn’t stating that Trojan Hunter is infected, but the file in that location.

It is probably advisable to temporarily disable Standard Shield when you scan with Trojan Hunter, as there is likely to be a conflict if Trojan Hunter detects or extracts an infected file (which AV reacts and acts first could cause a conflict).

Now you can check that file using Jotti; check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners there detect it, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

If confirmed as a false positive, then zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You can't do this with the file in the chest, you will need to move it out.

So where should it go, Dave? I right clicked on the "infected file" and have an option of refresh, restore or extract?

I would suggest that you create and put it in a temporary folder (‘Jotti Scan’ sounds reasonable or anything you choose), a different folder to the one that it was detected in. That way if it is indeed a virus any previous links to the original location can’t activate it. Then extract it to that location.

OK…I made up a new folder in My Documents and just called it “Possible Trojan”, extracted it from the chest and then ran a check on that file with ewido, SpyCop and Trojan Hunter. No malicious files found from any of these checks.

Forgot to mention I tried Jotti but this is the result I got…

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Just ran another scan with Trojan Hunter and again, avast warned me of a virus detection. It was from the same place as the other one with the same name, Win32:Trojan-gen, but with a different file name…2dXw.exe. Any idea what’s going on here?

That is usually the message you get when you try to upload it to jotti from the chest as it is protected. So I’m surprised you would get this if you extracted it.

The second hit in the same temp files location may be where TH is unzipping an archive, and as soon as it does this avast is on it like a rash. As I said previously, you shouldn’t run two active scanners at the same time.

Check this file with jotti from the original temp location and see what it gives.

After that, clear all your temp files/folders; one of the many utilities to root out these will make the task easier, e.g. CCleaner - Temp File Cleaner, etc.

I’ll give that a try when I get home…thanks :slight_smile:

Avast also found that same Trojan-gen something when I was scanning my system with A2 free.

Just to let you know colt, that you are not alone.

But after moving it into the Avast virus chest, it is no longer found :slight_smile:

That is usually the message you get when you try to upload it to jotti from the chest as it is protected. So I’m surprised you would get this if you extracted it.

Didn’t do that. I tried to upload from that folder, “Possible Trojan” that I made and extracted to. Then it gave me that message. I tried it again awhile ago and it did the same thing. Am I doing something wrong here?

I just ran a scan with a-squared myself and it came up with no malware.

I’ve never used CCleaner before. Seems it came up with other files than temp and cookies. Is it pretty safe to use?

I decided to do a HJT log and didn’t see anything related to that Trojan, but did notice a couple of avast files missing. Don’t know what impact this would have or why they’re missing.

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

I wouldn’t have recommended it to you if I didn’t think it was safe, I use elements of it myself as do many others on this forum (mentioned in many threads).

This is a bug with the 1.99.1 version of HJT.

  1. They aren’t missing, as the Web Shield and email scanner wouldn’t work otherwise.
  2. You can check the physical location on your HDD and confirm they are there.
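One way to check those O23 lines yourself, as an added example that is not from this thread or from HJT: a small Python parser that records and strips the lone closing quote HJT 1.99.1 leaves after the executable path, then tests the cleaned path so the "(file missing)" flag can be verified against the disk. The two sample lines are copied from the log above; the function names and the `exists` hook are this example’s own assumptions.

```python
import os
import re

# The two O23 lines quoted in the thread, used here as sample input.
SAMPLE_LINES = [
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
    r'O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)',
]

# O23 - Service: <name> - <owner> - <path> <args> [(file missing)]
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<rest>.+)$')
EXE_RE = re.compile(r'(?i)(?P<path>"?.+?\.exe)(?P<quote>"?)\s*(?P<args>.*)$')
MISSING = '(file missing)'


def parse_o23(line):
    """Split one HJT O23 line into its fields, or return None.

    HJT 1.99.1 wrote a lone closing quote after the path (...ashMaiSv.exe" /service)
    and then flagged the service as '(file missing)' because it looked the path up
    with that quote attached. The quirk is recorded and the quote stripped.
    """
    m = O23_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    flagged_missing = rest.endswith(MISSING)
    if flagged_missing:
        rest = rest[:-len(MISSING)].rstrip()
    exe = EXE_RE.match(rest)
    if not exe:
        return None
    quoted_path = exe.group('path')
    return {
        'name': m.group('name'),
        'owner': m.group('owner'),
        'path': quoted_path.strip('"'),
        'args': exe.group('args').strip(),
        'flagged_missing': flagged_missing,
        # A trailing quote with no opening one is the 1.99.1 quirk.
        'stray_quote': bool(exe.group('quote')) and not quoted_path.startswith('"'),
    }


def audit(lines, exists=os.path.exists):
    """Return (service name, cleaned path, stray_quote, really_missing) per O23 line.

    `exists` can be swapped for a lookup against a file list when the log
    comes from another machine (as in this thread).
    """
    out = []
    for line in lines:
        entry = parse_o23(line)
        if entry:
            out.append((entry['name'], entry['path'], entry['stray_quote'], not exists(entry['path'])))
    return out
```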

I meant safe for someone that hasn’t used it before. When I ran it and it said it would permanently delete those files, I got chicken as I wasn’t sure what some of them were. Cookies I understand, cache I understand, log files and temp folders/files I understand, but it’s like any software…you have to be careful what you click on. There may not be any going back. I didn’t see any evidence that CCleaner backed up what it deleted just in case. Maybe I’m just too over-cautious. I just got the computer back about a month ago after having problems with lost/corrupt files and didn’t want to screw it up.

Generally what CCleaner is going to remove isn’t critical, and certainly nothing that won’t be resolved by a reboot.

Personally I prefer a program called ClearProg from http://www.clearprog.de/; however, I still use CCleaner to do the system cleaning as there are a couple of things that aren’t covered in ClearProg.

The beauty of both programs is that you can deselect (uncheck) those items you don’t want to delete/clear. I never clear cookies automatically; I prefer to do it manually and also use the Firefox extension CookieCuller, as there are some cookies I want to retain.

You have to decide what you want to remove by checking the help, etc. with the programs.

I stayed away from registry issues. If you click “Issues” it brings up Registry issues; then I did a scan. What it came up with was a lot of Unused File Extensions, ActiveX issues, Uninstaller Reference issues and Old Start Menu keys. I decided just to shy away from this area.

The Issues element is an entirely separate part and need not be/doesn’t run when you run the temp cleaning (main) part of CCleaner.

I use a different program for playing/cleaning with the registry (a specialist registry cleaner). ‘Government Health Warning: editing the registry can seriously damage your health (system’s)’.
So you are wise in leaving what you don’t know alone; redundant/empty registry keys may increase the size of the registry files and may contribute to registry file fragmentation, which may have a slight performance hit, but they rarely do any harm.

I think I’d feel a bit safer letting Reg Supreme and Diskeeper take care of registry files that are defunct and defrag the simple way. I’ve got Diskeeper set to scan daily, all day, and run an analysis once a week to clean up what the “Set It and Forget It” function may not have been able to keep up with. I’ve been into the registry to change/delete files but I knew what I was looking for or followed someone’s instructions. Not afraid to go there, but I need to know in my own mind what I’m looking for. That’s one place you have to tread lightly. :o