Trojan or false positive?

I’m new to avast. While running a scan, Avast flagged the same .dll file in 3 different game folders. They are games downloaded from gamegiveawayoftheday.com in December 2007 and January 2008, and all came from the same publisher, Meridian '93. I moved the 3 files to the Chest. The file name is mtrial_sm.dll. Avast Id’ed this file as Win32:Oliga[trj]. I searched the avast site, but found no mention of it. Googling, I found a page at McAfee which listed other names that Trojan is known by, and Googling a couple of those found mentions of it which said it was a low danger Trojan designed to steal gaming passwords. I checked for the registry changes and files which the Trojan supposedly drops, but none of them were on my system.

I’ve had these games for months, but have been using PC-cillin, so that might explain why they were not previously detected. A search at the giveawayoftheday.com forum didn’t find anyone posting about finding this. Following advice found here in the avast forum, I submitted the file to both Virus Total and Jotti.
Virus Total said Gdata and Ikarus, as well as avast, id’ed it as Win32:Oliga, and eSafe, Panda, and VIRPRE id’ed it as a suspicious file. The other 30 virus checkers found nothing. Out of 20 virus checkers on Jotti, 4 id’ed the file as Win32:Oliga - Avast, Gdata and Ikarus, and A-squared, which isn’t one of the checks on Virus Total. It said Panda found nothing, while Virus Total said Panda found the file “suspicious.”

This is the first time I’ve ever found malware on my PC, so I’m not sure if this is sufficient to be sure the files are bad, or if I should email them to Avast. As I mentioned, I’ve had these game folders on my PC for many months, and could find no evidence that this Trojan has been active, but I don’t do online gaming. I wouldn’t miss these three games particularly, if I need to delete the files and the games, but I’d like to know if they are really a Trojan or a false positive. Thanks for any advice.

With the low hit count and some being considered suspicious it is possible that they could be false positive detections.

Send the sample/s to virus@avast.com zipped and password protected, with the password in the email body. A link to this topic might help, and “possible false positive” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Thanks, David, for your response. I was going to email a zipped copy of the file to Avast, but I realized I don’t know how to password protect it. Windows Help says Windows can’t do that, but “other applications” may be able to.

I tried to add a file to the User Files area of the Chest from the Infected Files area, but couldn’t locate the Chest when it asked me to find the file to add. So I added the file from the “Suspect” folder I had created to upload the file to Virus Total and Jotti. That’s the same file, of course, but it lists a different original location. I then tried many times to email the file to Alwil, but I kept getting a message saying Unknown Error - The email cannot be sent. The error report would say, “The program cannot use email.” I checked and changed the SMTP settings and they seem to be correct now, but I keep getting that message. Do you know a way I could password protect the zipped file so I could email that?

One way is to zip the file, then double click on the zipped file; you will then see the contents. Then click on the word File in the top left of the page, and choose ‘add password’. It may not be the best way, but it’s the only way I know ;D

What is your email program?

Really what I’m asking is do you only use web mail, like Yahoo or Hotmail, etc.

When you try to send the email, did you change the default “Protocol to use:” option from MAPI to SMTP?

If so, leave it as it was, on MAPI.

I use 7zip (http://www.7-zip.org/) and that is a free zip program that is relatively easy to use and allows you to set passwords.

DavidR -

I’m using Thunderbird, but it sends mail through the Google mail server. Yes, I had switched to SMTP. I had first tried it as it was originally set, on MAPI, but doing that I got a message saying, “This action cannot be completed because the other program is busy. Choose ‘Switch To’ to activate the busy program and correct the problem.” When I clicked ‘Switch To’ it would either bring up Thunderbird or open the Start menu. Either way, I didn’t know what to do. So I thought, oh, it’s outgoing mail, so it should be SMTP and tried that - also with no success. I’ll check out 7zip, thanks.

Micky 77 -

Thanks for your suggestion, but when I go into the zipped file, and click ‘File’ at the top left, there is no ‘add password’ option. Just - Open, Extract All, Delete, etc.

Going through the Google server uses SSL secure SMTP, and avast can’t handle that, so you would have to send from outside of the chest.

Thanks for your help, DavidR. I have downloaded 7zip and will use it to send the file.

You’re welcome, let’s hope it is corrected quickly (it normally is). Periodically scan the copy in the chest to see if it is still detected. When it is no longer detected, you can restore it and remove any exclusions.