Vista Start Menu v2.91 / 2.92 has Win32: Trojan-gen {Other}?

Could someone verify that this is a false positive. I have the PRO version of Vista Start Menu and never had any problems until this morning. Apparently after avast updated it reported Vista Start Menu with a trojan. I tried installing an earlier version (2.91) from a backup DVD from a week or 2 ago and it detects it as well when I go to install it. I installed an earlier version (2.89) and it doesn't detect a trojan in it.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

Hello,

I too got the same alarm from Avast about my Vista Start Menu Pro this morning, even though I’ve been using it for months. I moved the offending file to a new location and uploaded it to VirusTotal and had it analyzed. Here is the result:

Antivirus Version Last Update Result
AhnLab-V3 2008.7.9.1 2008.07.09 -
AntiVir 7.8.0.64 2008.07.09 -
Authentium 5.1.0.4 2008.07.08 -
Avast 4.8.1195.0 2008.07.08 -
AVG 7.5.0.516 2008.07.08 -
BitDefender 7.2 2008.07.09 -
CAT-QuickHeal 9.50 2008.07.08 -
ClamAV 0.93.1 2008.07.09 -
DrWeb 4.44.0.09170 2008.07.09 -
eSafe 7.0.17.0 2008.07.08 -
eTrust-Vet 31.6.5939 2008.07.09 -
Ewido 4.0 2008.07.08 -
F-Prot 4.4.4.56 2008.07.08 -
F-Secure 7.60.13501.0 2008.07.08 -
Fortinet 3.14.0.0 2008.07.09 -
GData 2.0.7306.1023 2008.07.09 -
Ikarus T3.1.1.26.0 2008.07.09 -
Kaspersky 7.0.0.125 2008.07.09 -
McAfee 5334 2008.07.08 -
Microsoft 1.3704 2008.07.09 -
NOD32v2 3253 2008.07.09 -
Norman 5.80.02 2008.07.08 -
Panda 9.0.0.4 2008.07.08 -
Prevx1 V2 2008.07.09 -
Rising 20.52.12.00 2008.07.08 -
Sophos 4.31.0 2008.07.09 -
Sunbelt 3.1.1509.1 2008.07.04 VIPRE.Suspicious
Symantec 10 2008.07.09 -
TheHacker 6.2.96.374 2008.07.07 -
TrendMicro 8.700.0.1004 2008.07.09 -
VBA32 3.12.6.8 2008.07.08 -
VirusBuster 4.5.11.0 2008.07.08 -
Webwasher-Gateway 6.6.2 2008.07.09 Win32.Malware.gen (suspicious)
Additional information
File size: 1326592 bytes
MD5…: a8e7723f3a2362e2e4f041404a744e55
SHA1…: d7d42cb4cd2218355260cdc9ff4ccb94331f01c2
SHA256: 306a32f2f7dc40acea4f869a7475e8e8c0ed7c9cebd6171b5fc7ce37c5421dbe
SHA512: c50036127691048bcf6a8e2a853f7c0315fa9b03eeb5c728b3f93c2f2aa17afb9ebe961f5c09dfde9494541f65de8ffd1346c514c0e9f4a38ac97079e8995048
PEiD…: ASProtect v1.23 RC1
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp…: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype…: 0x14c (I386)

( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x17f000 0x7de00 8.00 4c05009367367932ca8feb86f2d3f68a
0x180000 0x5000 0x1e00 7.97 9940aeb32c429fa57227d6483bef71c5
0x185000 0x26000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0x1ab000 0x4000 0x3600 7.99 fb5893a879622b15fb93a81da7c672d8
0x1af000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0x1b0000 0x1000 0x200 0.18 6f3dc8ebbdb16132bf4226b696bdfcb1
0x1b1000 0x19000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x1ca000 0x6c000 0x6b200 6.86 172110038c97b8b672282f27413d6b6b
.data 0x236000 0x56000 0x55400 7.94 993ffa58a7cce88a46cc0b945d8dd3b2
.adata 0x28c000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 27 imports )

kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
user32.dll: GetKeyboardType
advapi32.dll: RegQueryValueExA
oleaut32.dll: SysFreeString
advapi32.dll: RegSetValueExW
version.dll: VerQueryValueA
gdi32.dll: UnrealizeObject
user32.dll: CreateWindowExW
ole32.dll: CLSIDFromString
oleaut32.dll: SafeArrayPtrOfIndex
ole32.dll: ReleaseStgMedium
oleaut32.dll: GetErrorInfo
comctl32.dll: ImageList_SetIconSize
shell32.dll: ShellExecuteExW
shell32.dll: SHGetSpecialFolderLocation
comdlg32.dll: GetOpenFileNameW
gdiplus.dll: GdipGetImageEncoders
winmm.dll: timeGetTime
shell32.dll: -
shfolder.dll: SHGetFolderPathW
shell32.dll: Shell_NotifyIconA
shlwapi.dll: SHDeleteKeyW
ntdll.dll: NtQuerySystemInformation
cfgmgr32.dll: CM_Request_Eject_PC
powrprof.dll: IsPwrShutdownAllowed
oleaut32.dll: VariantChangeTypeEx
kernel32.dll: RaiseException

( 0 exports )
packers (Kaspersky): PE_Patch
packers (F-Prot): Aspack

Hope I’m not butting in, but since ZoneMaster60 hadn’t posted his findings yet I thought I’d go ahead and post mine and see if his are or will be the same as mine.

Thanks
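The PEInfo block in the report above already contains most of what a triage analyst looks at when deciding whether a generic "Trojan-gen" hit is a packer false positive: per-section entropy (the ntrpy column), sections with no name and no raw data, and the linker timestamp. The following script is an added example (not part of the forum post or of VirusTotal) that parses that section table as posted and derives those indicators. The entropy threshold of 7.5 is an assumption for illustration; the MD5 of an empty input and the fact that the Borland Delphi linker stamps every executable with 0x2A425E19 (19 June 1992) are well-known constants, not values taken from the page.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime, timezone

# Section table copied from the VirusTotal PEInfo output in the post above.
# Rows with five fields have a blank section name in the report.
SECTION_TABLE = """\
0x1000 0x17f000 0x7de00 8.00 4c05009367367932ca8feb86f2d3f68a
0x180000 0x5000 0x1e00 7.97 9940aeb32c429fa57227d6483bef71c5
0x185000 0x26000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0x1ab000 0x4000 0x3600 7.99 fb5893a879622b15fb93a81da7c672d8
0x1af000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0x1b0000 0x1000 0x200 0.18 6f3dc8ebbdb16132bf4226b696bdfcb1
0x1b1000 0x19000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x1ca000 0x6c000 0x6b200 6.86 172110038c97b8b672282f27413d6b6b
.data 0x236000 0x56000 0x55400 7.94 993ffa58a7cce88a46cc0b945d8dd3b2
.adata 0x28c000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
"""

# timedatestamp from the "( base data )" block of the same report.
TIMEDATESTAMP = 0x2A425E19

# Assumed threshold (not from the page): near 8 bits/byte means compressed
# or encrypted content, which is what a runtime packer such as ASProtect produces.
PACKED_ENTROPY = 7.5
# MD5 of zero bytes: a section with raw size 0 must hash to this.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
# Well-known constant the Borland Delphi linker writes as the PE timestamp.
DELPHI_TIMESTAMP = 0x2A425E19


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant data) to 8.0 (uniform); the report's ntrpy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(table: str) -> list:
    """Turn the space-separated PEInfo rows into dicts with numeric fields."""
    rows = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) == 5:      # unnamed section: name column is empty
            fields.insert(0, "")
        name, va, vsize, rawsize, ntrpy, md5 = fields
        rows.append({
            "name": name,
            "virtual_addr": int(va, 16),
            "virtual_size": int(vsize, 16),
            "raw_size": int(rawsize, 16),
            "entropy": float(ntrpy),
            "md5": md5,
        })
    return rows


def triage(sections: list, timestamp: int) -> dict:
    """Summarise the packer indicators visible in a PEInfo dump."""
    packed = [s for s in sections if s["raw_size"] > 0 and s["entropy"] >= PACKED_ENTROPY]
    unnamed = [s for s in sections if not s["name"]]
    empty = [s for s in sections if s["raw_size"] == 0]
    # Sections with no raw bytes but a large virtual size are where a packer
    # unpacks code at runtime; their hash must be the hash of nothing.
    empty_hashes_consistent = all(s["md5"] == EMPTY_MD5 for s in empty)
    return {
        "packed_sections": len(packed),
        "unnamed_sections": len(unnamed),
        "empty_raw_sections": len(empty),
        "empty_hashes_consistent": empty_hashes_consistent,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S"),
        "delphi_timestamp": timestamp == DELPHI_TIMESTAMP,
    }


if __name__ == "__main__":
    result = triage(parse_sections(SECTION_TABLE), TIMEDATESTAMP)
    for key, value in result.items():
        print(f"{key:25} {value}")
    # Reference points for the entropy scale used in the ntrpy column.
    print("entropy(random bytes)    ", shannon_entropy(bytes(range(256)) * 16))
    print("entropy(all zero)        ", shannon_entropy(bytes(0x200)))
```

Run against the posted table, the script reports four sections at packer-level entropy, seven unnamed sections, four sections with no raw data whose MD5 is exactly the empty-input hash, and a 1992 timestamp that is the Delphi linker constant rather than a real build date. None of that proves the file is clean, but it explains why heuristic engines flag it and points the analyst toward the packer rather than toward the program's own behaviour.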

It would appear to be an FP (although avast isn’t detecting it on VT, that isn’t unusual as it is not updated in real time like a user's system is), so first ensure you have the latest VPS update and scan the file again.

If it is still detected, it needs further analysis, so report it to avast and exclude the file from scanning; see the how to report it to avast! link above.