W32:Malware-gen showing on scan - maybe Murlo downloader

Back again,

I did a scan tonight and got W32:Malware-gen showing.
This time I sent the file to VirusTotal and got the following listing.

The file is part of Worms-3D which I have had loaded for several years.

I would appreciate any help please.

Ken turbine

Edited to add info:
The file is launcher.exe from Worms-3D,
detected in its natural folder and in a restore file.

system:
bespoke setup
AMD processor
Win XP home SP3
avast
Spybot S&D

File Launcher.exe received on 2010.02.23 16:02:51 (UTC)
Current status: finished
Result: 10/41 (24.39%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.23 Trojan-Downloader.Murlo!IK
AhnLab-V3 5.0.0.2 2010.02.23 -
AntiVir 8.2.1.172 2010.02.23 TR/Dldr.Murlo.ets
Antiy-AVL 2.0.3.7 2010.02.23 Trojan/Win32.Murlo.gen
Authentium 5.2.0.5 2010.02.23 -
Avast 4.8.1351.0 2010.02.23 -
AVG 9.0.0.730 2010.02.23 -
BitDefender 7.2 2010.02.23 -
CAT-QuickHeal 10.00 2010.02.23 TrojanDownloader.Murlo.dyz
ClamAV 0.96.0.0-git 2010.02.23 -
Comodo 4036 2010.02.23 -
DrWeb 5.0.1.12222 2010.02.23 -
eSafe 7.0.17.0 2010.02.23 Win32.TRDldr.Murlo.E
eTrust-Vet 35.2.7323 2010.02.23 -
F-Prot 4.5.1.85 2010.02.22 -
F-Secure 9.0.15370.0 2010.02.23 -
Fortinet 4.0.14.0 2010.02.21 -
GData 19 2010.02.23 -
Ikarus T3.1.1.80.0 2010.02.23 Trojan-Downloader.Murlo
Jiangmin 13.0.900 2010.02.23 -
K7AntiVirus 7.10.980 2010.02.22 -
Kaspersky 7.0.0.125 2010.02.23 Trojan-Downloader.Win32.Murlo.exq
McAfee 5900 2010.02.22 -
McAfee+Artemis 5900 2010.02.22 Artemis!39A2D3F7BB9A
McAfee-GW-Edition 6.8.5 2010.02.23 Trojan.Dldr.Murlo.ets
Microsoft 1.5406 2010.02.23 -
NOD32 4890 2010.02.23 -
Norman 6.04.08 2010.02.23 -
nProtect 2009.1.8.0 2010.02.23 -
Panda 10.0.2.2 2010.02.22 -
PCTools 7.0.3.5 2010.02.23 -
Prevx 3.0 2010.02.23 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.23 -
Sunbelt 5694 2010.02.23 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.02.23 -
TheHacker 6.5.1.6.206 2010.02.23 -
TrendMicro 9.120.0.1004 2010.02.23 -
VBA32 3.12.12.2 2010.02.23 -
ViRobot 2010.2.23.2198 2010.02.23 -
VirusBuster 5.0.27.0 2010.02.23 -
Additional information
File size: 389120 bytes
MD5 : 39a2d3f7bb9a64705ef00bc5e819106d
SHA1 : 68261115f2202cb4784f4efa15da581f39ce5076
SHA256: 4c7a745e15c1ba34285b06f89ca16320612b16bc63983078eab9589cde3d2db5
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xF132
timedatestamp…: 0x3F7C4147 (Thu Oct 2 17:16:23 2003)
machinetype…: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x28DEE 0x29000 6.61 fa5aa9d4018980e8251a06c414001b3b
.rdata 0x2A000 0xAC62 0xB000 4.93 11c9b0499088a4c97e3f27dadc76cc51
.data 0x35000 0x5994 0x3000 3.41 d4da59d64b9c024b2b9c1bdd4996fb94
.rsrc 0x3B000 0x26080 0x27000 6.66 915a2dcbc31b99155afc7dcdcc618869

( 11 imports )

advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyA, RegOpenKeyA, RegQueryValueA, RegCreateKeyExA, RegSetValueExA, RegCloseKey
comctl32.dll: -
comdlg32.dll: GetFileTitleA
gdi32.dll: GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetStockObject, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, TextOutA, RectVisible, GetMapMode, CreateBitmap, GetWindowExtEx, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, ExtTextOutA, GetObjectA, SetBkColor, SetTextColor, GetClipBox, GetDeviceCaps, PtVisible
kernel32.dll: VirtualAlloc, GetSystemInfo, VirtualQuery, GetStartupInfoA, GetCommandLineA, ExitProcess, TerminateProcess, HeapReAlloc, HeapSize, LCMapStringA, LCMapStringW, SetUnhandledExceptionFilter, SetEnvironmentVariableA, SetEnvironmentVariableW, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, VirtualProtect, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, SetStdHandle, GetExitCodeProcess, CreateProcessA, HeapFree, HeapAlloc, RtlUnwind, GetTickCount, GetFileTime, GetFileAttributesA, FileTimeToLocalFileTime, SetErrorMode, FileTimeToSystemTime, GetOEMCP, GetCPInfo, CreateFileA, GetFullPathNameA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, DeleteCriticalSection, InitializeCriticalSection, RaiseException, GlobalFlags, InterlockedIncrement, GetCurrentDirectoryA, WritePrivateProfileStringA, InterlockedDecrement, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, FreeResource, SetLastError, GlobalFree, MulDiv, GlobalUnlock, FormatMessageA, lstrcpynA, LocalFree, WaitForSingleObject, CloseHandle, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, GlobalLock, GlobalAlloc, FreeLibrary, GlobalDeleteAtom, lstrcmpA, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, LoadLibraryA, CompareStringW, CompareStringA, lstrlenA, lstrcmpiA, GetVersion, GetLastError, MultiByteToWideChar, WideCharToMultiByte, GetLogicalDrives, GetDriveTypeA, GetVolumeInformationA, FindResourceA, LoadResource, LockResource, SizeofResource, GetSystemDefaultLCID, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, GetEnvironmentStrings, InterlockedExchange
ole32.dll: CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, CoTaskMemFree, OleUninitialize, CoFreeUnusedLibraries, CoRegisterMessageFilter, OleFlushClipboard, OleIsCurrentClipboard, CoRevokeClassObject, CoTaskMemAlloc, OleInitialize
oleaut32.dll: -, -, -, -, -, -, -, -, -, -, -, -
oledlg.dll: -
shlwapi.dll: PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
user32.dll: PostThreadMessageA, MessageBeep, GetNextDlgGroupItem, InvalidateRgn, InvalidateRect, CopyAcceleratorTableA, SetRect, IsRectEmpty, CharNextA, GetSysColorBrush, ReleaseCapture, LoadCursorA, SetCapture, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, wsprintfA, DestroyMenu, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, SetFocus, IsChild, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, RegisterClipboardFormatA, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSysColor, AdjustWindowRectEx, EqualRect, GetClassInfoA, RegisterClassA, UnregisterClassA, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, DrawIcon, AppendMenuA, SendMessageA, GetSystemMenu, IsIconic, GetClientRect, EnableWindow, LoadIconA, GetSystemMetrics, EnumDisplaySettingsA, CharUpperA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, CopyRect, PtInRect, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, GetMenuItemID, GetMenuItemCount, GetSubMenu, SetMenuItemBitmaps, GetFocus, PostMessageA, PostQuitMessage, SetCursor, IsWindowEnabled, GetLastActivePopup, GetWindowLongA, GetParent, MessageBoxA, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, SetWindowsHookExA, LoadBitmapA, GetMenuCheckMarkDimensions, CheckMenuItem, EnableMenuItem, GetMenuState, ModifyMenuA
winspool.drv: OpenPrinterA, DocumentPropertiesA, ClosePrinter

( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 6144:+OlRzkvXYrYNip47mxAGElRS60U1P3tuOLy5h29f0:+wWvXYrfmSxAGsY6nP8eIhE0
sigcheck: publisher…: Team17 Software Ltd
copyright…: Copyright (C) 2003 Team17 Ltd
product…: Launcher Application
description…: Worms3D Launcher Application
original name: Launcher.EXE
internal name: Launcher
file version.: 1, 0, 0, 1
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
PEiD : -
RDS : NSRL Reference Data Set

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
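A small triage helper for a listing in the layout pasted above, added here as an example and not part of the original post. When a multi-engine report comes back with a low ratio, the first thing to weigh is how many of the hits carry a named family (Murlo) versus a generic or heuristic label (Artemis, Generic, a .gen suffix), and which engines stayed silent. The script parses lines of the form `<engine> <version> <yyyy.mm.dd> <result>`, counts detections, and splits the labels that way; the sample listing is a constructed subset of the thread's lines. Fed the full listing above, the ratio it computes is the report's own 10/41 (24.39%).

```python
"""Triage helper for a pasted VirusTotal engine listing.

Added example, not part of the original forum post. It parses lines in the
'<engine> <version> <yyyy.mm.dd> <result>' layout shown in the thread, counts
how many engines flagged the file, and separates named-family labels (Murlo)
from generic or heuristic ones (Artemis, Generic, .gen), which is the first
thing to look at when weighing a possible false positive.
"""
import re
from collections import Counter

# Constructed sample: a subset of the engine lines pasted in the thread.
SAMPLE_LISTING = """\
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.23 Trojan-Downloader.Murlo!IK
AhnLab-V3 5.0.0.2 2010.02.23 -
AntiVir 8.2.1.172 2010.02.23 TR/Dldr.Murlo.ets
Antiy-AVL 2.0.3.7 2010.02.23 Trojan/Win32.Murlo.gen
Avast 4.8.1351.0 2010.02.23 -
Kaspersky 7.0.0.125 2010.02.23 Trojan-Downloader.Win32.Murlo.exq
McAfee+Artemis 5900 2010.02.22 Artemis!39A2D3F7BB9A
Microsoft 1.5406 2010.02.23 -
Sunbelt 5694 2010.02.23 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.02.23 -
"""

# engine, version, last-update date, result ('-' means no detection);
# the header line does not match because its third field is not a date
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# Tokens that mark a label as heuristic or generic rather than a named family.
HEURISTIC_TOKENS = {"generic", "artemis", "gen", "heur", "suspicious"}

# Classifier words that are not family names.
STOP_WORDS = {"trojan", "downloader", "trojandownloader", "dldr", "malware",
              "virus", "worm"} | HEURISTIC_TOKENS


def tokens(label):
    """Split a detection label into its alphanumeric tokens."""
    return [t for t in re.split(r"[^A-Za-z0-9]+", label) if t]


def parse_listing(text):
    """Return one dict per engine line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        engine, version, updated, result = m.groups()
        rows.append({"engine": engine, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows


def is_heuristic(label):
    return any(t.lower() in HEURISTIC_TOKENS for t in tokens(label))


def family_names(label):
    """Alphabetic tokens of four or more letters that are not classifier words."""
    return {t for t in tokens(label)
            if t.isalpha() and len(t) >= 4 and t.lower() not in STOP_WORDS}


def summarize(rows):
    """Detection count and ratio, heuristic-label count, family tallies."""
    detections = [r for r in rows if r["result"]]
    families = Counter()
    heuristic = 0
    for r in detections:
        if is_heuristic(r["result"]):
            heuristic += 1
        families.update(family_names(r["result"]))
    return {
        "engines": len(rows),
        "detections": len(detections),
        "ratio": round(100.0 * len(detections) / len(rows), 2) if rows else 0.0,
        "heuristic": heuristic,
        "families": dict(families),
        "flagged_by": [r["engine"] for r in detections],
    }


if __name__ == "__main__":
    summary = summarize(parse_listing(SAMPLE_LISTING))
    print(f"{summary['detections']}/{summary['engines']} ({summary['ratio']}%)")
    print("named families:", summary["families"])
    print("heuristic/generic labels:", summary["heuristic"])
    print("flagged by:", ", ".join(summary["flagged_by"]))
```

The family heuristic is deliberately simple (it keeps alphabetic tokens of four or more letters that are not classifier words), so on an unfamiliar naming scheme check its output by eye; the point is to see at a glance that most hits here agree on one family name while the rest are generic labels, and that the installed product is among the engines that did not flag the file.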

Send this file to virus(at)avast(dot)com

  • subject: virus report etc.
  • attach zip (password protected)
  • put the password in the e-mail content, for example: password: xx xx

hpguru
Sorry to be pedantic, but I do not want to make any mistakes.

You wish me to put the ‘infected’ file into a password-protected zip file,
then e-mail it to the address given, in an e-mail which also has the password.
Is this correct?

Ken turbine

If I understand you correctly, you want to know why avast doesn’t find a virus that the VirusTotal service does. If so, please send the virus, following the above instructions, to avast for laboratory testing.

Yes, this is correct.

Hi ken_turbine,

The malware can be cured with SAS (SuperAntiSpyware); use it and it will find spyware and trojans that all the others miss or are unable to clean.
Download from: http://www.superantispyware.com

Another anti-malware scanner that removes this is MBAM, download from:
http://www.malwarebytes.org/mbam-download.php

polonus

Polonus,
I have downloaded SAS, but it has not gone to the normal place my downloads go to (a ‘Downloads’ folder). Any ideas where it will have gone, and if I cannot find it, is it OK to download again?

Ken

Found it. I was looking for a new folder, not a straight file. Doh!

Did you try checking the web browser options or Windows search?

I restored the file from the Virus Chest (my first reaction to any warning is to put it in the chest and then find out about it). I have run SAS and it has come up clean apart from fixing five tracker cookies.
I am puzzled: is this a possible false positive, or did SAS identify the trojan as a tracker and eliminate it?

Ken turbine ???

In my opinion you should try Malwarebytes’ Anti-Malware. Remember to update the database first. A false positive is possible; I recommend you send this file to the Alwil virus lab.

hpguru
I have now also run a Malwarebytes scan and the log is posted below. As I understand it, MWB found a couple of bad Registry entries, but no infected files. Should I now submit the file as a potential false positive? If so, is the Windows ‘Compressed folder’ sufficient or will I need to activate Winzip?

Regards,
Ken

Malwarebytes’ Anti-Malware 1.44
Database version: 3796
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

26/02/2010 21:58:19
mbam-log-2010-02-26 (21-58-19).txt

Scan type: Quick Scan
Objects scanned: 116777
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Maybe. You make avast better if you send the lab a virus that avast does not detect properly.

To zip, you may try the free IZarc. http://www.izarc.org/

I have attempted to send the file in a zip as recommended, but have had trouble getting the file to zip up.

Ken turbine

Try free IZarc?

Having monitor problems, so will keep this quick.
New signatures scan clear for MBAM and Avast.
Many thanks to everyone who helped.

hpguru,
I used IZarc with good results.

I have still got monitor probs, so will quit now.

Thanks, Ken

You’re welcome!

As my monitor appears to have stabilised now, I thought I would give a fuller résumé.

After getting MBAM and SAS to go through without picking up anything directly related to the infected file, I zipped the file using IZarc. My worry was that it compressed from 350 KB down to 2 KB for transmission. I e-mailed this and then went to bed.
With a clear head in the morning, I restored the ‘infected’ file, did a deep scan with MBAM which was clear, and then updated Avast and did a full scan with Avast with the new signatures. This was clear on all counts. I tidied up the Chest and started to say thanks. At this point the deuced monitor started to play up and switch off (either the video card or the monitor must have become overheated after such a long workout).

So once again a heartfelt thanks to all involved.
Ken
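Two points in this thread invite a check before a sample goes to a vendor lab: hpguru's instruction to send the file in a zip, and Ken's worry that the archive shrank from 350 KB to 2 KB. The compressed size says nothing by itself; what matters is that the archive's entry records the file's full uncompressed size and CRC, and that the hashes quoted in the report are really the file's own. The following script, added here as an example rather than anything from the thread or from the tools it mentions, hashes a sample, compares the digests against the VirusTotal report's values, builds an archive, and verifies the entry by size, CRC and re-hashing. The sample bytes are constructed (a near-empty buffer of the report's 389120-byte length), which is exactly why they compress to a few hundred bytes and why their digests will not match the report; Python's zipfile writes unencrypted archives only, so the password step stays with the archiver and the verifier is run against the archive the archiver produced.

```python
"""Pre-submission checks for a suspected false positive.

Added example, not from the original thread. Before e-mailing a sample to a
vendor lab, confirm (a) the hashes you quote agree with the multi-engine
report, and (b) the archive really holds the whole file, whatever its
compressed size. zipfile cannot write password-protected archives, so the
password step is left to the archiver; verify_archive() inspects whatever
archive you hand it.
"""
import hashlib
import io
import zipfile
import zlib

# Constructed stand-in for the sample: the report's file size, but almost all
# zero bytes, so it compresses to a tiny archive (the effect the thread saw
# when 350 KB became 2 KB). This is NOT the real launcher.
SAMPLE_NAME = "Launcher.exe"
SAMPLE_BYTES = b"MZ" + b"\x00" * 389118  # 389120 bytes in total

# Digests quoted in the VirusTotal report pasted in the thread.
REPORT_HASHES = {
    "md5": "39a2d3f7bb9a64705ef00bc5e819106d",
    "sha1": "68261115f2202cb4784f4efa15da581f39ce5076",
    "sha256": "4c7a745e15c1ba34285b06f89ca16320612b16bc63983078eab9589cde3d2db5",
}


def digests(data):
    """MD5, SHA-1 and SHA-256 of the bytes, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def compare_to_report(data, report):
    """Return the set of algorithms whose digest differs from the report."""
    mine = digests(data)
    return {algo for algo, expected in report.items()
            if mine[algo] != expected.lower()}


def build_archive(name, data):
    """Deflate-compressed zip holding one entry, returned as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def verify_archive(archive_bytes, name, original):
    """Check that the entry `name` holds all of `original`.

    Uses the central-directory sizes and CRC, then extracts and re-hashes,
    so a truncated or substituted entry fails even if the sizes agree.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        info = zf.getinfo(name)
        extracted = zf.read(name)
    return {
        "compressed_size": info.compress_size,
        "file_size": info.file_size,
        "size_ok": info.file_size == len(original),
        "crc_ok": info.CRC == (zlib.crc32(original) & 0xFFFFFFFF),
        "hash_ok": (hashlib.sha256(extracted).hexdigest()
                    == hashlib.sha256(original).hexdigest()),
    }


if __name__ == "__main__":
    for algo, value in digests(SAMPLE_BYTES).items():
        print(f"{algo:6} {value}")
    print("differs from report:", sorted(compare_to_report(SAMPLE_BYTES, REPORT_HASHES)))
    archive = build_archive(SAMPLE_NAME, SAMPLE_BYTES)
    result = verify_archive(archive, SAMPLE_NAME, SAMPLE_BYTES)
    print(f"{result['file_size']} bytes stored as {result['compressed_size']} bytes;"
          f" size_ok={result['size_ok']} crc_ok={result['crc_ok']} hash_ok={result['hash_ok']}")
```

To use it on a real archive, read the zip file from disk and the original file's bytes, then call verify_archive(); a report of size_ok, crc_ok and hash_ok all true means the lab will receive the same bytes the scanner flagged, however small the zip looks.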