I just purchased some software from a reputable seller online. Avast immediately alerted me to the Win32: Agent-ONZ virus. I contacted the seller (who was thankfully IMMED available). He’s stumped. He has sent me 3 different links for the product, having scanned them with his own anti-virus software and he’s not finding the virus. And he says none of his other customers have had this problem.
The virus is in an add-on bit of software to the main product. Since Avast quarantined it to the chest, I won’t be able to use that bit of software, but the rest of the program is running fine.
The seller has vowed to keep looking into this. I have come here to try and do my part at sorting out this mystery. So, my question is… how come Avast is finding it and the seller’s scan does not? Does it really exist in the program files?
What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.
Suspect: Upload the file/s to VirusTotal, Send a sample to avast if multiple detections at VT.
Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic. You can’t do this with the file in the chest, you will need to move it out.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.
If it is indeed a false positive, add it to the exclusions lists: Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions.
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
After having completed the steps listed, here are my results:
The suspected file is:
C:\DOCUMENTS & SETTINGS\OWNER\LOCAL~1\Temp\easyebook_1198452954\SearchPhraseCustomizer.exe
I zipped and password protected it and sent it to virus@avast.com as instructed.
Then I tried running it through VirusTotal. When I send the SearchPhraseCustomizer.exe from the Suspect folder on C, I get an error message that says 0 bytes were transmitted. But the file in the folder is 180kb and it IS in the folder. Still, I can’t seem to upload it to VirusTotal.
So I tried uploading the zipped version. VirusTotal went through its paces and all but one gave no results whatsoever. The only one that reacted said “Password protected file”.
I have no idea if VirusTotal got an accurate reading.
So… now I’m just waiting on virus@avast.com to reply? Is that right?
It’s unlikely you will get a reply from avast, unless they need more info.
Can you try to make an unprotected zip and submit that to VT? I suspect you may get the same 0 bytes results but it is worth a try. You may also get a proper upload.
If you got a 0 bytes result from VT, did you comply with the bold text about moving the file out of the chest? That is the most common cause of the 0 byte file size.
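A small pre-upload check covering the export-from-chest steps above and the "0 bytes received" symptom, added here as an example and not something posted in the original thread or shipped by avast. It assumes you have already exported the suspect file to an excluded folder such as C:\Suspect; the sample bytes, file names and temp folder it uses are constructed for the demo. Before sending anything to VirusTotal it confirms the file can actually be read and is not a zero-length leftover, records its hashes so the same sample can be looked up by hash later, and packs it into a plain zip for upload.

```python
"""Pre-upload triage for a file exported from the avast chest (constructed example).

Checks that the exported file is readable and non-empty (the usual cause of
VirusTotal reporting "0 bytes received"), records its hashes, and packs it in a
plain zip for upload. All paths and sample bytes below are made up.
"""
import hashlib
import os
import tempfile
import zipfile

# Constructed stand-in for a Windows executable: real PE files begin with "MZ".
SAMPLE_BYTES = b"MZ" + b"\x90" * 62 + b"constructed-sample-not-a-real-binary"


def triage_bytes(name, data):
    """Return a triage report for in-memory file contents."""
    return {
        "name": name,
        "size": len(data),
        "looks_like_pe": data[:2] == b"MZ",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        # A zero-length file is what you get when the export from the chest
        # did not really happen; there is nothing useful to upload.
        "ready_to_upload": len(data) > 0,
        "error": None,
    }


def triage_file(path):
    """Read a file from disk and triage it; report read failures instead of raising."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:  # e.g. permission denied, or the shield still blocking access
        return {"name": os.path.basename(path), "size": 0, "looks_like_pe": False,
                "md5": None, "sha1": None, "sha256": None,
                "ready_to_upload": False, "error": str(exc)}
    return triage_bytes(os.path.basename(path), data)


def make_submission_zip(path, zip_path):
    """Pack the sample into a plain (unencrypted) zip for VirusTotal.

    The standard library cannot write password-protected archives, so the
    encrypted zip for the virus@avast.com mailbox still needs a tool such as 7-Zip.
    """
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(path, arcname=os.path.basename(path))
    return os.path.getsize(zip_path) > 0


def demo():
    """Write one empty and one constructed sample into a temp folder and triage both."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "SearchPhraseCustomizer.exe")  # 0-byte leftover
        good = os.path.join(tmp, "sample.exe")
        open(empty, "wb").close()
        with open(good, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        empty_report = triage_file(empty)
        good_report = triage_file(good)
        zipped = make_submission_zip(good, os.path.join(tmp, "sample.zip"))
        missing = triage_file(os.path.join(tmp, "does-not-exist.exe"))
    return empty_report, good_report, zipped, missing


if __name__ == "__main__":
    for rep in demo()[:2]:
        print(rep["name"], rep["size"], "bytes, ready:", rep["ready_to_upload"], rep["sha256"])
```

Run it against the real exported file with triage_file(r"C:\Suspect\SearchPhraseCustomizer.exe"): a report with size 0 or a permissions error means the export did not work and the upload will show 0 bytes again, while a non-empty report gives you the SHA-256 to quote in the topic or in the mail to avast.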
Yes, I moved it out of the chest, placed it in a file I labeled Suspect on the C drive. I followed the instructions given above. The error message said 0 bytes received, then it repeated the message in Spanish.
I’m going now to try and upload an unprotected zip. BRB
I tried sending the file to VirusTotal completely unzipped. Same result, 0 bytes.
As mentioned earlier, the suspect file is an ADD-ON element to the main product and is not necessary to run the main product. So I tried sending the whole package to VirusTotal.
Avast and Panda are the only two that reacted with results.
Avast: Win32: Agent-ONZ
Panda: Suspicious File
The rest of them had no results.
I’ve certainly learned something new with all of this. Apparently there’s something called a false positive (something I knew nothing about before). Can I assume that’s what this is?
Is there anything more I can do to try to figure out why this is happening?
David and oldman, thank you so much for your input. I really appreciate it!
Can you copy it to your desktop?
If not, maybe you have access rights problems. You may be able to handle this file in Safe Mode. Anyway, take care to not execute them in Safe Mode (double clicking).
Yeah, false positives… that’s why deleting a file is not a good first choice. You run out of options.
This one is starting to look like one.
You can either follow DavidR’s advice about restoring and excluding the file from being scanned. Or, as you said it wasn’t necessary for running the program, wait a few days and then right click the file and choose scan.
The 0 bytes uploaded always makes me suspicious, but that’s just me.
edit to add: Tech you’re right the temp folder is a strange place for the file.
After reading your replies (THANKS GUYS! I CAN’T TELL YOU HOW MUCH I APPRECIATE THIS HELP!!!), I went and looked in the LOCAL\TEMP\easyebook folder. Avast alerted, of course, and I chose No Action. I attempted to execute SearchPhraseCustomizer and guess what error message I got?
“Windows cannot access the specified file. You may not have the appropriate permissions to access.”
If we’re talking about permissions on this computer, I have full Admin access. So… what permissions is it talking about? Should I contact the product seller and ask about this?