Win32:DH fp?

Hello,

Avast found a virus called “win32:DH” (rated high) on 15/02/17, I had not noticed this, it was not automatically moved or dealt with, so has only manually been put in the chest today. The subsequent quick scans (16th-20th, daily) have all been fine.

Searched this forum and found a German thread, which seemed to list a similar thing as a false positive. I am, however, relying on my rather poor German and Google translation…

The file the virus is associated with looks like an old Malwarebytes setup file, last changed in 2015, which seems a bit odd? I’ve checked my Malwarebytes log and the two programs were not running at the same time; as I understand it, they might clash? My computer was recently serviced, so it’s unlikely there would be malware from that long ago, unless I’m misunderstanding the “last changed” column.

Ran Malwarebytes normally, then in safe mode; nothing detected. Boot-time scan with Avast running, at 4%; this may take some time to complete.

After that I will do a full scan with Avast; this will probably take a few hours to complete.

CPU around 2-10% when idle (normal for my system)
Memory around 13%, again this is normal

I struggled to find information for win32:DH; there was some for win32/DH and various versions, which might be the same sort of thing?

I’m tempted to change login details, passwords etc., and I have used a debit card online in the past few days, so may need to contact my bank? Although I have seen no odd activity as yet.

I’ve disconnected my laptop to be on the safe side; writing this from a tablet.

I’m somewhat computer literate, but obviously not totally on the ball. Any insights or advice would be greatly appreciated :slight_smile:

Submit the file to VirusTotal and post the link to the result here.

Boot-time scan with Avast running, at 4%; this may take some time to complete.

After that I will do a full scan with Avast; this will probably take a few hours to complete.

Why run both, and why run a boot-time scan? It does not give any better detection.
A boot-time scan is something you use if you have problems removing an infection, or if Avast itself recommends it after a detection.

A quick scan targets all areas where actively running malware would be.

Thanks for the reply, I’ve been googling how to upload the file. I’m guessing I need to extract it from the chest or restore it, then just upload it to VirusTotal? Sorry if this is a stupid question.

I ran multiple scans because the info I found said the file was a self-replicating trojan; my thinking being it might have copied itself. Whether there is any merit in this, I don’t know.

Also, as you have probably noticed I don’t know an awful lot about dealing with potential viruses!

Again, thanks for getting back to me guys, I know noob questions must be a pain.

That’s what we do. If you don’t ask you may not ever find out.
If you have the time, we have the patience.
The only “bad” question is the one not asked.

Thanks for the reply, I've been googling how to upload the file. I'm guessing I need to extract it from the chest or restore it, then just upload it to VirusTotal? Sorry if this is a stupid question.
Correct, and if you see it was scanned before, click rescan for a fresh result.

Cheers, file restored and uploaded:

https://www.virustotal.com/en/file/78f6a591bb8d384209a1011ced4c40c28877f7df1e5ccdaba62e0f6c2aa36659/analysis/

Malwarebytes is happy with the file, Avast flags it; don’t know if this is relevant.

Any confirmation or input would be most excellent

First submission 2015-04-16 15:41:48 UTC ( 1 year, 10 months ago )

Authenticode signature block and FileVersionInfo properties
Copyright(c) Malwarebytes Corporation. All rights reserved.
Product Malwarebytes Anti-Malware
File version 2.1.6.1022
Description Malwarebytes Anti-Malware
Comments This installation was built with Inno Setup.
Signature verification Signed file, verified signature
Signing date 6:40 PM 4/14/2015
Signers
[+] Malwarebytes Corporation
[+] VeriSign Class 3 Code Signing 2010 CA
[+] VeriSign
Counter signers
[+] Symantec Time Stamping Services Signer - G4
[+] Symantec Time Stamping Services CA - G2
[+] Thawte Timestamping CA

So a false positive.

Not important in this case, but you did not do the rescan as I suggested above.
Analysis date: 2017-02-20 00:33:21 UTC ( 18 hours, 22 minutes ago )

Phew, was in panic mode earlier.

Massive thanks for helping out, I really appreciate it :slight_smile:

I suppose a lot of folk you give advice to will fade into the ether without acknowledging you guys’ assistance, which must be somewhat disheartening. So just want to say thanks again and keep up the great work! 8)

You’re welcome.

Have notified Avast so they can fix the FP :wink:

This detection is more of a heuristic. I have seen it with AVG, so it may be that.

Probably an FP.

Don’t worry it just means they are looking out for you 8)

Looks like an FP that was in AVG and has now been transferred to Avast due to the merging of the databases.

I can confirm that file has clean status now.

On top of getting SLAMMED with VBS:Malware-gen false positives yesterday, I also had 8 of my 12 archived versions of Malwarebytes (mbam-setup-xxxxx), which Avast has scanned a jillion times and always found clean, suddenly get thrown out of the blue into the Avast Virus Vault, allegedly infected with Win32:DH.

I scanned one of my allegedly infected files. I would like to know what Downloader.Generic.gga is.

SHA256: 290bb5d83b8ed16ea339f355ec3df890b43b24ff415ebe02a062ae60954a1373
File name: mbam-setup-1.65.0.1400.exe
Detection ratio: 1 / 55
Analysis date: 2017-02-22 15:45:15 UTC ( 1 minute ago )
Probably harmless! There are strong indicators suggesting that this file is safe to use.

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright© Malwarebytes Corporation. All rights reserved.
Product Malwarebytes Anti-Malware
File version 1.65.0.1400
Description Malwarebytes Anti-Malware
Comments This installation was built with Inno Setup.
Signature verification Signed file, verified signature
Signing date 10:04 PM 9/7/2012
Signers
[+] Malwarebytes Corporation
[+] VeriSign Class 3 Code Signing 2010 CA
[+] VeriSign
Counter signers
[+] COMODO Time Stamping Signer
[+] USERTrust (Code Signing)
Packers identified
F-PROT INNO, appended
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17
Entry Point 0x00009C40
Number of sections 8

====================
ExifTool file metadata
UninitializedDataSize: 0
Comments: This installation was built with Inno Setup.
LinkerVersion: 2.25
ImageVersion: 6.0
FileSubtype: 0
FileVersionNumber: 1.65.0.1400
LanguageCode: Neutral
FileFlagsMask: 0x003f
CharacterSet: Unicode
InitializedDataSize: 17920
EntryPoint: 0x9c40
MIMEType: application/octet-stream
LegalCopyright: Malwarebytes Corporation. All rights reserved.
FileVersion: 1.65.0.1400
TimeStamp: 1992:06:19 23:22:17+01:00
FileType: Win32 EXE
PEType: PE32
SubsystemVersion: 4.0
ProductVersion: 1.65.0.1400
FileDescription: Malwarebytes Anti-Malware
OSVersion: 1.0
FileOS: Win32
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: Malwarebytes Corporation
CodeSize: 37888
ProductName: Malwarebytes Anti-Malware
ProductVersionNumber: 1.65.0.1400
FileTypeExtension: exe
ObjectFileType: Executable application

I did a quick scan tonight and had to cancel it at 38 percent as it was taking forever; however, when it stopped after cancelling, it brought up this file virus, Win32:DH-A1, named as Updatedownloader.exe. It was found in C:\Windows\System32\Codecs.

I’ve put it in the virus chest, should I restore it?

The file properties show the category as Infected files.

I've put it in the virus chest, should I restore it?
You can always check file(s) at VirusTotal and find out.

Would I not need to restore it first to send them the file?

Just tested the file with VirusTotal and it appears to be a safe file after all, so thanks for the heads up on VirusTotal.

Got hit with the win32:DH-1 tonight. SYMPTOMS: 50 percent increase of RAM, causing PC to run slow. Could NOT: open apps, run End Task, scan with Avast or Malwarebytes. Skd boot scan but sys would not shut down. ACTION: disconnect Ethernet, hard shut down. Cold boot to Safe Mode. Still couldn’t scan. Reboot thinking I’d try a restore point. On normal boot the boot scan ran, finding 3 Win32:DH-A1 High Threats. Avast action set to fix auto (repair, or delete if it can’t repair). All 3 are in Chest. System running smoothly.