Win32: Pakes: CH (trj)

Hi,
I have a relatively new WinXP PC and noticed it running strangely. I ran a manual scan. Avast picked up this Trojan virus in the Google video program of all things! Does anyone have a clue on why this would be in there?

Avast successfully transferred to chest, and I deleted it from there, no prob… Thanks Avast!

But, why didn’t the active monitoring pick this up? I would have downloaded Google Video Client months ago. I run automatic updates and it runs in the background from start up.

Thanks

Bohawk
Christchurch
New Zealand

Hi Bohawk,

Consider the contents of this thread:
http://forum.hijackthis.de/showthread.php?t=8657

polonus

Hi Polonus,
Thanks for the quick reply… and the link.
Sorry, but I really don’t understand the context of that link.

Avast caught the virus, and it’s been deleted. Is that not enough? That link thread doesn’t specifically refer to this virus name either.

What do I need to do to check further?

Thanks-
Bohawk

Looks like the same problem…

http://forum.avast.com/index.php?topic=23059.0

So, very likely this might have been a false positive?

I deleted it anyway, and am running the free online ewido anti spyware program just to make sure.

I too would have downloaded Google player from their site.

Will be fixed in the next VPS update.

Without putting words into polonus’s mouth, I believe because you mentioned google there are lots of Hosts entries relating to google in that link. What that is doing is redirecting any google url to another site ‘69.31.81.22’

However, it is unrelated to your issue with a false positive detection, so I think polonus misread your post.

For the future, deletion isn’t a good first option (you have none left), send it to the chest and investigate. From the chest it can be restored, deleted later as required.

Thanks everyone.

Cheers-
Bohawk

Hello, I also got the Win32 Pakes - CH (trj) in Aworld.exe and it removed both my Activeworlds and also Stage Coach Island. These are the only two programs that it affected, so my guess is that it may have caught something AW was doing. I have read up on this Win32 Pakes and it seems to be pretty malicious. Yes, I have had some problems, and the funny part… this will really get to you. I have an older installer that requires AW updates; the program works on install of this one and after the first update. After the first, the second update is where the Win32 Pakes comes in. Seems they have written it into the code of these updates and apparently they use it to spy on users in AW.

http://img.photobucket.com/albums/v411/hells/more2/3_8_8.gif

Hello, I also got the Win32 Pakes - CH (trj) in Aworld.exe and it removed both my Activeworlds and Also Stage Coach Island.
I assume that by removed you mean deleted?

Well, whilst this is a real pain in the rear, it is a valuable lesson that deletion isn’t a good first option: ‘first do no harm.’ avast! doesn’t delete; the user selects the action or, depending on the version, can set up automated actions, so avast didn’t delete it. The most commonly recommended action is to send it to the chest. That way you can:

  1. Investigate it as you are doing now.
  2. Send it to virus@avast.com if, after investigation, you think it is a false positive detection.
  3. Restore it if point 2 turns out to be true.
  4. Delete it later after a period of time with no adverse effects of it being moved to the chest.

If you haven’t deleted the detected files this time round, you could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners there detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check-scan it periodically using the ashQuick scan (right-click scan; it will need to be temporarily removed from the Standard Shield exclusions, otherwise it won’t be scanned). When it is no longer detected, you can also remove it from the Program Settings exclusions.
Also see (Mini Sticky) False Positives