win32:trojan-gen on GoogleUpdateSetup url!!!

Today I got continuous warnings with the title MALWARE BLOCKED on the google.com domain!!
object : hxxp://o-o.preferred.delta-gyd1.v13.lscache1.c.pack.google.com/edgedl/update2/1.3.21.111/GoogleUpdateSetup.exe?cms_redirect=yes
infection : win32:Trojan-gen
process: svchost.exe
AIS v7 Pro
I want to know if this is a kind of false positive or not?!
Edited: by clicking the url, it starts to download GoogleUpdateSetup.exe, and here the download gets interrupted and the warning is shown.

For everyone’s protection (safety), can you please edit and change your link from http to hxxp so it is non-linkable? Thank you.

Thank you for changing the link.

I used some online scanners and these are the results:

Virus Total: CLEAN 0/19
Dr. Web: CLEAN
URL Void: CLEAN

Have you updated Avast and done any scans? If so, which scans have you done and what version and product of Avast are you using? What other security software do you have?

Actually I think GoogleUpdateSetup.exe is the reason; the user has to download it after clicking the url in order to see a warning.
The latest version of Avast Internet Security Pro (7.0.1426) is running with the latest virus database definition (120326-2),
with no other security programs.
Thanks

  1. If you haven’t done any scans, please run an Avast Quick Scan and report the findings in your next post.

  2. Also please run an MBAM (Malwarebytes) Quick Scan:
    Check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
    · Download free http://www.malwarebytes.org/ for an on-demand scanner.
    · Double Click mbam-setup.exe to install the application.
    · After install, click update so you have latest database before scanning.
    · Under Settings:
    o General: Automatically Save File After Scan Completes is checked off
    o Scanner Settings: Check all boxes
    o Updater: Download and install update if available is checked off
    · Once the program has loaded, select “Perform Quick Scan”, then click Scan.
    · The scan may take some time to finish, so please be patient.
    · When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
    · Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
    · The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    · Copy & Paste the entire report in your next reply.

Thank you.

Okay, I performed the scans.
The result of the Avast Quick Scan:
a .url file in the Favorites folder, severity high, status Threat: INI:shortcut-inf[Trj]

and this is the created log of MBAM :

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.27.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Windows XP :: MICROSOF-12677F [administrator]

Protection: Enabled

3/27/2012 2:00:14 PM
mbam-log-2012-03-27 (14-23-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 268415
Time elapsed: 22 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Windows XP.MICROSOF-12677F\My Documents\Downloads\oi_wmv2avi.exe (PUP.BundleInstaller.OI) → No action taken.

(end)

Edited: I disabled Avast, then downloaded GoogleUpdateSetup.exe from that url, ran a scan, no malware detected, and also no detection when I started the file download!! (by accident I was using a proxy)
Then I turned off the proxy and tried to download from the url: malware detected!!!

I got exactly the same problem this morning at 8:50am (GMT); as soon as I navigated to Google, Avast kept claiming a malware download.

I also got this. It is quite irritating. My computer is NOT infected. I have run scans and NOTHING showed up.

You may want to put this into MBAM quarantine, where you can always take it out.

Upload this url to Avast and it will be analyzed in the next update; note that you will not get a personal notification regarding this, but I will notify the Avast Team re: the forum thread and they may respond to you here.

Hello,
The file is not detected in the current VPS (maybe it was already fixed).

Milos

Thank you Milos for the update. :)