win32:Trojan-gen {Other}

Hey Everyone,

Thanks in advance for your help. Basically, the scanner on the Standard Shield found this, which was confirmed with a thorough scan that found 2 additional items.

I snooped around the site to try and figure out what the heck to do. I’ve already run Ad-Aware, Spybot, MBAM, and SAS. SpywareBlaster is up and running. Nothing abnormal was found. I also ran CCleaner.

I made a “Suspect” folder on C:\ and excluded it from the scanner as previously posted. I then opened up the program, clicked on the Chest and highlighted the infected file. I then went to “Extract” and moved it to C:\Suspect, so there’s now a .pdf file in there.

-Was that done correctly? I will send this to the virus website shortly.

-Shall I delete C:\Suspect after I send the file?

I ran a boot scan, which just found the same stuff, except that it wouldn’t let me Move, Delete, Repair, or place it in the Chest.

Here’s what’s reported from the Warning.log (I’ve removed my name, if that’s ok):

9/18/2008 8:34:42 PM 1221784482 SYSTEM 868 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\INSTALLER{27625A79-D272-41EF-844B-6EAC87D4A51E}\ICON3F55B0C912.PDF” file.

9/19/2008 12:55:25 AM 1221800125 NAME REMOVED 5736 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Common Files\Wise Installation Wizard\WIS27625A79D27241EF844B6EAC87D4A51E_8_0_0_754.MSI\Icon.Icon3F55B0C912.pdf” file.

9/19/2008 7:11:10 AM 1221822670 NAME REMOVED 5736 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP32\A0013297.MSI\Icon.Icon3F55B0C912.pdf” file.

9/19/2008 8:06:27 AM 1221825987 NAME REMOVED 5736 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\Installer\e4bdb4.msi\Icon.Icon3F55B0C912.pdf” file.

Don’t know if this is a false-positive or not.

Again, thanks for your consideration.

Here’s the link to what Virustotal reported:

http://www.virustotal.com/analisis/1a2684c70b5357702721d3eb4b68a48e

Otherwise, here’s what I copied:

File Icon87F7773C5.ico received on 07.22.2008 15:14:57 (CET)
Current status: finished
Result: 1/33 (3.03%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - Win32.VB.dkn
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: c10ea8692d2e9ddb310999e738607811
SHA1: 2035225ed745e4253f7dadfd8dd2f9dc7179949c
SHA256: 8fd2e386804399a51285e43a8c8798732128e0711c5e61b4e13c5518a5d081cd
SHA512: 3ab13279ddb188fd3faca3bb85f3928bca587f174d9a24d0e402aed3bee2ca73d327ab8096dcbb6934cb79c55bcda06033b89ef3586bc9e731e1a967a1c3639a
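As an added illustration (not part of the thread), here is a small Python parser for the avast Warning.log lines quoted above. It groups the hits by detection name and classifies where each copy lives, which makes it visible that the four entries are one embedded icon file reported from a loose install-cache copy, two MSI packages and a System Restore snapshot. The sample log text is constructed from the quoted lines with the poster’s “NAME REMOVED” placeholder kept.

```python
import re
from collections import Counter

# Constructed sample: the four Warning.log lines quoted in the first post.
WARNING_LOG = r"""
9/18/2008 8:34:42 PM 1221784482 SYSTEM 868 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\INSTALLER{27625A79-D272-41EF-844B-6EAC87D4A51E}\ICON3F55B0C912.PDF" file.
9/19/2008 12:55:25 AM 1221800125 NAME REMOVED 5736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Common Files\Wise Installation Wizard\WIS27625A79D27241EF844B6EAC87D4A51E_8_0_0_754.MSI\Icon.Icon3F55B0C912.pdf" file.
9/19/2008 7:11:10 AM 1221822670 NAME REMOVED 5736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP32\A0013297.MSI\Icon.Icon3F55B0C912.pdf" file.
9/19/2008 8:06:27 AM 1221825987 NAME REMOVED 5736 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\Installer\e4bdb4.msi\Icon.Icon3F55B0C912.pdf" file.
"""

# One log line: local timestamp, epoch seconds, account (may contain spaces),
# PID, signature name and the flagged path. Straight or curly quotes accepted.
LINE_RE = re.compile(
    r'(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<epoch>\d+) (?P<user>.+?) (?P<pid>\d+) '
    r'Sign of ["“](?P<sig>[^"”]+)["”] has been found in ["“](?P<path>[^"”]+)["”] file\.'
)


def parse_warning_log(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["epoch"] = int(e["epoch"])
        e["pid"] = int(e["pid"])
        e["leaf"] = e["path"].split("\\")[-1]  # innermost flagged file name
        entries.append(e)
    return entries


def classify_location(path):
    """Say whether the hit is a restore-point copy, an MSI-embedded file, or a loose file."""
    p = path.lower()
    if "system volume information" in p:
        return "system restore point"
    if ".msi\\" in p:  # path continues past the .msi, so the hit is inside the package
        return "embedded in MSI package"
    return "file on disk"


def summarize(entries):
    """Map each detection name to a count of hits per location class."""
    per_sig = {}
    for e in entries:
        per_sig.setdefault(e["sig"], Counter())[classify_location(e["path"])] += 1
    return {sig: dict(c) for sig, c in per_sig.items()}
```

Run `summarize(parse_warning_log(WARNING_LOG))` to see the four hits collapse to a single signature spread over one loose file, two MSI packages and one restore point.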

Leave the suspect folder there and the exclusion in the standard shield (if you ever have to use it again); when everything is resolved one way or another you can delete the file in the suspect folder. There should still be a copy in the chest?

It isn’t unusual for avast not to detect on VirusTotal when it does so on your system. VT isn’t able to update the VPS in real time as the user is, and this is often the cause. Remember the point of submitting it to VT is to see what the other scanners find.

This one does look like it could be an FP.

However, I’m somewhat confused, as the file uploaded to VT isn’t any of the ones in your warning.log that you posted?

So, it took me a while to understand the glitch. Don’t know what happened. When I directly transferred the file from C:\Suspect to a thumb drive, the same thing happened. But, when I Extracted it directly to the thumb drive, it seems to have worked.

Here’s the link: http://www.virustotal.com/analisis/01ceb503b19400cf3a0d04ea2752618b

Just hang tight for now???

It looks like it could well be a false positive and should be sent for further analysis.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put “possible false positive” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.

Thanks for the quick reply.

I tried to e-mail from the Chest, but no luck. I went through the Help section to set up the SMTP, but it doesn’t seem to work. More likely I am doing something incorrectly.

I tried the MAPI method and all I get is a “Microsoft encountered a problem” dialog box.

Any idea on how to zip and password protect a file???

Get used to avast forum speed :wink:

Use http://www.7-zip.org/ or http://www.izarc.org/

What email program do you use?

Do you only use webmail (Yahoo/Hotmail, etc.)?

If I try to send using the SMTP option it fails, but if I leave it on the default MAPI setting it works, so I’m unsure what is happening with yours, other than the above questions.

I use Yahoo. However, I downloaded the aforementioned program and (hopefully) sent it zipped and password protected to the e-mail address supplied.

For now, I am leaving the C:\Suspect as is. Should I modify the anti-virus and/or Standard Shield to ignore that file?

Again, thanks for the continued help and fast replies.

You’ll see. They correct false positives very soon, mostly within a day or two. So, if you can, leave the file there and wait for the avast team to correct the detection.
If not, you can move the file to the Chest and leave it there until you rescan it within the Chest and it returns clean (i.e., they have corrected the false positive detection).

You’re welcome.

No rush to remove; as Tech said, avast are usually quick to correct confirmed false positive detections. Leave a copy of the file in the chest and periodically scan it within the chest. Once it is no longer detected, use the restore function in the chest to send it back to the original location, then delete the copy in the chest and the suspect folder (if one is still there).

Just an update -

Haven’t heard back from Avast, per se, but have noted that there’ve been updates.

The file in C:\Suspect remains there, and when I scan it only, no infected files are found.

When I scan the file in the Virus Chest, here’s what pops up:

Scanning of selected files

Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1*~1\LOCALS~1\Temp_avast4_\unp20725195.tmp
FileID: 0000000009 Original file name: C:\WINDOWS\INSTALLER{27625A79-D272-41EF-844B-6EAC87D4A51E}\ICON3F55B0C912.PDF New folder: C:\DOCUME~1*~1\LOCALS~1\Temp_avast4_\unp20725195.tmp\9.PDF

Scan files in the temporary folder: C:\DOCUME~1*~1\LOCALS~1\Temp_avast4_\unp20725195.tmp
C:\DOCUME~1*~1\LOCALS~1\Temp_avast4_\unp20725195.tmp\9.PDF – no virus –

Action was completed successfully!

Shall I assume this was a FP? If so, is it necessary to restore the file from the Virus Chest and delete C:\Suspect?

Thanks.

Thanks for the submission.
Your plan works.
You could remove the file from c:\suspect and leave the folder for next time :slight_smile:

You will not normally be contacted unless they require more information.

Nothing will be found as you have created an exclusion for c:\suspect*, so it isn’t scanned.

If the file you are scanning ‘in’ the chest is Icon.Icon3F55B0C912.pdf then it looks like it was an FP and they have corrected the detection.

I removed C:\Suspect from the exclusion list when I scanned just that folder.

Shall I delete C:\Suspect and restore the file from the Virus Chest?

If the file is not being detected as infected anymore, go ahead.

No need to delete the folder, if there is nothing in it it doesn’t get in the way.

If there is no detection on the file that was in there, yes, you can restore it from the chest; confirm that the file is back in the original location, and if so delete the one in the chest.