win32: trojan gen

I have Avast Home Edition and I run Avast weekly. After a Windows update, I ran Avast and it found this file: c:\windows\installer 5e7e8.msi\ISSetupFile,setupFile1, malware name Win32:Trojan-gen [Other], malware type: Virus\worm, on 10-17-08.

I ran Spybot Search and Destroy: “found nothing”
I ran Ad-Aware 2008 from Lavasoft: “found nothing”
I ran Malwarebytes’ Anti-Malware: “found 3”
I ran SuperAntiSpyware: “found 3”
I ran Panda Software: “wanted me to buy their software”
I ran Avast again and Avast found the same file name as above.
I ran Trend Micro HouseCall online: “found nothing”
I ran Avast in Safe Mode and Avast froze up.
I ran Avast in normal mode and it found the same file name as above.

I have had Avast for almost 6 years now, and not once has Avast been unable to clean up something it found, just this time.
I don’t have any problem with my computer; the computer runs normally.

Could it be a false positive by Avast?

Please tell me anything else I need to do.

Well, I did a search for installer 5e7e8.msi and got zero hits on Google, which is strange, as a) I would expect to see some hits if it is a legitimate file, and b) the Windows folder is, to me, a strange location for an installation file.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not the original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, then type (or copy and paste) C:\Suspect* That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Hi DavidR, thanks.

I’m new to this. Please give me more detail on how to create a folder in C: and how to exclude the folder in the Standard Shield (“where can I find” it) and the other settings.

I was looking into the virus chest files; “the file for installer” that I put in there each time Avast suggested it is not in there.

Using Windows Explorer, select the C:\ folder; at the top of the page, select File, New, Folder, name it Suspect, press the Return/Enter key, and you have created a folder called Suspect under the C:\ root folder.

Left click on the avast icon and a window will pop up (avast! On-Access Protection); if you see a button, Details… >> click it. That will display a list of all the avast Shields/providers. Select the Standard Shield one, click the Customize button, Advanced tab, Add button, and now type (or copy and paste) C:\Suspect* into the text field that opens.

I don’t know what this ‘other’ is that you are talking about, can you expand?

I’m not sure if, by using Windows Explorer, you mean go to MY COMPUTER > LOCAL DISK “C” to create a new folder, or you mean that I need to go to START > RUN and then type in C:\suspect.

Sorry, I got lazy typing in all the words Standard Shield, Customize, Advanced, Add, so I used “other”.

I created the folder in “C” from My Computer, and in “Avast On-Access Protection”, under the Add button, I typed in C:\suspect*

So, did I create the new folder \suspect in the right place?

I have Windows XP professional SP3, I’m using Firefox.

Please tell me what I need to do next.

When you click on Local Disk C from My Computer you are actually using Windows Explorer to display the structure of your hard disk partitions, folders, files, etc.

Click on the first image and it will expand in size:
So when that window is open, just below the title bar {in my image Main (C:)} you will see the menu items, File, etc. Notice in my image the blue highlights; they are the areas I have selected. File > New > Folder.

No, you aren’t creating a new folder called \suspect; you are creating a new folder called Suspect, nothing else (no backslash \ in front of it).

Having created the new folder, you are going to create an exclusion (so avast doesn’t scan it) for the Suspect folder and its files, and that is where the full path for the excluded folder and files is required: C:\Suspect*

Please print out this page so you can refer to it when trying to complete this.

It is now almost 1:30 a.m. here and I am about to call it a night.

While waiting for your reply, I ran an Avast scan, and Avast alerted me to the same file name as before, C:\windows\installer\5e7e8.msi\ISSetupFile.setupFile1, malware name Win32:Trojan-gen “Other”, malware type Virus\worm.

Thanks for telling me that Local Disk C is actually using Windows Explorer; I wouldn’t have known that.

I created a folder named SUSPECT in drive C, then I added the full path C:\suspect* so Avast doesn’t scan that folder and its files.

Thanks for your patience and your time.

You’re welcome.

Now you need to copy the file to the C:\Suspect folder. It may be easiest to pause the Standard Shield provider (right click the avast ‘a’ icon, select Pause provider, Standard Shield) so avast doesn’t alert. Once you have a copy of the file in there, right click the avast ‘a’ icon and select Resume provider, Standard Shield.

Now you can upload it to VirusTotal.

I extracted 5 files into the Suspect folder from the virus chest, but there was no file from Windows Installer from the Avast scan I ran last night.

Please tell me how to upload the folder with all the files in it to VirusTotal. I tried to upload the folder to VirusTotal, but I can only upload individual files.

You can only upload individual files, not folders; there is also a 10MB limit on the size of file you can upload.

What files did you extract from the virus chest (and what section of the chest were they in)?
You should only be concerned with this current .msi file; avast also stores copies of important system files in case the original becomes infected.

I thought you did another scan and found the .msi file again, which to my logic means it isn’t in the chest (unless after detection you selected move to chest). That was why I was trying to get you to copy the file from its original location into the Suspect folder.

I extracted all files from the Avast Virus Chest, in All Chest Files.

Yes, I did run another scan last night and it found the .msi file; after detection I moved the file to the chest, but it’s not there now. I have run the scan 5 times since 10-17, and each time I ran it I moved the file to the chest, but where the file goes, I don’t know.

So what should I do? Detailed instructions please.

First, you didn’t say what the files are; this is essential information to help me to help you.

I really do wish Alwil would get rid of this All Chest Files collation of the three sections.

  • The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
  • The User Files section is where the user can add files they suspect of being malware but not detected by avast.
  • The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).

Is the file in its original location, c:\windows\installer 5e7e8.msi?
This is an archive (installation) file and it is one of the files inside that is being detected. It may be that avast can’t extract the file from within the .msi file, which is why it may not be in the Infected Files section of the chest.

The other possibility is that avast was able to extract the infected/suspect file from the .msi file, and that is why you can’t see an .msi file in the chest. It could be that there is a file called ISSetupFile or setupFile1 (extracted from the .msi file), and it would be that file you extract to the Suspect folder and upload. Which is again another reason for asking for the names of the files that you extracted.

Go back to my original post and click the blue text VirusTotal; that is a link to the site.

When the site is displayed in your browser, there is a Browse… button; left click it.
That will display a Windows Explorer-style window. Navigate to the C: local drive and then to the Suspect folder, now select the file you need to upload and click OK.
You will now see the VirusTotal page again, and the location of the file on your HDD will be in the address window.
Click the Send File button. Be patient, it will take time to upload; don’t close the window.

Once the scan is complete you will see the results of all the scanners displayed.
Copy the URL in the address window (select it all and press the Ctrl key and the C key together).

Now reopen this topic and in a new post paste (press the Ctrl key and the V key together) the URL into the post. That allows us to visit the site and see the results. See the image; your browser may differ as I’m using Firefox, but the address window should be in a very similar position.

File _zjNo31p.exe.part received on 10.23.2008 19:07:07 (CET)
Result: 7/36 (19.45%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.22.0 2008.10.23 -
AntiVir 7.9.0.5 2008.10.23 TR/Dropper.Gen
Authentium 5.1.0.4 2008.10.23 -
Avast 4.8.1248.0 2008.10.23 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.10.23 Dropper.Generic.ZKP
BitDefender 7.2 2008.10.23 -
CAT-QuickHeal 9.50 2008.10.23 -
ClamAV 0.93.1 2008.10.23 -
DrWeb 4.44.0.09170 2008.10.23 -
eSafe 7.0.17.0 2008.10.23 -
eTrust-Vet 31.6.6164 2008.10.22 -
Ewido 4.0 2008.10.23 -
F-Prot 4.4.4.56 2008.10.23 -
F-Secure 8.0.14332.0 2008.10.23 -
Fortinet 3.113.0.0 2008.10.23 -
GData 19 2008.10.23 Win32:Trojan-gen {Other}
Ikarus T3.1.1.44.0 2008.10.23 -
K7AntiVirus 7.10.505 2008.10.23 -
Kaspersky 7.0.0.125 2008.10.23 -
McAfee 5412 2008.10.23 -
Microsoft 1.4005 2008.10.23 -
NOD32 3549 2008.10.23 -
Norman 5.80.02 2008.10.23 W32/Smalldrp.ACOB
Panda 9.0.0.4 2008.10.23 -
PCTools 4.4.2.0 2008.10.23 -
Prevx1 V2 2008.10.23 -
Rising 21.00.32.00 2008.10.23 -
SecureWeb-Gateway 6.7.6 2008.10.23 Trojan.Dropper.Gen
Sophos 4.34.0 2008.10.23 -
Sunbelt 3.1.1747.1 2008.10.23 -
Symantec 10 2008.10.23 -
TheHacker 6.3.1.0.124 2008.10.23 -
TrendMicro 8.700.0.1004 2008.10.23 -
VBA32 3.12.8.8 2008.10.22 suspected of Malware.VB.35 (paranoid heuristics)
ViRobot 2008.10.23.1434 2008.10.23 -
VirusBuster 4.5.11.0 2008.10.22 -
Additional information
File size: 131072 bytes
MD5…: b2691833b4a254df09c9ee18309b7b51
SHA1…: 16e0993239563f91c1d2b2bb0adb604ae618ec7a
SHA256: 23212c2b6d73a57d1d06b64041e7452418d72951aa858ceafb9d56cba3db7006
SHA512: 17408f7af4d4919874a9487d0d0d34185caacda13d3dc04b8df48bca81b7cd07f675d1eb10ba005bc477186a9d50a04715238d54545084990a205e02a4293a83
PEiD…: -
TrID…: File type identification
Win32 Executable Microsoft Visual Basic 6 (71.5%)
Win32 Executable MS Visual C++ (generic) (21.3%)
Win32 Executable Generic (4.8%)
Generic Win/DOS Executable (1.1%)
DOS Executable Generic (1.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4018f0
timedatestamp…: 0x44f0ab73 (Sat Aug 26 20:13:39 2006)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd024 0xe000 5.40 f38b2fafbf58355fc91c952d86e40a65
.data 0xf000 0xd6c 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x10000 0x19ff0 0x1a000 5.98 58faaedf331a3cf5b74fef9842fe08a3

( 1 imports )

MSVBVM60.DLL: __vbaVarTstGt, __vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaLineInputVar, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaLsetFixstr, -, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaExitProc, __vbaVarForInit, __vbaObjSet, -, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, -, __vbaVarIndexLoad, __vbaStrFixstr, __vbaFpR8, _CIsin, __vbaErase, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, -, __vbaPutOwner3, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, DllFunctionCall, __vbaRedimPreserve, __vbaLbound, _adj_fpatan, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, -, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, __vbaStrToUnicode, __vbaPrintFile, _adj_fprem, _adj_fdivr_m64, -, -, __vbaFPException, __vbaInStrVar, __vbaGetOwner3, __vbaStrVarVal, __vbaUbound, __vbaVarCat, __vbaI2Var, -, _CIlog, __vbaErrorOverflow, __vbaFileOpen, -, -, __vbaVar2Vec, __vbaR8Str, __vbaNew2, -, _adj_fdiv_m32i, -, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, -, -, -, -, __vbaVarTstNe, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaVarCopy, __vbaLateMemCallLd, -, _CIatan, -, __vbaStrMove, -, _allmul, _CItan, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr,

Here are 2 files I exported from the Infected Files section of the Avast chest. These 2 files are from the scan on 10-13-08.

I just ran an Avast scan on boot, and I didn’t get an alert from Avast.

File 84B3C5B8d01 received on 10.23.2008 19:14:15 (CET)
Result: 7/36 (19.45%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.22.0 2008.10.23 -
AntiVir 7.9.0.5 2008.10.23 TR/Dropper.Gen
Authentium 5.1.0.4 2008.10.23 -
Avast 4.8.1248.0 2008.10.23 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.10.23 Dropper.Generic.ZKP
BitDefender 7.2 2008.10.23 -
CAT-QuickHeal 9.50 2008.10.23 -
ClamAV 0.93.1 2008.10.23 -
DrWeb 4.44.0.09170 2008.10.23 -
eSafe 7.0.17.0 2008.10.23 -
eTrust-Vet 31.6.6164 2008.10.22 -
Ewido 4.0 2008.10.23 -
F-Prot 4.4.4.56 2008.10.23 -
F-Secure 8.0.14332.0 2008.10.23 -
Fortinet 3.113.0.0 2008.10.23 -
GData 19 2008.10.23 Win32:Trojan-gen {Other}
Ikarus T3.1.1.44.0 2008.10.23 -
K7AntiVirus 7.10.505 2008.10.23 -
Kaspersky 7.0.0.125 2008.10.23 -
McAfee 5412 2008.10.23 -
Microsoft 1.4005 2008.10.23 -
NOD32 3549 2008.10.23 -
Norman 5.80.02 2008.10.23 W32/Smalldrp.ACOB
Panda 9.0.0.4 2008.10.23 -
PCTools 4.4.2.0 2008.10.23 -
Prevx1 V2 2008.10.23 -
Rising 21.00.32.00 2008.10.23 -
SecureWeb-Gateway 6.7.6 2008.10.23 Trojan.Dropper.Gen
Sophos 4.34.0 2008.10.23 -
Sunbelt 3.1.1747.1 2008.10.23 -
Symantec 10 2008.10.23 -
TheHacker 6.3.1.0.124 2008.10.23 -
TrendMicro 8.700.0.1004 2008.10.23 -
VBA32 3.12.8.8 2008.10.22 suspected of Malware.VB.35 (paranoid heuristics)
ViRobot 2008.10.23.1434 2008.10.23 -
VirusBuster 4.5.11.0 2008.10.22 -
Additional information
File size: 163430 bytes
MD5…: 726640e4c119c2bf4ef12eb57e9204fb
SHA1…: dd69eada3c0e348329be59a2cc74d0fbc39e1ce1
SHA256: 52d73f83178a73650fa0606ae826163c50866a3d75295801811e11726bccf9fa
SHA512: 7a846d90bf9acf0dba80633b003b8a989163e35fb731886847ef75a4e6b676507f3ccc8da1b42f455dcfdc996115a481585f3bbde815fc162e244f1acfed96b7
PEiD…: -
TrID…: File type identification
Win32 Executable Microsoft Visual Basic 6 (71.5%)
Win32 Executable MS Visual C++ (generic) (21.3%)
Win32 Executable Generic (4.8%)
Generic Win/DOS Executable (1.1%)
DOS Executable Generic (1.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4018f0
timedatestamp…: 0x44f0ab73 (Sat Aug 26 20:13:39 2006)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd024 0xe000 5.40 f38b2fafbf58355fc91c952d86e40a65
.data 0xf000 0xd6c 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x10000 0x19ff0 0x1a000 6.26 cc12054c0be7383dc5cdf91958004bd1

( 1 imports )

MSVBVM60.DLL: __vbaVarTstGt, __vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaLineInputVar, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaLsetFixstr, -, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaExitProc, __vbaVarForInit, __vbaObjSet, -, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, -, __vbaVarIndexLoad, __vbaStrFixstr, __vbaFpR8, _CIsin, __vbaErase, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, -, __vbaPutOwner3, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, DllFunctionCall, __vbaRedimPreserve, __vbaLbound, _adj_fpatan, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, -, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, __vbaStrToUnicode, __vbaPrintFile, _adj_fprem, _adj_fdivr_m64, -, -, __vbaFPException, __vbaInStrVar, __vbaGetOwner3, __vbaStrVarVal, __vbaUbound, __vbaVarCat, __vbaI2Var, -, _CIlog, __vbaErrorOverflow, __vbaFileOpen, -, -, __vbaVar2Vec, __vbaR8Str, __vbaNew2, -, _adj_fdiv_m32i, -, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, -, -, -, -, __vbaVarTstNe, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaVarCopy, __vbaLateMemCallLd, -, _CIatan, -, __vbaStrMove, -, _allmul, _CItan, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr, -

( 0 exports )

Here is the second file. I couldn’t copy the URL, so I copied and pasted the results.
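As an added example (not code from this thread or from VirusTotal), the following Python turns a pasted report like the two above into a detection count and the reported hashes, and checks a local copy of a file against those hashes, so you can confirm that the file you extracted from the chest is actually the one the report describes. SAMPLE_REPORT is a constructed excerpt that keeps a few of the engine lines and the hashes from the first report; the function names are my own.

```python
"""Summarise a pasted VirusTotal result table and check a file against the
hashes in the report.  Added example for this thread; not the forum's or
VirusTotal's code.  SAMPLE_REPORT is a constructed excerpt (a handful of
engine lines plus the hashes) modelled on the first report pasted above."""
import hashlib
import re

SAMPLE_REPORT = """\
File _zjNo31p.exe.part received on 10.23.2008 19:07:07 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.22.0 2008.10.23 -
AntiVir 7.9.0.5 2008.10.23 TR/Dropper.Gen
Avast 4.8.1248.0 2008.10.23 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.10.23 Dropper.Generic.ZKP
BitDefender 7.2 2008.10.23 -
VBA32 3.12.8.8 2008.10.22 suspected of Malware.VB.35 (paranoid heuristics)
Additional information
File size: 131072 bytes
MD5...: b2691833b4a254df09c9ee18309b7b51
SHA1...: 16e0993239563f91c1d2b2bb0adb604ae618ec7a
SHA256: 23212c2b6d73a57d1d06b64041e7452418d72951aa858ceafb9d56cba3db7006
"""

HEADER = "Antivirus Version Last Update Result"
# Hash labels are printed as "MD5...:" / "SHA1...:" / "SHA256:" in the report.
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256)[^:]*:\s*([0-9a-fA-F]+)\s*$")
SIZE_LINE = re.compile(r"^File size:\s*(\d+)\s*bytes")


def parse_report(text):
    """Return {'engines': [(name, version, updated, result), ...],
    'hashes': {'md5': ..., 'sha1': ..., 'sha256': ...}, 'file_size': int|None}.
    Lines before the table header are ignored; the table ends at
    'Additional information', after which the hash/size lines are read."""
    engines, hashes, file_size = [], {}, None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == HEADER:
            in_table = True
            continue
        if line == "Additional information":
            in_table = False
            continue
        if in_table:
            parts = line.split()
            if len(parts) >= 4:
                # The result column may contain spaces, e.g.
                # "suspected of Malware.VB.35 (paranoid heuristics)".
                engines.append((parts[0], parts[1], parts[2], " ".join(parts[3:])))
            continue
        m = HASH_LINE.match(line)
        if m:
            hashes[m.group(1).lower()] = m.group(2).lower()
            continue
        m = SIZE_LINE.match(line)
        if m:
            file_size = int(m.group(1))
    return {"engines": engines, "hashes": hashes, "file_size": file_size}


def detections(parsed):
    """Engines whose result is anything other than '-' (no detection)."""
    return [(name, result) for name, _v, _u, result in parsed["engines"] if result != "-"]


def detection_ratio(parsed):
    """(flagged, total) in the same sense as the report's 'Result: 7/36'."""
    return (len(detections(parsed)), len(parsed["engines"]))


def hashes_of_bytes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hashes_of_file(path, chunk_size=1 << 16):
    """Stream the file so a large installer need not fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def compare_hashes(actual, expected):
    """Per-algorithm match flags for the algorithms present in both dicts.
    Any False means the local file is not the file the report describes."""
    return {alg: actual[alg] == expected[alg] for alg in expected if alg in actual}


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    hit, total = detection_ratio(report)
    print(f"{hit}/{total} engines flagged the file ({report['file_size']} bytes)")
    for engine, verdict in detections(report):
        print(f"  {engine}: {verdict}")
    # Constructed in-memory sample, obviously not the reported file; with a
    # file extracted to C:\Suspect you would call hashes_of_file(path) instead.
    print(compare_hashes(hashes_of_bytes(b"not the reported file"), report["hashes"]))
```

Two things this makes explicit that the pasted text does not: a file that has moved through quarantine and back can differ from the one that was scanned, and a hash mismatch settles that before anyone argues about verdicts; and the verdicts themselves are not all equal, since generic names such as TR/Dropper.Gen and a paranoid-heuristics flag from a minority of engines are weaker evidence than a consistent named family, which is exactly why the thread asks for the URL rather than a conclusion.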

I’m sorry, but if you don’t answer the questions I ask then I’m wasting my time and yours too, as I haven’t got a clue what is going on now.

None of these, as far as I can see, have anything to do with the original detection.

A simple link to the results takes up much less space, which is why I suggested it.

I’m sorry DavidR, my English is not very good.

Please ask me those questions again, and right to the point, so I can understand them.