Yahoo search protection detected Win32-Trojan-gen(other) on bootup? - false positi

Hi, I booted up the PC today and as soon as the desktop loaded avast flagged up a warning: detected Win32-Trojan-gen(other) in program files\yahoo\search protection\search protection.exe.
This is the first time it has been detected in Yahoo; I have had Yahoo for some years now, same program, never changed it, and nothing has ever been picked up before by avast. I did a FULL scan with Malwarebytes, Spybot and Spyware Terminator: NOTHING. Could this be a false positive?
Running Windows XP SP3, all updates installed.

southern man

The detections named Win32-Trojan-gen(other) are generic detections. It may be a false positive (maybe the .exe file is really infected). So before being sure, send the file to VirusTotal and see if any other AVs detect it. You can send the file to the Avast team as a false positive via the chest if you are sure that it is clean.

Thanks for the quick reply back! OK, I will do what you suggested. I have sent the file to avast just now and will now also send the file to VirusTotal.
Just as a precaution I have deleted Yahoo Search Protection from Add/Remove and turned off System Restore, and will reboot and re-scan again with avast. Will get back to you, thanks.

southern man

I would see the VirusTotal result first instead of sending the file as a false positive immediately.

Hi back, I have just sent the suspect file to VirusTotal. Here are the results!

File ashChest.exe received on 2009.07.17 01:33:42 (UTC)
Current status: finished
Result: 0/36 (0.00%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.17 -
AhnLab-V3 5.0.0.2 2009.07.16 -
AntiVir 7.9.0.220 2009.07.17 -
Antiy-AVL 2.0.3.7 2009.07.16 -
Authentium 5.1.2.4 2009.07.17 -
Avast 4.8.1335.0 2009.07.16 -
AVG 8.5.0.387 2009.07.16 -
BitDefender 7.2 2009.07.17 -
CAT-QuickHeal 10.00 2009.07.16 -
Comodo 1676 2009.07.17 -
DrWeb 5.0.0.12182 2009.07.17 -
eSafe 7.0.17.0 2009.07.16 -
eTrust-Vet 31.6.6617 2009.07.15 -
F-Prot 4.4.4.56 2009.07.17 -
F-Secure 8.0.14470.0 2009.07.16 -
Fortinet 3.120.0.0 2009.07.16 -
GData 19 2009.07.17 -
Ikarus T3.1.1.64.0 2009.07.17 -
K7AntiVirus 7.10.794 2009.07.16 -
Kaspersky 7.0.0.125 2009.07.17 -
McAfee 5678 2009.07.16 -
McAfee+Artemis 5678 2009.07.16 -
McAfee-GW-Edition 6.8.5 2009.07.17 -
Microsoft 1.4803 2009.07.17 -
NOD32 4251 2009.07.16 -
nProtect 2009.1.8.0 2009.07.17 -
PCTools 4.4.2.0 2009.07.16 -
Prevx 3.0 2009.07.17 -
Rising 21.38.34.00 2009.07.16 -
Sophos 4.43.0 2009.07.17 -
Sunbelt 3.2.1858.2 2009.07.16 -
Symantec 1.4.4.12 2009.07.17 -
TheHacker 6.3.4.3.369 2009.07.16 -
TrendMicro 8.950.0.1094 2009.07.16 -
ViRobot 2009.7.16.1839 2009.07.16 -
VirusBuster 4.6.5.0 2009.07.16 -
Additional information
File size: 68640 bytes
MD5 : 34e6c608e21744bda2cfc5e89e293321
SHA1 : a478dd32b21670439aa6298bb593babd17183387
SHA256: 0a2b55d829fb226386fcd0fc4a5867e47ed338185da064497585ed553788cd4e
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2EB4
timedatestamp…: 0x498A50F5 (Thu Feb 5 03:37:41 2009)
machinetype…: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x26D2 0x3000 5.20 548bd48ae17e28619b8f83afe38b1e6e
.rdata 0x4000 0x2CEE 0x3000 5.41 3b100434e4e3ff57b401f3f8b8d92e7a
.data 0x7000 0x1A0 0x1000 0.13 afa9e89df8ca0ab5269a29603dc3a819
.ChestVi 0x8000 0x8 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x9000 0x5FF8 0x6000 5.70 81f886e8916d6e2ef7bda066b446ab28

( 0 imports )

( 0 exports )
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 1536:OqPTWZeqHDkIfk2DyuV591iwXg1MP4+nf1p:OqP0CMPL
PEiD : -
RDS : NSRL Reference Data Set

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


southern man
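An added example, not from the thread and not code from VirusTotal or avast: a small Python script that parses a pasted text report in the layout above, lists which engines flagged the file and which engines carried older signature dates than the rest of the scan (the update-lag point raised later in the thread), checks a local file's MD5/SHA1/SHA256 against the report's hash lines, and computes the Shannon entropy shown in the section table's ntrpy column. The report above is for a file named ashChest.exe rather than search protection.exe, which is why the hash comparison is worth doing: it confirms that the report and the quarantined file describe the same bytes. In the embedded sample the Avast row is constructed to show how a detection is parsed; the other rows and the hash values are copied from the report.

```python
"""Parse a VirusTotal text report, check a local file's hashes against it,
and compute byte entropy. Added example; not code from the thread."""
import hashlib
import math
import re
from collections import Counter

# Constructed sample in the layout of the report pasted above. The a-squared,
# AhnLab-V3 and Kaspersky rows and the hash lines are copied from that report;
# the Avast row is modified (constructed) so that one detection is present.
SAMPLE_REPORT = """\
File ashChest.exe received on 2009.07.17 01:33:42 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.17 -
AhnLab-V3 5.0.0.2 2009.07.16 -
Avast 4.8.1335.0 2009.07.16 Win32:Trojan-gen {Other}
Kaspersky 7.0.0.125 2009.07.17 -
Additional information
File size: 68640 bytes
MD5 : 34e6c608e21744bda2cfc5e89e293321
SHA1 : a478dd32b21670439aa6298bb593babd17183387
SHA256: 0a2b55d829fb226386fcd0fc4a5867e47ed338185da064497585ed553788cd4e
"""

# One engine row: name, version, signature date (YYYY.MM.DD), then the verdict.
# The verdict is "-" for clean and may contain spaces otherwise.
ENGINE_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# Hash lines look like "MD5 : <hex>"; md5/sha1/sha256 are 32/40/64 hex chars.
HASH_ROW = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]{32,64})\s*$", re.IGNORECASE)


def summarize_report(text):
    """Return engine count, detection ratio, the (engine, verdict) pairs that
    flagged the file, and engines whose signature date is older than the newest
    date in the scan (a hint that their verdict may be out of date)."""
    rows = [m.groups() for m in map(ENGINE_ROW.match, text.splitlines()) if m]
    hits = [(name, verdict.strip()) for name, _ver, _date, verdict in rows
            if verdict.strip() != "-"]
    newest = max((date for _n, _v, date, _r in rows), default="")
    stale = [name for name, _ver, date, _r in rows if date < newest]
    return {"total": len(rows), "ratio": f"{len(hits)}/{len(rows)}",
            "hits": hits, "stale": stale}


def file_hashes(data):
    """MD5, SHA1 and SHA256 of the local bytes, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def report_hashes(text):
    """Hashes listed in the report's 'Additional information' block."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in map(HASH_ROW.match, text.splitlines()) if m}


def verify_against_report(data, text):
    """True only if every hash the report lists matches the local bytes."""
    expected = report_hashes(text)
    if not expected:
        return False
    actual = file_hashes(data)
    return all(actual[alg] == digest for alg, digest in expected.items())


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0), the quantity in the ntrpy
    column of the PE section table: near 0 means repetitive (e.g. zero-filled)
    data, near 8 means compressed, encrypted or otherwise uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(f"detections: {summary['ratio']}  flagged: {summary['hits']}")
    print(f"engines with older signature dates: {summary['stale']}")
    # Constructed stand-in for the quarantined file; a real check would read it
    # from disk with open(path, 'rb').read().
    local_bytes = b"\x00" * 416  # same size as the .data section in the report
    print("report matches local file:", verify_against_report(local_bytes, SAMPLE_REPORT))
    print("entropy of local bytes: %.2f" % shannon_entropy(local_bytes))
```

Run it against a report saved from the browser and the file exported from the chest; a False from verify_against_report means the report is for different bytes than the ones you hold, and a non-empty stale list tells you which verdicts came from engines that had not been updated to the scan's newest signature date.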

comments?

Hi, just posted it. If I am not mistaken nothing was detected by anyone, am I correct?

southern man

Yes, none of them. Now we can believe that it is clean. :) Btw, if you’re lucky, avast! team will exclude it from the database in a short time. Otherwise you’ll have to exclude it in both standard shield and program settings manually because sometimes avast! team doesn’t examine the files submitted by users at all. ;D

Wait? avast! also didn’t detect it on VT? lol ;D Actually VT doesn’t give the true results each time. Mmm, but I think it’s still a false positive.

I think you missed some parts in your post as i only see the quote.

It isn’t unusual to not have avast detect on VirusTotal when it does so on your system. VT isn’t able to update the VPS in real time as the user is and this is often the cause. Remember the point of submitting it to VT is to see what the other scanners find.

Also I find this somewhat of a strange issue, given the location and file name “program files\yahoo\search protection\search protection.exe.” This to me implies that there is some form of scanning possibly and it may be this which the win32:Trojan-gen is picking up on.

  • The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

VT is automatically updated afaik. A maximum of 1 update can be missed on VT at this time I think?

On Jotti and VirScan.org, I used to get strange results. On Jotti G DATA didn’t detect many files when avast! detected them (now they removed G DATA). On VirScan many AVs didn’t detect some files even though they detect them in real life. I even sent the EICAR test file, but got a similar result. ;D I dunno about how these two sites work now, though.

So generally I don’t trust it 100%, but VT hasn’t given me such results so far. And some time ago I sent there a virus which avast! didn’t detect at that time; on VT avast! detected it. Then I updated my avast! and it also detected it. Therefore the AVs on VT are updated very quickly imo. There must be some other factors causing such situations.

VT has in the past had problems keeping avast up to date automatically and basically this is another case that proved that.

Yes, I think the Yahoo Search Protection is a type of scanning as it is always resident in Task Manager, but not anymore: I’ve uninstalled it. Never used it anyway and I like to be safe; I hate extras like toolbars and search thingys!!
Thanks to you both for the replies back. It’s late here, 2.30am, sorry about the missing bit in the last post! Going to bed.

cheers all

southern man

In fact not, it’s not updated as quick as the desktop version… we had a long story of non-updated antivirus there…

Doesn’t Jotti use a Linux version of the engines?

I don’t know what they use. (Btw I just realized that Jotti has G DATA again.) I didn’t know that VT had some update issues because my experience didn’t tell me so.

Anyway, thanks for the clarifications David, Tech.