Yikes! Malwarebytes detects apparent avast file as trojan

I just got a warning from Malwarebytes that an apparent Avast file contains Trojan.FakeAlert. The file name is/was “c:\windows\temp_avast_\unp154893342.tmp”

Is this just a false alarm by Malwarebytes? That file is now quarantined, however I see that there are two files in that windows subdirectory at any moment - the “unp…” file has a changing numeric value and another file “webshlock.txt” (empty semaphore file?).

[edit: just changed detected filename to reflect “temp” directory]

Not too unusual as that is where avast unpacks/sends copies of files to be scanned. However to determine if it were a good or bad detection you would need to send it to VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page.

So I assume that you are using MBAM Pro?
Add the c:\windows_avast_ folder to the MBAM Ignore List.

The problem is that when MBAM intervenes in this folder it actually stops avast from scanning that file, which is bad, as if it is infected avast can’t alert on the ‘original file’, not this copy. This is why it is important to exclude this folder in the MBAM Ignore List.

I did indeed add avast to malwarebytes and malwarebytes to avast in some recommended manner - will also add that subdirectory (c:\windows\temp_avast_) as well to malwarebytes.

Should I restore that file to the subdirectory or is it now too late (since many other files have come and gone from there since).

I only mentioned (copied) that directory as it was in your original post, yes the c:\windows\temp_avast_ is the normal location used by avast.

Here is the URL from VirusTotal: http://www.virustotal.com/file-scan/report.html?id=eebfcddc6c5b1c1ab1adef014657b28a502dd6a30a44802e4c0dd2747762c388-1316715353

BTW - are these permanent URLs? Nice feature if so…

Do you know these names?

sigcheck:
publisher…: IF(c) Systems
copyright…: IF(c) Systems Corp All Rights reserved
product…: Lexware Group Soft
description…: Lexware Group Soft
original name: zdjridij.exe
internal name: zdjridij
file version.: 8.R187.2735T RC9.1100 alpha
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
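As an added example (not part of the original thread, and not an avast or Sysinternals tool), here is a small Python triage of the sigcheck output quoted above: it parses the key/value lines and raises the flags an analyst would look at first: the file is unsigned, the PE's original name does not match the name on disk, and the version string is not a normal numeric version. The name-mismatch flag is only meaningful when run against the file in its original location; for a copy avast has placed in its temp folder under a random "unp…" name, a mismatch is expected, which the code notes. The sample input is the output copied from the post; the on-disk name passed in is the temp file name from the first post.

```python
import re

# Sample input: the sigcheck output quoted in the post above.
SIGCHECK_OUTPUT = """\
publisher…: IF(c) Systems
copyright…: IF(c) Systems Corp All Rights reserved
product…: Lexware Group Soft
description…: Lexware Group Soft
original name: zdjridij.exe
internal name: zdjridij
file version.: 8.R187.2735T RC9.1100 alpha
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
"""

# "key....: value" or "key…: value" or "key: value"; the dots/ellipsis are padding.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)[.…]*\s*:\s*(.*?)\s*$")
# What a sane PE version resource looks like, e.g. 6.1.7600.16385
VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_sigcheck(text):
    """Parse sigcheck-style output into a dict of lowercase field -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields


def triage(fields, on_disk_name):
    """Return a list of reasons the file deserves a closer look.

    on_disk_name: the file name where the binary actually lives. Note that
    a copy in avast's temp folder carries a random "unp<digits>.tmp" name,
    so a mismatch there is expected and should be re-checked against the
    original location.
    """
    flags = []
    if fields.get("verified", "").lower() != "signed":
        flags.append("unsigned")
    orig = fields.get("original name", "").lower()
    if orig and orig != on_disk_name.lower():
        flags.append(f"name mismatch: disk={on_disk_name} pe={orig}")
    if not VERSION_RE.match(fields.get("file version", "")):
        flags.append("malformed version string")
    return flags


if __name__ == "__main__":
    info = parse_sigcheck(SIGCHECK_OUTPUT)
    for reason in triage(info, "unp154893342.tmp"):
        print("FLAG:", reason)
```

A clean, signed system binary (verified "Signed", numeric version, original name equal to its file name) produces no flags, so the function can be run over a whole folder's sigcheck output to surface only the odd ones.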

Whilst that does report a number of detections, many are related to its being heuristic, a suspect packer or generic detections, which are more prone to mis-detection.

This is one that should be sent to avast for further analysis:
Send the sample/s to avast as a Undetected Malware:
Open the chest and right-click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right-click on the file and select ‘Submit to virus lab…’, complete the form and submit; the file will be uploaded during the next update. Note: manually adding to the chest doesn’t remove them from the original location, so they still have to be dealt with in that location, either by MBAM or manual deletion, as you have a copy in the chest now.

Yes the VT results URLs are kept, I don’t know for how long, but it is certainly many months (possibly years) at the very least.

Nope…and at the time this was detected (or false detected) I was doing surfing of pretty mundane sites like Yahoo and CNN (and sublinks from those) - really boring and supposedly safe surfing.

Thanks very much for the thorough instructions - will do so immediately.

To answer an earlier question - yes, I have a non-free version of Malwarebytes, obtained before I switched from an ISP-supplied “free” version of McAfee. I finally (after years) dumped McAfee and installed the free version of Avast. The impact of Avast is markedly lower than McAfee - faster EVERYTHING since I made the switch (one exception - a humongous number of TCP/IP connections are made by Avast - a sufficiently large number to actually generate the Microsoft “Too many TCP/IP connections attempted” warning; not a biggie since they eventually get connected, just noticed it for the first time in the XP event log). Since Avast is “new” on my system I’m not sufficiently up-to-speed on it, its quirks, its capabilities, its net worth to me (that is, not yet jumping for the non-free version). So far, however, I’m majorly liking it.

That is somewhat strange as the avast folder should be empty (other than the webshlock.txt file), on completion of any scan that places files in this folder it should also clear the .tmp files.

Avast uses a localhost proxy so that http web traffic can be scanned, so instead of seeing your browser reported in all instances in any logging, they are redirected through the proxy. So avast isn’t actually instigating these connections only redirecting them.

McAfee has an uninstall tool that you could run to ensure any possible remnants are removed. Check out this page for removal tool and instructions, http://service.mcafee.com/FAQDocument.aspx?id=TS100507

Well the avast/antivirus section in the XP Event Viewer should no longer be there. This was as it used to be with avast5 I believe, but was discontinued in avast6, but depending on how avast6 was installed that might remain.

So what version of avast do you have installed, the latest is 6.0.1289?

It did - just that it was checking quite a bit at the time I made that post apparently.

Avast uses a localhost proxy so that http web traffic can be scanned, so instead of seeing your browser reported in all instances in any logging, they are redirected through the proxy. So avast isn’t actually instigating these connections only redirecting them.

No, avast is responsible for literally hundreds of TCP connections that didn’t happen before - Firefox may be initially making some, but they’re going (majority) to the local avast proxy. This massive set of connections did not happen previously and apparently is what is causing the event warning. For specific example, I just booted this XP machine and started up Firefox. The home page is “wunderground.com”. After looking at that page, I clicked on my CNN link, “cnn.com”. That’s it. 400+ endpoints noted on my tcpview display.

An experiment - waited for things to settle down just now - this avast forum reply page only thing on my Firefox - tcpview is currently showing 33 endpoints, 6 established TCP connections (all apparently interprocess comms internal to my own machine e.g. Firefox has 4 TCP connections all being made to itself), 15 listening (10 of those Avast). Now I’m just going to open a tab to wunderground - result is now 200 endpoints, 135 established, 22 listening.

So what appears to have happened is, instead of a single TCP connection, each TCP attempt results in 3 connections - Firefox goes to proxy, proxy goes to Firefox, proxy goes to internet (and, hidden, internet goes to proxy). This behavior is causing the “Maximum TCP connection attempt limit” warning. This error doesn’t happen very often, probably because both my computer and internet connectivity are quite fast (the error is about maximum ATTEMPTS to make connections, not connections themselves, so as soon as a connection actually is made it’s no longer of consequence).

Well, that’s just an academic-like reply - the warning is just a warning, not an error so I can safely ignore it (he says…).
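The connection multiplication described in the post above, as an added example that is not part of the original thread: a Python script that parses a constructed `netstat -ano`-style table (not a real capture) and buckets the ESTABLISHED entries the way tcpview displays them. Assumptions, labelled in the code: the avast web shield proxy listens on 127.0.0.1:12080 as PID 1520, Firefox is PID 2188, and the remote addresses are documentation-range IPs. The script also pairs loopback entries that share the same port pair, which shows that "Firefox goes to proxy" and "proxy goes to Firefox" are the two ends of one socket seen from both sides, not two connections; only the proxy-to-internet entry actually leaves the machine, and that is the count the XP half-open connect-attempt limit is applied against.

```python
import re
from collections import Counter

# Assumptions (not from the thread): avast's web shield proxy on 127.0.0.1:12080
# as PID 1520, Firefox as PID 2188. Remote IPs are documentation ranges.
PROXY_PORT = 12080
PROXY_PID = 1520
BROWSER_PID = 2188

# Constructed sample in "netstat -ano" layout: three proxied page fetches plus
# one Firefox internal loopback connection (the browser talking to itself).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:12080          0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:3045         127.0.0.1:12080        ESTABLISHED     2188
  TCP    127.0.0.1:12080        127.0.0.1:3045         ESTABLISHED     1520
  TCP    192.168.1.10:3046      203.0.113.10:80        ESTABLISHED     1520
  TCP    127.0.0.1:3047         127.0.0.1:12080        ESTABLISHED     2188
  TCP    127.0.0.1:12080        127.0.0.1:3047         ESTABLISHED     1520
  TCP    192.168.1.10:3048      203.0.113.10:80        ESTABLISHED     1520
  TCP    127.0.0.1:3049         127.0.0.1:12080        ESTABLISHED     2188
  TCP    127.0.0.1:12080        127.0.0.1:3049         ESTABLISHED     1520
  TCP    192.168.1.10:3050      198.51.100.7:80        ESTABLISHED     1520
  TCP    127.0.0.1:3051         127.0.0.1:3052         ESTABLISHED     2188
  TCP    127.0.0.1:3052         127.0.0.1:3051         ESTABLISHED     2188
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            rows.append((lip, int(lport), rip, int(rport), state, int(pid)))
    return rows


def is_loopback(ip):
    return ip.startswith("127.")


def classify(rows):
    """Bucket entries as tcpview shows them: one line per socket end."""
    counts = Counter()
    for lip, lport, rip, rport, state, pid in rows:
        if state != "ESTABLISHED":
            counts[state.lower()] += 1
        elif is_loopback(lip) and rport == PROXY_PORT and pid != PROXY_PID:
            counts["browser->proxy"] += 1       # browser's end of the loopback socket
        elif lport == PROXY_PORT and pid == PROXY_PID and is_loopback(rip):
            counts["proxy->browser"] += 1       # proxy's (accepted) end of the same socket
        elif pid == PROXY_PID and not is_loopback(rip):
            counts["proxy->internet"] += 1      # the only entry that leaves the machine
        elif is_loopback(lip) and is_loopback(rip):
            counts["other-loopback"] += 1       # e.g. Firefox talking to itself
        else:
            counts["direct"] += 1               # not via the proxy (would be non-HTTP)
    return counts


def loopback_streams(rows):
    """Count logical loopback connections by pairing (A->B) with its mirror (B->A)."""
    ends = {(lip, lport, rip, rport)
            for lip, lport, rip, rport, state, _ in rows
            if state == "ESTABLISHED" and is_loopback(lip) and is_loopback(rip)}
    seen, streams = set(), 0
    for lip, lport, rip, rport in ends:
        key = frozenset([(lip, lport), (rip, rport)])
        if key not in seen and (rip, rport, lip, lport) in ends:
            seen.add(key)
            streams += 1
    return streams


def summarize(text):
    rows = parse_netstat(text)
    counts = classify(rows)
    real = counts["proxy->internet"]
    proxied = counts["browser->proxy"] + counts["proxy->browser"] + real
    return {
        "established_entries": sum(v for k, v in counts.items() if k != "listening"),
        "proxy_to_internet": real,
        "entries_per_proxied_request": proxied // real if real else 0,
        "loopback_streams": loopback_streams(rows),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

On the constructed table each proxied fetch shows up as three ESTABLISHED entries, matching the tripling the post observed, but the loopback pairing collapses them to one loopback stream plus one outbound connection per request. To reproduce on a live XP box, feed the output of `netstat -ano` into `summarize()` and adjust the proxy port and PIDs to what `netstat` shows listening for the avast process.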

McAfee has an uninstall tool that you could run to ensure any possible remnants are removed. Check out this page for removal tool and instructions, http://service.mcafee.com/FAQDocument.aspx?id=TS100507

McAfee is long gone from my machine and replaced by Avast Free.

Well the avast/antivirus section in the XP Event Viewer should no longer be there.

Never saw one there - I’m just talking “System” events. I have the latest Avast Free, whatever that was a week or so ago and since updated automatically, if automatically updated. Typing on this forum is WAY more attention than I’ve paid to the installed version of (the ultra-low impact and I like it) Avast.