Author Topic: Grim Fandango game trojan-- False Positive (?)  (Read 7956 times)


Offline chameleon

  • Full Member
  • ***
  • Posts: 164
Grim Fandango game trojan-- False Positive (?)
« on: November 29, 2008, 04:21:27 AM »
Hi,

I did a scan with avast on the 24th November and came up with this result:

file name: C:\Program Files\LucasArts\Grim\DATA003.LAB
malware Name: Win32:PcClient-XZ [trj]


"C:\Program Files\LucasArts\Grim\DATA003.LAB" refers to a file in the popular & reputable game Grim Fandango distributed by LucasArts. It is an original, purchased copy, so not sure why a Trojan result came up for that. I tried emailing it to avast! from the chest but received a message saying the file is too big to email.


I can't find any credible information on the suspected trojan "Win32:PcClient-XZ".

And I extracted & scanned the Grim Fandango file with Kaspersky AV & no problems reported.

Should I remain worried about the Grim Fandango file? I have left it in the chest, for the meantime.




Jtaylor83

  • Guest
Re: Grim Fandango game trojan-- False Positive (?)
« Reply #1 on: November 29, 2008, 09:17:35 PM »
Hi, there. Have you installed the game from a CD or did you download it from a site like Torrentz?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Grim Fandango game trojan-- False Positive (?)
« Reply #2 on: November 29, 2008, 09:21:58 PM »
chameleon, submit the file to www.virustotal.com and post back the link for the results ;)
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Grim Fandango game trojan-- False Positive (?)
« Reply #3 on: November 29, 2008, 09:25:23 PM »
You could also check the offending/suspect file at: VirusTotal as Tech mentioned - A Multi engine on-line virus scanner. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
« Last Edit: November 29, 2008, 09:27:12 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline chameleon

  • Full Member
  • ***
  • Posts: 164
Re: Grim Fandango game trojan-- False Positive (?)
« Reply #4 on: November 30, 2008, 02:38:51 AM »
Hi Jtaylor83,

Yes, I installed the game from a legal CD, purchased just last month.

Tech & DavidR, I extracted & tried scanning through Virus Total but I received the message: Bigger than max permited size / Mayor del tamaño máximo permitido

And I then created a zipped folder and tried to send the file to virus@avast.com but I received a message from Thunderbird saying something like the file is too large for global server settings.

gah!





Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Grim Fandango game trojan-- False Positive (?)
« Reply #5 on: November 30, 2008, 03:01:00 AM »
How big is the file exactly ?
The VT limit is 10MB.

If you have it in the chest, open the chest and right click on it and select email to Alwil software (I know, I know), it doesn't actually get sent by email if you are on the latest versions of avast (latest is 4.8.1296). Fill in the pop-up form Type: possible false positive (see image 1) and submit.

This is uploaded during the next avast manual or auto update process; after the update is downloaded and before it is installed, the sample will be uploaded, see image 2.

Offline chameleon

  • Full Member
  • ***
  • Posts: 164
Re: Grim Fandango game trojan-- False Positive (?)
« Reply #6 on: November 30, 2008, 03:13:41 AM »
DavidR, I think the file is about 40 Megabytes.    :o

And so, I can't email it through the chest either. It says it's too big.

No matter, I will scan with a bunch of other online scanners like Trend Micro and Norton, etc, and if no other trojan reports come up for it then I will exclude it.
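
An added example, not part of any post in this thread: when a flagged file is over the 10MB upload limit mentioned above, one local check is to compare its SHA-256 with a copy read straight from the original CD. The function names, the stand-in file names and the assumption that the CD holds an uncompressed copy of the file are all assumptions of this example.

```python
import hashlib
import os
import tempfile

VT_UPLOAD_LIMIT = 10 * 1024 * 1024  # the 10MB limit quoted in the thread


def sha256_of(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a 40MB archive is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(flagged_path, reference_path, upload_limit=VT_UPLOAD_LIMIT):
    """Compare a flagged file with a reference copy from the original media."""
    size = os.path.getsize(flagged_path)
    flagged_hash = sha256_of(flagged_path)
    reference_hash = sha256_of(reference_path)
    return {
        "size_bytes": size,
        "fits_upload_limit": size <= upload_limit,
        "sha256": flagged_hash,
        "matches_reference": flagged_hash == reference_hash,
    }


def demo():
    """Run triage on constructed stand-in files (not real game data)."""
    with tempfile.TemporaryDirectory() as workdir:
        cd_copy = os.path.join(workdir, "cd_DATA003.LAB")
        installed = os.path.join(workdir, "installed_DATA003.LAB")
        modified = os.path.join(workdir, "modified_DATA003.LAB")
        payload = b"constructed sample bytes\n" * 1000
        for path, data in ((cd_copy, payload), (installed, payload),
                           (modified, payload + b"appended")):
            with open(path, "wb") as handle:
                handle.write(data)
        return triage(installed, cd_copy), triage(modified, cd_copy)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A matching hash only shows that the installed file is byte-for-byte what shipped on the disc; it does not by itself say whether the detection is correct, so the sample still needs to reach the vendor for analysis.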



Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Grim Fandango game trojan-- False Positive (?)
« Reply #7 on: November 30, 2008, 02:57:46 PM »
Well this looks like a throwback to the old system where there is a Maximum size of file to send option in Program Settings, Chest. Change that to cater for the large file size and it should go, I assume you have a fast broadband to consider uploading something of that size.

Sataaa

  • Guest
Re: Grim Fandango game trojan-- False Positive (?)
« Reply #8 on: December 23, 2008, 09:51:06 AM »
I want to know what has come of this.

I am having the same problem and I also bought the original game.

Is it really a false positive?

Offline chameleon

  • Full Member
  • ***
  • Posts: 164
Re: Grim Fandango game trojan-- False Positive (?)
« Reply #9 on: December 23, 2008, 10:58:23 AM »
Sataaa,

I still don't know.

I just assume it is a false positive as no other virus scans I did online, at the time, picked it up as a problem.

I also had planned to email lucasarts for their opinion & you've reminded me to do that.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Grim Fandango game trojan-- False Positive (?)
« Reply #10 on: December 23, 2008, 12:21:29 PM »
Sataaa, can you report the file as being a false positive (click on the bottom right of the virus warning message)?

To know if a file is a false positive, please submit it to VirusTotal and let us know the result. VirusTotal has a file size limit of 10Mb. You can use VirScan also.
If it is indeed a false positive, send it in a password protected zip to virus@avast.com. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders to manage the file(s).