Author Topic: what is “Win32:Trojan-gen. {Other}”?  (Read 6278 times)


babel2

  • Guest
what is “Win32:Trojan-gen. {Other}”?
« on: August 20, 2007, 08:26:10 PM »
I got a virus infected notice today!!  My Avast detects them with the latest VPS 000767-1.

The name of the virus is “Win32:Trojan-gen. {Other}”

and the infected files are
"c:\windows\system32\dllcache\mtxex.dll", "c:\windows\system32\mtxex.dll" and "c:\windows\system32\SET8.tmp".

I also scanned with “Trend flex security online scan”, “Symantec online scan” and Windows Defender, with the latest as of today.
They found no malware.

So, what is “Win32:Trojan-gen. {Other}” and does anyone have the same thing?

sanctuary24

  • Guest
Re: what is “Win32:Trojan-gen. {Other}”?
« Reply #1 on: August 20, 2007, 08:34:56 PM »
I'm not an expert, mate, but if all the other anti-virus programs are saying it's clean it could be either:

a) A false positive (i.e. it's been detected as bad but it's not)
b) Avast has detected this and others haven't

You could try either sending the file to the Avast team or using www.virustotal.com, which checks it with all available anti-virus software.

Another last possibility would be to put as much info on here as possible and someone will help you work it out; a program such as Hijackthis can provide the details of your system.
« Last Edit: August 20, 2007, 08:36:32 PM by sanctuary24 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: what is “Win32:Trojan-gen. {Other}”?
« Reply #2 on: August 20, 2007, 08:35:39 PM »
It's being detected by a gen(eric) signature for trojans of Win 32 systems.
To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
VirusTotal and Jotti both have file size limits 10 and 15MB each.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.
After that, please, periodically check it - scan it into Chest, right clicking the file -  there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.
The best things in life are free.

babel2

  • Guest
Re: what is “Win32:Trojan-gen. {Other}”?
« Reply #3 on: August 20, 2007, 09:08:39 PM »
Thank you guys for your replies!!

I put the infected file on VirusTotal!
The result is that only Ikarus T3.1.1.12 detects it, and the others, including Avast at VirusTotal, do not detect it.
However, my Avast detects it!! I have no idea why.

I’ll also send the infected files to virus@avast.com.

Sorry, it is long, but I paste the result from VirusTotal here:

Antivirus Version Last Update Result
AhnLab-V3 2007.8.21.0 2007.08.20 -
AntiVir 7.4.1.62 2007.08.20 -
Authentium 4.93.8 2007.08.20 -
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.20 -
BitDefender 7.2 2007.08.20 -
CAT-QuickHeal 9.00 2007.08.20 -
ClamAV 0.91 2007.08.20 -
DrWeb 4.33 2007.08.20 -
eSafe 7.0.15.0 2007.08.20 -
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.20 -
FileAdvisor 1 2007.08.20 -
Fortinet 2.91.0.0 2007.08.20 -
F-Prot 4.3.2.48 2007.08.20 -
F-Secure 6.70.13030.0 2007.08.20 -
Ikarus T3.1.1.12 2007.08.20 Virus.Win32.Trojan
Kaspersky 4.0.2.24 2007.08.20 -
McAfee 5101 2007.08.20 -
Microsoft 1.2803 2007.08.20 -
NOD32v2 2471 2007.08.20 -
Norman 5.80.02 2007.08.20 -
Panda 9.0.0.4 2007.08.19 -
Prevx1 V2 2007.08.20 -
Rising 19.36.60.00 2007.08.19 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.18 -
Symantec 10 2007.08.20 -
TheHacker 6.1.8.171 2007.08.20 -
VBA32 3.12.2.2 2007.08.20 -
VirusBuster 4.3.26:9 2007.08.20 -
Webwasher-Gateway 6.0.1 2007.08.20 -
Additional information
File size: 4096 bytes

Babel2

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: what is “Win32:Trojan-gen. {Other}”?
« Reply #4 on: August 20, 2007, 09:15:52 PM »
Quote: "The result is only Ikarus T3.1.1.12 detects it and the others includes"
Most probably a false positive of avast.

Quote: "Avast at VirusTotal do not detect it. However, My Avast detects it!!  I have no idea here why?"
Because your avast is updated to the latest version and VirusTotal might not be.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: what is “Win32:Trojan-gen. {Other}”?
« Reply #5 on: August 20, 2007, 09:20:19 PM »
VirusTotal usually lags behind avast users in the VPS version they use; by all accounts VT can't easily update the VPS. So you will often see something like this. Remember, what you are looking for is confirmation from other AVs that the detection is good.

In this case it would appear to be an FP.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions) and Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location.

When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
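
An added example (not part of any forum post, and not Avast or VirusTotal code) of the cross-check discussed in this thread: it parses the result table as pasted in Reply #3 and reports which other engines corroborate the local detection and which were running older signatures. The function names, the one-day staleness threshold and the choice of seven rows from the posted table are assumptions made for illustration.

```python
import re
from datetime import date

# Seven of the 32 rows from the VirusTotal result posted in this thread.
REPORT = """\
Antivirus Version Last Update Result
Avast 4.7.1029.0 2007.08.20 -
eTrust-Vet 31.1.5069 2007.08.18 -
Ikarus T3.1.1.12 2007.08.20 Virus.Win32.Trojan
Kaspersky 4.0.2.24 2007.08.20 -
Microsoft 1.2803 2007.08.20 -
Sophos 4.20.0 2007.08.12 -
Symantec 10 2007.08.20 -
File size: 4096 bytes
"""

# engine, engine version, signature date (YYYY.MM.DD), verdict ("-" means clean)
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4})\.(\d{2})\.(\d{2})\s+(\S.*)$")

def parse_report(text):
    """Return one dict per engine row; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            engine, version, y, mo, d, verdict = m.groups()
            rows.append({"engine": engine, "version": version,
                         "updated": date(int(y), int(mo), int(d)),
                         "verdict": None if verdict == "-" else verdict})
    return rows

def triage(rows, scan_day, local_engine, max_lag_days=1):
    """Summarise what the report can and cannot confirm about a local detection."""
    hits = {r["engine"]: r["verdict"] for r in rows if r["verdict"]}
    return {
        "engines": len(rows),
        "hits": hits,
        # Other vendors agreeing is the confirmation the thread asks for.
        "corroborating": sorted(e for e in hits if e != local_engine),
        # The local engine being clean here may only mean older signatures.
        "local_engine_clean_on_vt": any(
            r["engine"] == local_engine and not r["verdict"] for r in rows),
        # Engines whose signatures are older than the (assumed) lag threshold.
        "stale": sorted(r["engine"] for r in rows
                        if (scan_day - r["updated"]).days > max_lag_days),
    }

if __name__ == "__main__":
    print(triage(parse_report(REPORT), date(2007, 8, 20), "Avast"))
```

The "Last Update" column only has day resolution, so it cannot distinguish two signature releases published on the same day, such as VPS 000767-1 and 000767-2 in this thread.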

babel2

  • Guest
Re: what is “Win32:Trojan-gen. {Other}”?
« Reply #6 on: August 20, 2007, 09:30:44 PM »
Thank you!!
This is some quick information.
The VPS was updated from 000767-1 to 000767-2 around 12:00 noon US PDT today.
After that I scanned the infected files again with Avast. This time, it found no virus!
I hope something was wrong in 000767-1. But Ikarus still says “Infected”. So I'll keep an eye on it!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: what is “Win32:Trojan-gen. {Other}”?
« Reply #7 on: August 20, 2007, 09:39:19 PM »
It takes time from your false positive submission to it being analysed; once detected as an FP it will quickly be corrected.

When submitting an FP (password protected zip file) I usually suggest you give the URL of your Topic on the forums.

Also see False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.

babel2

  • Guest
Re: what is “Win32:Trojan-gen. {Other}”?
« Reply #8 on: August 20, 2007, 10:12:56 PM »
Thank you ALL!!
I've sent it to virus@avast.com.
I'll report something here after getting a response from them!!

Babel2

Keith Warner

  • Guest
Re: what is “Win32:Trojan-gen. {Other}”?
« Reply #9 on: August 20, 2007, 10:46:46 PM »
Well, shall I add to this thread or start a new one?  I got the same alert during a scan last night.  Two instances of Spybot's TeaTimer update being infected:

"ORIGINAL FILE NAME: teatimer 1506-setup.exe"

I clicked the button to send report - is that enough?

I haven't been here in a long time, so my profile needs updating, but everything on the computer is up to date.


Thanks, Keith

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: what is “Win32:Trojan-gen. {Other}”?
« Reply #10 on: August 20, 2007, 11:23:42 PM »
It may be better to start a new topic because the file that is being detected is different, though the Win32:Trojan-gen {Other} is likely to cover many different files if it is an FP, it relates to the file.

In the other topic you can post any confirmation of an FP like the VirusTotal results.

I don't believe the report button provides any meaningful information; follow the false positive reporting link above.

You can click the Profile and edit your Forum Profile Information.