Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Allochthonous on June 20, 2006, 05:39:52 PM

Title: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Allochthonous on June 20, 2006, 05:39:52 PM
I completed a scan last night (VPS 0624-2) which detected this virus:

Win32:Trojan-gen {UPX!} in the file "browser.exe"

The file is located in C:\WINDOWS

I moved it to the virus chest, then moved it back so I could scan it with TrendMicro House Call to get a second opinion. It found nothing wrong with the file. I then moved it back into the chest while I investigated.

On a hunch, I rolled over to my other machine to see if the file existed there also. It did, and I got the same results. These machines are both WinXP SP2, with Avast 4 Home and Sunbelt Kerio Firewall. That is about all they have in common, except for an SBC Yahoo DSL connection.

On a second hunch, I popped the SBC DSL installation CD into the old system and explored the CD for the file "browser.exe." There it was, and Avast freaked out once again. So, if it thinks it's a virus on the CD, then it's not like the file on the system was infected later.

I can't recall whether I have scanned since I installed the DSL. It is very possible that I have not, as we have had a baby in the meantime and I have been rather distracted. If I have scanned, I wonder why Avast did not pick this up before. If I have not scanned, then why does Avast see this file as viral? Surely SBC would not include a virus on their installation CD, would they? Spyware, yes, but a virus?

I have a friend who also has SBC DSL and uses Avast. I will check with him tonight to see if a) he has the file and b) whether Avast finds it viral.

For now I have moved the file into the chest on both systems.

Any clue?

PK
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: DavidR on June 20, 2006, 05:45:39 PM
First update the VPS; the latest is 0625-2 and yours is a week out of date (you should ensure auto updates is set), unless 0624-2 is a typo.

What is browser.exe?

You could also check the offending/suspect file at Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/); if any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html)

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check-scan it periodically using the ashQuick scan (right-click scan); when it is no longer detected, then remove it from the exclusions.
Also see (Mini Sticky) False Positives (http://forum.avast.com/index.php?board=2;action=display;threadid=7779)
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Spiritsongs on June 20, 2006, 06:40:15 PM
Hi:

I feel a "trojan" is more "spyware" than it is a "virus"; a very good program to use as a "2nd opinion" would be "Ewido", available at www.ewido.net. Should consider running their online scanner!?
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Allochthonous on June 20, 2006, 06:46:26 PM
OK, I talked to my friend. The file is on his SBC DSL Setup CD, but could not be found on his system. Avast went off on the file on the CD.

I tried those online scanners.

Jotti says that Avast found Win32:Trojan-gen
Fortinet found Pahador.F!tr
VirusBuster found Trojan.Autoit.A

However, it says the SAME THING when I scan the file from the CD too!

What the heck? This still has to be a false positive, right? I mean, if it's ON THE CD?

I am still waiting for the VirusTotal results.

I have an email out to Avast tech support. Should I confront SBC too?

I have one more SBC DSL system (my mother-in-law's) that I can look into to see if the file exists and what her McAfee AV thinks of it.

PK
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: RejZoR on June 20, 2006, 07:19:57 PM
There is no such file as browser.exe located in WINDOWS folder. So you can be pretty sure it's malware.
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Allochthonous on June 20, 2006, 07:55:13 PM
The VirusTotal results are similar.
They were identical for both the files on my system and the file on the SBC DSL install CD.

CAT-Quickheal - Trojan.Autoit.D
Fortinet - Pahador.F!tr
Sophos - Troj/Pahador-F
VirusBuster - Trojan.Autoit.A

The Ewido online scanner came up negative, except for cookies.

The issue isn't necessarily "what is this file doing in my WINDOWS directory" but more like "why do a few AV scanners consider a file being distributed by SBC to be viral"?

Should I email this to Avast as a potential false positive as suggested in the sticky?


PK
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: DavidR on June 20, 2006, 08:09:01 PM
Try a forums search for autoit as I remember AutoIt used to cause some false detections for those using AutoIt. However, if you haven't got AutoIt then that may not be relevant.

Again, what is the browser.exe file for, what does it do?
Quote from: Allochthonous
Should I email this to Avast as a potential false positive as suggested in the sticky?
If you don't they will be none the wiser and unable to analyse it, so I would say yes.
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Allochthonous on June 20, 2006, 08:42:46 PM
DavidR: That's part of the problem. I have NO idea what it is or what it does. All I know is that it exists on the SBC DSL install CD and in my WINDOWS directory. It exists on my friend's CD, but not his system.

Avast alarms on the file in ALL cases.

PK
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: mauserme on June 20, 2006, 08:45:37 PM
Hi Allochthonous,

I also have SBC Global DSL and avast! detected the same on a home computer Saturday during a boot scan. Oddly, the scheduled scan done Friday morning (standard/no archives) gave me no warnings even though, if this is from the SBC setup, it must have been on my drive since November 2005.

Prior to the boot scan I had scanned as follows because of suspicious activity on the PC (i.e. BitDefender 8 was disabled without explanation):

Avast! Scheduled Scan - no detection
Ewido v 3.5 - no detection
BitDefender 8 (after re-installation) - no detection
AdAware - no detection
Spybot S&D - no detection
Trend House Call - no detection

I'm treating mine as a real detection for the time being. I put it in the chest and plan on scanning it again with avast!, BitDefender, and maybe ClamWin in a week or so.

I did not think to check the SBC setup CD but I will when I get home from work. I'll also check a second home PC as well as a friend's I set up 2 weeks ago to see if it's present there. It could be a false positive but it wouldn't surprise me at all if it's some sort of "marketing tool".

BTW, my DSL connection is just fine without it.

Quote from: Allochthonous
... we have had a baby in the meantime and I have been rather distracted.

Congratulations - hope you're getting a little sleep.
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Allochthonous on June 20, 2006, 09:24:54 PM
mauserme: Thanks! (We actually can't complain about our quantity of sleep.) She's a pretty good baby.

Hey, let me know what you find out on your SBC CD. I almost guarantee it's gonna wig out on you. Also let me know what you find on your other SBC DSL PCs. I will try to make it over to the in-laws soon to see if that file exists on their system. They use McAfee for AV though.

I wish I knew the date that I started my SBC service so I knew whether I had indeed run a scan between then and now. I may have to dig through some paperwork.

PK

Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Allochthonous on June 20, 2006, 09:32:48 PM
OK, I just confirmed it. I had DSL by mid March. I KNOW that I ran MANY MANY scans between then and now. I know this because I had another minor "run in" with some malware in early April. I bet I ran 20 different scans from many products, and I don't recall any of them finding this. (Refer to my post here regarding that threat.)

PK
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: DavidR on June 20, 2006, 10:11:20 PM
New/modified signatures get added all the time; this is why you often find stuff that has been on your system for some time being detected after a VPS update, and also why you should never delete but send to the chest and investigate, as you have. Because of the fact that a few other AVs are alerting on it, you have to err on the side of caution, as has been mentioned before, and send it to avast with some background info, such as this thread, etc.
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: mauserme on June 21, 2006, 02:34:55 AM
Quote from: Allochthonous
Hey, let me know what you find out on your SBC CD. I almost guarantee it's gonna wig out on you.

OK, consider me wigged.

Although I don't have access to my friend's computer right now, I do have her installation disk. Scanning hers and mine yielded identical results:

avast! = W32:Trojan-gen[UPX]
Bitdefender with updated defs = no detection
Ewido (new version 4) = no detection
ClamWin = Error: Can't open file F:\setup\browser.exe
a-squared = no detection in browser.exe but did report the following


I'm pretty sure browser.exe is the alternate browser SBC supplies (see your documentation), but I would obviously stay away from using it. The a-squared stuff? Not a clue...

Quote from: DavidR
New/Modified signatures get added all the time, this is why you often find stuff that has been on your system for some time being detected after VPS update ...

Yes, but the reason for my surprise is that there was no VPS update between my Friday and Saturday scans. The boot scan is a different animal, of course.
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Allochthonous on June 21, 2006, 02:45:57 AM
Thanks for checking, mauserme. This is getting very weird. Yours was only detected during a boot scan? What does the regular scanner think of the file? Or did you not get that far?

Was the file "browser.exe" located in the WINDOWS directory like mine?

I think I will contact SBC tomorrow and see what they say about the file. I will also send a "false positive" email to Avast.

PK
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: mauserme on June 21, 2006, 05:54:41 AM
It was not detected on my C: drive during a scheduled scan, but the following day a boot scan did detect it on C:. I think this might reflect a difference in sensitivity levels between the two types of scans. And yes, it was in C:\Windows.

On the CD, scanning from the simple user interface and from the context menu gives a positive detection.

I've also now submitted it to Jotti and you can add Dr. Web to the list of detections (Trojan.Click.1255).

My feeling about this is:

1)  my connection is fine without it
2)  I have no use for the browser (if that's what it is)
3)  there are enough respected programs calling it a trojan that I don't trust it

Since I have the original file on the CD, I'll probably just delete it from C: at this point.

Do let us know what SBC says about it.
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Allochthonous on June 22, 2006, 05:02:47 PM
UPDATE:

I sent the file to virus@avast.com. I have not received a reply yet.

I also chatted with SBC support about it. Here is their "awesome" response:

Jason 8:27 AM  Jun 22 2006
Thank you for using SBC Internet Services. My name is Jason and I have been assigned to your Live Assistance case. While I review the details of your case, please respond back to this message so that I know you are available.

Me:
Can you please tell me what the file "browser.exe" is? It can be found on the SBC DSL Installation CD and is also located in my C:\WINDOWS directory. My Avast!antivirus says that it is malware (a trojan), but I hope that it is a false positive. I would like more information about the file please.

Jason 8:33 AM  Jun 22 2006
I understand that you wish to know about "browser.exe" file. Am I right?

Me:
Yes, that is correct.

Jason 8:40 AM  Jun 22 2006
"browser.exe" is a file that can be associated with any browser. However, it could be a trojan also. For more information about this file, you may visit http://www.malwhere.com/processes/browser.exe.html

Jason 8:40 AM  Jun 22 2006
If you doubt any file to be a virus or Trojan, you may run a virus scan for that particular file.

Me:
Yes, I have already read similar information. The problem is that the file on YOUR installation CD is testing positive for a trojan. Are you distributing viruses on your installation CDs?

Jason:
As I have mentioned, the "browser.exe" file is associated with the installation of browsers. The SBC CD contains the Internet Explorer and SBC Yahoo Browser installation files and they can be associated with this file.

Me:
OK, so the "browser.exe" file on the CD is related to either IE or the Yahoo Browser (but you don't know which)? Is this a false positive from my antivirus program then? (I have already reported it to them)

Jason 8:54 AM  Jun 22 2006
Yes, normally this file belongs to the browsers. However, this process name is also used by several malicious applications.

Me:
So is the antivirus program just seeing the name "browser.exe" and thinking the file is malicious?

Jason 8:57 AM  Jun 22 2006
Yes, it might be the case.

Me:
Hmmm. Ok then.

Me:
Thank you for your time.
 
------------

Any further thoughts here?

PK
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: mauserme on June 22, 2006, 05:26:02 PM
Quote from: Allochthonous
Any further thoughts here?

At the risk of sounding like a cynic I'd call this a typical response.

He could have just as easily said "I don't know what you mean but I have several standard answers I can share with you".

If you think browser.exe is a file you might need, leave it in the chest for a couple of weeks and scan again later. If it is a false positive it will eventually be corrected and will not be detected any longer. Personally, I see no need for it on my setup.
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Allochthonous on June 22, 2006, 05:29:27 PM
*laugh*

I really don't think it's a file that I need either, but I have left it in my chest anyway.

PK
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: DavidR on June 22, 2006, 05:41:00 PM
Quote from: Allochthonous
I sent the file to virus@avast.com. I have not received a reply yet
Generally you won't receive an email unless avast requires more information.
From time to time, check-scan it in the chest (after VPS updates) and see if its infected status changes.
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: mauserme on June 22, 2006, 05:50:43 PM
I just submitted it to Jotti again and avast! no longer detects it. Confirmed with a scan from the context menu.

But ...

Dr. Web found Trojan.Click.1255
Fortinet found Pahador.F!tr
VirusBuster found Trojan.Autoit.A
VBA32 found Trojan.Click.1255

VBA32 is new to the list.
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: DavidR on June 22, 2006, 06:00:24 PM
Looks like VBA32 is using the DrWeb database/engine, as Trojan.Click.1255 seems a strange name to be found in more than one detection engine.
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: Allochthonous on June 22, 2006, 06:01:18 PM
Yeah, my virus database just updated and now Avast no longer detects it in the chest or on the CD.

Hmm. Not sure about the others though. Let's give them time, I guess.

I am pretty sure it is nothing, but I am still going to leave the file in the chest.

PK
Title: Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
Post by: mauserme on June 22, 2006, 06:10:11 PM
Quote from: DavidR
Looks like VBA32 is using the DrWeb database/engine ...

I was thinking the same thing. Maybe they get updates a day or two later than the Dr. Web customers.