Avast WEBforum

Topic started by: Liquid on August 04, 2004, 01:15:48 PM

Title: About this Win32:Trojan-gen. {Other}
Post by: Liquid on August 04, 2004, 01:15:48 PM
Hi all!

Well, as I have read through these posts a little bit I think you're tired of hearing about this "virus" if it really is a virus, lots of different opinions about this I've noticed.

Well, I have no choice, just yesterday I also did a scan of my system and Avast discovered this, like many others I noticed, mine is also located in c:program/Winrar and I CAN'T get rid of it no matter what I do.

The funny thing is though that I've tried several online scanners (trend-micro, symantec etc.) and they don't find a thing. This makes me wonder as some ppl just say it's a false alarm but it makes me nervous anyway.

So, my good friends, what the %*^# shall I do?

Please someone give me a good, easy solution to this!

Thank You!
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Eddy on August 04, 2004, 01:20:51 PM
What version of Avast?
What vps version?
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Liquid on August 04, 2004, 01:25:46 PM
I'm using Avast Home Edition 4.1 build 4.1.418
(registered), vps: 0432-1......
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: KezzerDrix on August 04, 2004, 09:12:46 PM
I have the EXACT same problem.  Weird, I wonder if it is finding a part of WINRAR to be a virus. ???
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Vlk on August 04, 2004, 09:29:42 PM
Even with the latest VPS update (0432-2)?? :o
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: KezzerDrix on August 04, 2004, 09:38:48 PM
I have to admit that it is my mom's computer.  I don't use winrar. I use www.zipgenius.it; it is a free compression utility.  I am going to look at it Saturday, but it has been a repetitive problem, always in the winrar file.  I plan on just removing winrar so she'll stop worrying about it.  However her pc auto updates on start up and it should be the latest version unless it has changed since Monday.

Title: Re:About this Win32:Trojan-gen. {Other}
Post by: bob3160 on August 04, 2004, 11:08:51 PM
Vlk
Mine has stopped "Singing" since the last update to 432-2. Thanks
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Vlk on August 05, 2004, 12:41:44 AM
Basically, the latest VPS update should resolve all known false positives...
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Kludgemeister on August 07, 2004, 09:14:44 PM
Using 0432-2 database, I get a trigger on "uninstall.exe" that comes with Meshcam (and on the Meshcam installation program)  but no trigger on winrar.exe.

Meshcam is at http://www.meshcam.com/

I've emailed the programmer, but I'm sure it's a false trigger.

Kludgemeister

Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Vlk on August 07, 2004, 09:17:21 PM
Please submit the file to virus@avast.com, the virus lab guys will take care of it shortly.

Thanks
Vlk
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Kludgemeister on August 08, 2004, 02:11:28 AM
Vlk, I have been trying for almost 5 hours to upload the file.  I cannot send it by my ISP's POP mail, nor my ISP's Web mail, nor Yahoo mail.  All seem to be out of service.  Can your guys download the program from http://www.meshcam.com/download.php on their own?  Thanks.

Kludgemeister
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Vlk on August 08, 2004, 10:50:37 AM
Ehm, what exactly is the problem? You can't send any emails? Or just this particular file?

Thanks
Vlk
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: DavidR on August 08, 2004, 02:12:55 PM
Quote
Vlk, I have been trying for almost 5 hours to upload the file.  I cannot send it by my ISP's POP mail, nor my ISP's Web mail, nor Yahoo mail.  All seem to be out of service.  Can your guys download the program from http://www.meshcam.com/download.php on their own?  Thanks.

Kludgemeister

What error messages are you getting to say you can't send the email?

Sometimes ISPs have an attachment file size restriction, what is the file size?

Sometimes ISPs and mail servers block .exe files in a half hearted attempt to combat viruses. Try to zip up the uninstall.exe file and see if that will go.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: GrizeBar on August 08, 2004, 05:29:27 PM
Vlk, I have been trying for almost 5 hours to upload the file.  I cannot send it by my ISP's POP mail, nor my ISP's Web mail, nor Yahoo mail.  All seem to be out of service.  Can your guys download the program from http://www.meshcam.com/download.php on their own?  Thanks.

Kludgemeister

Try Zipping the file with WinZip and password protect the archive. Send the file along with a text message containing the password.


What error messages are you getting to say you can't send the email?

Sometimes ISPs have an attachment file size restriction, what is the file size?

Sometimes ISPs and mail servers block .exe files in a half hearted attempt to combat viruses. Try to zip up the uninstall.exe file and see if that will go.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: DavidR on August 08, 2004, 06:13:19 PM
And your question is ???  ::)  ;)
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Kludgemeister on August 08, 2004, 09:17:09 PM
Thanks for the replies, guys.

Vlk - Problem with just this email.

DavidR - Eudora was saying "Eudora network timeout" and "Eudora is tired of waiting for the system to respond" and Yahoo mail was saying "Document contains no data".  The exe file size is 2636k and the zipped version (which I also did try sending) is 2591k.  I have had no problem sending attachments in the past.

GrizeBar - Yes, I did try zipping the file with no improvement.

This morning I did try attaching just the "uninstall.exe" contained in the archive, with no problem.  It is what Avast was specifically triggering on.  It is only 48k.

Kludgemeister
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: DavidR on August 08, 2004, 11:47:37 PM
Thanks,

The timeout sometimes happens when you are trying to send a document with a large attachment.

I have no idea why Yahoo would say no data because to my mind an attachment is data, unless it has no text in the body of the email and that is what it's complaining about.

An attachment in excess of 2MB would in some cases exceed an ISP's or mail service's limits. As you found zipping didn't help, this could be due to the size as mentioned above.

But you persevered and got the file that triggered the alert, good job.

Title: Re:About this Win32:Trojan-gen. {Other}
Post by: GrizeBar on August 09, 2004, 01:06:49 AM
Quote
And your question is ???  ::)  ;)

Oh, the replies go OUTSIDE  the Quotes!! DUH!

Sorry, I seem to have grunged that one.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: rawjr on August 10, 2004, 04:43:48 AM
I've gotten the Win32:Trojan-gen {Other} virus warning now, and I must say it's really annoying. I'm only running the trial version of avast, but it's up to date (0433-1).

I can't see anything suspicious in the HijackThis-log, and trend and panda online scanners can't find anything.

Even though I have run the program, the "virus" seems to be contained (it hasn't spread). This might change after boot, of course, but with what I've read about this "virus" so far, I'm not really scared.

Since I used the panda scanner, I now have the kuang2 "virus" in imscan.dll. That I can't blame avast for directly, but it is annoying to know that without a virus scanner my system would have been perfectly healthy and I wouldn't have used hours on finding out what was wrong. A hoax is sometimes worse than an actual virus.

Now to my questions: How do I configure avast to ignore these two "infected" files? Why is avast blocking the program, even though I haven't put it in the chest? And why is there no uninstall option, at least for the trial version?
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: whocares on August 10, 2004, 11:59:02 AM
Quote
and trend and panda online scanners can't find anything.
Hi,

- have you paused avast shield before using the online scanners?

- also read "VirusRemoval" below and scan the file online with KAV and RAV

- What WIN do you have ? Are all ServicePacks and Windowsupdates applied ? Please CHECK !!


- Where exactly was the infected File found (full path/folder/filename, e.g. like c:\Windows\system32\virusfile.exe) ? ;)
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: DavidR on August 10, 2004, 12:46:49 PM
Quote
And your question is ???  ::)  ;)

Oh, the replies go OUTSIDE  the Quotes!! DUH!

Sorry, I seem to have grunged that one.

Partly my fault and a lack of attention to detail, I didn't notice that you had commented inside the original quote.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: rawjr on August 10, 2004, 01:49:47 PM
Quote
and trend and panda online scanners can't find anything.
Hi,

- have you paused avast shield before using the online scanners?

- also read "VirusRemoval" below and scan the file online with KAV and RAV

- What WIN do you have ? Are all ServicePacks and Windowsupdates applied ? Please CHECK !!


- Where exactly was the infected File found (full path/folder/filename, e.g. like c:\Windows\system32\virusfile.exe) ? ;)

Please, I have no problems removing viruses. Instead of giving me the standard routine, just answer my questions. If that is too difficult, at least give me reasons for answering your questions.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: whocares on August 10, 2004, 03:01:19 PM
...well you can either delete the panda files, or exclude them from scanning in avast's options
(I don't have avast on this here PC so can't tell you the exact way to do it right now, but I guess if you're so proficient you can read/see help, faq's & Docu.. )
[EDIT]
same applies for "Uninstall", but if I understand you correctly
-> ControlPanel -> Add/Remove Programs -> avast ... would be a likely choice..)
If you mean PANDA_OnlineScan-Uninstal -> look in Downloaded.Program.Files (OBJECTS in IE-Options)
[/EDIT]

*

the reason for my questions about trojan-gen & onlinescanners is that:

- Trojan-Gen is a generic detection/name which comprises probably dozens to hundreds of different trojan-species/variants, and
- from your info it is not clear whether yours is a false alarm or not..
- or if it's just located in protected areas and thus can't be removed easily.. (_RESTORE .. ?)
- Trojan-Gen has in the past been known to detect stuff like fully-fledged Backdoors, but if you want to exclude that one from scanning -> your choice  ;D

--> I just wanted to help.. :)
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: rawjr on August 10, 2004, 06:23:23 PM
Quote
--> I just wanted to help.. :)

I'm sorry I was a little cranky, but after spending many hours trying to fix this "virus" and then finding out it's probably just a false positive...  >:(

But thanks for trying to help. :)

I run win xp pro sp1 fully updated, I have tried online scans (RAV, trend and panda) with and without avast disabled, and the file that's "infected" is  ...\Program Files\Serv-U\serv-u32.exe.

Avast reacts to this file when it's not running, and when it's running. To get serv-u up I have to disable avast, and as soon as I enable avast serv-u is shut down.

I can't seem to find an option in avast to ignore this specific file.

It would be helpful if avast made a list of the false positives, since it seems like there are a lot of them... ;)
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Eddy on August 10, 2004, 06:28:37 PM
Many false positives are solved with the latest vps (433-1). Make sure you have it.

To exclude files: start avast > menu > settings > exclusions
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Vlk on August 10, 2004, 06:38:32 PM
And make sure to submit the file to virus@avast.com, the virus guys will have a look at it and eventually change the detection code so that it won't be triggered any more...


Thanks
Vlk
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: whocares on August 10, 2004, 07:08:27 PM
Just to Clear things up..

This is an FTP-Server which is imho not usually part of WIN
-> You installed this intentionally ?

Cause this is also installed/used/misused by many worms with Backdoor-Functionality..

 ;)
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: rawjr on August 10, 2004, 07:14:52 PM
Quote
Many false positives are solved with the latest vps (433-1). Make sure you have it.

To exclude files: start avast > menu > settings > exclusions

I have the latest vps (0433-1). Still not 100% sure this is a false positive, but must assume that since nothing bad has happened yet, and none of the online scanners can find anything.

Thanks for the info, it's now excluded.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: rawjr on August 10, 2004, 07:18:30 PM
Quote
This is an FTP-Server which is imho not usually part of WIN
-> You installed this intentionally ?

Yes.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: tokenjo on August 16, 2004, 03:01:23 AM
error deleting file can not delete deinst-qfe002.exe access is denied.
make sure the disk is not full or write protected and that the file is not currently in use.


c:\windows\system32\deinst-qfe002.exe
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: BizUnlim on August 16, 2004, 09:49:15 PM
Quote
Basically, the latest VPS update should resolve all known false positives...

Hello,

I really appreciate Avast AV, but when I tried to install a new software from what appears to be a very reputable site, Avast said I had this particular trojan gen AND this one, as well, in the installation of it:
Win32:SdBot-825[trj]

And I am wondering if it is a 'false positive' or a real danger?  If so, I will have to report it to them immediately.  I want the software (and more from their site, which I seriously doubt is faulty or full of viruses) but I'm scared to execute the program now...  :P

Can you help me?  I have the latest updates of the home version in both the software and the virus database according to my Avast software.

Thank you sooooo much,
Donna
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: bob3160 on August 16, 2004, 11:10:34 PM
BizUnlim
Welcome to the Forums
Please help us help you.
What version of Avast! are you using?
What vps version?
What OS?
Where exactly is the file located?
What's the name of the Download Site?
etc. etc.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: borolo on August 19, 2004, 07:14:52 AM
Hi, I'm getting this virus also.

I'm using w98
avast 4.1 home edition
file version 0434-1

When I open the MS explorer or MSN messenger a pop up window appears and immediately the virus warning appears.
It says it's allocated in c:\windows\submit2.exe
I tell it to delete it and it reappears in c:\windows\sdkqh32.dll

I used also the avast virus cleaner with no luck.

Also used CWShredder v1.59.1 and detects: CWS affiliate:Winshow. It cleans it but it is reappearing again.

What should I do??

thanks
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: tokenjo on August 19, 2004, 09:11:30 AM
SOLUTION FOUND!


AFTER SCANNING, DELETE THEN RESTART
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Eddy on August 19, 2004, 09:58:25 AM
Quote
SOLUTION FOUND!
Not likely. There are likely more things that need to be done. Click on the link in my signature and follow all steps on that page to make sure your system is clean.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: borolo on August 19, 2004, 04:13:05 PM
Thanks Eddy, I have some of these programs running. I'll try them in safemode to see what happens.

I'll let you know.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: PaulVDV on August 22, 2004, 02:22:16 PM
Hello,

I got the same virus warning on the file c:\windows\system32\video_s32d.exe.
AVG cannot repair the file.

My AVG version is 4.1 Home Edition
Build Jun 2004 (4.1.418)
VPS 0434-2

Is this a false alarm ?

Thanks,
-Paul
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: Eddy on August 22, 2004, 02:47:03 PM
Run one or two online scanners and see if they pick that file up. Since google has nothing on it, it sure is a suspicious file.
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: bob3160 on August 22, 2004, 03:01:44 PM
PaulVDV
Welcome to the Forum.
Quote
My AVG version is 4.1 Home Edition
I didn't know they made that version! ;D
I think you meant Avast! version is 4.1 Home Edition didn't you? :)

Title: Re:About this Win32:Trojan-gen. {Other}
Post by: PaulVDV on August 25, 2004, 10:06:34 PM
Well, yes of course, it was Avast and not AVG ! Sorry for the confusion.

When I try online scanner, I get the following :

- with Computer associates: Win32.Rbot.IF
- with Kaspersky : Backdoor.Rbot.gen
- with Avast : Win32:Trojan-gen. {Other}

Which one is the right one ? None of them can clean it. What should I do ?

PS. Avast signature is now 0435 but still reports the problem.
I will submit the file to  virus@avast.com.

Thanks,
-Paul
Title: Re:About this Win32:Trojan-gen. {Other}
Post by: whocares on August 26, 2004, 12:13:14 AM

Quote
I will submit the file to virus@avast.com.


Hi Paul,
no need to report the file, if it's a confirmed detection, is there..?

here's some info&removal instructions for it:
VGREP (http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=Win32.Rbot.IF&product=0)
the red links to Trendmicro, Symantec and mcafee are usually the most helpful..

or just try deleting the file in SafeMode
and APPLY all windowsupdates, and change all your passwords..

plus follow instructions in eddy's signature, or "VirusRemoval" below..

and post a hijackthis-Log
 ;)