Author Topic: Trojan in MSI files in Windows\Installer??  (Read 8932 times)


littlerita

  • Guest
Trojan in MSI files in Windows\Installer??
« on: December 11, 2006, 05:58:26 PM »
System Windows XP Service Pack 2
Avast Professional V 4.7

A few weeks ago I ran a full system scan and Avast! found Trojan GpCoder in a few files--all were .msp files (1 in "downloads" folder--a Service Pack for ArcGIS and 1 in Windows/Installer folder.)
Avast! was unable to rename & move, move, or delete files.
I deleted the ArcGIS service pack (I can just re-download that one) but didn't want to mess with Windows file yet.

Ran a boot scan using Avast!.  No viruses detected.

Downloaded AVG and trial version of McAfee--no viruses detected. 

Avast! is still finding Trojan--now in more than 1 file in the Windows\Installer.  All of the files are .msp Windows Installer Patches, all are 62,857 kb or 70,097 kb.  If I right-click on the .msp file and choose "Scan", no virus is found.

Uploaded one of the files to http://virusscan.jotti.org/ at advice of Avast! technical support.  One file had a Trojan (not the same one) found in VBA32 (paranoid heuristics), but not in any other (including AVAST!); the other had a Trojan found in AntiVir and ArcaVir--again different from original, but not in any other.

I am at a loss.  Avast! can't process the file, but I am not convinced that this is a false positive.

Ran HijackThis and visited http://www.hijackthis.de/index.php?langselect=english
Nothing unusual found there.
Also running Spyware Doctor--no problems found there.

I have been having trouble with some applications crashing or hanging--but they are famous for doing that under the best of circumstances.

Any help would be VERY MUCH appreciated.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Trojan in MSI files in Windows\Installer??
« Reply #1 on: December 11, 2006, 06:04:00 PM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. That is a better source for confirmation, it uses the Windows version and has 27 different engines.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

littlerita

  • Guest
Re: Trojan in MSI files in Windows\Installer??
« Reply #2 on: December 12, 2006, 05:46:13 PM »
David, thanks for the input.
I think the files are too big for the VirusTotal system.  I am unable to email them (max size 10GB) and uploading them directly to the website doesn't appear to be working--after a few minutes of uploading, I get a text only screen that says "es mayor". (I tried with a smaller .msi file that was not known to be infected and it worked fine.)

I guess I will assume a false positive unless anyone else has any hints.  Like I said before AVAST! is unable to move the file to the chest--so "restoring it to the original location" is not a problem.

Thanks again.

Offline DavidR

Re: Trojan in MSI files in Windows\Installer??
« Reply #3 on: December 12, 2006, 06:10:52 PM »
It may well be that the detection isn't good, short of trying some on-line scans (but you have checked with two other AVs), add it to the exclusions as suggested.

On-line Virus Scanners and other useful Links Security-Ops.eu.tt.

I'm not sure of the reason why avast can't process the file, perhaps, size, you may need to increase the size allocated to the chest (Program Settings, Chest, Max size of Chest and File settings). Or perhaps the location of the files. Or perhaps unable to extract the infected element from within the archive.

littlerita

  • Guest
Re: Trojan in MSI files in Windows\Installer??
« Reply #4 on: December 12, 2006, 06:50:39 PM »
David,
Thanks for the advice of increasing the maximum size of files that can be allocated to the chest--the thought never occurred to me--I'll remember that next time.
For now though, the problem seems to have cured itself--just ran a full disk scan and it is not finding the trojan anymore--after several weeks of finding it--is that unusual?  I never reported the false positive.  The only thing that I did differently was disable the skins on Avast!
Hopefully that will be the end of it.


Offline DavidR

Re: Trojan in MSI files in Windows\Installer??
« Reply #5 on: December 12, 2006, 08:23:06 PM »
Hopefully so, welcome to the forums.