Author Topic: "Win32:Trojan-gen{Other}" Part 2  (Read 3451 times)


Keith Warner

  • Guest
"Win32:Trojan-gen{Other}" Part 2
« on: August 20, 2007, 11:32:56 PM »
  I got the same alert during a scan last night.  Two instances of Spybot's TeaTimer update being infected:

"ORIGINAL FILE NAME: teatimer 1506-setup.exe"

  In addition, the siren went off while trying to d/l SmitfraudFix from two different, well known 'Geek' sites today. 

Sounds like an otherwise wonderful program had a sudden 'Win32' brain-fart!


KW
« Last Edit: August 20, 2007, 11:38:27 PM by Keith Warner »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: "Win32:Trojan-gen{Other}" Part 2
« Reply #1 on: August 20, 2007, 11:51:03 PM »
Please, don't post twice the same.
Follow http://forum.avast.com/index.php?topic=30046.msg247763#msg247763

Edited, sorry, David asked you to start a new thread.

To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
VirusTotal and Jotti both have file size limits 10 and 15MB each.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.
After that, please, periodically check it - scan it into Chest, right clicking the file -  there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.
« Last Edit: August 20, 2007, 11:54:45 PM by Tech™ »
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89678
  • No support PMs thanks
Re: "Win32:Trojan-gen{Other}" Part 2
« Reply #2 on: August 21, 2007, 01:42:50 AM »
<snip>
  In addition, the siren went off while trying to d/l SmitfraudFix from two different, well known 'Geek' sites today. 
<snip>

It is the reboot.exe file that it is hiccuping about and that is probably because this file is a tool which could be used for good or evil and avast won't know which.

However I would have thought the detection would have the suffix [Tool], you can pause the web shield that will allow it to be downloaded, but when you try to open the zip file standard shield will kick up a fuss and you would need to exclude the file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89678
  • No support PMs thanks
Re: "Win32:Trojan-gen{Other}" Part 2
« Reply #3 on: August 21, 2007, 01:56:08 AM »
Update:
I uploaded reboot.exe which basically confirms riskware/tool, I have sent it to avast for analysis and/or reclassification of the malware name.

Quote
File Reboot.exe received on 08.21.2007 01:45:07 (CET)
Result: 7/32 (21.88%)
   
Antivirus    Version    Last Update    Result
AhnLab-V3   2007.8.21.0   2007.08.20   -
AntiVir   7.4.1.62   2007.08.20   -
Authentium   4.93.8   2007.08.20   -
Avast   4.7.1029.0   2007.08.20   Win32:Trojan-gen. {VB}
AVG   7.5.0.484   2007.08.20   Potentially harmful program HackTool.BVR
BitDefender   7.2   2007.08.21   -
CAT-QuickHeal   9.00   2007.08.20   -
ClamAV   0.91   2007.08.20   -
DrWeb   4.33   2007.08.20   -
eSafe   7.0.15.0   2007.08.20   -
eTrust-Vet   31.1.5069   2007.08.18   -
Ewido   4.0   2007.08.20   -
FileAdvisor   1   2007.08.21   -
Fortinet   2.91.0.0   2007.08.20   HackerTool/Reboot
F-Prot   4.3.2.48   2007.08.20   -
F-Secure   6.70.13030.0   2007.08.21   -
Ikarus   T3.1.1.12   2007.08.20   not-a-virus:RiskTool.Win32.Reboot.f
Kaspersky   4.0.2.24   2007.08.21   not-a-virus:RiskTool.Win32.Reboot.f
McAfee   5101   2007.08.20   potentially unwanted program Generic PUP
Microsoft   1.2803   2007.08.20   -
NOD32v2   2471   2007.08.20   -
Norman   5.80.02   2007.08.20   -
Panda   9.0.0.4   2007.08.19   -
Prevx1   V2   2007.08.21   -
Rising   19.36.60.00   2007.08.19   -
Sophos   4.20.0   2007.08.12   -
Sunbelt   2.2.907.0   2007.08.21   -
Symantec   10   2007.08.21   -
TheHacker   6.1.8.171   2007.08.20   -
VBA32   3.12.2.2   2007.08.21   -
VirusBuster   4.3.26:9   2007.08.20   -
Webwasher-Gateway   6.0.1   2007.08.20   Riskware.Tool.Reboot.C
Additional information
File size: 24576 bytes
MD5: f8d97683b922fa73b81bd0778a60f0df
SHA1: ac568d47177f14ce40797a34103b8250e21c6675
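Added example (not part of the thread and not avast or VirusTotal tooling): one way to triage a multi-engine report like the one quoted above is to separate riskware/tool/PUP-style names from malware-style names and see which engines are the naming outliers. The marker list and function names are assumptions made for this illustration, and the embedded rows are an excerpt of the quoted report.

```python
import re

# Excerpt of the scan report quoted in the post above: the seven detecting
# engines plus three clean rows ("-" means no detection).
REPORT = """\
AhnLab-V3   2007.8.21.0   2007.08.20   -
Avast   4.7.1029.0   2007.08.20   Win32:Trojan-gen. {VB}
AVG   7.5.0.484   2007.08.20   Potentially harmful program HackTool.BVR
ClamAV   0.91   2007.08.20   -
Fortinet   2.91.0.0   2007.08.20   HackerTool/Reboot
Ikarus   T3.1.1.12   2007.08.20   not-a-virus:RiskTool.Win32.Reboot.f
Kaspersky   4.0.2.24   2007.08.21   not-a-virus:RiskTool.Win32.Reboot.f
McAfee   5101   2007.08.20   potentially unwanted program Generic PUP
Microsoft   1.2803   2007.08.20   -
Webwasher-Gateway   6.0.1   2007.08.20   Riskware.Tool.Reboot.C
"""

# Assumed (not vendor-defined) substrings that mark a dual-use/PUP verdict.
RISK_MARKERS = ("not-a-virus", "risktool", "riskware", "hacktool",
                "hackertool", "potentially", "pup")

def parse_report(text):
    """Yield (engine, version, last_update, result) from each report row."""
    for line in text.splitlines():
        fields = re.split(r"\t+|\s{2,}", line.strip(), maxsplit=3)
        if len(fields) == 4:
            yield tuple(fields)

def triage(text):
    """Split detections into riskware-style and malware-style names."""
    summary = {"engines": 0, "riskware": {}, "malware": {}}
    for engine, _ver, _date, result in parse_report(text):
        summary["engines"] += 1
        if result == "-":
            continue
        is_risk = any(m in result.lower() for m in RISK_MARKERS)
        summary["riskware" if is_risk else "malware"][engine] = result
    return summary

if __name__ == "__main__":
    s = triage(REPORT)
    print(f"{len(s['riskware'])} riskware-style, {len(s['malware'])} "
          f"malware-style out of {s['engines']} rows")
    for engine, name in s["malware"].items():
        print("outlier naming:", engine, "->", name)
```

On this excerpt, six of the seven detections carry riskware/tool/PUP naming and only the avast generic Trojan label stands apart, which matches the reclassification request made in the post.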

Keith Warner

  • Guest
Re: "Win32:Trojan-gen{Other}" Part 2
« Reply #4 on: August 21, 2007, 03:01:25 AM »
Thank you, kind Sir!  I felt like I should follow up, but I had already deleted everything and didn't feel like bothering to start over.
KW

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89678
  • No support PMs thanks
Re: "Win32:Trojan-gen{Other}" Part 2
« Reply #5 on: August 21, 2007, 03:07:02 AM »
You're welcome.

However, you need to do the same for the 1506-setup.exe file, upload to VT and post the results here and submit to avast (this will help other avast users), I can't do that for you I don't have spybot S & D.