Author Topic: Win32 Trojan-gen & Win32 Malware-gen [Sorted]  (Read 7381 times)


Offline Davy

  • Full Member
  • ***
  • Posts: 139
Win32 Trojan-gen & Win32 Malware-gen [Sorted]
« on: September 08, 2012, 03:24:25 PM »
I booted the machine and up popped Win32 Trojan-gen. There were no other programs running. Avast asked me to submit it, so I put it in the virus chest and filled the form out; I was informed it would be submitted at the next update.

A boot-time scan with Avast found some files in MS Office 2000... a couple could not be moved - "cannot find file" or something, along with an error number I did not note.

I then did a scan in safe mode with Malwarebytes; this produced zero infections and gave me a clean bill of health!

The last virus I had... correction, the last viruses I had were with Norton AV many, many moons ago. I ditched it along with Internet Exploder and used Firefox 1.5, I think it was, which was new at the time; that took care of that!

Would I be correct in suspecting this is a false +? I haven't noticed any weird goings-on, like pop-ups or redirections. I noted there was a similar post which Essex boy was in the process of dealing with... may be related.

Dave




« Last Edit: September 10, 2012, 12:03:51 AM by Davy »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85384
  • No support PMs thanks
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #1 on: September 08, 2012, 03:37:27 PM »
Without more information it isn't possible to say one way or another if it is an FP.

What was the file name and location of the first malware-gen alert by avast ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.5.2470 (build 21.5.6354.675) UI 1.0.646/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Davy

  • Full Member
  • ***
  • Posts: 139
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #2 on: September 08, 2012, 04:08:15 PM »
These are still in the chest, but not uploaded yet; it did say after the next update... is this right?

These are in order of appearance:
OSA9.exe - Trojan-gen
MSOHELP.exe - Malware-gen
Graph9.exe - Malware-gen
A0079596.EXE - Trojan-gen (Volume restore info)

I don't know if this helps; there were no other pop-ups. I use Firefox and I always clean out before I shut down, and have Privacy Guardian clean on boot-up. All I can say is there isn't any unruly behaviour that I can detect.... yet!

Thank you for your prompt response.

Dave


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85384
  • No support PMs thanks
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #3 on: September 08, 2012, 04:26:25 PM »
You can either do a manual update or wait for the next auto update check for them to be uploaded. Even when uploaded there should still be a copy in the chest.

The actual locations of these detections are possibly the most useful information.

OSA9.exe is associated with Office Startup Assistant for Office 97 or Office XP (but a file name is no guarantee it is correct). Do you have MS Office?
MSOHELP.exe and Graph9.exe are also associated with MS Office. The A0079596.EXE file in the System Volume Information location is no doubt a match for one of the above files, as System Restore would make a restore point if it is deleted or moved.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here: post the URL in the address bar of the VT results page. You can't do this with the file securely in the chest; you need to open the chest, right-click on the file and select 'Extract' to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield: Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.


Offline Davy

  • Full Member
  • ***
  • Posts: 139
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #4 on: September 08, 2012, 09:35:59 PM »
Yes, I use MS Office 2000 full version (2 CDs).

1) OSA9.exe    https://www.virustotal.com/file/09acb6cdf3a750be7b1d01cceade5e4fa298e5f97405a6b6116e4caaf8e49b88/analysis/1347131174/

2) MSOHELP.exe  https://www.virustotal.com/file/474cb9c4afd160dcf808ce129732de758d94a2c0b69a53d3315ed76ec91beb86/analysis/1347132298/

3) Graph9.exe: I can only find Graph9.dll, looked all through. OSA9 I can only see in the Prefetch folder.

I will have another look later. I've no problem at all with any Office 2000 tools. I trust that this is partly the data that you want. Whilst composing this an Avast update popped up, so I guess the virus chest would have been uploaded.

Thanks, Dave




Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37070
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #5 on: September 08, 2012, 09:40:03 PM »
Quote
Whilst composing this an Avast update popped up, so I guess the virus chest would have been uploaded.
If you still have the files in the chest... you can right-click the file(s) and rescan them in the chest to see if they are still detected.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85384
  • No support PMs thanks
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #6 on: September 08, 2012, 09:49:21 PM »
I still don't know the location of these files, and that gives a very good indication of the legitimacy of the file or not; that is why it was asked for.

Re 1: you uploaded the wrong file, not the one sent to the chest; that is a .pf file, not the original, so I'm not surprised that there were no detections on VT. You need to extract the file from the chest as outlined in my last post, so that it can be uploaded.

Re 2: since there are no detections in the VT results (even for avast), scan the copy in the chest and see if it is still detected?

Re 3: if you sent the files to the chest?
Then there is little chance that they would be found on a search, as the avast chest is a protected area; again, that is why the file has to be extracted from the chest (and the location it is going to be extracted to created and excluded), so that it can be uploaded.

Offline Davy

  • Full Member
  • ***
  • Posts: 139
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #7 on: September 08, 2012, 11:12:08 PM »
Righto, thanks guys.

I right-clicked the files in the chest and they all scanned as 'infected'. Just clicked..... that's why I couldn't find the files - they're in the chest, right? If only I'd looked there!

I just did another scan with Malwarebytes, but not in safe mode this time, and it came up clean as a whistle.... nothing unusual in Task Manager or in AppData (yep, I've got hidden files open); also had a scout round the registry and it looks OK as per some web site suggestions.

So I need to create a folder on the C drive, then extract the virus chest to it, then tell Avast to exclude that file..... and that would let me send it to VirusTotal, I guess!

BTW: I do keep a clean install copy and a cloned copy of this drive, so no worries should it decide to play nasty... meaning, I don't mind taking a risk in putting the infected files back to try.

Thanks for your patience!

Dave


Offline iroc9555

  • CCS, Vzla.
  • Avast Überevangelist
  • Starting Graphoman
  • *****
  • Posts: 7458
  • No soporte por PM.
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #8 on: September 08, 2012, 11:24:10 PM »
I right-clicked the files in the chest and they all scanned as 'infected'.......

Too soon to have been corrected if F/P.


I just did another scan with Malwarebytes, but not in safe mode this time, and it came up clean as a whistle....

No need to scan with MBAM in Safe Mode. A quick or fast scan is enough. Also, if you have MBAM as a second scanner, you should have run it before moving those files to the Avast! chest, for a second opinion.


So I need to create a folder on the C drive, then extract the virus chest to it, then tell Avast to exclude that file..... and that would let me send it to VirusTotal, I guess!

Yes, exactly as DavidR told you.
Hernan.
Dim 9200. C2D E6600; 2.40GHz. 4GB DDR2 RAM. XP Pro x86. SP3. IE8 & FF41. Avast FREE 2015. CIS 5.12 (FW/D+). MBAM Premium. MCShield. WinPatrol+. SpywareBlaster. OpenDNS. uBlock. WOT. Sandboxie


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85384
  • No support PMs thanks
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #10 on: September 09, 2012, 12:27:25 AM »
The file in the System Volume Information folder was a copy of the OSA9.EXE that was moved to the chest and subsequently found in the System Volume Information folder as A0079596.EXE on a later scan. Don't do anything about this one; it can be deleted from within the chest.

The others, OSA9.exe, MSOHELP.exe and Graph9.exe: since only GData and avast detect them, and GData uses avast as one of its two scanners, that counts as 1 detection and is almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest, right-click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update. A link to this topic wouldn't hurt.

- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add, and
avast Settings, Exclusions

Restore it to its original location and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected you can also remove it from the File System Shield and avast Settings exclusions lists.

Note: When using the Browse button it only goes down to folder level; accept that. Now open the entry in the exclusions and change the \* to \file_name.exe, where file_name.exe is the file you want to exclude.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37070
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #11 on: September 09, 2012, 12:33:14 AM »
First and last file:

First seen by VirusTotal
2009-07-08 21:53:46 UTC (3 years, 2 months ago)

It is also the same file... different name.

SHA256: 6acee23532093e68e5c523e7fe49e619190806722831f3678c6c190234d4651c
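
The check Pondus is making above (two differently named files are the same sample because their SHA-256 matches) and the C:\Suspect extraction folder DavidR describes can be combined into a small triage script. The following is an added example, not code from the thread or from avast; it hashes every file extracted into a scan-excluded folder, groups byte-identical copies together (so a System Volume Information copy such as A0079596.EXE is recognised as a duplicate of the original rather than a second infection), and prints the VirusTotal lookup URL for each unique digest. The VirusTotal URL shape and the sample bytes used in the demo are assumptions/constructed data; the demo files are not the real Office binaries.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

CHUNK = 1 << 20  # read 1 MiB at a time so a large executable is never loaded whole


def sha256_of(path):
    """Hex SHA-256 of a file; this digest is the identifier VirusTotal keys its reports on."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def vt_lookup_url(sha256_hex):
    """Assumed URL shape (not from the thread): VT's web UI accepts a SHA-256 as the file id."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex


def group_by_hash(paths):
    """Map each SHA-256 to the files that have it.

    Files sharing a digest are one sample under several names, e.g. the
    quarantined original and the copy System Restore kept of it.
    """
    groups = defaultdict(list)
    for p in paths:
        groups[sha256_of(p)].append(p)
    return dict(groups)


def triage_folder(folder):
    """Walk a scan-excluded folder of extracted samples; return one record per unique file."""
    paths = [os.path.join(root, name)
             for root, _dirs, names in os.walk(folder)
             for name in names]
    records = []
    for digest, members in sorted(group_by_hash(paths).items()):
        records.append({
            "sha256": digest,
            "files": sorted(os.path.basename(m) for m in members),
            "duplicates": len(members) - 1,  # extra copies of the same bytes
            "url": vt_lookup_url(digest),
        })
    return records


def demo():
    """Constructed sample set: three files, two of which are byte-identical copies."""
    tmp = tempfile.mkdtemp(prefix="Suspect_")
    fake_osa = b"MZ" + b"\x90" * 64 + b"constructed-sample-OSA9"
    fake_help = b"MZ" + b"\x90" * 64 + b"constructed-sample-MSOHELP"
    for name, data in [("OSA9.exe", fake_osa),
                       ("A0079596.EXE", fake_osa),   # restore-point copy of OSA9.exe
                       ("MSOHELP.exe", fake_help)]:
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
    return triage_folder(tmp)


if __name__ == "__main__":
    # Point triage_folder() at C:\Suspect after extracting from the chest;
    # demo() runs the same logic on the constructed files instead.
    for rec in demo():
        print(rec["sha256"], rec["files"], "duplicates:", rec["duplicates"])
        print("   ", rec["url"])
```

Run it against the folder you extracted the chest into, not the original locations, and keep that folder on the File System Shield exclusion list while the files sit there, otherwise the shield will quarantine them again before they can be hashed or uploaded.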

Offline Davy

  • Full Member
  • ***
  • Posts: 139
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #12 on: September 09, 2012, 12:36:32 AM »
All uploaded and ready to go at the next update.

Thanks, Dave

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85384
  • No support PMs thanks
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #13 on: September 09, 2012, 01:06:24 AM »
As I said before, I wouldn't wait for the next update; I would initiate a manual virus definitions update check so they get sent right away.

Offline Davy

  • Full Member
  • ***
  • Posts: 139
Re: Win32 Trojan-gen & Win32 Malware-gen
« Reply #14 on: September 09, 2012, 01:24:43 AM »
I already did that manual update after I'd posted, thanks.

Thanks for your help, will now hang fire a while.

Dave