How to interpret virus detection

[REDACTED]

Hi,

my Avast (2015.10.0.2208 with signatures 150216-0) reports suspicious activity (see attachment). There are 2 files mentioned: One is the "object" (ctfxwlauncher) and one the "process" (rundll32). Now which one is the actual virus? Or what is so suspicious about them? Explicit scanning of both files did not find anything.

Thanks in advance,
Alex

[Pondus]

win32:Evo-Gen [susp] = Suspicious ... a on access detection only and will not show in any scan

Process is the one starting the activity and Object is the detected file

upload (ctfxwlauncher.exe) and test file here  www.virustotal.com  if tested before, click rescan for a fresh result
post link to scan result here

[REDACTED]

Thanks for your quick reply and the explanation.
I've already tested the file on virustotal before. Here's the result:
https://www.virustotal.com/de/file/4b74e3aa3ade083f03984e87f8d67da72d9a7bbaaacef23dd1dd28dcfcd14dca/analysis/1424096044/

Rundll32 is also clean.
I'll have to check what it is executing next time the issue appears. Maybe some explorer plugin or the like.

Alex

[Asyn]

You can report a possible FP here: https://www.avast.com/contact-us.php?subject=VIRUS-FILE

[REDACTED]

But if it's the interaction between rundll32 and ctfxwlauncher that is suspicious, then reporting ctfxwlauncher as FP could be misleading, couldn't it? I think I'll rather do some more investigation before.

Thanks,
Alex

[Asyn]

1. But if it's the interaction between rundll32 and ctfxwlauncher that is suspicious, then reporting ctfxwlauncher as FP could be misleading, couldn't it?
2. I think I'll rather do some more investigation before.

1. Not really, as the guys in the viruslab have always the final word.
2. Well, that's up to you.

[Pondus]

Thanks for your quick reply and the explanation.
I've already tested the file on virustotal before. Here's the result:
https://www.virustotal.com/de/file/4b74e3aa3ade083f03984e87f8d67da72d9a7bbaaacef23dd1dd28dcfcd14dca/analysis/1424096044/

Rundll32 is also clean.
I'll have to check what it is executing next time the issue appears. Maybe some explorer plugin or the like.

Alex

ctfxwlauncher.exe  First submission 2013-11-13 01:07:14 UTC ( 1 year, 3 months ago )

[REDACTED]

Hi Pondus,

sorry, but may I ask you to explain what your last post is supposed to tell me? I don't get it.

Alex

[Pondus]

there should be lots of detections on a file that old if it was infected, if very new it may not be detected yet

[Pondus]

example .... very old malware, file infector sality

First submission 2010-03-16 17:20:01 UTC ( 4 years, 11 months ago )
https://www.virustotal.com/en/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/


this was new 5 days ago ... fake FedEx mail attachment
https://www.virustotal.com/en/file/6dce201592cabc16afa0775cabea10377d7a3f7e7aacba777e2fbd3fae54aafc/analysis/1423616065/

two days later
https://www.virustotal.com/en/file/6dce201592cabc16afa0775cabea10377d7a3f7e7aacba777e2fbd3fae54aafc/analysis/

[REDACTED]

Good point. So my intention was right to look for a different cause.