Author Topic: Win32:DH fp?  (Read 12421 times)


REDACTED

  • Guest
Win32:DH fp?
« on: February 20, 2017, 06:40:04 PM »
Hello,

Avast found a virus called "win32:DH" (rated high) on 15/02/17. I had not noticed this; it was not automatically moved or dealt with, so it has only manually been put in the chest today. The subsequent quick scans (16th-20th, daily) have all been fine.

Searched this forum and found a German thread, which seemed to list a similar thing as a false positive. I am, however, relying on my rather poor German and Google translation...

The file the virus is associated with looks like an old Malwarebytes setup file, last changed in 2015, which seems a bit odd? I've checked my Malwarebytes log and the two programs were not running at the same time; as I understand it, they might clash? My computer was recently serviced, so it's unlikely there would be malware from that long ago, unless I'm misunderstanding the "last changed" column.

Ran Malwarebytes normally, then in safe mode; nothing detected. Boot-time scan with Avast running, at 4%; this may take some time to complete.

After that I will do a full scan with Avast; this will probably take a few hours to complete.

CPU around 2-10% when idle (normal for my system).
Memory around 13%; again, this is normal.

I struggled to find information for win32:DH; there was some for win32/DH and various versions, which might be the same sort of thing?

I'm tempted to change login details, passwords etc., and I have used a debit card online in the past few days, so may need to contact my bank? Although I have seen no odd activity as of yet.

I've disconnected my laptop to be on the safe side; writing this from a tablet.

I'm somewhat computer literate, but obviously not totally on the ball. Any insights or advice would be greatly appreciated :)

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32:DH fp?
« Reply #1 on: February 20, 2017, 06:45:56 PM »
Submit the file to Virustotal and post the link to the result here.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32:DH fp?
« Reply #2 on: February 20, 2017, 07:03:17 PM »
Quote
Boot-time scan with Avast running, at 4%; this may take some time to complete.

After that I will do a full scan with Avast; this will probably take a few hours to complete.
Why run both, and why run a boot-time scan? It does not give any better detection.
A boot-time scan is something you use if you have problems removing an infection or if Avast itself recommends it after a detection.

A quick scan targets all areas where actively running malware would be.
« Last Edit: February 20, 2017, 07:08:10 PM by Pondus »

REDACTED

  • Guest
Re: Win32:DH fp?
« Reply #3 on: February 20, 2017, 07:19:13 PM »
Thanks for the reply. I've been googling how to upload the file; I'm guessing I need to extract it from the chest or restore it, then just upload it to VirusTotal? Sorry if this is a stupid question.

I ran multiple scans because the info I found said the file was a self-replicating trojan; my thinking being it might have copied itself. Whether there is any merit in this, I don't know.

Also, as you have probably noticed I don't know an awful lot about dealing with potential viruses!

Again, thanks for getting back to me, guys. I know noob questions must be a pain.

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6700
  • Trust only what you test yourself!
Re: Win32:DH fp?
« Reply #4 on: February 20, 2017, 07:28:20 PM »
That's what we do. If you don't ask you may not ever find out.
If you have the time, we have the patience.
The only "bad" question is the one not asked.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32:DH fp?
« Reply #5 on: February 20, 2017, 07:33:04 PM »
Quote
Thanks for the reply. I've been googling how to upload the file; I'm guessing I need to extract it from the chest or restore it, then just upload it to VirusTotal? Sorry if this is a stupid question.
Correct, and if you see it as scanned before, click rescan for a fresh result.


REDACTED

  • Guest
Re: Win32:DH fp?
« Reply #6 on: February 20, 2017, 07:43:34 PM »
Cheers, file restored and uploaded:

https://www.virustotal.com/en/file/78f6a591bb8d384209a1011ced4c40c28877f7df1e5ccdaba62e0f6c2aa36659/analysis/

Malwarebytes is happy with the file, Avast flags it; don't know if this is relevant.

Any confirmation or input would be most excellent.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32:DH fp?
« Reply #7 on: February 20, 2017, 07:55:59 PM »
First submission 2015-04-16 15:41:48 UTC ( 1 year, 10 months ago )

Authenticode signature block and FileVersionInfo properties
Copyright(c) Malwarebytes Corporation. All rights reserved.
Product Malwarebytes Anti-Malware
File version 2.1.6.1022
Description Malwarebytes Anti-Malware
Comments This installation was built with Inno Setup.
Signature verification Signed file, verified signature
Signing date 6:40 PM 4/14/2015
Signers   
  • Malwarebytes Corporation
  • VeriSign Class 3 Code Signing 2010 CA
  • VeriSign

Counter signers   
  • Symantec Time Stamping Services Signer - G4
  • Symantec Time Stamping Services CA - G2
  • Thawte Timestamping CA


So a False Positive.

Not important in this case, but you did not do the rescan as I suggested above:
Analysis date:   2017-02-20 00:33:21 UTC ( 18 hours, 22 minutes ago )

« Last Edit: February 20, 2017, 07:59:09 PM by Pondus »
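A local way to gather the same evidence Pondus read off the VirusTotal report (file hash, Authenticode status, signer, countersignature) before deciding a detection is a false positive. This is an added PowerShell example, not code from the thread; it assumes PowerShell 5.1 or later, that the file has been restored from the Virus Chest to a folder excluded from scanning, and the path and expected signer name are placeholders.

```powershell
# Added example: triage a file an AV flagged by checking its hash and Authenticode signature.
function Test-SignedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSigner = 'Malwarebytes Corporation'   # placeholder: the vendor you expect
    )
    # SHA-256 lets you look the file up on VirusTotal by hash instead of uploading it again.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()

    # Windows verifies the certificate chain and that the signed hash still matches the file.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $tsa  = $sig.TimeStamperCertificate

    $signerMatches = $false
    if ($cert) { $signerMatches = ($cert.Subject -match [regex]::Escape($ExpectedSigner)) }

    [pscustomobject]@{
        File           = Split-Path -Path $Path -Leaf
        SHA256         = $sha256
        VirusTotalUrl  = "https://www.virustotal.com/en/file/$sha256/analysis/"
        SignatureState = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        StatusMessage  = $sig.StatusMessage
        Signer         = if ($cert) { $cert.Subject } else { $null }
        Thumbprint     = if ($cert) { $cert.Thumbprint } else { $null }
        CertValidTo    = if ($cert) { $cert.NotAfter } else { $null }
        # A countersignature (timestamp) is why a 2012 or 2015 signature still verifies in 2017.
        Countersigned  = [bool]$tsa
        TimestampedBy  = if ($tsa) { $tsa.Subject } else { $null }
        # A valid chain plus the expected signer is the evidence used above to call this a FP;
        # a HashMismatch or NotSigned result would instead justify keeping the file quarantined.
        LooksLikeFP    = (($sig.Status -eq 'Valid') -and $signerMatches)
    }
}

# Usage (placeholder path):
# Test-SignedInstaller -Path 'C:\Quarantine\mbam-setup-2.1.6.1022.exe' | Format-List
```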

REDACTED

  • Guest
Re: Win32:DH fp?
« Reply #8 on: February 20, 2017, 08:04:04 PM »
Phew, was in panic mode earlier.

Massive thanks for helping out, I really appreciate it :)

I suppose a lot of folk you give advice to will fade into the ether without acknowledging you guys' assistance, which must be somewhat disheartening. So just want to say thanks again and keep up the great work! 8)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32:DH fp?
« Reply #9 on: February 20, 2017, 08:05:59 PM »
You're welcome.

Have notified Avast so they can fix the FP ;)


Offline TrueIndian

  • Poster
  • *
  • Posts: 433
Re: Win32:DH fp?
« Reply #10 on: February 21, 2017, 03:57:41 AM »
This detection is more of a heuristic. I have seen it with AVG, so it may be that.

Probably FP.

Don't worry, it just means they are looking out for you 8)

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32:DH fp?
« Reply #11 on: February 21, 2017, 04:11:21 AM »
Looks like a FP that was in AVG and has now been transferred to Avast due to the merging of the databases.

Offline savcin

  • Avast team
  • Full Member
  • *
  • Posts: 113
Re: Win32:DH fp?
« Reply #12 on: February 21, 2017, 10:02:11 AM »
I can confirm that the file has clean status now.

Offline catrike

  • Jr. Member
  • **
  • Posts: 35
Re: Win32:DH fp?
« Reply #13 on: February 22, 2017, 04:20:53 PM »
On top of getting SLAMMED with VBS:Malware-gen false positives yesterday, I also had 8 of my 12 archived versions of Malwarebytes (mbam-setup-xxxxx), which Avast has scanned a jillion times and always found clean, suddenly thrown into the Avast Virus Vault out of the blue, allegedly infected with Win32:DH.
« Last Edit: February 22, 2017, 04:39:29 PM by catrike »

Offline catrike

  • Jr. Member
  • **
  • Posts: 35
Re: Win32:DH fp?
« Reply #14 on: February 22, 2017, 04:55:24 PM »
I scanned one of my allegedly infected files. I would like to know what Downloader.Generic.gga is.

SHA256:   290bb5d83b8ed16ea339f355ec3df890b43b24ff415ebe02a062ae60954a1373
File name:   mbam-setup-1.65.0.1400.exe
Detection ratio:   1 / 55
Analysis date:   2017-02-22 15:45:15 UTC ( 1 minute ago )
Probably harmless! There are strong indicators suggesting that this file is safe to use.

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright© Malwarebytes Corporation. All rights reserved.
Product Malwarebytes Anti-Malware
File version 1.65.0.1400
Description Malwarebytes Anti-Malware
Comments This installation was built with Inno Setup.
Signature verification  Signed file, verified signature
Signing date 10:04 PM 9/7/2012
Signers   
  • Malwarebytes Corporation
  • VeriSign Class 3 Code Signing 2010 CA
  • VeriSign

Counter signers   
  • COMODO Time Stamping Signer
  • USERTrust (Code Signing)

Packers identified
F-PROT INNO, appended
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17
Entry Point 0x00009C40
Number of sections 8

====================
ExifTool file metadata
UninitializedDataSize: 0
Comments: This installation was built with Inno Setup.
LinkerVersion: 2.25
ImageVersion: 6.0
FileSubtype: 0
FileVersionNumber: 1.65.0.1400
LanguageCode: Neutral
FileFlagsMask: 0x003f
CharacterSet: Unicode
InitializedDataSize: 17920
EntryPoint: 0x9c40
MIMEType: application/octet-stream
LegalCopyright: Malwarebytes Corporation. All rights reserved.
FileVersion: 1.65.0.1400
TimeStamp: 1992:06:19 23:22:17+01:00
FileType: Win32 EXE
PEType: PE32
SubsystemVersion: 4.0
ProductVersion: 1.65.0.1400
FileDescription: Malwarebytes Anti-Malware
OSVersion: 1.0
FileOS: Win32
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: Malwarebytes Corporation
CodeSize: 37888
ProductName: Malwarebytes Anti-Malware
ProductVersionNumber: 1.65.0.1400
FileTypeExtension: exe
ObjectFileType: Executable application
« Last Edit: February 22, 2017, 05:29:04 PM by catrike »
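An added PowerShell example, not from the thread, that reads the "PE header basic information" fields VirusTotal lists above (target machine, section count, compilation timestamp, entry point) straight from the file, and accounts for the odd 1992 timestamp: older Delphi compilers write a fixed build stamp into every binary, and Inno Setup installers are built with Delphi, so that value is a build-tool artifact rather than a sign of tampering. The path is a placeholder; it assumes PowerShell 5.1 or later.

```powershell
# Added example: parse the COFF and optional headers of a PE file and flag the Delphi build stamp.
function Get-PeHeaderSummary {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "Not an MZ executable: $Path" }

    $peOff = [BitConverter]::ToInt32($b, 0x3C)                       # e_lfanew: offset of "PE\0\0"
    if ($peOff -lt 0 -or ($peOff + 24) -gt $b.Length -or [BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) {
        throw "PE signature not found at offset $peOff"
    }
    $coff     = $peOff + 4                                             # IMAGE_FILE_HEADER
    $machine  = [BitConverter]::ToUInt16($b, $coff)
    $sections = [BitConverter]::ToUInt16($b, $coff + 2)
    $stamp    = [BitConverter]::ToUInt32($b, $coff + 4)                # TimeDateStamp (Unix seconds)
    $optSize  = [BitConverter]::ToUInt16($b, $coff + 16)               # SizeOfOptionalHeader
    $opt      = $coff + 20                                             # IMAGE_OPTIONAL_HEADER
    $entry    = $null
    if ($optSize -ge 20 -and ($opt + 20) -le $b.Length) {
        $entry = [BitConverter]::ToUInt32($b, $opt + 16)               # AddressOfEntryPoint (RVA)
    }

    $machineName = switch ($machine) { 0x14C { 'Intel 386 or later' } 0x8664 { 'x64' } default { '0x{0:X4}' -f $machine } }
    $stampUtc    = [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime

    # Older Delphi linkers always write 0x2A425E19 (1992-06-19 22:22:17 UTC) as the stamp; Inno Setup
    # is written in Delphi, so an installer showing this date is expected, not backdated by an attacker.
    $delphiStamp = ($stamp -eq 0x2A425E19)

    [pscustomobject]@{
        File                 = Split-Path -Path $Path -Leaf
        TargetMachine        = $machineName
        NumberOfSections     = $sections
        CompilationTimestamp = $stampUtc.ToString('yyyy-MM-dd HH:mm:ss') + ' UTC'
        EntryPoint           = if ($null -ne $entry) { '0x{0:X8}' -f $entry } else { 'n/a' }
        DelphiBuildStamp     = $delphiStamp
    }
}

# Usage (placeholder path):
# Get-PeHeaderSummary -Path 'C:\Quarantine\mbam-setup-1.65.0.1400.exe' | Format-List
```

For the file in the report above this would show 8 sections, entry point 0x00009C40, the 1992-06-19 22:22:17 UTC stamp and DelphiBuildStamp set to True.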