Author Topic: found W32:Trojan-gen{other} during ALzip install  (Read 15846 times)


movrshakr

  • Guest
found W32:Trojan-gen{other} during ALzip install
« on: July 22, 2008, 06:19:38 PM »
While installing Alzip (ESTsoft), I received an avast notification that it found W32:Trojan-gen{other} in C:\Windows\is-LJ1CI.exe. I tried to send it to Virus Total both through SSL and normal.  It returns a screen saying "0 bytes size received."  Yet the file is 55,808 bytes.

What now?  I did send the file to avast through the avast function to do that.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #1 on: July 22, 2008, 07:42:12 PM »
Try copying it to a temporary location, the original in that location might be protected.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

movrshakr

  • Guest
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #2 on: July 22, 2008, 08:14:13 PM »

I =did= have it in a separate location...had extracted it from the chest into C: root...then tried to send it to Virustotal from that location.

I have to leave the house right now...will investigate the other suggestions you had in about 2 hours when I return.

LATER: to clarify, avast was not alerting when I tried to send it...the receiving site just put up the page saying 0 bytes.
« Last Edit: July 22, 2008, 09:34:51 PM by movrshakr »

movrshakr

  • Guest
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #3 on: July 22, 2008, 09:24:28 PM »
deleted dup
« Last Edit: July 22, 2008, 10:03:28 PM by movrshakr »

movrshakr

  • Guest
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #4 on: July 22, 2008, 09:34:12 PM »
deleted dup
« Last Edit: July 22, 2008, 10:03:06 PM by movrshakr »

movrshakr

  • Guest
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #5 on: July 22, 2008, 09:35:09 PM »

I did create a folder (C:|Suspect_files) and added it to the do-not-scan list.  However, when I extract it from the chest and store it in that location, avast still alerts.

Nevertheless, I tried to upload it to Virustotal. When on the Virustotal page and I begin navigating to the location with the file--using the Browse button on the page--once I drill down to the location, highlight the file, and click Open, I get this:



movrshakr

  • Guest
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #6 on: July 22, 2008, 09:37:23 PM »

(Aside:  whoa...apparently doing a "Modify" creates an entirely new post.  Sorry about that....won't modify any more.)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #7 on: July 22, 2008, 09:55:48 PM »
You can go into one of the posts and modify it leaving <deleted - duplicate> or words to that effect. Doing a modify shouldn't create a duplicate post, don't know what went wrong there. There is also a little icon in the posts like a piece of paper and a stubby pencil, click that, it is an in-line editor.

I know why avast didn't alert, usually you didn't add it to the resident exclusions in the standard shield as in my original post. If you did that then exactly what did you enter ?

I notice that there is a typo in what you have posted here, with a Pipe | and not a colon :

If you right click on the file and select properties, security perhaps you can try taking ownership of it, it may also be a read only file, etc.
« Last Edit: July 22, 2008, 09:58:13 PM by DavidR »

movrshakr

  • Guest
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #8 on: July 22, 2008, 10:24:31 PM »
> ...I know why avast didn't alert, usually you didn't add it to the resident exclusions in the standard shield as in my original post. If you did that then exactly what did you enter ?

I did it exactly as previously described, and I just went back and did a check look again...C:\Suspect_files IS THERE in the list at the bottom.

> I notice that there is a typo in what you have posted here, with a Pipe | and not a colon :

Yes, that was a typo... it is C:\Suspect_files

> If you right click on the file and select properties, security perhaps you can try taking ownership of it, it may also be a read only file, etc.

Done that already...
Owner is Administrators
On that file, Administrators have all permissions checked except 'special.'
Users have 'read & execute' and 'read' checked. (Kind of strange how read is OK'ed there twice)

I gave Users 'full control'  thinking that might be why the send-it-to-virustotal was failing, but there was no change; exactly the same rejection appears as shown previously.

This is a highly unusual situation and I would appreciate continued help to resolve it.
Is this some highly advanced virus/trojan that has implemented a way to prevent being sent to scanners?  Or what.  It is totally unbelievable that a file can prevent itself from being transferred to another site.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #9 on: July 23, 2008, 12:30:55 AM »
So your exclusion entry is like this C:\Suspect_files\* (you didn't show it in your reply), the asterisk is important, it is a wild card for all files and/or sub folders in the C:\Suspect_files folder ?

The strange thing is a google search for the file name you gave only returns one hit, this topic, and to me that is also suspicious, certainly for a file in the windows folder. I wouldn't have thought it would be generating random executable file names.

You could try to upload the complete installer file, alzip.exe (6.5MB) to virustotal. I would have downloaded it and tried to upload it, but I'm on dial-up and that would have taken a long time.

Other than that I'm at a loss as to what else to suggest, as I would have thought what had been suggested would get round the problem. I'm just an avast user like yourself.

movrshakr

  • Guest
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #10 on: July 23, 2008, 12:55:01 AM »
> So your exclusion entry is like this C:\Suspect_files\* (you didn't show it in your reply), the asterisk is important it is a wild card for all files and or sub folder in the C:\Suspect_files folder ?...

Arghhh...the window where you put that says to put in the LOCATION! A location is a folder, not a folder + an asterisk.

Cannot correct that right now as I am into a thorough full scan...will be awhile before that finishes.  Then I will correct it and try to send the file again.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #11 on: July 23, 2008, 01:08:48 AM »
Whilst it mentions Location you should have seen examples of the use of wild cards (the *) and that is why it was in the original explanation on what to do because the interface isn't too clear.

movrshakr

  • Guest
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #12 on: July 23, 2008, 01:14:03 AM »

That was what was preventing the upload (not having the asterisk), but there were sure no clues during the attempts as to avast being the cause.

Nevertheless the results are below...7 of 32 show a hit; generally Hupigon.  No clue where I got this virus from--I am very careful.
Anyone know what the vector is for this?
Strange thing...Virustotal shows no hit by avast, but avast was what alerted me.
Other than getting rid of this file, what else to do?

« Last Edit: July 23, 2008, 01:21:17 AM by movrshakr »
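
Added example, not part of any post in this thread: a local read check for the symptom discussed above, where the upload arrived as 0 bytes although the file is 55,808 bytes. It compares the size the file system reports with the bytes that can actually be read, and returns a SHA-256 that can be used for a hash lookup; the function names and the constructed sample file are assumptions of the example.

```python
import hashlib
import os
import tempfile


def read_check(path, chunk_size=65536):
    """Compare the size the file system reports with the bytes actually readable."""
    result = {"path": path, "stat_size": None, "bytes_read": 0,
              "sha256": None, "verdict": None}
    try:
        result["stat_size"] = os.stat(path).st_size
        digest = hashlib.sha256()
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(chunk_size), b""):
                digest.update(chunk)
                result["bytes_read"] += len(chunk)
    except OSError as exc:
        # A denied or failed read (permissions, a scanner holding the file,
        # a missing path) surfaces here instead of as a silent empty upload.
        result["verdict"] = f"unreadable: {exc.__class__.__name__}"
        return result
    if result["bytes_read"] != result["stat_size"]:
        result["verdict"] = "short read: content not fully readable"
    else:
        result["sha256"] = digest.hexdigest()
        result["verdict"] = "readable"
    return result


def demo():
    """Run the check on a constructed 55,808-byte file and on a missing path."""
    with tempfile.TemporaryDirectory() as folder:
        sample = os.path.join(folder, "constructed-sample.bin")
        with open(sample, "wb") as handle:
            handle.write(b"\x00" * 55808)  # constructed content, not the real file
        good = read_check(sample)
        missing = read_check(os.path.join(folder, "does-not-exist.bin"))
    return good, missing


if __name__ == "__main__":
    for report in demo():
        print(report)
```

A verdict other than "readable" on the local machine points at something local interfering with the read before the browser ever sends the file.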

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #13 on: July 23, 2008, 01:15:24 AM »
The help file seems ok...

> Strange thing...Virustotal shows no hit by avast, but avast was what alerted me.
It happens... I mean, the different detection.

To be sure you're clean, I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

movrshakr

  • Guest
Re: found W32:Trojan-gen{other} during ALzip install
« Reply #14 on: July 23, 2008, 01:23:30 AM »

I use Spyware Blaster and Secunia all the time.  I will do the other steps.

LATER:
DONE: 1. Disable System Restore and reenable it after step 3.
DONE USING CCLEANER: 2. Clean your temporary files.
===Now running DrWeb CureIT =======

As for 3, next step, I did that earlier (did not discuss it here then).  It started, and the text-only screen was showing the scan in progress.  I left the machine with boot scan running, but when I returned much later, machine was on, screen was black, everything unresponsive to mouse, touchpad, any key.  I had to hard kill power (hold button).  Coming back up I had the failure to start situation and had to run the 'do you want to try to repair start up.'  I don't like severe failures like that.

3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector. (DONE REGULARLY, WILL REPEAT)
« Last Edit: July 23, 2008, 02:18:41 AM by movrshakr »