Author Topic: Avast found Win32: trojan-gen  (Read 19404 times)

yod12

  • Guest
Avast found Win32: trojan-gen
« on: August 04, 2008, 06:48:40 PM »
One of my computers found three instances of  Win32: trojan-gen. I have no idea how it got there. In 15 years of computing, I've never got a hint of a virus except an attempted trojan 3 years ago.

Avast found them and there's not much of a clue as to what to do. Delete, Repair, and Send to Chest are the options with a VERY brief description. Any more input about this?

Offline Justin_22

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 445
  • Free your soul and let it fly
Re: Avast found Win32: trojan-gen
« Reply #1 on: August 04, 2008, 06:51:45 PM »
The -gen indicates a generic detection, which can sometimes cause false positives.
Where are the files? If they are in the chest, you will need to extract them to a temporary folder (not the original location) to do this.
If they are still in the original location, please upload the files to www.virustotal.com and post the results here.
Avast!  2014 beta - Sandboxie - K9 Web Protection

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast found Win32: trojan-gen
« Reply #2 on: August 04, 2008, 08:29:32 PM »
To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com. VirusTotal has a file size limit of 10Mb. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders to manage the file(s).

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.
The best things in life are free.

yod12

  • Guest
Re: Avast found Win32: trojan-gen
« Reply #3 on: August 04, 2008, 10:52:57 PM »
Thanks,
I REALLY don't have time for this. But I put the files in the Chest. They're on another computer - I'd rather not use it until this is taken care of. Can you tell me how I would do this?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast found Win32: trojan-gen
« Reply #4 on: August 04, 2008, 11:45:28 PM »
I REALLY don't have time for this. But I put the files in the Chest. They're on another computer - I'd rather not use it until this is taken care of. Can you tell me how I would do this?
Can you rephrase? What exactly do you want to do?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89052
  • No support PMs thanks
Re: Avast found Win32: trojan-gen
« Reply #5 on: August 05, 2008, 01:11:11 AM »
Thanks,
I REALLY don't have time for this. But I put the files in the Chest. They're on another computer - I'd rather not use it until this is taken care of. Can you tell me how I would do this?

If you don't have time to confirm by analysis at virustotal (assuming this is what you are talking about), and post the results, then we are unlikely to be able to offer any advice on how to take care of the unknown.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder. Right click on the file in the Infected Files section of the chest and select Extract, from the pop-up navigate to the suspect folder, this will make a copy of the file/s you select in the c:\suspect folder.

Upload to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
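
An added example (not part of the thread and not Avast's own tooling): before uploading the copies extracted to C:\Suspect one at a time, this Python script records each file's size and SHA-256 by reading raw bytes only, and flags anything over the 10 MB limit mentioned in Reply #2. The function names, the temporary folder standing in for C:\Suspect, and the stand-in files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Size limit quoted in the thread (Reply #2); kept as a parameter, not a fixed fact.
THREAD_SIZE_LIMIT = 10 * 1024 * 1024


def sha256_of(path, chunk_size=65536):
    """Hash a file by reading it as raw bytes; the sample is never executed."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(folder, size_limit=THREAD_SIZE_LIMIT):
    """Return one record per regular file in the folder, sorted by name."""
    records = []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file() or entry.is_symlink():
            continue  # skip sub-folders and links; only extracted copies count
        size = entry.stat().st_size
        records.append({"name": entry.name, "size": size,
                        "sha256": sha256_of(entry),
                        "within_limit": size <= size_limit})
    return records


def forum_report(records):
    """Format the inventory as plain text that can be pasted into a post."""
    lines = []
    for rec in records:
        note = "ok to upload" if rec["within_limit"] else "over size limit"
        lines.append(f'{rec["name"]}  {rec["size"]} bytes  sha256={rec["sha256"]}  ({note})')
    return "\n".join(lines)


def demo():
    """Run against constructed, harmless stand-in files (not real samples)."""
    with tempfile.TemporaryDirectory() as suspect:  # stands in for C:\Suspect
        Path(suspect, "sample_a.bin").write_bytes(b"constructed test data")
        Path(suspect, "sample_b.bin").write_bytes(b"x" * 2048)
        return inventory(suspect, size_limit=1024)  # small limit to show the flag


if __name__ == "__main__":
    print(forum_report(demo()))
```

Keeping the hash alongside the posted scan result lets helpers confirm that everyone is discussing the same file, even after the copy in the temporary folder is deleted.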

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avast found Win32: trojan-gen
« Reply #6 on: August 05, 2008, 01:20:46 AM »
Hi yod12,

Well I have to fully agree with DavidR here. We cannot turn magic out of the blue if we have not a clue. If you have no access to that computer and informing on behalf of a third party, we need to have some more data because generic findings are really generic you see. If they are in the chest they cannot harm the user. To give advice, we need the VirusTotal scan results for the affected files, and a HijackThis log attached as a txt file would also be helpful.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

CharleyO

  • Guest
Re: Avast found Win32: trojan-gen
« Reply #7 on: August 05, 2008, 02:42:10 AM »
***

I will echo David and Polonus in that for us to help you, you must help us with the needed information. Only you have access to the problem and we must rely on you to provide us with the clues in order for us to become the detectives.


***

yod12

  • Guest
Re: Avast found Win32: trojan-gen
« Reply #8 on: August 05, 2008, 07:36:24 AM »
Thank you all very much! Much of this is Greek to me (pardon to any Greeks, it's a colloquial expression). I'm trying to decipher what David's saying... So I can create a folder in the C:\ drive. Sorry, I have no idea what you mean by excluding it in the S Shield, etc. I think I follow you about exporting them (one by one?) to that folder. I guess I can't just drag it to that folder? I imagine I may be able to figure out how to upload it. Again, I thank you all very much. Sorry I wasn't that clear in my previous post.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder. Right click on the file in the Infected Files section of the chest and select Extract, from the pop-up navigate to the suspect folder, this will make a copy of the file/s you select in the c:\suspect folder.

Upload to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89052
  • No support PMs thanks
Re: Avast found Win32: trojan-gen
« Reply #9 on: August 05, 2008, 03:03:42 PM »
You need to customise the standard shield provider to add exclusions.

Left click the avast icon and you should get a pop-up of the avast shields/providers, if you see a button called Details... >> click that and it will give a more detailed view, select the Standard Shield.

Now you are at the start point of my instruction on how to add an exclusion.
You will see a Customize button, click that.
You will see a number of Tabs, click the Advanced one.
Click the Add button, that will allow you to create a new exclusion.
Type or copy and paste the exclusion C:\Suspect\*, click OK.

yod12

  • Guest
Re: Avast found Win32: trojan-gen
« Reply #10 on: August 05, 2008, 11:17:05 PM »
I'll see if I can figure this out. I really appreciate your help. Someone over at CNET said that I have to restore the virus to its original location if I put it in the Chest. Is that right?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89052
  • No support PMs thanks
Re: Avast found Win32: trojan-gen
« Reply #11 on: August 05, 2008, 11:28:55 PM »
I have no idea of what was said at CNet or why, but here is the place to get avast related help. The worst possible place to put it would be the original location, as if it is a piece of malware then it would be active.

By Extracting it to a different location, even if it were malware it isn't active as any commands to run it in the original location wouldn't work in the temporary location.

That is why I told you to create the temporary location, c:\suspect folder and why you should exclude that folder so you can upload it to virustotal without avast alerting. This is the only way you can confirm if the detection is good or false.

I would recommend you don't waste your time at CNet as clearly they don't know what is going on. If you have any questions ask them here, where more people than you can shake a stick at (well 5 of them) are jostling to help you.

The one and only time it will be sent to its original location (restored) is if and when it is confirmed as a false positive detection and this hasn't been done.

yod12

  • Guest
Re: Avast found Win32: trojan-gen
« Reply #12 on: August 06, 2008, 08:16:49 AM »
So I create a 'suspect' folder and export these puppies in there. From looking quickly at the virustotal site, there's only an option to upload them (one by one?). Does it scan these files right away? Do I get a response? Are the results posted somewhere? What do I do with these things that are sitting in a 'suspect' folder in the meantime? Is it the same as the Avast Chest?
Thank you for your patient guidance. I really appreciate it!

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89052
  • No support PMs thanks
Re: Avast found Win32: trojan-gen
« Reply #13 on: August 06, 2008, 03:07:26 PM »
Yes you can only upload one at a time and they are scanned then (there may be a queue) and the results are displayed to the screen.

There is an option to email samples for analysis (you will have to check out the site for that, I've never used it), I don't know if this would allow for sending multiple samples and the response would come by email.

Leave them in the suspect folder until the situation is resolved, the same is true of the copy in the chest.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
« Last Edit: August 06, 2008, 03:09:04 PM by DavidR »

yod12

  • Guest
Re: Avast found Win32: trojan-gen
« Reply #14 on: August 08, 2008, 12:45:50 AM »
Thanks David,

So I uploaded one of the files to virustotal. It scanned and displayed the results as in a record. What do I do/how do I display the results here or anywhere else? I don't know what most of this stuff means.