Author Topic: LaCie little disk and win32:trojan-gen (other)  (Read 22399 times)


marie-therese

  • Guest
LaCie little disk and win32:trojan-gen (other)
« on: October 10, 2008, 12:02:57 PM »
Good Morning,

I have a LaCie Little Disk to have an external backup to my PC.
I have Avast updated (the free version).

This morning, when willing to do a new backup, I got an alarm from Avast, saying that the file
LaCieSync_v7_o_306.exe was infected by Win32:Trojan-gen (other).
I have a version of this file on my PC and another one on the backup disk itself.
I tried both, and got an alarm with both.

I brought the backup disk to the office and ran an avast scan on it (avast also updated, free version), and here it doesn't find anything on the backup disk.

What should be my next steps?

Thank you very much.

marie-therese

  • Guest
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #1 on: October 10, 2008, 01:01:35 PM »
I was reading other posts and ran a Jotti scan on the file on the backup disk. The only one giving an alarm is Panda. The other scanners say: nothing found.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #2 on: October 10, 2008, 02:44:53 PM »
As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful: don't 'exclude' so many files that you leave your system in danger.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

VirusTotal is better than Jotti to test the file.
The best things in life are free.

marie-therese

  • Guest
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #3 on: October 10, 2008, 03:21:57 PM »
Thanks for your answer.

Are you sure it is a false positive?
I made a VirusTotal run; I'll put the result below. What do I do???
I must add that my firefox is also freezing sometimes... the computer doesn't react like always, so I am not sure it is a false positive...

 Fichier LaCieSync_v7_1_028.exe reçu le 2008.10.06 12:23:50 (CET)
Situation actuelle: terminé
Résultat: 3/36 (8.33%)
Antivirus    Version    Dernière mise à jour    Résultat
AhnLab-V3    2008.10.3.2    2008.10.06    -
AntiVir    7.8.1.34    2008.10.06    -
Authentium    5.1.0.4    2008.10.05    -
Avast    4.8.1248.0    2008.10.05    -
AVG    8.0.0.161    2008.10.05    -
BitDefender    7.2    2008.10.06    -
CAT-QuickHeal    9.50    2008.10.06    -
ClamAV    0.93.1    2008.10.06    -
DrWeb    4.44.0.09170    2008.10.06    -
eSafe    7.0.17.0    2008.10.05    Suspicious File
eTrust-Vet    31.6.6131    2008.10.06    -
Ewido    4.0    2008.10.05    -
F-Prot    4.4.4.56    2008.10.05    -
F-Secure    8.0.14332.0    2008.10.06    -
Fortinet    3.113.0.0    2008.10.06    -
GData    19    2008.10.06    -
Ikarus    T3.1.1.34.0    2008.10.06    -
K7AntiVirus    7.10.484    2008.10.04    -
Kaspersky    7.0.0.125    2008.10.06    -
McAfee    5398    2008.10.04    -
Microsoft    1.4005    2008.10.06    -
NOD32    3496    2008.10.06    -
Norman    5.80.02    2008.10.03    -
Panda    9.0.0.4    2008.10.05    -
PCTools    4.4.2.0    2008.10.05    -
Prevx1    V2    2008.10.06    Suspicious
Rising    20.65.02.00    2008.10.06    -
SecureWeb-Gateway    6.7.6    2008.10.06    Win32.Malware.gen#PEBundle (suspicious)
Sophos    4.34.0    2008.10.06    -
Sunbelt    3.1.1704.1    2008.10.05    -
Symantec    10    2008.10.06    -
TheHacker    6.3.1.0.101    2008.10.04    -
TrendMicro    8.700.0.1004    2008.10.06    -
VBA32    3.12.8.6    2008.10.05    -
ViRobot    2008.10.6.1408    2008.10.06    -
VirusBuster    4.5.11.0    2008.10.05    -
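The pasted report is the raw multi-engine table; what a triage reader wants from it is the detection ratio and whether any hit is a named family rather than a generic or heuristic verdict (the 3/36 above are "Suspicious", "Suspicious File" and a "...gen#PEBundle" packer heuristic). The following is an added example, not code from the forum or from VirusTotal: it parses a constructed subset of that table in the same four-column layout, summarises it, and computes the SHA-256 a submitter would quote to the vendor. The engine names and verdicts in the sample are copied from the report above; the marker list for "generic" verdicts is an assumption.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample (a subset of the report above): the same four-column,
# multi-space-separated layout of engine, version, last update, result.
SAMPLE_REPORT = """\
Antivirus    Version    Dernière mise à jour    Résultat
Avast    4.8.1248.0    2008.10.05    -
eSafe    7.0.17.0    2008.10.05    Suspicious File
Kaspersky    7.0.0.125    2008.10.06    -
Prevx1    V2    2008.10.06    Suspicious
SecureWeb-Gateway    6.7.6    2008.10.06    Win32.Malware.gen#PEBundle (suspicious)
Sophos    4.34.0    2008.10.06    -
"""

# Assumed markers of a heuristic/generic verdict rather than a named family.
GENERIC_MARKERS = ("gen", "suspicious", "heur", "packed", "pebundle")


@dataclass
class EngineResult:
    engine: str
    version: str
    updated: str
    verdict: str  # "-" means the engine reported nothing


def parse_report(text):
    """Turn the pasted table into EngineResult rows, skipping the header line."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 4 or parts[0] == "Antivirus":
            continue
        rows.append(EngineResult(*parts))
    return rows


def is_generic(verdict):
    v = verdict.lower()
    return any(marker in v for marker in GENERIC_MARKERS)


def summarize(rows):
    """Detection ratio, which engines fired, and whether every hit is generic."""
    flagged = [r for r in rows if r.verdict != "-"]
    named = [r for r in flagged if not is_generic(r.verdict)]
    return {
        "ratio": f"{len(flagged)}/{len(rows)}",
        "percent": round(100 * len(flagged) / len(rows), 2) if rows else 0.0,
        "flagged": [r.engine for r in flagged],
        "named_family_hits": [r.engine for r in named],
        "all_hits_generic": not named,
    }


def sha256_hex(data: bytes):
    """Fingerprint to quote when submitting the sample for analysis."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(summary)
    print("sha256 of an empty sample:", sha256_hex(b""))
```

A low ratio where every hit is generic is the pattern that justifies keeping the file quarantined and submitting it to the vendor rather than deleting it; a named family from a major engine would change that reading.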

marie-therese

  • Guest
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #4 on: October 10, 2008, 05:21:12 PM »
I tried the backup again at the office, and now it also says that it is infected...
Following your preceding instructions, I am not sure at all that it is a false positive...

What should I do? Send you the file??? How do I make my backup?

Thanks for your answer, I am very worried.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #5 on: October 10, 2008, 07:45:58 PM »
Are you sure it is a false positive?
Almost sure... it seems to be a clean old setup file... also, it's being triggered by the generic signatures of avast (-gen).

I must add that my firefox is also freezing sometimes...
This could happen for other reasons, not only virus infections...

What should I do?
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then re-enable it again.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

Send you the file???
Can you send the samples to virus@avast.com?
You can zip and password the files... Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

marie-therese

  • Guest
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #6 on: October 10, 2008, 09:22:05 PM »
I tried the boot with avast as you requested; it worked for some time, but after a while the PC went to sleep.... I had to restart it the hard way... Now I'll try the next software you recommended, but if you have another idea in the meantime, I'll be pleased to hear it...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #7 on: October 10, 2008, 09:23:43 PM »
I tried the boot with avast as you requested; it worked for some time, but after a while the PC went to sleep...
With avast scanning? It shouldn't...
Can you check your sleep/standby configurations and keep your computer running?

marie-therese

  • Guest
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #8 on: October 10, 2008, 09:24:42 PM »
I tried to download DrWeb CureIT!, but the link is not working... what do I do?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #9 on: October 10, 2008, 09:26:27 PM »
I tried the boot with avast as you requested; it worked for some time, but after a while the PC went to sleep.... I had to restart it the hard way... Now I'll try the next software you recommended, but if you have another idea in the meantime, I'll be pleased to hear it...
Try to download it on another computer... the link is working.
ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

marie-therese

  • Guest
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #10 on: October 11, 2008, 01:46:05 AM »
I have done the first 2 steps:

1. I cleaned the temporary files

2. I ran avast at boot level for the C and D disks. The external backup was not on.

The avast scan at boot level took a looooooooooooooonnnnnnnnnnnnnnggggggggggggggg time, and got 2 worms:

New Folder.0xe est infecté par Win32:Hakaglan [Wrm], Mis en quarantaine
LaCieSync_v7_1_028.exe est infecté par Win32:Trojan-gen {Other}, Mis en quarantaine

The Win32:Hakaglan [Wrm] was in several files.

I put all the files in quarantine, and I could delete them, but my only concern is for the LaCieSync_v7_1_028.exe file, as it is what permits me to use the external backup disk.

I did not do the following steps yet; I am waiting for your advice about what to do with what I found till now.

Note: I forgot to tell you that I also have PC Tools spyware protection on my PC, and this one doesn't find anything, but I can do the other ones you recommend.

wyrmrider

  • Guest
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #11 on: October 11, 2008, 02:12:46 AM »
PC Tools are good people; update and use it - sometimes it finds things and should help as a real-time preventer.

Microsoft has a tool for usb drive protection perhaps someone could comment if it might be useful and provide a link if so

Leave all files in quarantine or the avast chest - do not remove or delete anything till we are through.
do not fool with system restore

marie-therese

  • Guest
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #12 on: October 11, 2008, 02:15:14 AM »
ok

marie-therese

  • Guest
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #13 on: October 11, 2008, 02:22:05 AM »
I ran antispyware and got:

Adware.Tracking Cookie
   C:\Users\Marie-Thérèse\AppData\Roaming\Microsoft\Windows\Cookies\marie-thérèse@atdmt[1].txt
   C:\Users\Marie-Thérèse\AppData\Roaming\Microsoft\Windows\Cookies\marie-thérèse@ad.yieldmanager[1].txt
   C:\Users\Marie-Thérèse\AppData\Roaming\Microsoft\Windows\Cookies\marie-thérèse@weborama[1].txt
   C:\Users\Marie-Thérèse\AppData\Roaming\Microsoft\Windows\Cookies\marie-thérèse@laredoute.solution.weborama[2].txt

Looks like stuff for ads, nothing more, no??? I put them in quarantine as requested.

I'll do the antirootkit now.

marie-therese

  • Guest
Re: LaCie little disk and win32:trojan-gen (other)
« Reply #14 on: October 11, 2008, 02:33:12 AM »
Here is the result of step 4.

avast! Antirootkit, version 0.9.6
Scan started: samedi 11 octobre 2008 0:23:00

Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE]  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] CacheSizeInMB=0  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] CacheStatus=2  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] USBVersion=131072  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] ReadSpeedKBs=529  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] WriteSpeedKBs=0  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] PhysicalDeviceSizeMB=238472  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] RecommendedCacheSizeMB=0  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] HasSlowRegions=0  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] DoRetestDevice=0  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] DeviceStatus=4  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] LastTestedTime=-203495648  **HIDDEN**

Scan finished: samedi 11 octobre 2008 0:30:03
Hidden files found: 0
Hidden registry items found: 12
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

something to do with that???
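Reading an anti-rootkit report like the one above starts with two checks: do the tool's own totals match the lines it printed, and do the "hidden" items scatter across the system or all sit under one component. Here all twelve share one parent key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt, which is where Windows Vista's ReadyBoost records the removable drives it has tested (ReadSpeedKBs and PhysicalDeviceSizeMB are that feature's metrics), so the log describes one known Windows component rather than a spread-out footprint. The following is an added example, not code from the forum or from avast: it parses a constructed subset of the log in the same format, cross-checks the footer totals and groups the hidden items by key. The regular expressions and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the avast! Antirootkit log above
# (a subset of its lines, same layout; raw string so the backslashes survive).
SAMPLE_LOG = r"""
avast! Antirootkit, version 0.9.6
Scan started: samedi 11 octobre 2008 0:23:00

Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE]  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] CacheSizeInMB=0  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] ReadSpeedKBs=529  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\4}LE] PhysicalDeviceSizeMB=238472  **HIDDEN**

Scan finished: samedi 11 octobre 2008 0:30:03
Hidden files found: 0
Hidden registry items found: 4
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
"""

HIDDEN_RE = re.compile(
    r"^Registry item \[(?P<key>[^\]]+)\]"      # full key path in brackets
    r"(?: (?P<name>[^=\s]+)=(?P<value>\S+))?"  # optional value name=data
    r"\s+\*\*HIDDEN\*\*$"
)
FOOTER_RE = re.compile(r"^Hidden ([\w ]+) found: (\d+)$", re.M)


def parse_hidden_items(log):
    """(key, value_name, data) per hidden registry line; name is None for the key itself."""
    items = []
    for line in log.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            items.append((m["key"], m["name"], m["value"]))
    return items


def footer_counts(log):
    """The 'Hidden X found: N' summary lines as a dict keyed by X."""
    return {kind: int(n) for kind, n in FOOTER_RE.findall(log)}


def group_by_key(items):
    """Which value names were flagged under each registry key."""
    groups = defaultdict(list)
    for key, name, _ in items:
        groups[key].append(name or "(key itself)")
    return dict(groups)


def distinct_parents(items):
    """Parent keys of every flagged key: one parent means one component, not a scattered footprint."""
    return {key.rsplit("\\", 1)[0] for key, _, _ in items}


def counts_match(log):
    """Cross-check: parsed hidden registry lines equal the tool's own total."""
    return len(parse_hidden_items(log)) == footer_counts(log).get("registry items", -1)


if __name__ == "__main__":
    items = parse_hidden_items(SAMPLE_LOG)
    for key, names in group_by_key(items).items():
        print(key, "->", names)
    print("parents:", distinct_parents(items))
    print("totals consistent:", counts_match(SAMPLE_LOG))
```

Run against the full log above, the same functions give one parent key and twelve items matching the "Hidden registry items found: 12" footer; a report worth worrying about would show hidden files, processes or services, or hidden keys spread over unrelated parents.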