Author Topic: yahho search protection detected Win32-Trojan-gen(other) on bootup?-false positi  (Read 10363 times)


Offline Southern Man

  • Full Member
  • ***
  • Posts: 118
Hi, I booted up the PC today and as soon as the desktop loaded avast flagged up a warning: detected Win32-Trojan-gen(other) in program files\yahoo\search protection\search protection.exe.
This is a first-time detection in Yahoo; I have had Yahoo for some years now, same program, never changed it, and nothing has ever been picked up before by avast. I did a FULL scan with Malwarebytes, Spybot and Spyware Terminator: NOTHING. Could this be a false positive?
Running Windows XP SP3, all updates installed.

southern man
Avast  Free 8.0.1483 Resident AV,Private Firewall 7.0.291.,Malwarebytes-(DEMAND),SuperAntispyware-(DEMAND),Winpatrol 26.1.2013,Firefox 20.0,Opera 11.64,Windows XP SP3,2 GB Ram,AMD Athlon 2600 Barton.

Offline mevcit

  • Full Member
  • ***
  • Posts: 190
  • shake me make me take me don't break me lolz^^
    • My YouTube Channel
The detections named Win32-Trojan-gen(other) are generic detections. It may be a false positive (maybe the .exe file is really infected). So before being sure, send the file to VirusTotal and see if any other AVs detect it. You can send the file to the Avast team as a false positive via the chest if you are sure that it is clean.
i want a player to give me cash, if you dont, you dont get no ass :P

Offline Southern Man

The detections named Win32-Trojan-gen(other) are generic detections. It may be a false positive (maybe the .exe file is really infected). So before being sure, send the file to VirusTotal and see if any other AVs detect it. You can send the file to the Avast team as a false positive via the chest if you are sure that it is clean.

Thanks for the quick reply back! OK, I will do what you suggested; I have sent the file to avast just now and will now also send the file to VirusTotal.
Just as a precaution I have deleted Yahoo Search Protection from Add/Remove and turned off System Restore, and will reboot and re-scan again with avast. Will get back to you, thanks.

southern man

Offline mevcit

I would see the VirusTotal result first instead of sending the file as a false positive immediately.

Offline Southern Man

Hi back, I have just sent the suspect file to VirusTotal; here are the results!


File ashChest.exe received on 2009.07.17 01:33:42 (UTC)
Current status: finished
Result: 0/36 (0.00%)
Antivirus    Version    Last Update    Result
a-squared    4.5.0.24    2009.07.17    -
AhnLab-V3    5.0.0.2    2009.07.16    -
AntiVir    7.9.0.220    2009.07.17    -
Antiy-AVL    2.0.3.7    2009.07.16    -
Authentium    5.1.2.4    2009.07.17    -
Avast    4.8.1335.0    2009.07.16    -
AVG    8.5.0.387    2009.07.16    -
BitDefender    7.2    2009.07.17    -
CAT-QuickHeal    10.00    2009.07.16    -
Comodo    1676    2009.07.17    -
DrWeb    5.0.0.12182    2009.07.17    -
eSafe    7.0.17.0    2009.07.16    -
eTrust-Vet    31.6.6617    2009.07.15    -
F-Prot    4.4.4.56    2009.07.17    -
F-Secure    8.0.14470.0    2009.07.16    -
Fortinet    3.120.0.0    2009.07.16    -
GData    19    2009.07.17    -
Ikarus    T3.1.1.64.0    2009.07.17    -
K7AntiVirus    7.10.794    2009.07.16    -
Kaspersky    7.0.0.125    2009.07.17    -
McAfee    5678    2009.07.16    -
McAfee+Artemis    5678    2009.07.16    -
McAfee-GW-Edition    6.8.5    2009.07.17    -
Microsoft    1.4803    2009.07.17    -
NOD32    4251    2009.07.16    -
nProtect    2009.1.8.0    2009.07.17    -
PCTools    4.4.2.0    2009.07.16    -
Prevx    3.0    2009.07.17    -
Rising    21.38.34.00    2009.07.16    -
Sophos    4.43.0    2009.07.17    -
Sunbelt    3.2.1858.2    2009.07.16    -
Symantec    1.4.4.12    2009.07.17    -
TheHacker    6.3.4.3.369    2009.07.16    -
TrendMicro    8.950.0.1094    2009.07.16    -
ViRobot    2009.7.16.1839    2009.07.16    -
VirusBuster    4.6.5.0    2009.07.16    -
Additional information
File size: 68640 bytes
MD5   : 34e6c608e21744bda2cfc5e89e293321
SHA1  : a478dd32b21670439aa6298bb593babd17183387
SHA256: 0a2b55d829fb226386fcd0fc4a5867e47ed338185da064497585ed553788cd4e
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2EB4
timedatestamp.....: 0x498A50F5 (Thu Feb 5 03:37:41 2009)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x26D2 0x3000 5.20 548bd48ae17e28619b8f83afe38b1e6e
.rdata 0x4000 0x2CEE 0x3000 5.41 3b100434e4e3ff57b401f3f8b8d92e7a
.data 0x7000 0x1A0 0x1000 0.13 afa9e89df8ca0ab5269a29603dc3a819
.ChestVi 0x8000 0x8 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x9000 0x5FF8 0x6000 5.70 81f886e8916d6e2ef7bda066b446ab28

( 0 imports )


( 0 exports )
TrID  : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 1536:OqPTWZeqHDkIfk2DyuV591iwXg1MP4+nf1p:OqP0CMPL
PEiD  : -
RDS   : NSRL Reference Data Set
-


southern man

comments?
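As an added example, not code from this thread or from VirusTotal: the Python below parses a pasted VT text report like the one above, counts detections, lists engines whose definitions were older than the scan date, and checks the report's hashes against the bytes of the file you actually have on disk. That last check matters here because the report is for a file named ashChest.exe rather than search protection.exe. The REPORT string is a constructed excerpt of three of the 36 rows above.

```python
import hashlib
import re
from datetime import date

# Constructed excerpt of the text report pasted above (three of its 36 rows).
REPORT = """\
File ashChest.exe received on 2009.07.17 01:33:42 (UTC)
Result: 0/36 (0.00%)
Antivirus    Version    Last Update    Result
Avast    4.8.1335.0    2009.07.16    -
Kaspersky    7.0.0.125    2009.07.17    -
Microsoft    1.4803    2009.07.17    -
MD5   : 34e6c608e21744bda2cfc5e89e293321
SHA256: 0a2b55d829fb226386fcd0fc4a5867e47ed338185da064497585ed553788cd4e
"""

# One engine row: name, version, YYYY.MM.DD last update, result ("-" means clean).
ROW = re.compile(r"^(\S+)\s{2,}(\S+)\s{2,}(\d{4})\.(\d{2})\.(\d{2})\s{2,}(\S.*?)\s*$",
                 re.M)

def parse_report(text):
    """Return (scan date, engine rows, {algo: hexdigest}) from a pasted report."""
    y, m, d = re.search(r"received on (\d{4})\.(\d{2})\.(\d{2})", text).groups()
    engines = [{"name": n, "version": v, "updated": date(int(yy), int(mm), int(dd)),
                "result": None if r == "-" else r}
               for n, v, yy, mm, dd, r in ROW.findall(text)]
    hashes = dict(re.findall(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-f]{32,64})", text, re.M))
    return date(int(y), int(m), int(d)), engines, hashes

def detections(engines):
    """Names of engines that returned anything other than clean."""
    return [e["name"] for e in engines if e["result"]]

def stale_engines(engines, scan_date):
    """Engines whose definitions were older than the scan date (VT can lag the desktop)."""
    return [e["name"] for e in engines if e["updated"] < scan_date]

def digests(data):
    """MD5/SHA1/SHA256 of the bytes you actually uploaded, keyed like the report."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}

def matches_report(data, hashes):
    """True only if every hash printed in the report equals the local file's hash."""
    local = digests(data)
    return bool(hashes) and all(local[k] == v for k, v in hashes.items())
```

Run `parse_report` on the full pasted text, then `matches_report` on the bytes of the flagged file itself; a False result means the verdict is for a different file.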

Offline Southern Man

I would see the VirusTotal result first instead of sending the file as a false positive immediately.
Hi, just posted it. If I am not mistaken nothing was detected by anyone, am I correct?

southern man

Offline mevcit

I would see the VirusTotal result first instead of sending the file as a false positive immediately.
Hi, just posted it. If I am not mistaken nothing was detected by anyone, am I correct?

southern man

Yes, none of them. Now we can believe that it is clean. :) Btw, if you're lucky, avast! team will exclude it from the database in a short time. Otherwise you'll have to exclude it in both standard shield and program settings manually because sometimes avast! team doesn't examine the files submitted by users at all. ;D

Offline mevcit

Wait? avast! also didn't detect it on VT? lol ;D Actually VT doesn't give the true results every time. Mmm, but I think it's still a false positive.

Offline Southern Man

I would see the VirusTotal result first instead of sending the file as a false positive immediately.
Hi, just posted it. If I am not mistaken nothing was detected by anyone, am I correct?
Thank you for your kind reply back, I am a bit relieved now. I have had some false positives before with avast, not many happily!, but had quite a lot when I used A2 SQUARED FREE.
 
southern man
southern man

Yes, none of them. Now we can believe that it is clean. :) Btw, if you're lucky, avast! team will exclude it from the database in a short time. Otherwise you'll have to exclude it in both standard shield and program settings manually because sometimes avast! team doesn't examine the files submitted by users at all. ;D

Offline mevcit

I think you missed some parts in your post as i only see the quote.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84910
  • No support PMs thanks
It isn't unusual for avast not to detect on VirusTotal when it does so on your system. VT isn't able to update the VPS in real time as the user is, and this is often the cause. Remember, the point of submitting it to VT is to see what the other scanners find.

Also I find this somewhat of a strange issue, given the location and file name "program files\yahoo\search protection\search protection.exe". This to me implies that there is possibly some form of scanning, and it may be this which the Win32:Trojan-gen is picking up on.

- The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and it is a fine balance between detecting a new variant and detecting something valid as infected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline mevcit

VT is automatically updated AFAIK. A maximum of 1 update can be missed on VT at this time, I think?

On Jotti and VirScan.org, I used to get strange results. On Jotti, G DATA didn't detect many files which avast! detected (now they have removed G DATA). On VirScan many AVs didn't detect some files even though they detect them in real life. I even sent the EICAR test file, but got a similar result. ;D I don't know how these two sites work now, though.

So generally I don't trust them 100%, but VT hasn't given me such results so far. And some time ago I sent there a virus which avast! didn't detect at that time; on VT avast! detected it. Then I updated my avast! and it also detected it. Therefore the AVs on VT are updated very quickly IMO. There must be some other factors causing such situations.
« Last Edit: July 19, 2009, 01:38:15 AM by mevcit »

Online DavidR

VT has in the past had problems keeping avast up to date automatically and basically this is another case that proved that.

Offline Southern Man

It isn't unusual for avast not to detect on VirusTotal when it does so on your system. VT isn't able to update the VPS in real time as the user is, and this is often the cause. Remember, the point of submitting it to VT is to see what the other scanners find.

Also I find this somewhat of a strange issue, given the location and file name "program files\yahoo\search protection\search protection.exe". This to me implies that there is possibly some form of scanning, and it may be this which the Win32:Trojan-gen is picking up on.

- The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and it is a fine balance between detecting a new variant and detecting something valid as infected.
Yes, I think the Yahoo Search Protection is a type of scanning as it is always resident in Task Manager, but not anymore, I've uninstalled it. Never used it anyway and I like to be safe; I hate extras like toolbars and search thingys!!
Thanks to you both for the replies back. It's late here, 2.30am, sorry about the missing bit in the last post! Going to bed.

cheers all

southern man

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
VT is automatically updated AFAIK. A maximum of 1 update can be missed on VT at this time, I think?
Therefore the AVs on VT are updated very quickly IMO.
In fact not; it's not updated as quickly as the desktop version... we have had a long history of non-updated antivirus there...

On Jotti and VirScan.org, I used to get strange results. On Jotti, G DATA didn't detect many files which avast! detected (now they have removed G DATA). On VirScan many AVs didn't detect some files even though they detect them in real life.
Doesn't Jotti use a Linux version of the engines? ???
The best things in life are free.