Topic: Question about a trojan avast found

DougTune27

  • Guest
Question about a trojan avast found
« on: September 06, 2009, 02:24:52 AM »
I need to know if a trojan found is a false positive or not. I had the following file found...

File:WalType.dll

Original Location:c:\Program Files(x86)\GOG.com\Patrician 3

Virus:Win32:Trojan-gen {other}

For now it resides in the virus chest until I get further assistance from you folks. Also, I have some mouse troubles that may or may not be related. Below are Vista forum thread links for you to look at to see if anybody recognizes what's going on.

http://www.vistax64.com/general-discussion/246004-mouse-issues-causing-minor-irritations-help-needed.html
http://www.vistax64.com/system-security/246083-help-needed-regarding-trojan-found-possible-relation-mouse-troubles.html

spg SCOTT

  • Guest
Re: Question about a trojan avast found
« Reply #1 on: September 06, 2009, 02:36:55 AM »
Hi DougTune27,

From the filename, I am guessing it is related to this:
http://www.gog.com/en/gamecard/patrician_3

Please could you upload the file to www.virustotal.com to confirm if it is a false positive and report back with the link to the results?



You could also send the file in a password protected archive to virus(at)avast(dot)com with 'potential false positive' in the subject line and the password in the email body.

or

You could add the file to the user files of the virus chest and send it from there:

Right click avast icon in taskbar -->click start avast antivirus -->right click scanner background --> click virus chest --> navigate to user files --> click add files -->
right click file -->email to alwil software.

NOTE:
The file will actually be uploaded when the next update is performed (you can do a manual update to initiate the sending)



You could also add a link to this thread and some more information when you do.

-Scott-

DougTune27

  • Guest
Re: Question about a trojan avast found
« Reply #2 on: September 06, 2009, 03:02:46 AM »
I've sent the file from the virus chest to avast. I've linked to this thread so they can read it and the 2 links. While I wait for some reply I'm running Malwarebytes and SUPERAntiSpyware to see if they pick up anything. Already ran ESET Online Scanner and found nothing. Avast has so far only found any virus (if it is one).

spg SCOTT

  • Guest
Re: Question about a trojan avast found
« Reply #3 on: September 06, 2009, 03:13:09 AM »
Have you uploaded the file to virustotal yet?
This is usually very helpful in determining FPs etc.

Usually, if the file is a FP, then it will be changed in a subsequent update, and sometimes the ALWIL devs may drop in to let you know.

You can keep the file in the chest, and scan it after updates etc. to see the change (if any)


Oh yeah,

If you do send it to VT, you will need to restore it out of the chest and send from there:

Create a folder in C:\ called suspect - i.e.:

C:\suspect

Then exclude this in the standard shield:
Left click avast! tray icon -->More Details --> standard shield -->click 'customise' --> 'advanced' tab --> click add -->add this:

C:\suspect\*

Then 'extract' the file to that location and upload to virustotal

-Scott-
« Last Edit: September 06, 2009, 03:15:26 AM by spg SCOTT »

DougTune27

  • Guest

spg SCOTT

  • Guest
Re: Question about a trojan avast found
« Reply #5 on: September 06, 2009, 01:35:50 PM »
With 16/41 detections, I am not sure about it, although this has to be considered with some care, considering that some are 'generic' detections:

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and it is a fine balance between detecting a new variant and detecting something valid as infected.

So we'll have to see what ALWIL thinks of it...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Question about a trojan avast found
« Reply #6 on: September 06, 2009, 03:53:08 PM »
Yes with that number of detections, generic, suspicious or otherwise, I would have to say it is highly likely to be a good detection.

Even with the very slim possibility it might be an FP, with this many getting a hit it is hard to imagine they all got it wrong. Also, with a number of them flagging it as a form of obfuscated malware, you have to ask what it is that they are trying to hide that makes this so suspicious.

Brandon72196

  • Guest
Re: Question about a trojan avast found
« Reply #7 on: September 09, 2009, 12:15:25 AM »
If it's from GOG.com then it's a False Positive. GOG stands for Good Old Games; they sell old games for great prices. Old game files are usually picked up as False Positives. Don't worry about it.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Question about a trojan avast found
« Reply #8 on: September 09, 2009, 08:42:49 AM »
Thank you for sending the sample; it is a false positive and it will be removed from the VPS in the next update.

DougTune27

  • Guest
Re: Question about a trojan avast found
« Reply #9 on: September 09, 2009, 03:48:40 PM »
Good to hear it's a false positive! My mouse is working again. I just pressed the hell out of the left button real hard multiple times and it became "unstuck". So there was no relation to what I thought was a virus.

maxwachtel

  • Guest
Re: Question about a trojan avast found
« Reply #10 on: September 09, 2009, 04:14:39 PM »
Perhaps you need a new mouse ;)

spg SCOTT

  • Guest
Re: Question about a trojan avast found
« Reply #11 on: September 09, 2009, 07:23:24 PM »
DougTune27,

glad to hear it will be corrected :)

Once the avast! database has updated, you will be able to restore the file to its original location from the chest (avast! will keep a copy in the chest, which can be deleted after you have restored it and checked it is back - or leave it in there if you wish ;))

Quote from: Brandon72196
If it's from GOG.com then it's a False Positive. GOG stands for Good Old Games; they sell old games for great prices. Old game files are usually picked up as False Positives. Don't worry about it.

Brandon72196,

This is the point of reporting it in the forum, and sending the file to avast!
Just telling someone to ignore it because it came from a reputable source - no matter who - is the wrong thing to do.
(think of the Delphi/induc issues...)
I personally will treat any detection as genuine, no matter what the source, until notified by the avast! team/detection is corrected.

Thanks,

-Scott-