Author Topic: Avast 4.8 alerted to Win32:Malware-Gen  (Read 14889 times)


RONIN2010

  • Guest
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #15 on: February 02, 2010, 06:25:57 AM »
Quote from: Ronin2010
Do you mean by restoring a copy of the file to the new folder by, right-clicking the file in the chest and choosing "extract" and then extracting it to the new folder? Just wanted to make sure, haven't done that before and that's the options I'm getting when I view the file in the chest.
Yes, that's exactly what I meant, sorry if it was not that clear.
"Restore" will, of course, return the file to its original location.

No worries, thanks for clarifying! I'll give it a go once my scans have finished and upload the logs.

RONIN2010

  • Guest
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #16 on: February 02, 2010, 12:23:37 PM »
Okay, here's what I have.

MBAM Logfile:

Malwarebytes' Anti-Malware 1.44
Database version: 3675
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/2/2010 5:07:04 AM
mbam-log-2010-02-02 (05-07-04).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 389964
Time elapsed: 2 hour(s), 4 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Virustotal scan of file VOL_TO~1.DLL:

http://www.virustotal.com/vt/en/recepcion?e44227a77c1cade44d4bbf1d86c45f13

(file was showing a size of 0 bytes...)
Virustotal scan of file DEVBIED.PKG:

http://www.virustotal.com/analisis/3a63e0a519fb3bcba9f951e29c2cfcfe35dbddd3946e113f0364e08de266c287-1265109255

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #17 on: February 02, 2010, 11:19:15 PM »
It seems fairly clear or likely that "DEVBIED.PKG" is a FP.
The link to the other analysis doesn't work. Perhaps the file was not uploaded? What size is the .dll file (go to C:\Suspicious, locate the file, right click and select properties).
Could you try analyzing it again, please? (Chances are it's a FP also.)

Just for future reference, these VT results should be treated as a guide (a good guide), not as absolute. E.g.: I have seen times where only one or two vendors detected an actual malicious file. The same file re-analyzed a day, two days, three days later showed increasing numbers of vendors flagging it.
Just so you are aware of that. It's a tool.
Windows 10,Windows Firewall,Firefox w/Adblock.

RONIN2010

  • Guest
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #18 on: February 03, 2010, 03:13:56 AM »
Thanks Tarq57. I tried uploading VOL_TO~1.DLL to virustotal three times but to no avail; I kept getting a message stating 0 bytes received. When I click the properties of the file it says it's 1904128 KB. Another odd thing I've discovered is that this same file was flagged previously in the scan that occurred around December, the same one that flagged Spybot as a virus. I've had my definitions updated to the latest and ran another scan this morning with avast. No results were found. And yet when I extract this file to the suspicious folder, it's still showing this file to be a virus.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #19 on: February 03, 2010, 03:31:21 AM »
What is the full name of the file?
Try uploading it to jotti instead.
Strangeness.
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89258
  • No support PMs thanks
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #20 on: February 03, 2010, 03:41:12 AM »
Quote from: RONIN2010
Thanks Tarq57. I tried uploading VOL_TO~1.DLL to virustotal three times but to no avail; I kept getting a message stating 0 bytes received. When I click the properties of the file it says it's 1904128 KB. Another odd thing I've discovered is that this same file was flagged previously in the scan that occurred around December, the same one that flagged Spybot as a virus. I've had my definitions updated to the latest and ran another scan this morning with avast. No results were found. And yet when I extract this file to the suspicious folder, it's still showing this file to be a virus.

Where is the location of the file when you are trying to upload it to VT ?
As 0 Bytes is indicative of it being blocked by avast.

- Create a folder called Suspect in the C:\ drive. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) "C:\Suspect\*" (excluding the "quotes") That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
« Last Edit: February 03, 2010, 03:43:57 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

RONIN2010

  • Guest
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #21 on: February 03, 2010, 04:40:52 AM »
Quote from: Tarq57
What is the full name of the file?
Try uploading it to jotti instead.
Strangeness.

The full name of the file is: VOL_TO~1.DLL

The path or location is: C\Program Files\vol_toolbar (before quarantine and extraction)

Quote from: DavidR
Where is the location of the file when you are trying to upload it to VT ?
As 0 Bytes is indicative of it being blocked by avast.

- Create a folder called Suspect in the C:\ drive. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) "C:\Suspect\*" (excluding the "quotes") That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.


I extracted the file from avast's chest to a folder titled "suspect" on my desktop. The file is showing 1904128 KB in the suspect folder as well as the chest. I'll exclude it from the scans, as you stated, and see if this will allow me to upload.

RONIN2010

  • Guest
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #22 on: February 03, 2010, 12:40:23 PM »
Okay.... I've tried doing exactly what you said David. I tried somewhere in the ballpark of 10 times. It still is having an issue with the 0 bytes episode, although it's not triggering the alert. It took me 9 times before I got a result back from virustotal and it seems it actually took the file... Or at least, told me the file has already been submitted. I also tried the same with Jotti, which would not take it at all, saying the same thing, "0 bytes received". I also updated the virus defs to the most current release, removed the exclusions and scanned the file again, and still it's identifying it as the same thing, "Win32:Malware-Gen". Here's the log I got from virustotal... Note the portion about "File Not available, prior to VT database update received on 2008.12.20"...

http://www.virustotal.com/analisis/0654dad111aaa377cfd0c108ea23f15b796c7e67380696598d049fce4a548cd1-1229801738

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89258
  • No support PMs thanks
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #23 on: February 03, 2010, 04:28:41 PM »
Sorry but I'm totally confused; as you haven't followed the directions exactly as I mentioned, I really don't know what you have done or what exclusion you have made, as you didn't post what you entered and where, and you didn't use the same paths as in my example.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

RONIN2010

  • Guest
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #24 on: February 03, 2010, 06:30:21 PM »
On the contrary I did follow your directions to a "T".

Quote from: DavidR
- Create a folder called Suspect in the C:\ drive. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) "C:\Suspect\*" (excluding the "quotes") That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

I first created a folder named "suspect", as you stated, but then renamed it to something better suited for memory, to what I was doing. So I named the folder I created on my desktop "VT". (Only difference, as you stated to title the folder "suspect".) I then added the entry "C:\VT\*", minus the parentheses, as an exclusion. This by all means tells avast that this folder and its contents are specifically not to be scanned. I then extracted the file (VOL_TO~1.DLL) to the "VT" folder on my desktop. It was extracted successfully. File and folder are showing the correct file size in the folder (1904128 KB). I then went to virustotal and attempted to upload the file. I tried 9 times and kept getting the same message "0 bytes received". I know that the exclusion in avast was correctly added, as it did not introduce a virus alert when I clicked on the file to upload to virustotal. If the exclusion was unsuccessful, it would have alerted the moment I clicked it. At the 10th time of trying to upload the file, it did upload. However I got this log:

 http://www.virustotal.com/analisis/0654dad111aaa377cfd0c108ea23f15b796c7e67380696598d049fce4a548cd1-1229801738

I'm still puzzled regarding the message at the beginning of the log stating: "File Not available, prior to VT database update received on 2008.12.20". To me it's as if they've wiped this file from their database. Also, the fact that "Version" and "Last Updated" have no results for any of the scanners. That and the fact that avast's scanner did not detect this as a threat on virustotal, however mine does and it's current.


I then attempted to try Tarq57's suggestion and upload the file to jotti.

Quote from: Tarq57
What is the full name of the file?
Try uploading it to jotti instead.
Strangeness.

I get the same exact result there. It kept stating "0 bytes received". Except I couldn't even get Jotti to take the file. I then decided, as a last ditch effort, to remove the file and folder from the exclusion list in avast and try updating my virus defs again (which it did, to version 100203-0, which is the current version) and scan the file to see if avast has rectified this as an FP. Unfortunately, same result, virus alert Win32:Malware-Gen.
« Last Edit: February 03, 2010, 06:46:05 PM by RONIN2010 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89258
  • No support PMs thanks
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #25 on: February 03, 2010, 07:31:40 PM »
If you created a folder on your desktop, then "C:\VT\*" won't cut it as that doesn't equate to the desktop location, so the exclusion will fail. This is the path to the desktop: C:\Documents and Settings\YourUserName\Desktop equates to the desktop and C:\Documents and Settings\YourUserName\Desktop\VT\* excludes the folder.

That is why, for simplicity, it is best to keep it as I suggested and, if need be, write down what the suspect folder is for to aid your memory. Not only that, but it saves this ping pong of posts trying to resolve the problem.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
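The path mix-up in the exchange above, as an added example (not code from the thread or from avast): an exclusion pattern is matched against the file's full path, so "C:\VT\*" never covers a "VT" folder that actually lives on the desktop. The wildcard semantics (a single '*' matching anything beneath the folder, case-insensitively) and the "Owner" user name are assumptions for the example.

```python
import fnmatch
import ntpath

# Constructed sample values: an XP-era profile path as quoted in the thread,
# and the quarantined file the poster was exporting for upload.
USER_NAME = "Owner"
SAMPLE_FILE = r"C:\Documents and Settings\Owner\Desktop\VT\VOL_TO~1.DLL"


def normalize(path: str) -> str:
    """Lower-case and tidy separators so matching is case-insensitive,
    as Windows paths are."""
    return ntpath.normpath(path).lower()


def exclusion_covers(pattern: str, path: str) -> bool:
    """Assumed semantics: '*' matches any run of characters, including further
    backslashes, so 'C:\\Suspect\\*' covers everything under that folder.
    The exact matching rules of avast 4.8 are not documented on the page."""
    return fnmatch.fnmatchcase(normalize(path), normalize(pattern))


def desktop_folder(user_name: str) -> str:
    """Desktop location for a Windows XP profile, as quoted in the thread."""
    return rf"C:\Documents and Settings\{user_name}\Desktop"


def exclusion_for_folder(folder: str) -> str:
    """Build the pattern the thread recommends: the folder's full path plus '\\*'."""
    return folder.rstrip("\\") + "\\*"


def check_candidates(path: str, user_name: str) -> dict:
    """Compare the mistaken exclusion from the thread with the corrected one."""
    wrong = r"C:\VT\*"   # the folder was on the desktop, not at the drive root
    right = exclusion_for_folder(ntpath.join(desktop_folder(user_name), "VT"))
    return {wrong: exclusion_covers(wrong, path),
            right: exclusion_covers(right, path)}


if __name__ == "__main__":
    for pattern, covered in check_candidates(SAMPLE_FILE, USER_NAME).items():
        print(f"{'covers' if covered else 'MISSES'}: {pattern}")
```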

RONIN2010

  • Guest
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #26 on: February 04, 2010, 02:23:15 AM »
All right, I see what you're saying. Sorry, not sure how that slipped my observation but I didn't take that into consideration. I'm an Operations Analyst, working 12 hours a day and trying to handle this in my off time. Getting a little tired here.. :o But I do apologize. I removed all exclusions and followed your directions and added (C:\Documents and Settings\Owner\Desktop\VT\*) as the exclusion. I then uploaded the file to virustotal and jotti both. Here are the logs:

Virustotal log file:

http://www.virustotal.com/analisis/0654dad111aaa377cfd0c108ea23f15b796c7e67380696598d049fce4a548cd1-1229801738


Jotti log file:

http://virusscan.jotti.org/en/scanresult/92d791c624d77e0b5899da8f8766633c9f8cd5f5/64203920585dc05c7dccafe6d08dd8d7426f53fb


Same results as before with Virustotal. Only one scanner picks it up as a "Suspicious File". Still seems this file's history has been wiped from their database. As I stated before I am completely befuddled, as to why their avast scanner is not picking the file up as a threat but my avast scanner, which is current, is labeling it as a threat... As for jotti.. the majority of scanners, labeled the file to be a threat. About 9 different threats... Avast and GData being one of the scanners that didn't pick it up as a threat. But then again jotti is listing a database scan date of:

Scan taken on:   Sun 23 Aug 2009 02:04:02 (CET)  

So it doesn't seem they've had any updates to their database regarding this file. On the same note.. I did some research into the tickets I've previously opened with Avast Support and it just so happens that the ticket I opened back in December of 09 contained 4 files that were detected as a trojan (Win32:Delf-MZG[Trj]). 3 of the files were Spybot's. These 4 files were:

teatimer.exe
advcheck.dll
SDHELPER.DLL

and

VOL_TO~1.DLL

A patch or updated definition batch was quickly released about a day later. This identified these 4 files as false positives and they no longer triggered alerts when scanning them. However, it seems yet again that I'm in the same boat. Not sure if that is the case but it is starting to seem plausible.
« Last Edit: February 04, 2010, 02:49:18 AM by RONIN2010 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89258
  • No support PMs thanks
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #27 on: February 04, 2010, 02:55:21 AM »
Most certainly weird, "File Not available, prior to VT database update received on 2008.12.20"

Not to mention only 33 scanners shown when the last time I checked they had 41 scanners.

Though why VT would need to resort to its database, as when you upload it, if it finds a record of the MD5 number and it says this has been scanned before always elect to scan it again, that way it wouldn't be trying to recover any data.

The Jotti results for vol_toolbar.dll with 15/21 detections relating to adware/spyware and mega search. As I said some time ago, these search tool bars etc, offer little but want a pound of flesh in return, marketing data from your searches. 

All I can see is the different file name reported by Jotti (vol_toolbar.dll) to what you are reporting is/was detected by avast, VOL_TO~1.DLL (which is a Windows 8.3 file name format shortening). So I don't know if this is throwing VT: it finds the MD5 in its database, but doesn't find that file name for the MD5.

The first 3 I would say you have nothing to be concerned with, but the last one, even if this was clean on all counts (e.g. no Jotti hits) I would be looking to remove this toolbar.
- ToolbarCop http://www.snapfiles.com/get/toolbarcop.html
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
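The 8.3 shortening DavidR mentions, as an added example (not code from the thread): a simplified version of the rule Windows uses to derive a short alias, enough to confirm that vol_toolbar.dll and VOL_TO~1.DLL are the same file and to pick which long name in an inventory a short name in a scanner log could refer to. The collision limit and the hashed form Windows uses beyond it are noted as assumptions and not modelled.

```python
# Characters a long file name may contain but an 8.3 name may not
# (extra dots are also dropped from the base name).
_ILLEGAL_IN_83 = set(' +,;=[]')


def _clean(part: str) -> str:
    """Upper-case and strip characters that cannot appear in an 8.3 name."""
    return ''.join(c for c in part.upper() if c not in _ILLEGAL_IN_83 and c != '.')


def short_name_candidate(long_name: str, collision_index: int = 1) -> str:
    """Return the 8.3 alias Windows would normally generate for long_name.

    Simplified rule (an assumption that matches the names on the page):
    upper-case, drop illegal characters and all dots but the last, keep the
    first 6 base characters followed by '~N', and the first 3 extension
    characters. Windows switches to a hashed base after a few collisions
    (roughly N > 4); that form is not modelled here.
    """
    base, dot, ext = long_name.rpartition('.')
    if not dot:                         # no extension at all
        base, ext = long_name, ''
    base_c, ext_c = _clean(base), _clean(ext)
    already_valid = (base_c == base.upper() and ext_c == ext.upper()
                     and 0 < len(base_c) <= 8 and len(ext_c) <= 3)
    if already_valid:
        return long_name.upper()        # e.g. teatimer.exe -> TEATIMER.EXE
    short = f"{base_c[:6]}~{collision_index}"
    return f"{short}.{ext_c[:3]}" if ext_c else short


def could_be_alias(short_name: str, long_name: str, max_index: int = 4) -> bool:
    """True if short_name is a plausible 8.3 alias of long_name."""
    candidates = {short_name_candidate(long_name, i) for i in range(1, max_index + 1)}
    return short_name.upper() in candidates


def resolve_short_name(short_name: str, inventory: list[str]) -> list[str]:
    """Pick the long names in inventory that short_name could stand for,
    e.g. mapping a scanner-log name back to files listed in Add/Remove."""
    return [name for name in inventory if could_be_alias(short_name, name)]


if __name__ == "__main__":
    # Constructed inventory using the four file names from the thread.
    files = ["teatimer.exe", "advcheck.dll", "SDHELPER.DLL", "vol_toolbar.dll"]
    print(resolve_short_name("VOL_TO~1.DLL", files))   # ['vol_toolbar.dll']
```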

RONIN2010

  • Guest
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #28 on: February 04, 2010, 05:43:30 AM »
That was the conclusion I came to as well. That I'm likely better off getting rid of it. I reuploaded it to virustotal and jotti and had them reanalyze it as you said. Here's the log files:

Virustotal:

http://www.virustotal.com/analisis/0654dad111aaa377cfd0c108ea23f15b796c7e67380696598d049fce4a548cd1-1265258039

Jotti:

http://virusscan.jotti.org/en/scanresult/6fdf7935f6e761d29fc733fb63a522814405ea78

After that I decided to look up the toolbar in the ADD/REMOVE programs utility in the Control Panel on my computer and see if it was still there. This being as I thought I had removed this a long time ago, when I uninstalled the Internet Security Suite it came embedded in. Lo and behold, it's showing up and saying it's there. However, when I try to remove it via ADD/REMOVE programs, it says the file does not exist. Plot thickens... So I DL'd the toolbarcop you pointed out and removed it. I then went back into ADD/REMOVE programs and it's still showing up, except with a file size of "0". Now when I try to remove it, it initiates the uninstaller and says "The toolbar DLL was not found". This being correct, as it should be gone. But now I'm stumped as to why there's still an entry in the ADD/REMOVE programs utility for the toolbar.. I also uploaded a screenshot of the ADD/REMOVE Programs utility that shows the file there but with a size of "0" bytes.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Avast 4.8 alerted to Win32:Malware-Gen
« Reply #29 on: February 04, 2010, 06:02:37 AM »
What browser do you use? Check the various browser add-ons to make sure the toolbar is not still installed. Sometimes they can be removed via the browser as well as, or instead of, add/remove programs.

Have a look at the MS Knowledgebase article on removing invalid entries from "add/remove programs".
Windows 10,Windows Firewall,Firefox w/Adblock.