Author Topic: win32:malware-gen (Read 4574 times)

Captain Wonderful · « **on:** July 12, 2010, 04:39:51 AM »

I did a full scan with Avast today, and found 3 win32:malware-gen infections. Two were in the C drive, which I was able to remove with Avast, but there is one in the D drive, which of course is the partitioned recovery drive, which cannot be accessed, as far as I know. Location is D:\hp\Drv\APP00038\offline_driver\UIU32m.exe. First, can you tell me how this segregated part of the disk can become infected? And most importantly, how can I remove it? Do you think any other damage may have resulted, like to registry? Any help would be much appreciated.

whoops. If I had bothered to read a little further down in the posts, I would have seen the one from mjplante. The poster on the CNET forum that DAVIDR supplies a link to, had exactly the same three files come up as win32:malware-gen as I. The conclusion they seem to reach, is they are false positives. Should I relax? Should I restore the two files in "C" that are in the vault? Thanks!!

Yanto.Chiang · « **Reply #1 on:** July 12, 2010, 07:09:56 AM »

Hi,

It was looked a FP detection, you may submit to virus@avast.com to asking to re-analyzed again.

Here's the reference link as for your information :
hxxp://forum.avast.com/index.php?topic=61695.0
hxxp://forums.cnet.com/5208-6132_102-0.html?messageID=3337473

cheers,
yanto chiang

mikaelrask · « **Reply #2 on:** July 12, 2010, 08:48:48 AM »

first welcome to the forum. you could scan with malwarebytes antimalware for an second option

http://filehippo.com/download_malwarebytes_anti_malware/

and the file avst found in your d/ drive you could uoload to virustotal.com and post the result here, or you could as the post before me pointed out send it to avast for a new analysis.

good luck.

DavidR · « **Reply #3 on:** July 12, 2010, 03:46:02 PM »

Quote from: Captain Wonderful on July 12, 2010, 04:39:51 AM

I did a full scan with Avast today, and found 3 win32:malware-gen infections. Two were in the C drive, which I was able to remove with Avast, but there is one in the D drive, which of course is the partitioned recovery drive, which cannot be accessed, as far as I know. Location is D:\hp\Drv\APP00038\offline_driver\UIU32m.exe. First, can you tell me how this segregated part of the disk can become infected? And most importantly, how can I remove it? Do you think any other damage may have resulted, like to registry? Any help would be much appreciated.

In theory they could have been infected from the start and a new or modified signature, could pick it up. When something has been on your system for some time (without showing any adverse effects), then there is in my opinion no reason to rush to a decision and if a decision is made it should be to send to the chest, 'first do no harm' as this can be reversed. The HP recovery partition is likely to be protected and that would block attempts to do anything with it.

Quote from: Captain Wonderful on July 12, 2010, 04:39:51 AM

whoops. If I had bothered to read a little further down in the posts, I would have seen the one from mjplante. The poster on the CNET forum that DAVIDR supplies a link to, had exactly the same three files come up as win32:malware-gen as I. The conclusion they seem to reach, is they are false positives. Should I relax? Should I restore the two files in "C" that are in the vault? Thanks!!

That was/is my summation and why I asked for the locations in the other topic. So it needs confirmation one way or an other.

####
You should check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract a copy of it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* {br}That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

- In the meantime (if you accept the risk), add it to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Captain Wonderful · « **Reply #4 on:** July 12, 2010, 07:02:53 PM »

Thanks DAVIDR and the rest!
Did as you suggested. Only Avast and GDATA scored hits. Here are the results pages.

http://www.virustotal.com/reanalisis.html?5d352ff346dc3559f4aa7dbd5d7ba35c0d55192fb41c9422d2d6630f447c1850-1278952220
http://www.virustotal.com/reanalisis.html?5d352ff346dc3559f4aa7dbd5d7ba35c0d55192fb41c9422d2d6630f447c1850-1278952873

Of course I couldn't submit the file in the D drive, so I'll just have to assume it's the same story. In the future, can I assume that anything challenged as malware in D drive is a FP? Is there any way it can be accessed by malware, or anything else? Thanks again.

DavidR · « **Reply #5 on:** July 12, 2010, 07:24:25 PM »

You are likely to find the three files are identical just checking the MD5 hash, which indicates if two files are the same you should see that they are - MD5 : e78a1e3be7f708a08419a468bbc6aa38.

It isn't wise to make assumptions, but don't act in haste and to investigate them, as it may well be possible to deposit new files into that location.

Captain Wonderful · « **Reply #6 on:** July 12, 2010, 07:40:04 PM »

DAVIDR
I'm a bit of a lame brain when it to comes to a lot of computer stuff and lingo, so I don't understand your last post. Could you dumb it down a bit and try again? Also, I ran into a bit of a snag when I tried restoring the two files from the chest. One restored and the other wouldn't. Any suggestions?

DavidR · « **Reply #7 on:** July 12, 2010, 08:52:35 PM »

Both of the file you uploaded I believe were identical they would both have the same MD5 number/hash (a unique ID for a file) there are tools which can identify that. though I don't think you need go to that length.

Unfortunately I can't give any suggestions as you didn't say anything about the restoration attempts, a) the location to which you sent them (and which one failed) and b) the error/reason given for the failure (if any) ?

Before you could restore a file, it would either have to be a) no longer considered infected e.g. a correction to the virus signatures or b) to have excluded the location where you are trying to restore the file. If the file is still considered infected and you hadn't excluded the location the restore would fail. But I can't say why it failed as I have no information to work with.

Captain Wonderful · « **Reply #8 on:** July 12, 2010, 09:39:22 PM »

I went to the chest and right clicked on each file, and scanned them. Both gave report of NO VIRUS. I assumed that Avast had made the correction in the update of definitions I did today. I then right clicked on each file and selected RESTORE. Being the suspicious type, I went to check that they in fact were back in place, and one was, but not C:\WINDOWS|System32\DriverStore\FileRepository\trx200cz.inf_f0de7c5e\UIU32m.exe. I repeated the RESTORE, but still didn't work.
No messages of any kind when I clicked restore. Also, I did a scan of my D drive, and Avast now finds no problem.

DavidR · « **Reply #9 on:** July 12, 2010, 10:02:48 PM »

OK, I don't have a C:\WINDOWS\System32\DriverStore\ folder, mine is C:\WINDOWS\System32\DRVStore\ and I don't have a FileRepository sub folder either. I suspect that this bit 'trx200cz.inf_f0de7c5e' is actually a file and that contained the UIU32m.exe file within it and avast hasn't been able to insert it back into that file.

What was the location of the restore that worked ?
If it is c:\hp\DRIVERS\Conexant_TREX_Modem\UIU32m.exe, then that is the more important one as it is more likely to be active, that is if you actually have a Conexant_TREX_Modem and the one in the FileRepository is more of a back-up.

Since the one in the D partition isn't detected either, then I think you should be good to go.

Captain Wonderful · « **Reply #10 on:** July 12, 2010, 10:35:53 PM »

Yes, you are right about the location of the file that worked. I guess I'll leave well enough alone unless you think I can do some sort of manual cut and paste type of restoration of the other file.
Thanks for all the help by the way.

DavidR · « **Reply #11 on:** July 12, 2010, 11:37:48 PM »

Only if you can find out if the C:\WINDOWS\System32\DriverStore\FileRepository\trx200cz.inf_f0de7c5e\ location is a sub-folder or as I suspect a compressed archive file.

If it is a sub-folder you may be able to see other files in it, if that is the case you may be able to extract (which is just copy) the file from the chest to a temporary location. Once in that location you may be able to then copy the file into that C:\WINDOWS\System32\DriverStore\FileRepository\trx200cz.inf_f0de7c5e\ folder.

If it is a compressed archive file then even you won't be able to copy the file back in there.

No problem, glad I could help.

Author Topic: win32:malware-gen (Read 4574 times)

Captain Wonderful

win32:malware-gen

Yanto.Chiang

Re: win32:malware-gen

mikaelrask

Re: win32:malware-gen

DavidR

Re: win32:malware-gen

Captain Wonderful

Re: win32:malware-gen

DavidR

Re: win32:malware-gen

Captain Wonderful

Re: win32:malware-gen

DavidR

Re: win32:malware-gen

Captain Wonderful

Re: win32:malware-gen

DavidR

Re: win32:malware-gen

Captain Wonderful

Re: win32:malware-gen

DavidR

Re: win32:malware-gen