Author Topic: Is this actually an infection? (thought it was a False positive but...)  (Read 7263 times)

0 Members and 1 Guest are viewing this topic.

Jao

  • Guest
Hi, I just read someone else's post about Malwarebytes detecting ChromeInst.exe as Trojan.Startpage when they actually never installed Google chrome.

Well, I've been using chrome since last July and C:\Arquivos de programas\Alwil Software\Avast5\chrome\ChromeInst.exe was never detected as any kind of threat. The file was created back in july (last time my PC got formatted), never modified but a few minutes ago, after updating mbam, avast5 and superantispyware,I ran full scans with all 3 programs and malwarebytes started detecting it as Trojan.Startpage

Also sent it to virustotal and nothing was detected:

http://www.virustotal.com/file-scan/report.html?id=3e3c881f6649f11d7387949076e7f37dd177a1c74554d16b4ebec871e582ee57-1289955364

Im quite sure it's a false positive, but could someone please help me make sure it's ok to ignore it? Thanks in advance!
« Last Edit: November 17, 2010, 08:56:03 PM by Jao »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: False positive?
« Reply #1 on: November 17, 2010, 02:27:29 AM »
Well the strange thing is that there are 0/43 detections on the VT results. Whilst MBAM is a specialist anti-malware given the name (Trojan.Startpage) is somewhat over the top as it could be nothing more than it having an option to change your current start page.

So I would say that it is most likely an over zealous or probably false positive given that you have had chrome (and presumably MBAM since July).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Jao

  • Guest
Re: False positive?
« Reply #2 on: November 17, 2010, 02:30:54 AM »
Yep, I've used mbam for a while now and run scans often. It only detected that file after I updated it today. Thanks!

Edit: did some google searching and came up with this: On many other forums, its said that ChromeInst.exe is just Google Chrome's installer and maybe mbam is detecting it because Chrome sets it's start page as google - makes sense since the google IP shows up on comodo's active connections list when you open Chrome, *even if its set to about:blank*
A lot of people are making posts regarding this issue on many different forums and all of them date back to this week, so it's probably related to a recent mbam update
« Last Edit: November 17, 2010, 03:07:24 AM by Jao »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: False positive?
« Reply #3 on: November 17, 2010, 03:39:24 AM »
Yes, I would imagine it is featuring in the MBAM forums right now also.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Jao

  • Guest
Is this actually an infection?
« Reply #4 on: November 17, 2010, 08:26:47 PM »
Is my PC actually infected?

Heres why:

I ended up quarantining ChromeInst with mbam since it wouldnt really make a difference because Chrome is already installed. Updated avast, mbam and superantispyware and decided to run a full scan again. It's the first time Superantispyware ever detected something here:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/17/2010 at 04:29 PM

Application Version : 4.42.1000

Core Rules Database Version : 5874
Trace Rules Database Version: 3686

Scan type       : Complete Scan
Total Scan Time : 00:11:20

Memory items scanned      : 391
Memory threats detected   : 0
Registry items scanned    : 4769
Registry threats detected : 0
File items scanned        : 21126
File threats detected     : 1

Trojan.Agent/Gen-Nullo[Short]
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{34DE795F-5055-4051-B2C2-DA24901A7B3E}\RP17\A0005890.EXE



Checked it online and superantispyware database says this is like a leftover from a threat that was already removed, so i just deleted it.

Since this wasnt being detected yesterday, I presumed it could be related to the quarantined ChromeInst.exe and guess what? I tried to restore it just to see if superantispyware would detect anything but it just wouldnt work - it would disappear from MBAM's quarantined items list after clicking the "restore all" button but it wouldnt show up in the folder it was in before. Then I checked mbam's quarantine list and it was showing up once again - ended up just removing it and now it seems nothing is being detected.

Any ideas why this happened? Maybe today's Superantispyware definitions started detecting ChromeInst.exe and found it in mbam's quarantine or something?

And most important: should I get worried about this? Maybe run OTL and ask essexboy to check if the logs are ok?  Thanks again.

« Last Edit: November 17, 2010, 08:59:00 PM by Jao »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Is this actually an infection? (thought it was a False positive but...)
« Reply #5 on: November 17, 2010, 09:17:26 PM »
Yes, it is a restore point for something previously moved/deleted in the system foledrs or an exe file, etc.

I don't think it is related to your current MBAM detection and it 'shouldn't be able to scan within the MBAM Quarantine as it shouldn't be able to scan within the avast chest, a protected area.

I wouldn't have deleted anything without 100% confirmation it was bad and I highly doubt that, left in the quarantine where it can do no harm even if it was bad shouldn't be an issue.

Personally I wouldn't be worried about it and left it in the MBAM quarantine as this isn't a file that is needed to run (the chrome install). I would have periodically restore it (weekly/fortnightly) from quarantine and do another scan with MBAM and see if as suddenly it was detected it is no longer detected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

andrewoman

  • Guest
Re: Is this actually an infection? (thought it was a False positive but...)
« Reply #6 on: November 19, 2010, 12:24:17 AM »
I also got 2 hits, like yours, with MBAM. No scan has ever caught anything, and I have done a TON of scans in the past few weeks, safe mode too, as I have suspected malware. 

The first sign, a few weeks ago, was when Avast was being disabled upon startup and not updating. Upon startup the Avast icon would have an exclamation point over it, then after a couple of minutes, the exclamation point would disappear. 

After I ran a MBAM scan today, it caught 2 files, removed them, restarted my laptop, and upon startup Avast acted like normal, as it had a few weeks ago, and before that. There was no exclamation point and it updated immediately upon startup, verbal message and all. 

MBAM scan:

Files Infected:
C:\Program Files\Alwil Software\Avast5\chrome\ChromeInst.exe (Trojan.Startpage) -> No action taken.
C:\System Volume Information\_restore{2F34BD55-12CF-4B5C-8426-87DCCFA8E08F}\RP4\A0001894.exe (Trojan.Startpage) -> No action taken.

 
 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Is this actually an infection? (thought it was a False positive but...)
« Reply #7 on: November 19, 2010, 12:38:24 AM »
Well first I rather doubt that even if these two were infected, a) they are inert and b) they aren't required by avast to function. So this is I believe nothing more than a happy coincidence.

As has been mentioned this is almost certainly an FP by MBAM, which will no doubt be corrected at some point.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security