FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

4 of 33 AVs see Trojan

Virustotal Results (screenshot attached)
Well much to my surprise, because my rigs are hardly ever infected with anything but affiliate tracking cookies, I am testing Avast on one of them and yesterday it spotted an apparent nasty. I submitted it to Virustotal and only three other AVs found it as well. Here are the details.

I was getting set to do my regular Saturday morning manual scan with Avast but, as users know, it first does a quick memory check. That is when it spotted an apparent Trojan hiding in a file named autoplay.exe in the Default User folder. The log entry is: 7/5/2008 11:12:49 AM, SYSTEM 1288, Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe" file.

I did not know what to make of this warning, especially because I have Spyware Terminator running in the background, and I had just recently completed manual scans with updated ST, a-squared Free, and SAS free programs. So I Googled around and found a few posts indicating that autoplay.exe is a legitimate Windows program but not in that Startup file location. Plus on my other two rigs that folder is empty.

So next I submitted the file in question to Virustotal and I think the results are rather interesting. Please refer to the attached screenshot. I subsequently quarantined the file in question in Avast's "Chest" and so far there have been no ill effects.

I am posting this little saga in the hopes of underscoring yet again the need for layered security and multiple options for identifying and analyzing potential nasties.

HTH
--
Courage is being scared to death but saddling up anyway.


ZZZZZZZ
Premium
join:2001-05-27
PARADISE
Why is it in your "startup folder"?

www.file.net/process/autoplay.exe.html
--
~~Get our troops home...now!!~~


FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
When I did >Right Click>Properties on this file all of the fields were blank. No information whatsoever. I am pretty sure it was a baddie.
--
Courage is being scared to death but saddling up anyway.
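The two observations above (an .exe sitting in the Default User startup folder where the other rigs have nothing, and Properties showing no version information at all) are exactly what a triage script can check quickly and consistently across every profile. The following is an added example, not code from this thread or from Avast. It assumes the Windows XP profile layout (C:\Documents and Settings\<user>\Start Menu\Programs\Startup), builds a constructed sample tree under a temporary directory so it runs anywhere, and uses a byte search for the UTF-16LE string "VS_VERSION_INFO" as a cheap proxy for "the Version tab is blank", since that tab is populated from the VS_VERSION_INFO resource. It also prints SHA-256 and MD5 so the sample can be looked up on VirusTotal by hash instead of being re-uploaded; the report URL format is an assumption about the current VirusTotal site.

```python
"""Triage helper for suspicious files found in Windows startup folders.

Added example (not from the dslreports thread). Assumes the XP-era layout
<profiles_root>\<user>\Start Menu\Programs\Startup and uses constructed data.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import List

STARTUP_SUBPATH = os.path.join("Start Menu", "Programs", "Startup")


@dataclass
class StartupItem:
    profile: str
    path: str
    size: int
    sha256: str
    md5: str
    is_pe: bool
    has_version_info: bool
    notes: List[str] = field(default_factory=list)


def inspect_file(path: str, profile: str) -> StartupItem:
    with open(path, "rb") as fh:
        data = fh.read()
    is_pe = data[:2] == b"MZ"
    # Properties > Version reads the VS_VERSION_INFO resource. Its key is stored
    # as a UTF-16LE string inside the resource section, so a plain byte search
    # is a cheap (not bulletproof) proxy for "all the Properties fields are blank".
    has_vi = "VS_VERSION_INFO".encode("utf-16-le") in data
    item = StartupItem(profile, path, len(data),
                       hashlib.sha256(data).hexdigest(),
                       hashlib.md5(data).hexdigest(),
                       is_pe, has_vi)
    if profile.lower() == "default user":
        item.notes.append("Default User startup is copied into every new profile; normally empty")
    if is_pe and not has_vi:
        item.notes.append("PE without version resource (Properties fields would be blank)")
    if not is_pe:
        item.notes.append("not a PE executable despite the .exe name")
    return item


def scan_startup_folders(profiles_root: str) -> List[StartupItem]:
    """Walk every profile under profiles_root and inspect .exe files in its Startup folder."""
    items = []
    for profile in sorted(os.listdir(profiles_root)):
        startup = os.path.join(profiles_root, profile, STARTUP_SUBPATH)
        if not os.path.isdir(startup):
            continue
        for name in sorted(os.listdir(startup)):
            full = os.path.join(startup, name)
            if os.path.isfile(full) and name.lower().endswith(".exe"):
                items.append(inspect_file(full, profile))
    return items


def vt_hash_url(sha256: str) -> str:
    # Assumption: VirusTotal's per-file report URL keyed by SHA-256, so a sample
    # that is already in their database can be checked without re-uploading it.
    return f"https://www.virustotal.com/gui/file/{sha256}"


def build_sample_tree(root: str) -> None:
    """Constructed sample data: a Default User startup entry with no version
    resource, an All Users entry that has one, and an empty per-user folder."""
    def put(profile: str, name: str, content: bytes) -> None:
        d = os.path.join(root, profile, STARTUP_SUBPATH)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)

    put("Default User", "AutoPlay.exe",
        b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200)
    put("All Users", "tray.exe",
        b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
        + "VS_VERSION_INFO".encode("utf-16-le") + b"\x00" * 100)
    os.makedirs(os.path.join(root, "Dan", STARTUP_SUBPATH), exist_ok=True)


def demo() -> List[StartupItem]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        items = scan_startup_folders(root)
    for it in items:
        print(f"{it.profile}: {os.path.basename(it.path)} size={it.size} "
              f"PE={it.is_pe} version_info={it.has_version_info} {it.notes}")
        print(f"  sha256={it.sha256}  md5={it.md5}")
        print("  lookup:", vt_hash_url(it.sha256))
    return items


if __name__ == "__main__":
    demo()
```

On a real XP box you would call scan_startup_folders(r"C:\Documents and Settings") instead of demo(); the absence of a version resource is only a hint (plenty of legitimate small tools lack one), so the hash lookup and the "does this belong in Default User at all?" question carry more weight than the blank Properties tab by itself.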


ZZZZZZZ
Premium
join:2001-05-27
PARADISE
So you deleted it from the startup?


FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

said by ZZZZZZZ:

So you deleted it from the startup?
As mentioned in my opening post, I quarantined it in the Avast "Chest". It is no longer in the Startup folder.
--
Courage is being scared to death but saddling up anyway.


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
·Optimum Online
·Vonage

reply to FiOS Dan
Something similar here, see Doctor Four's post specifically:

Avast detecting C:\WINDOWS\Browser.exe as trojan - FP?

Maybe another FP?


FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

said by La Luna:

Something similar here, see Doctor Four's post specifically:

Avast detecting C:\WINDOWS\Browser.exe as trojan - FP?

Maybe another FP?
Perhaps but why are the other three AVs also identifying it? Plus I do not think the legitimate autoplay.exe belongs in the Startup folder, which is empty on my other two rigs. No, I think this just might be a bona fide nasty.
--
Courage is being scared to death but saddling up anyway.


Thug21
Just Chillin'
Premium
join:2005-08-21

Send it in and see if they say it's a nasty.


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
·Optimum Online
·Vonage

reply to FiOS Dan
said by FiOS Dan:

Perhaps but why are the other three AVs also identifying it? Plus I do not think the legitimate autoplay.exe belongs in the Startup folder, which is empty on my other two rigs. No, I think this just might be a bona fide nasty.
I don't know, but Doctor Four's post in that thread shows a bunch of AVs (including Avast with "Win32:Trojan-gen {Other}") saying infected also, and it WAS an FP.

Maybe submit it to Avast or post about it on the Avast forum?
--
11,384 DEADLY TERROR ATTACKS SINCE 9/11~~SARAH BRIGHTMAN SYMPHONY WORLD TOUR


FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

said by La Luna:

Maybe submit it to Avast or post about it on the Avast forum?
Emailed it to Avast. I will post if and when I get a response. Thanks for the suggestion.
--
Courage is being scared to death but saddling up anyway.


AL345

@bellsouth.net

reply to FiOS Dan
I have had the same problem! It scared me so bad, but what scares me is that after sending it to the chest and then using the 8-disc recovery set that HP supplied, it gets back in there. Oh, and Trend Micro and BitDefender now detect it. Please post more about this.


FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

I just took a look in that Startup folder, AL345, and there is no sign of that nasty's return. In your research, have you seen any mention of what this bad boy is supposed to do?
--
Courage is being scared to death but saddling up anyway.


ZZZZZZZ
Premium
join:2001-05-27
PARADISE

You may want to rethink the "Spyware Terminator" and use a program like Threatfire, which I personally think is a much better choice.

No anti-virus is 100% foolproof on its own.
--
~~Get our troops home...now!!~~


FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

said by ZZZZZZZ:

You may want to rethink the "Spyware Terminator" and use a program like Threatfire, which I personally think is a much better choice.

No anti-virus is 100% foolproof on its own.
I know you are not a big fan of ST and, to be honest, it did not perform well in this instance. I have been looking at Threatfire and perhaps it is time to run it on the rig I reserve for testing only. Thanks for the input.
--
Courage is being scared to death but saddling up anyway.


AL345

@bellsouth.net

reply to FiOS Dan
You know, I have no idea what it is supposed to do. And I may point out that I did not use a Windows XP CD that you would buy at Office Depot or Walmart; it is the discs that you order through HP. I have posted about this elsewhere and have gained a little bit more knowledge about it (one guy said it might be Bindo.A, but I do not think he knew what he was talking about because I do not use any P2P apps on my computer). But what scares me is that after quarantining it in the chest, it somehow got back to the startup location after using the discs. It is not only in the startup location, it is also in the C:\HP\BIN folder. And when I ran a BitDefender scan, it found processlogger.exe alongside autoplay.exe. Any idea what that is?

noway1

join:2004-11-29

The best way to get rid of all the HP crap is to format the HDD and install a real copy of an operating system. (XP Pro-Full-Retail, Windows 2000 Pro, etc.)


FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS

reply to AL345
Apparently this file has been vexing people for at least a year now... www.wilderssecurity.com/archive/···278.html
--
Courage is being scared to death but saddling up anyway.


AL345

@bellsouth.net
reply to FiOS Dan
So what are you saying it is? Should I not worry? Kaspersky and the NOD32 online scan did not find anything. So should I just let it sit in the chest, or what?


AL345

@bellsouth.net
reply to FiOS Dan
Oh and could you do one more thing for me? Could you please (with pudding on top) re-upload the file to Virus Total again and post the results? Thanks. You Rock!


FiOS Dan
Premium
join:2001-07-06
Redondo Beach, CA
·Verizon FIOS


reply to FiOS Dan
First of all, an update. There has so far been no response from Avast to my file submission.

Second, AL345, I am not sure if I can upload the file to Virustotal again because Avast changes files when the program puts them in the chest. Is the screenshot in my opening post not sufficient?
--
Courage is being scared to death but saddling up anyway.

Edit: Okay I found this advice over at the Avast forum and if it works, I can resubmit the file to Virustotal later today. Stay tuned.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
© 1999-2009 dslreports.com