Trojan Horse Generic9.vpa Infection

10 replies to this topic

#1 sidthesurf

  • Members
  • 2 posts

Posted 18 November 2007 - 10:31 PM

AVG Free Anti-Virus found this in the filename SVCLauncher.exe on 11/17/2007 and again today (11-18-2007) in filename A0054356.exe.
I'm currently running a Kaspersky online scan.

The computer is a Dell Inspiron 9400 with WinXP SP2.

Thanks in advance for any and all help.


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 November 2007 - 10:49 AM

Where did AVG find A0054356.exe?

It looks like a file normally found in the System Volume Information Folder (SVI) which is a part of System Restore - the feature that allows you to set points in time to roll back your computer to a clean working state.

Keep in mind that System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the System Volume Information folder (System Restore points) but the anti-virus software was unable to remove it. Since the System Volume Information folder is a protected directory, your tools cannot access it to delete these files and they sometimes can reinfect your system if you accidentally use an old restore point.

If that is where AVG found the file, to resolve this, you need to Set a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 sidthesurf

  • Topic Starter
  • Members
  • 2 posts

Posted 19 November 2007 - 11:17 PM

Thanks for the reply.

I've done what you suggested. I'm now doing the Kaspersky online scan again. So far, 1 virus found and 5 infected objects.

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 November 2007 - 08:22 AM

Post the log results of the scan or advise what specific malware files Kaspersky found and where they are located.

#5 jollyratt

  • Members
  • 4 posts

Posted 20 November 2007 - 04:58 PM

My AVG found 'Trojan Horse Generic9.VPA' on the 11/19/2007 located in:
C:\Program Files\Dell\Qick Set\SVCLauncher.exe

On 11/20/2007, the AVG found it in:
C:\System Volume Information\_restore(129201FA blah blah.exe

I tried running a System Restore on 11/20/2007 and each time, it was unsuccessful. I fear that the Generic9 is interfering. H E L P !!!!

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 November 2007 - 05:45 PM

The detection on SVCLauncher.exe sounds like it could be a False Positive.

AVG uses heuristic detection, which is the ability of an anti-virus program to detect new viruses before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. The technique involves inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "False Positive" when the heuristic analysis flags a file as suspicious or infected that contains no malware. Reducing the detection sensitivity will minimize the risk but then that increases the possibility for new malware to infect your system.

See How AVG Heuristic Analysis Works.

Get a second opinion by submitting the file to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

The other file identified by your scan is in the System Volume Information Folder (SVI) which is a part of System Restore - the feature that allows you to set points in time to roll back your computer to a clean working state. This folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

Keep in mind that System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the System Volume Information folder (System Restore points) but the anti-virus software was unable to remove it. Since the System Volume Information folder is a protected directory, your tools cannot access it to delete these files and they sometimes can reinfect your system if you accidentally use an old restore point.

To resolve this, you need to Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
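The threshold mechanism quietman7 describes above (count virus-like characteristics, flag the file when the total crosses a pre-defined threshold, and accept more false positives the lower that threshold sits) can be made concrete with a small model. The code below is an added example written for this thread; it is not AVG's algorithm, not code from the original post, and every name in it is hypothetical: the characteristic labels, their weights, and the sample corpus are all constructed so that the false-positive / false-negative trade-off can be read off directly.

```python
"""Toy model of threshold-based heuristic detection and its false-positive trade-off.

Added, constructed example. It is not AVG's algorithm; the "characteristics"
below are hypothetical labels and weights, not real detection rules.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hypothetical "virus-like characteristics" and the weight each contributes
# to the heuristic score (constructed values).
CHARACTERISTICS = {
    "packed_section": 2,          # code section is compressed/obfuscated
    "writes_startup_key": 2,      # registers itself to run at boot
    "self_copy": 3,               # copies its own executable elsewhere
    "injects_remote_process": 3,  # writes into another process's memory
    "hides_window": 1,            # runs with no visible window
    "downloads_executable": 2,    # fetches and runs a binary from the network
}


@dataclass(frozen=True)
class Sample:
    name: str
    traits: FrozenSet[str]
    is_malicious: bool  # ground truth, known only because the corpus is constructed


def heuristic_score(traits: FrozenSet[str]) -> int:
    """Sum the weights of every recognised characteristic the file shows."""
    return sum(CHARACTERISTICS.get(t, 0) for t in traits)


def is_flagged(traits: FrozenSet[str], threshold: int) -> bool:
    """Flag the file when its score reaches the pre-defined threshold."""
    return heuristic_score(traits) >= threshold


def evaluate(samples: List[Sample], threshold: int) -> Tuple[int, int]:
    """Return (false_positives, false_negatives) for a given threshold.

    A false positive is a benign sample that gets flagged; a false negative is
    a malicious sample that slips through. Raising the threshold (reducing
    sensitivity) trades the first for the second.
    """
    false_positives = false_negatives = 0
    for s in samples:
        flagged = is_flagged(s.traits, threshold)
        if flagged and not s.is_malicious:
            false_positives += 1
        elif not flagged and s.is_malicious:
            false_negatives += 1
    return false_positives, false_negatives


# Constructed corpus. Scores in the comments follow from CHARACTERISTICS.
SAMPLES = [
    # Benign programs that still show some "suspicious" behaviour, such as an
    # OEM launcher that starts at boot and runs without a window.
    Sample("oem_launcher", frozenset({"packed_section", "writes_startup_key", "hides_window"}), False),  # 5
    Sample("auto_updater", frozenset({"downloads_executable", "writes_startup_key"}), False),            # 4
    Sample("cli_tool", frozenset({"hides_window"}), False),                                              # 1
    # Malicious samples.
    Sample("worm", frozenset({"self_copy", "writes_startup_key", "packed_section"}), True),              # 7
    Sample("injector", frozenset({"injects_remote_process", "hides_window"}), True),                     # 4
    Sample("dropper", frozenset({"downloads_executable", "self_copy", "hides_window"}), True),           # 6
]


if __name__ == "__main__":
    for threshold in (4, 5, 6, 8):
        fp, fn = evaluate(SAMPLES, threshold)
        print(f"threshold={threshold}: false positives={fp}, false negatives={fn}")
```

Running it shows the shape of the trade-off in the post: at threshold 4 every malicious sample is caught but two benign programs (the boot-time launcher and the updater) are flagged; at threshold 6 no benign file is flagged but the lightweight injector is missed. Real engines weight far more signals than this, but the tuning decision is the same one: a vendor lowering the threshold to catch new malware sooner accepts that some legitimate vendor software, like a laptop utility that registers itself at startup, will occasionally trip the heuristic until the definitions are adjusted.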

#7 jollyratt

  • Members
  • 4 posts

Posted 21 November 2007 - 12:44 AM

Thanks quietman7,

The problem is that both jotti's virusscan and virustotal.com are unable to scan the SVC Launcher.
jotti's takes me to a screen that reads > The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
and virustotal takes me to a screen that reads > 0 bytes size received / Se ha recibido un archivo vacio

Now, I'm a little bit rusty on my Spanish but I think Se ha recibido un archivo vacio means 0 bytes size received in English (joke)

I guess my question is what is my best option? Just deal with AVG's false behavior or should I take action to get a healthy SVC Launcher that AVG is ok with?

Another thing, I don't think I can run restores any longer with the current SVC Launcher vaulted. This could pose a problem as well.

Thanks again,

jollyratt

#8 Paardenbloem

  • Members
  • 2 posts

Posted 21 November 2007 - 04:10 AM

I'm having the same problem. (Yep, signed up just to enquire too :thumbsup:)

I'm running a Dell Inspiron 6400 on XP Home, and I'm having the same virus message (Generic9.VPA) in the same location (Dell>QuickSet) using AVG.

I think it must be a false positive, as for both of us to have completely the same virus warning cannot be coincidental.

But my question is: do I just ignore it? I don't want to restore my laptop if it's just AVG being overly sensitive.

Unrelated, good gracious at this emoticon! :flowers:

#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 November 2007 - 09:12 AM

rdsok, Moderator at the AVG forum, has instructions for suspected FPs.

If you suspect a file to be a false positive, test the file at [virusscan.jotti.org] and if it is a false positive, archive (zip, arc, tar etc) the file using a password and email a copy to virus@grisoft.com with a brief description as well as the password you used to archive it with.

If it is a false positive, turn off heuristic scanning for the time being. When Grisoft adjusts the virus definitions you can turn it back on. If turning off Heuristics still doesn't allow access to the file while testing and emailing... disable the resident shield temporarily.

forum.grisoft
Since you can't submit to jotti, follow the remaining instructions provided by Grisoft.

#10 jollyratt

  • Members
  • 4 posts

Posted 30 November 2007 - 03:20 PM

:thumbsup: AVG has corrected this false positive problem with a recent update!! All my worries are gone!
Thanks Quietman! You were right on the money!

#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,490 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 November 2007 - 03:26 PM

You're welcome. :thumbsup: