Posted 07 August 2010 - 02:38 PM
A friend of mine asked me to post this for him, so I only have the details he's given me (which I hope will be enough). He burned the files/information to a CD and sent them to me, but due to us being in different countries (possibly also mail problems) I only received the package a few days ago.
At the end of June, he updated the definitions on his version of AVG a few days before his internet was shut off (and won't be back until September/October, and he says he has no other readily accessible sources of the net). He didn't run a scan until the following week in July, where his AVG 8.5 Free detected 3 viruses in the following location:
All he said about the detection name was it was listed as Trojan.Generic_ something or other for all 3 - the same name.
The file names are the following:
He removed them from the virus vault and ran scans with SUPERAntiSpyware, Malwarebytes' Anti-Malware, and Windows Defender, but they detected nothing. Afterward, he scanned with AVG again and let AVG stick them back in the virus vault for the time being. He navigated to that folder and found 6 other files with similar names, the only difference being the letter at the end (like C0.### instead of F0.###). The creation/modified dates for the other 6 files were the day he got his computer (brand new from BestBuy, IIRC).
He said he left the computer (a laptop) on for several days running scans periodically (he usually shuts it off at night before going to bed) and when he woke up one morning, he noticed it wasn't in hibernate but in sleep mode - when he brought it out, it was on the log-in page and not the desktop. He went and checked out the Event History and noticed that the computer got a BSOD (the first one this particular computer has received in the year he's had it, and it has not gotten another yet to my knowledge). Here is that notation from the Event History:
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000003, 0xfffffa80050f0060, 0xfffffa800534f060, 0xfffffa80036858d0).
He rebooted it again and opened in safe mode, running scans again with the aforementioned programs - same result, all popped up clean. To my knowledge, his computer isn't acting strange in any other way.
Anyway, I've sent the files to AVG for analysis but in the event I don't get a reply or something, he asked me to post here.
I've scanned the files using Jotti, VirusTotal, and Virscan.org and the only one with hits was VirusTotal (all 3 files came up clean on the other 2). All 3 files on VirusTotal came up with the following:
McAfee-GW-Edition 2010.1 2010.08.06 Heuristic.LooksLike.Win32.Suspicious.J
TrendMicro 220.127.116.114 2010.08.07 PAK_Generic.001
His computer is a laptop. Windows Vista Home Premium (I think 64-bit... 90% sure). AVG 8.5 Free, MBAM and SAS were also updated with the latest definitions (as of June 27th), and he also had all Windows patches and such up to that point. Since the internet was gone at the end of June, it was (and has been) completely disconnected from the net since.
I think this is just a coincidence (FP detection + BSOD) since... it's a Windows PC, it's bound to BSOD eventually. Still. What do the experts out there think? I still have the disc with the files on it (should anyone need them for whatever reason, I was going to attach them but not sure if there is a rule on that or not); it also has the .dmp file from the BSOD on it.
Thanks for taking the time to read.