jerome

Trojan.Win32.Dropper!A2 in C:\Windows\Installer


Hello,

Yesterday my scan with A Squared updated was clean.

This morning, after an update, a full scan finds this detection:

C:\Windows\Installer\{9112040C-6000-11D3-8CFE-0150048383C9}\cagicon.exe Objets détectés : Trojan.Win32.Dropper!A2

C:\Windows\Installer\{9112040C-6000-11D3-8CFE-0150048383C9}\mspicons.exe Objets détectés : Trojan.Win32.Dropper!A2

C:\Windows\Installer\{9112040C-6000-11D3-8CFE-0150048383C9}\oisicon.exe Objets détectés : Trojan.Win32.Dropper!A2

C:\Windows\Installer\{9112040C-6000-11D3-8CFE-0150048383C9}\opwicon.exe Objets détectés : Trojan.Win32.Dropper!A2

C:\Windows\Installer\{9112040C-6000-11D3-8CFE-0150048383C9}\unbndico.exe Objets détectés : Trojan.Win32.Dropper!A2

On "Virus total" only A Squared detects this. My McAfee and Malwarebytes Anti-Malware are clean.

It seems they are parts of Microsoft Office ("cagicon" = multimedia library, "oisicon" = Microsoft Office Picture Manager, "opwicon" = Microsoft Office Registration Assistant, etc.).

False Positives?

I have submitted them, of course.

Full report in attachment.

I wait...

Regards,

Jérôme.


Hello Fabian,

I just had a short update but the same detection remains...

I am patient and shall wait as you confirm it's a FP.

Regards,

Jérôme


Hello,

A-Squared is also showing 5 infections of the Trojan.Win32.Dropper!A2 on my system.

C:\Config.Msi\1ae3ce.rbf

C:\Config.Msi\1ae3d3.rbf

C:\Config.Msi\1ae3d0.rbf

C:\Config.Msi\1ae3cd.rbf

C:\Config.Msi\1ae3cf.rbf

FP?

Thanks

I sent them through "submit a file" from the quarantine list. Will that get them where they need to go?

iwuud2,

Yes, they will be delivered to the EMSI developers.

Wait for subsequent updates and rescan.

If the suspect was quarantined (temporarily), it can be submitted from the Quarantine area. You even have a chance to fill in and send some comments.

In the Configuration, set the option for "Silent" or "Manual" Re-Scanning.

The jailed items will be rescanned after updates automatically and restored if the FP was confirmed and the update brought the fix (see attached images)

or

you can restore the files. Rescan after updates. Use Custom Scan of the folder where the file resided. If they are still flagged, in order to submit the flagged items use "Submit as false alert".

Right-click on the item in the detection list and choose the said option from the pop-up menu.

If the files are restored, you can also use the old-fashioned method and send them by e-mail, as Fabian Wosar suggested.

Create a password-protected compressed archive (ZIP or RAR) and attach it to the e-mail. Don't forget to supply the password in the e-mail body. You can use [email protected] as well.

My regards


Just updated, seems the files were a FP and have been restored. Thanks for all the help!!
