Possible FP? TROJ-AGENT.DL MALWARE [Resolved]

The story so far…
Just updated the AV [Avast 4.7 home edition] on this XP home SP2 box and got the following popup from BOClean [4.22]

TROJ-AGENT.DL MALWARE STOPPED by BOCLEAN

location of startup file
C:\WINDOWS\STSYSRA.EXE

This trojan horse program was found on your machine.
It has been shut down etc etc.
Do you want the file removed also?

If I click yes, it appears to remove part of sonic update manager that came with this new dell box.

Then I get howls of protest from sonic whenever I reboot, asking me to insert the relevant CD or whatever media and repair the installation.
I tried uninstalling Sonic from add/remove programs, but it still squeals on rebooting.

I’ve used Norton GoBack to restore the HD to its previous state and have just got the BOClean alert again. But at least I don’t have to shut down the howls from Sonic via the task manager as before.

Any advice would be appreciated.
Cheers Paddy

Hi paddybythesea,
Welcome to the Comodo BOClean forum!
It could go either way on this one.
Was it STSYSTRA.EXE or STSYSRA.EXE?
In our Comodo BOClean Anti-Malware FAQ you’ll find the topic False Positives…where to send?
I’d grab a copy of STSYSRA.EXE and send it in.

STSYSTRA.EXE could be a false positive. But STSYSRA.EXE :-\ I would like to see a VirusTotal scan.

Greetz, Red.

Hi paddybythesea,

I am by no means an expert, actually a novice, but I had the same Sonic problem, it drove me crazy!! (:AGY)

This seemed to work for me on my operating system:

Click start then run, type msconfig then press enter and click on the startup tab.

See if you have these processes listed “issch” and “isuspm”. If so, uncheck them, click apply and restart the computer.

Hope this helps?
Novieiam

Thanks all, it was indeed STSYSRA.EXE

(STSYSTRA.EXE looks to be a perfectly legit audio driver:)

I’ve deleted the file, so I can’t send it anywhere.

Have just run a virus scan and come up clean and, thanks to Novieiam’s suggestion, I’m now free of the sonic curse!!

Hopefully, this will be the end of the matter.
Cheers Paddy

Is CBO set to “Keep copy of trojan as evidence”?
You can email that in.

Hi Cat, I do have BoClean set to keep a copy as evidence.
But I’m ■■■■■■ if I can work out where it’s kept.

BTW
I’m still running BOC 4.22 on WxpSP2
Any suggestions as to where I should look?

Cheers Paddy

From the Support Documentation

The second item on the left side is "Keep copy of trojan as evidence" and allows you to retain a copy of the most recently detected malware, safely disconnected from being operable, for further examination and study. The evidence copy will be named as "evidence.boc" and will be saved to your "My documents" folder or whatever location is specified for the report of malware activity and capture.
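The documentation quoted above gives the evidence copy’s name and default location but not how to turn it into something an analyst can look up. The script below is an added example for this thread, not BOClean’s or Comodo’s code: it looks for the copy, hashes it in chunks, and builds a VirusTotal lookup URL so the sample can be checked by hash without re-uploading it. The candidate paths, the PE-header check and the `looks_like_pe` name are this example’s own assumptions; whether BOClean alters the captured file when it "disconnects" it is not stated anywhere in the thread, which is exactly why the header check is included: if the copy no longer starts with `MZ`, its hashes will not match the original executable’s and a hash search will come back empty even for a known file.

```python
"""Locate BOClean's evidence copy and fingerprint it for a VirusTotal hash lookup.

Added example, not BOClean code. Assumptions: the evidence copy is named
evidence.boc and lives in My Documents (as the support documentation says)
unless the report location was changed; the candidate paths below are guesses
and can be overridden by passing your own list.
"""
import hashlib
import os

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so a large capture is never read whole


def default_candidates():
    # Assumed default locations; BOClean lets the user pick another directory.
    home = os.path.expanduser("~")
    return [
        os.path.join(home, "My Documents", "evidence.boc"),  # XP-era profile layout
        os.path.join(home, "Documents", "evidence.boc"),     # later Windows layout
    ]


def find_evidence(candidates=None):
    """Return the first existing candidate path, or None if no copy is found."""
    for path in candidates or default_candidates():
        if os.path.isfile(path):
            return path
    return None


def fingerprint_chunks(chunks):
    """Hash an iterable of byte chunks; returns size, digests and a PE-header flag."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size, head = 0, b""
    for chunk in chunks:
        if size == 0:
            head = chunk[:2]  # first two bytes decide the MZ check below
        size += len(chunk)
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
    return {
        "size": size,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
        # A Windows executable starts with 'MZ'. If the evidence copy does not,
        # its hashes will not match the original STSYSRA.EXE and a hash lookup
        # cannot be expected to find prior submissions of that file.
        "looks_like_pe": head == b"MZ",
    }


def fingerprint_bytes(data):
    return fingerprint_chunks([data])


def fingerprint(path):
    with open(path, "rb") as f:
        result = fingerprint_chunks(iter(lambda: f.read(CHUNK_SIZE), b""))
    result["path"] = path
    return result


def vt_lookup_url(sha256):
    """VirusTotal's web UI addresses a file report by its SHA-256."""
    return "https://www.virustotal.com/gui/file/" + sha256


if __name__ == "__main__":
    found = find_evidence()
    if found is None:
        print("no evidence.boc found in the assumed locations; pass your own path list")
    else:
        fp = fingerprint(found)
        for key in ("path", "size", "md5", "sha1", "sha256", "looks_like_pe"):
            print(f"{key}: {fp[key]}")
        print("lookup:", vt_lookup_url(fp["sha256"]))
```

Searching VirusTotal by hash tells you whether anyone has already submitted that exact file, which is cheaper than uploading and avoids handing over a file you are not sure about. If `looks_like_pe` is false, upload the copy anyway and say in the submission that it came from BOClean’s evidence feature, so the analyst knows it may not be byte-identical to the original.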

Thanks cat.
DOH!
If I’d just RTFM then life might be a bit simpler.

BTW I’ve emailed a copy of the file to
malwaresubmit [at] avlab.comodo.com and run it past virus total.

It comes out clean there.

cheers Paddy

Good deal, might be one of those FP’s.
Kevin would have to weigh in on why it’s detected.

Yes indeed. Just got an email confirming it is a FP, and has been fixed in the latest update.

Cheers Paddy

Thank you for your help paddybythesea!
I’ll mark this as resolved and lock it up.
IM a Mod if you need it re-opened.