Quaranteed and blocked file
WSA just quaranteed and blocked the file "9gsgsgyu.exe.part" on the last scan. How can I determine if this is an actual threat or a false positive, so I can delete it or restore it? I tried to Google it, but nothing was displayed. Also does anyone know what it is? :8
Hello JDMoose!
The only way to determine if it is a False Postitive is to submit a Trouble Ticket and let Webroot Support take a look at things.
What classification did Webroot give to the file, as in just what malware name did it show when it blocked it? You can find this a few different ways but the easiest might be to simpy:
Open WSA
Click on the 'gear tool' next to Utilities
Click on the Reports tab
Click the Save Threat Log button
Open and read the log.
The detection should be logged here. What description does it have to say for it?
The only way to determine if it is a False Postitive is to submit a Trouble Ticket and let Webroot Support take a look at things.
What classification did Webroot give to the file, as in just what malware name did it show when it blocked it? You can find this a few different ways but the easiest might be to simpy:
Open WSA
Click on the 'gear tool' next to Utilities
Click on the Reports tab
Click the Save Threat Log button
Open and read the log.
The detection should be logged here. What description does it have to say for it?
It doesn't give a description in the threat log other than the file was located in the temp folder as shown below.
Starting Routine> Removing c:usersXXXXappdatalocal emp9gsgsgyu.exe.part...#(PX5: E390A8DF00EDEF8D00CA06D89E7FD60005BFEDC4 - MD5: 8B62AEAF62C820594354FB12ECAC1B50)...
Deleting File> c:usersXXXXappdatalocal emp9gsgsgyu.exe.part
Starting Routine> Removing c:usersXXXXappdatalocal emp9gsgsgyu.exe.part...#(PX5: E390A8DF00EDEF8D00CA06D89E7FD60005BFEDC4 - MD5: 8B62AEAF62C820594354FB12ECAC1B50)...
Deleting File> c:usersXXXXappdatalocal emp9gsgsgyu.exe.part
+56I checked the MD5 Hash "MD5: 8B62AEAF62C820594354FB12ECAC1B50" and nothing shows up so it's best to Submit a Support Ticket and the threat researchers will let you know either way!
Thanks,
Daniel 😉
Thanks,
Daniel 😉
Thanks for checking it out for me. I'll submit the support ticket. I think it was interesting that it didn't come up on Google. Also both of my PC's have it. I am assumming it came from an email since I have my laptop set to leave a copy of emails on the server. 😃
So it's a Trojan? I'm assuming the Webroot Cloud where I found it is on my Webroot Web Console under Scan Information in the PC Security tab? So I can go ahead and delete it then.
Thanks for the info.
Thanks for the info.
+56Unless you want to wait for a reply from Support? Is that what it said on your console Trojan? As this tells me 9gsgsgyu.exe.part that you or someone tried to download a file and WSA intercepted it before it could complete the download and left the part in the Temp Folder in Appdata and deleted it! Deleting File> c:usersXXXXappdatalocal emp9gsgsgyu.exe.part
Thanks,
Daniel 😉
Thanks,
Daniel 😉
That is actually the first time I had encountered a detection with .part COOL. I still learn something new every day...
Thanks TH!
Thanks TH!
I think it's best to wait for a reply from the threat research team of Webroot before deleting the file.
This is the response I received from support. I did delete it from my laptop and so far I am having no issues. I am curious as to what the file is associated with. I did update Adobe Flash yesterday.
"Thank you for submitting your report. We have examined the logs from your system and found that the detected items were the result of a false positive, and are not a threat. We have updated our security definitions to address this."
"Thank you for submitting your report. We have examined the logs from your system and found that the detected items were the result of a false positive, and are not a threat. We have updated our security definitions to address this."
Hi JD
From my research it would seem that .part is a suffix added to a filename by Firefox's default download manager, and therefore it would apepar that the fact that it's all you see means Firefox isn't properly compiling the file after the download completes. Were you using Firefox by any chance, in relation to this issue?
Regards
Baldrick
From my research it would seem that .part is a suffix added to a filename by Firefox's default download manager, and therefore it would apepar that the fact that it's all you see means Firefox isn't properly compiling the file after the download completes. Were you using Firefox by any chance, in relation to this issue?
Regards
Baldrick
+56Thanks for the info you have to watch when downloading Flash and make sure you get it from there site also even on there site they add PUA's so be on the watch when installing and check any unwanted add-ons please see here: https://community.webroot.com/t5/Security-Industry-News/Adobe-Flash-Player-14-0-0-125-amp-Adobe-AIR-14-0-0-110/td-p/115306
Cheers,
Daniel 😉
Cheers,
Daniel 😉
+56Please see here@ wrote:
Hi JD
From my research it would seem that .part is a suffix added to a filename by Firefox's default download manager, and therefore it would apepar that the fact that it's all you see means Firefox isn't properly compiling the file after the download completes. Were you using Firefox by any chance, in relation to this issue?
Regards
Baldrick
Thanks,
Daniel 😉
+56@DavidP1970 wrote:Yes I see many of them in my travels and I will leave it at that! LOL
That is actually the first time I had encountered a detection with .part COOL. I still learn something new every day...
Thanks TH!
Daniel 😃
Like I said... I learn something new every day, and that is what I love about the Community. I know a lot, much of it from right here, but I have a lot left to learn and I will NEVER know it all.
Thanks again Daniel!
:)
Thanks again Daniel!
:)
Hi Daniel
Thanks for pointing that out...don't know how I missed your post...doh. Interestingly even though I use FF I have not really come across a malformed download that would generate this...must be lucky I guess. Have seen an equivalent in Chrome, with of course a completely different naming convention.
Regards
Baldrick
Thanks for pointing that out...don't know how I missed your post...doh. Interestingly even though I use FF I have not really come across a malformed download that would generate this...must be lucky I guess. Have seen an equivalent in Chrome, with of course a completely different naming convention.
Regards
Baldrick
Webroot SecureAnywhere Complete Beta Tester v9.0.24.49, imaged by Macrium Reflect v7.2
+56And FF is my main Browser also!@ wrote:
Hi Daniel
Thanks for pointing that out...don't know how I missed your post...doh. Interestingly even though I use FF I have not really come across a malformed download that would generate this...must be lucky I guess. Have seen an equivalent in Chrome, with of course a completely different naming convention.
Regards
Baldrick
Daniel
Ah ha...used to be mine but now I mainly use Chrome, for work re. the Community as a lot of members use it, and Maxthon for more general run of the mill interwebbing...;)
Baldrick
Baldrick
As a matter of fact, I was using Firefox, especially since it is my main browser. On my Win7 laptop I had to delete the download and download it a second time. I had no problem with my main XP computer, even though WSA found and quaranteed the file on both PC's. Since it was located in the Temp folder, I did delete it on my laptop, but left it quaranteed on the main PC, until I find out if I caused any issues by deleting it to begin with. I also updated FF to ver 30.0. My cloud log does show it as a Trojan.
I really appreciate all the help and info I have been receiving from everyone. :D
I really appreciate all the help and info I have been receiving from everyone. :D
@ wrote:
Hi JD
From my research it would seem that .part is a suffix added to a filename by Firefox's default download manager, and therefore it would apepar that the fact that it's all you see means Firefox isn't properly compiling the file after the download completes. Were you using Firefox by any chance, in relation to this issue?
Regards
Baldrick
+56I can confirm but that's all I can say!
Sun 15-06-2014 18:19:00.0225 Infection detected: c:usersdanielappdatalocal empsfaff5q4.exe.part [MD5: B4361D118DA4875AD9C04E91DCEB79B7] [3/00080001] [Pua.Gen]
Sun 15-06-2014 18:19:00.0225 Infection found in realtime: c:usersdanielappdatalocal empsfaff5q4.exe.part [MD5: B4361D118DA4875AD9C04E91DCEB79B7, Size: 348708 bytes] [524289/00000003] [Pua.Gen]
HTH,
Daniel 😉
Sun 15-06-2014 18:19:00.0225 Infection detected: c:usersdanielappdatalocal empsfaff5q4.exe.part [MD5: B4361D118DA4875AD9C04E91DCEB79B7] [3/00080001] [Pua.Gen]
Sun 15-06-2014 18:19:00.0225 Infection found in realtime: c:usersdanielappdatalocal empsfaff5q4.exe.part [MD5: B4361D118DA4875AD9C04E91DCEB79B7, Size: 348708 bytes] [524289/00000003] [Pua.Gen]
HTH,
Daniel 😉
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.