Quarantined and blocked file


Userlevel 3
WSA just quarantined and blocked the file "9gsgsgyu.exe.part" on the last scan. How can I determine if this is an actual threat or a false positive, so I can delete it or restore it? I tried to Google it, but nothing was displayed. Also, does anyone know what it is? :8

20 replies

Userlevel 7
Hello JDMoose!
 
The only way to determine if it is a False Positive is to submit a Trouble Ticket and let Webroot Support take a look at things.
 
What classification did Webroot give to the file, as in just what malware name did it show when it blocked it? You can find this a few different ways, but the easiest might be to simply:
 
Open WSA
Click on the 'gear tool' next to Utilities
Click on the Reports tab
Click the Save Threat Log button
 
Open and read the log.
 
The detection should be logged here. What description does it give for it?
 
 
Userlevel 3
It doesn't give a description in the threat log other than that the file was located in the temp folder, as shown below.
 
Starting Routine> Removing c:\users\XXXX\appdata\local\temp\9gsgsgyu.exe.part...#(PX5: E390A8DF00EDEF8D00CA06D89E7FD60005BFEDC4 - MD5: 8B62AEAF62C820594354FB12ECAC1B50)...
Deleting File> c:\users\XXXX\appdata\local\temp\9gsgsgyu.exe.part
Userlevel 7
Badge +56
I checked the MD5 hash "MD5: 8B62AEAF62C820594354FB12ECAC1B50" and nothing shows up, so it's best to submit a Support Ticket and the threat researchers will let you know either way!
 
Thanks,
 
Daniel 😉
Userlevel 3
Thanks for checking it out for me. I'll submit the support ticket. I think it was interesting that it didn't come up on Google. Also, both of my PCs have it. I am assuming it came from an email, since I have my laptop set to leave a copy of emails on the server. 😃
Userlevel 7
Badge +56
It didn't even show on VT! But the Webroot Cloud Database does!
 
Daniel ;)
 

Userlevel 3
So it's a Trojan? I'm assuming the Webroot Cloud where I found it is on my Webroot Web Console under Scan Information in the PC Security tab? So I can go ahead and delete it then.
 
Thanks for the info.
Userlevel 7
Badge +56
Unless you want to wait for a reply from Support? Is that what it said on your console, Trojan? As this tells me that you or someone tried to download a file (9gsgsgyu.exe.part) and WSA intercepted it before it could complete the download, left the part in the Temp folder in AppData, and deleted it! Deleting File> c:\users\XXXX\appdata\local\temp\9gsgsgyu.exe.part
 

Thanks,
 
Daniel 😉
Userlevel 7
That is actually the first time I had encountered a detection with .part. COOL. I still learn something new every day...
 
Thanks TH!
Userlevel 7
I think it's best to wait for a reply from the threat research team of Webroot before deleting the file.
Userlevel 3
This is the response I received from support. I did delete it from my laptop and so far I am having no issues. I am curious as to what the file is associated with. I did update Adobe Flash yesterday.
 
"Thank you for submitting your report. We have examined the logs from your system and found that the detected items were the result of a false positive, and are not a threat. We have updated our security definitions to address this."
Userlevel 7
Hi JD
 
From my research it would seem that .part is a suffix added to a filename by Firefox's default download manager, and therefore it would appear that the fact that it's all you see means Firefox isn't properly compiling the file after the download completes. Were you using Firefox by any chance, in relation to this issue?
 
Regards
 
 
Baldrick
Userlevel 7
Badge +56
Thanks for the info. You have to watch out when downloading Flash and make sure you get it from their site; also, even on their site they add PUAs, so be on the watch when installing and check for any unwanted add-ons. Please see here: https://community.webroot.com/t5/Security-Industry-News/Adobe-Flash-Player-14-0-0-125-amp-Adobe-AIR-14-0-0-110/td-p/115306
 
Cheers,
 
Daniel 😉
Userlevel 7
Badge +56
@ wrote:
Hi JD
 
From my research it would seem that .part is a suffix added to a filename by Firefox's default download manager, and therefore it would appear that the fact that it's all you see means Firefox isn't properly compiling the file after the download completes. Were you using Firefox by any chance, in relation to this issue?
 
Regards
 
 
Baldrick
Please see here @ https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/Quaranteed-and-blocked-file/m-p/116918#M7304
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +56
@DavidP1970 wrote:
That is actually the first time I had encountered a detection with .part. COOL. I still learn something new every day...
 
Thanks TH!
Yes I see many of them in my travels and I will leave it at that! LOL
 
Daniel 😃
Userlevel 7
Like I said... I learn something new every day, and that is what I love about the Community. I know a lot, much of it from right here, but I have a lot left to learn and I will NEVER know it all.
 
Thanks again Daniel!
 
 :)
Userlevel 7
Hi Daniel
 
Thanks for pointing that out... don't know how I missed your post... doh. Interestingly, even though I use FF I have not really come across a malformed download that would generate this... must be lucky I guess. Have seen an equivalent in Chrome, with of course a completely different naming convention.
 
Regards
 
 
Baldrick
Userlevel 7
Badge +56
@ wrote:
Hi Daniel
 
Thanks for pointing that out... don't know how I missed your post... doh. Interestingly, even though I use FF I have not really come across a malformed download that would generate this... must be lucky I guess. Have seen an equivalent in Chrome, with of course a completely different naming convention.
 
Regards
 
 
Baldrick
And FF is my main Browser also!
 
Daniel
Userlevel 7
Ah ha... used to be mine, but now I mainly use Chrome for work re. the Community, as a lot of members use it, and Maxthon for more general run-of-the-mill interwebbing... ;)
 
Baldrick
Userlevel 3
As a matter of fact, I was using Firefox, especially since it is my main browser. On my Win7 laptop I had to delete the download and download it a second time. I had no problem with my main XP computer, even though WSA found and quarantined the file on both PCs. Since it was located in the Temp folder, I did delete it on my laptop, but left it quarantined on the main PC until I find out if I caused any issues by deleting it to begin with. I also updated FF to ver 30.0. My cloud log does show it as a Trojan.
 
I really appreciate all the help and info I have been receiving from everyone. :D

@ wrote:
Hi JD
 
From my research it would seem that .part is a suffix added to a filename by Firefox's default download manager, and therefore it would appear that the fact that it's all you see means Firefox isn't properly compiling the file after the download completes. Were you using Firefox by any chance, in relation to this issue?
 
Regards
 
 
Baldrick
 
Userlevel 7
Badge +56
I can confirm, but that's all I can say!
 
Sun 15-06-2014 18:19:00.0225    Infection detected: c:\users\daniel\appdata\local\temp\sfaff5q4.exe.part [MD5: B4361D118DA4875AD9C04E91DCEB79B7] [3/00080001] [Pua.Gen]
Sun 15-06-2014 18:19:00.0225    Infection found in realtime: c:\users\daniel\appdata\local\temp\sfaff5q4.exe.part [MD5: B4361D118DA4875AD9C04E91DCEB79B7, Size: 348708 bytes] [524289/00000003] [Pua.Gen]
 
HTH,
 
Daniel 😉
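The thread shows two shapes of WSA threat-log line (the "Starting Routine> Removing ... #(PX5: ... - MD5: ...)" lines from the saved Threat Log, and the timestamped "Infection detected / found in realtime" lines with a size and a classification such as Pua.Gen). The following script is an added example, not Webroot's code or anything from the posters: it pulls the path, hashes, size and classification out of such lines so you have something concrete to paste into a support ticket or a hash lookup, and flags the two points raised above (a .part file is an incomplete Firefox download, so its hash is of a truncated file; a Pua.Gen label is a PUA verdict, not a trojan). The regular expressions are inferred from the excerpts on this page, not from a documented log grammar, and the sample lines are the ones quoted in the thread with the backslashes that the forum stripped restored.

```python
"""Parse Webroot SecureAnywhere (WSA) threat-log lines for triage.

Added example; not Webroot's code. The two line formats handled here are
taken from log excerpts posted in the thread. The regexes are an inferred
assumption about the format, not an official specification.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sample lines copied from the thread (not constructed), backslashes restored.
SAMPLE_LOG = r"""
Starting Routine> Removing c:\users\XXXX\appdata\local\temp\9gsgsgyu.exe.part...#(PX5: E390A8DF00EDEF8D00CA06D89E7FD60005BFEDC4 - MD5: 8B62AEAF62C820594354FB12ECAC1B50)...
Deleting File> c:\users\XXXX\appdata\local\temp\9gsgsgyu.exe.part
Sun 15-06-2014 18:19:00.0225    Infection detected: c:\users\daniel\appdata\local\temp\sfaff5q4.exe.part [MD5: B4361D118DA4875AD9C04E91DCEB79B7] [3/00080001] [Pua.Gen]
Sun 15-06-2014 18:19:00.0225    Infection found in realtime: c:\users\daniel\appdata\local\temp\sfaff5q4.exe.part [MD5: B4361D118DA4875AD9C04E91DCEB79B7, Size: 348708 bytes] [524289/00000003] [Pua.Gen]
"""


@dataclass
class Detection:
    path: str
    md5: str
    px5: Optional[str] = None          # Webroot's own 40-hex identifier, as logged
    size: Optional[int] = None         # bytes, only present on realtime lines
    classification: Optional[str] = None


# "Removing <path>...#(PX5: <40 hex> - MD5: <32 hex>)..."  (assumed format)
REMOVE_RE = re.compile(
    r"Removing (?P<path>.+?)\.\.\.#\(PX5: (?P<px5>[0-9A-Fa-f]{40}) - MD5: (?P<md5>[0-9A-Fa-f]{32})\)"
)
# "Infection detected|found in realtime: <path> [MD5: <32 hex>(, Size: N bytes)?] [...] [Class]"
INFECT_RE = re.compile(
    r"Infection (?:detected|found in realtime): (?P<path>.+?) "
    r"\[MD5: (?P<md5>[0-9A-Fa-f]{32})(?:, Size: (?P<size>\d+) bytes)?\] "
    r"\[[^\]]*\] \[(?P<cls>[^\]]+)\]"
)


def parse_threat_log(text: str) -> dict[str, Detection]:
    """Group log lines by MD5 so a file that appears on several lines
    (realtime detection, then removal) is reported once with merged fields."""
    by_md5: dict[str, Detection] = {}
    for line in text.splitlines():
        m = REMOVE_RE.search(line) or INFECT_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        md5 = g["md5"].upper()
        det = by_md5.setdefault(md5, Detection(path=g["path"], md5=md5))
        det.px5 = g.get("px5") or det.px5
        if g.get("size"):
            det.size = int(g["size"])
        if g.get("cls"):
            det.classification = g["cls"]
    return by_md5


def triage(det: Detection) -> list[str]:
    """Heuristic notes drawn from the points made in the thread."""
    notes = []
    name = det.path.rsplit("\\", 1)[-1].lower()
    if name.endswith(".part"):
        notes.append("incomplete download (Firefox keeps a .part file until the transfer "
                     "finishes); the hash is of a truncated file, so hash lookups may find nothing")
    if "\\temp\\" in det.path.lower():
        notes.append("sits in a temp directory; transient, safe to leave quarantined")
    if det.classification and det.classification.lower().startswith("pua"):
        notes.append("PUA classification, not a trojan; check the installer for bundled add-ons")
    return notes


def lookup_url(det: Detection) -> str:
    """VirusTotal search URL for the MD5 (no network call is made here)."""
    return f"https://www.virustotal.com/gui/search/{det.md5.lower()}"


if __name__ == "__main__":
    for md5, det in parse_threat_log(SAMPLE_LOG).items():
        print(f"{det.path}\n  MD5 {md5}  PX5 {det.px5}  size {det.size}  class {det.classification}")
        print(f"  lookup: {lookup_url(det)}")
        for note in triage(det):
            print(f"  - {note}")
```

Run it against a Threat Log saved from WSA (gear icon next to Utilities, Reports tab, Save Threat Log) by reading that file instead of SAMPLE_LOG. Keep in mind that a hash of a .part file identifies only the bytes that had arrived when the download was cut off, which is one reason a search for it can come back empty even when the completed file is well known.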