Author Topic: microsoft office access

angel8008

  • Guest
microsoft office access
« on: November 18, 2007, 09:16:13 AM »
Why Microsoft Office?
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Program Files\Microsoft Office\Office12\ACCICONS.EXE" file. 

Leo52

  • Guest
Re: microsoft office access
« Reply #1 on: November 18, 2007, 09:46:14 AM »
I am having exactly the same problem. In addition msaccess.exe (Office 2007) is supposedly infected! This is not possible, since I reinstalled Access 2007 and avast still comes up with this erroneous infection message!

Regards
Leo

ptumelty

  • Guest
Re: microsoft office access
« Reply #2 on: November 18, 2007, 10:20:01 AM »
Hi,

I'm having exactly the same problems too. In accicons.exe, 3d2ae.msi, ultimaterWW.msi and msaccess.exe. Is this a bug in the virus definitions that is causing false positives to be issued? I've checked the task list and my machine doesn't appear to be showing symptoms of any keyloggers running. Any advice?

Paul.
« Last Edit: November 18, 2007, 10:59:49 AM by ptumelty »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: microsoft office access
« Reply #3 on: November 18, 2007, 10:28:56 AM »
It may be a fp. I suggest you send a sample to virus at avast dot com. It needs to be a password-protected zip to send by email. Or you can move it to the user's section of the chest and send from there, no need to password protect it. The file will still remain in its original location.

If you are sure it's a false positive, add it to the exclusion list for on access scanning. Left click the "a" icon, click on standard shield, customize button and advanced tab.

ptumelty

  • Guest
Re: microsoft office access
« Reply #4 on: November 18, 2007, 10:56:01 AM »
Thanks for the reply. Just checked with VirusTotal.com.

Nothing else seems to be picking it up. Also, I've checked the MD5 with a genuine msaccess.exe md5 and they match perfectly. If there was a virus attached to this .exe then wouldn't this be different?

The other file accicons.exe and the randomly named .msi check out also and only report as being infected through avast.

Do you think I can just ignore this and wait for an official response?

Will forward a file on to avast for analysis.

Paul.

File MSACCESS.EX received on 11.18.2007 10:44:25 (CET)

Result: 1/32 (3.13%)

Result:
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 -
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.18 Win32:Ardamax-EL
AVG 7.5.0.503 2007.11.17 -
BitDefender 7.2 2007.11.18 -
CAT-QuickHeal 9.00 2007.11.17 -
ClamAV 0.91.2 2007.11.18 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.2.5304 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.18 -
Fortinet 3.11.0.0 2007.11.18 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.17 -
Ikarus T3.1.1.12 2007.11.18 -
Kaspersky 7.0.0.125 2007.11.18 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.18 -
NOD32v2 2665 2007.11.17 -
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 -
Prevx1 V2 2007.11.18 -
Rising 20.18.61.00 2007.11.18 -
Sophos 4.23.0 2007.11.18 -
Sunbelt 2.2.907.0 2007.11.17 -
Symantec 10 2007.11.18 -
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 -
« Last Edit: November 18, 2007, 10:59:02 AM by ptumelty »

ptumelty

  • Guest
Re: microsoft office access
« Reply #5 on: November 18, 2007, 11:00:17 AM »
Tried to send a sample to avast but file is too large!

Any other ideas?

Paul.

TimoX

  • Guest
Re: microsoft office access
« Reply #6 on: November 18, 2007, 11:57:51 AM »
Same Trojan reported, in similar files.

accicons.exe from c:\Windows\Installer\{90120000-0030-....
ACCICONS.EXE from C:\Program Files\Microsoft Office\Office 12
EnterpriseWW.msi from C:\Windows\Installer\{90120000-0030-....
MCACCESS.EXE from C:\Program Files\Microsoft Office\Office 12

And just like everyone else, I too found out they're too large to send in for analysis.

--

(I always knew Micro$oft used keyloggers. Just didn't think they used the ones made for script kiddies.. ;P)

ptumelty

  • Guest
Re: microsoft office access
« Reply #7 on: November 18, 2007, 12:01:48 PM »
:) Just checked the files out on SuperAntiSpyware and they come back as clean. I am 99.9% sure that this is a false positive ;D

It would be nice to get some official word from Avast just to be sure though. Regarding the file size, there is an option in the settings that I found that allows you to set the max upload size. I changed this and was able to send the file, although I'm not sure how quickly they will get back to me.

Paul.

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: microsoft office access
« Reply #8 on: November 18, 2007, 01:04:43 PM »
We'll check this detection and correct the FP ;)

ptumelty

  • Guest
Re: microsoft office access
« Reply #9 on: November 18, 2007, 02:32:13 PM »
Hi, just done an update and this seems to have done the trick. I'm assuming that this was tested and found to be a FP and that the definitions have not just been set to ignore! :)

drewgray

  • Guest
Re: microsoft office access
« Reply #10 on: November 18, 2007, 04:58:55 PM »
I've had the same problem all day folks. Avast auto-updated, told me msaccess was an Ardamax-EL trojan, I reinstalled office, scanned it again and it was still a Trojan, but scanned it with every other piece of software I could find and they all said it was fine.  Then Avast auto-updated again, which it doesn't normally do so often, and now it doesn't say it's a virus anymore.  Seems like avast realised they had made an error in their definitions and corrected it pronto.  Still it's wasted most of my Sunday. >:(  Although I can't really complain about a great free service and they must have to work at speed to get the updates out in time.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: microsoft office access
« Reply #11 on: November 18, 2007, 05:35:57 PM »
The key is to do what you have now done, check the forums first before embarking on a lengthy task.

Confirm the detection if it is on a previously installed component that wasn't detected before, use VirusTotal - Multi engine on-line virus scanner to confirm. You can't do this with the file in the chest, you will need to move it out (export) to a temporary location.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Hoba

  • Guest
Re: microsoft office access
« Reply #12 on: November 18, 2007, 09:27:57 PM »
Hi!

I had the same kind of problem too.
My computer was very slow and I decided to check it with Avast.
I was shocked when I discovered that I have a few trojans in my computer (same trojan).
One was in the Windows/Install folder and the other was in Office 2007.
I deleted all the problems that I could.
Can anyone tell me what kind of files are located in the Windows/Install folder?
Did I delete an important file?
Is it also possible that Avast causes my computer to slow down?
I have Windows Vista and Zone Alarm -firewall.

(Sorry my awful English! :D)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: microsoft office access
« Reply #13 on: November 18, 2007, 09:47:08 PM »
Your English is fine.

I don't know what might be in your Windows\Install folder; it could vary from system to system. On my system I have Windows\Installer and I have mainly ActiveX Control Folders and a lot of .msi (MicroSoftInstallation file Type Windows Installer Package).

It is not unknown for malware to place files in unlikely and/or system folders to confuse users into thinking they are important files.

Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

What is the malware name, the infected file name, where was it found e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

There is by all accounts a bug in Zone Alarm that when run in Vista it slows internet and local network access. This isn't just affecting users with avast but is possibly more noticeable because the Web Shield monitors HTTP traffic. Currently there is no ZA solution and nothing that avast can do to get round the problem as far as I'm aware. Some have suggested trying another firewall, though there aren't that many Vista compatible firewalls available, especially when it comes to free ones.

Hoba

  • Guest
Re: microsoft office access
« Reply #14 on: November 18, 2007, 10:00:48 PM »
Sign of "Win32:Ardamax-EL [trj]" has been found in "C:\Windows\Installer\346513.msi\Icon.accicons.exe" file. 
Sign of "Win32:Ardamax-EL [trj]" has been found in "C:\Windows\Installer\346513.msi" file. 
Sign of "Win32:Ardamax-EL [trj]" has been found in "C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe" file. 
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Folder's name\Office\MS Office 2007.iso\OFFICE~0\ENTERP~0.WW\ENTERP~0.MSI\Icon.accicons.exe" file. 
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Folder's name\Office\MS Office 2007.iso\OFFICE~0\ENTERP~0.WW\ENTERP~0.MSI" file. 
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Folder's name\Office\MS Office 2007.iso\OFFICE~0\ENTERP~0.WW\ENTERWW.CAB\MSACCESS.EXE" file. 
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Folder's name\Office\MS Office 2007.iso\OFFICE~0\ENTERP~0.WW\ENTERWW.CAB\ACCICONS.EXE" file. 
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Folder's name\Office\MS Office 2007.iso" file. 
Sign of "Win32:Ardamax-EL [trj]" has been found in "C:\Windows\Installer\346513.msi\Icon.accicons.exe" file.

I have scanned at least Office once before with Avast's Quick Scan.
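
Added example (not part of any poster's message and not Avast code): a short Python triage of the detection lines quoted in Reply #14, collapsing hits on containers (.iso, .msi, .cab) into the files nested inside them so the distinct binaries to hash and submit stand out. The container extension list and the reading of the `Icon.` prefix as an embedded copy of the same file are assumptions.

```python
import re
from collections import defaultdict

# Detection lines in the format shown in Reply #14 (paths as posted there).
SAMPLE_LOG = r'''
Sign of "Win32:Ardamax-EL [trj]" has been found in "C:\Windows\Installer\346513.msi\Icon.accicons.exe" file.
Sign of "Win32:Ardamax-EL [trj]" has been found in "C:\Windows\Installer\346513.msi" file.
Sign of "Win32:Ardamax-EL [trj]" has been found in "C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe" file.
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Folder's name\Office\MS Office 2007.iso\OFFICE~0\ENTERP~0.WW\ENTERP~0.MSI\Icon.accicons.exe" file.
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Folder's name\Office\MS Office 2007.iso\OFFICE~0\ENTERP~0.WW\ENTERP~0.MSI" file.
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Folder's name\Office\MS Office 2007.iso\OFFICE~0\ENTERP~0.WW\ENTERWW.CAB\MSACCESS.EXE" file.
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Folder's name\Office\MS Office 2007.iso\OFFICE~0\ENTERP~0.WW\ENTERWW.CAB\ACCICONS.EXE" file.
Sign of "Win32:Ardamax-EL [trj]" has been found in "D:\Folder's name\Office\MS Office 2007.iso" file.
Sign of "Win32:Ardamax-EL [trj]" has been found in "C:\Windows\Installer\346513.msi\Icon.accicons.exe" file.
'''

LINE_RE = re.compile(
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')
# Assumption: these extensions are containers the scanner unpacks.
CONTAINER_EXT = (".iso", ".msi", ".cab")


def parse(log):
    """Return unique (signature, path) pairs in first-seen order."""
    return list(dict.fromkeys(
        (m["sig"], m["path"]) for m in LINE_RE.finditer(log)))


def triage(log):
    """Group detections by leaf file name, skipping container hits that
    only repeat a detection on a file nested inside that container."""
    hits = parse(log)
    lowered = [p.lower() for _, p in hits]
    groups = defaultdict(list)
    for sig, path in hits:
        low = path.lower()
        if low.endswith(CONTAINER_EXT) and any(
                other.startswith(low + "\\") for other in lowered):
            continue  # the nested file is reported on its own line
        leaf = low.rsplit("\\", 1)[-1]
        if leaf.startswith("icon."):  # assumption: embedded copy in the MSI
            leaf = leaf[len("icon."):]
        groups[(sig, leaf)].append(path)
    return dict(groups)


if __name__ == "__main__":
    for (sig, leaf), paths in triage(SAMPLE_LOG).items():
        print(f"{sig}  {leaf}: {len(paths)} location(s)")
```

On these lines the nine reports reduce to two binaries, accicons.exe (four locations) and msaccess.exe (one), which are the files worth hashing, checking on a multi-engine scanner and submitting as a suspected false positive.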