Author Topic: Win32:Neptunia-NM [Trj] 、Win32:Trojan-gen {Other}  (Read 9951 times)

avast1.cn

  • Guest
Win32:Neptunia-NM [Trj] 、Win32:Trojan-gen {Other}
« on: March 17, 2008, 06:12:20 PM »
Sign of "Win32:Neptunia-NM [trj]" has been found in "C:\Program Files\Tencent\QQ\ausdl.dll" file. 
Sign of "Win32:Neptunia-NM [trj]" has been found in "C:\Program Files\Tencent\QQ\P2PFile\vqqsdl.dll" file. 
Sign of "Win32:Neptunia-NM [trj]" has been found in "C:\Program Files\Tencent\QQ\QQPet\ausdl.dll" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Tencent\QQ\QQZoneHelper.dll" file. 
Sign of "Win32:Neptunia-NM [trj]" has been found in "C:\Program Files\Tencent\QQ\QzoneSupport.exe" file. 
Sign of "Win32:Neptunia-NM [trj]" has been found in "C:\Program Files\Tencent\QQ\VQQPlayer.ocx" file. 
Sign of "Win32:Neptunia-NM [trj]" has been found in "C:\Program Files\Tencent\QQ\vqqsdl.dll" file.

When the VPS updated to '16.3.2008 - 80316-0', I got these viruses! Is it an error report?
Very many friends have met the same question as me, because many people use QQ in China. The error possibly causes so many people to unload avast. What should we do?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Win32:Neptunia-NM [Trj] 、Win32:Trojan-gen {Other}
« Reply #1 on: March 17, 2008, 06:32:44 PM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

If it is indeed a false positive, add it to the exclusions lists: Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions. Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if you haven't already sent it to the chest) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

avast1.cn

  • Guest
Re: Win32:Neptunia-NM [Trj] 、Win32:Trojan-gen {Other}
« Reply #2 on: March 17, 2008, 06:53:30 PM »
Antivirus engine   Version   Last update   Scan result
AhnLab-V3   2008.3.18.0   2008.03.17   -
AntiVir   7.6.0.73   2008.03.17   ADSPY/QQHelper
Authentium   4.93.8   2008.03.14   -
Avast   4.7.1098.0   2008.03.17   Win32:Neptunia-NM
AVG   7.5.0.516   2008.03.17   -
BitDefender   7.2   2008.03.17   -
CAT-QuickHeal   9.50   2008.03.14   -
ClamAV   0.92.1   2008.03.17   -
DrWeb   4.44.0.09170   2008.03.17   Adware.QQHelp
eSafe   7.0.15.0   2008.03.09   -
eTrust-Vet   31.3.5621   2008.03.17   -
Ewido   4.0   2008.03.17   -
F-Prot   4.4.2.54   2008.03.16   -
F-Secure   6.70.13260.0   2008.03.17   W32/Smallworm.AUP
FileAdvisor   1   2008.03.17   -
Fortinet   3.14.0.0   2008.03.17   Adware/QQHelp
Ikarus   T3.1.1.20   2008.03.17   Virus.Win32.Neptunia.NM
Kaspersky   7.0.0.125   2008.03.17   -
McAfee   5253   2008.03.17   -
Microsoft   1.3301   2008.03.16   -
NOD32v2   2953   2008.03.17   -
Norman   5.80.02   2008.03.17   -
Panda   9.0.0.4   2008.03.16   -
Prevx1   V2   2008.03.17   Generic.Malware
Rising   20.36.02.00   2008.03.17   -
Sophos   4.27.0   2008.03.17   -
Sunbelt   3.0.963.0   2008.03.14   -
Symantec   10   2008.03.17   -
TheHacker   6.2.92.247   2008.03.15   -
VBA32   3.12.6.2   2008.03.16   -
VirusBuster   4.3.26:9   2008.03.17   Worm.Ice.A
Webwasher-Gateway   6.6.2   2008.03.17   Ad-Spyware.QQHelper

Additional information
File size: 552306 bytes
MD5: 82f49876a140b3cf454060e85bac0826
SHA1: 12f222f1bc03e0c732b3c3b88ab3cc069d532fe4
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4C6EC3BB9053B5A0C1090965B46DF2002BE26939

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Win32:Neptunia-NM [Trj] 、Win32:Trojan-gen {Other}
« Reply #3 on: March 17, 2008, 07:24:00 PM »
Hi avast1.cn,

Read here: http://forum.avast.com/index.php?topic=33906.0

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

avast1.cn

  • Guest
Re: Win32:Neptunia-NM [Trj] 、Win32:Trojan-gen {Other}
« Reply #4 on: March 17, 2008, 07:38:43 PM »
I have sent a file QQ_virus.rar to virus@avast.com!

So is this a false positive or not? I'm waiting......

Almost all Chinese netizens are using QQ. It's a very serious matter for us!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Win32:Neptunia-NM [Trj] 、Win32:Trojan-gen {Other}
« Reply #5 on: March 17, 2008, 08:15:18 PM »
With 9 of 32 scanners detecting something it is a little difficult to say it is a false positive detection.

Since 4 of them specifically mention QQ in the adware/spyware name it is even harder to say it is an FP. I have no knowledge of Tencent QQ, so perhaps it is ad supported or gathers information on browsing habits, etc. I don't know.

I would also suggest you check the other files at virustotal.

It will not hurt to submit the files to avast for analysis.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
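
Added example, not part of any post in this thread: a Python sketch that tallies the VirusTotal report from Reply #2 the way Reply #5 reads it, giving the detection ratio and how many vendor labels point at adware/spyware or name QQ. The keyword buckets are an assumption made for this example; vendor naming schemes are not standardised.

```python
from collections import Counter

# Engine, version, last update and result, copied from the report in Reply #2.
REPORT = """\
AhnLab-V3 2008.3.18.0 2008.03.17 -
AntiVir 7.6.0.73 2008.03.17 ADSPY/QQHelper
Authentium 4.93.8 2008.03.14 -
Avast 4.7.1098.0 2008.03.17 Win32:Neptunia-NM
AVG 7.5.0.516 2008.03.17 -
BitDefender 7.2 2008.03.17 -
CAT-QuickHeal 9.50 2008.03.14 -
ClamAV 0.92.1 2008.03.17 -
DrWeb 4.44.0.09170 2008.03.17 Adware.QQHelp
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5621 2008.03.17 -
Ewido 4.0 2008.03.17 -
F-Prot 4.4.2.54 2008.03.16 -
F-Secure 6.70.13260.0 2008.03.17 W32/Smallworm.AUP
FileAdvisor 1 2008.03.17 -
Fortinet 3.14.0.0 2008.03.17 Adware/QQHelp
Ikarus T3.1.1.20 2008.03.17 Virus.Win32.Neptunia.NM
Kaspersky 7.0.0.125 2008.03.17 -
McAfee 5253 2008.03.17 -
Microsoft 1.3301 2008.03.16 -
NOD32v2 2953 2008.03.17 -
Norman 5.80.02 2008.03.17 -
Panda 9.0.0.4 2008.03.16 -
Prevx1 V2 2008.03.17 Generic.Malware
Rising 20.36.02.00 2008.03.17 -
Sophos 4.27.0 2008.03.17 -
Sunbelt 3.0.963.0 2008.03.14 -
Symantec 10 2008.03.17 -
TheHacker 6.2.92.247 2008.03.15 -
VBA32 3.12.6.2 2008.03.16 -
VirusBuster 4.3.26:9 2008.03.17 Worm.Ice.A
Webwasher-Gateway 6.6.2 2008.03.17 Ad-Spyware.QQHelper
"""

def triage(report):
    """Return (detections, engines, label counts) for a 4-column report."""
    rows = [line.split(None, 3) for line in report.splitlines() if line.strip()]
    labels = [r[3].lower() for r in rows if r[3] != "-"]
    # Assumed keyword buckets; a label can fall into both or neither.
    kinds = Counter()
    for label in labels:
        kinds["adware/spyware"] += any(k in label for k in ("adware", "adspy", "spyware"))
        kinds["names QQ"] += "qq" in label
    return len(labels), len(rows), dict(kinds)

print(triage(REPORT))
```

The five detections outside the adware/spyware bucket carry unrelated names (trojan, worm, virus, generic), so only the adware labels agree with each other about what the file is.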

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Win32:Neptunia-NM [Trj] 、Win32:Trojan-gen {Other}
« Reply #6 on: March 17, 2008, 08:32:02 PM »
Hi avast1.cn,

Threat Name: TENCENTQQ

This is an adware that displays ads using popups. It monitors browsing habits and relays back results to its own server such that it can generate popups based on those results. Tencent QQ is however a Chinese made IM system, which can be installed via drive-by download. Regarding stability, Tencent QQ is written in Chinese and can cause Windows to crash if the Chinese character set isn't installed. http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453083549
And the files that were flagged were part of this adware, fuller description of it:
http://www.threatexpert.com/report.aspx?uid=e860f2c6-920d-409b-9de2-739ce9f39dd4
If TencentQQ is not considered malware in China, you can put it into the avast exclusion list, but I would also like an explanation of the Chinese developer why antispyware & malware scanners flag this software as adware. Read about the Tencent QQ controversies and annoyances here:
http://en.wikipedia.org/wiki/QQ
I have given you all the information I have here, and I think you can make a decision now, if you have a Chinese character set installed it cannot be qualified as malware, but it comes in the category of adware. If that can be blocked I would not see a reason not to have it onto your computer, as it is mighty popular in China,

polonus
« Last Edit: March 17, 2008, 08:34:19 PM by polonus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Win32:Neptunia-NM [Trj] 、Win32:Trojan-gen {Other}
« Reply #7 on: March 17, 2008, 08:55:13 PM »
That was my suspicion, ad supported/adware, which if people installed it themselves and are generally happy to accept the ads, they can add the files to the avast exclusions.

However, previously there was only one QQ file flagged as malware; now it seems there are many based on avast1.cn's list. So it appears to be growing.