Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: WDGC on July 07, 2006, 02:37:09 PM

Title: False Positive?
Post by: WDGC on July 07, 2006, 02:37:09 PM
A scan using avast! 4.7.844 Home Edition, VPS version: 0627-3, 07/07/2006, produces a warning screen "A Trojan Horse Was Found", with the following information:

D:\Purrint 23\PurrintInst.exe

Win32:Zapchast-S [Trj]

Trojan Horse

Prior to this scan the last scan was one week ago, Friday 30th June, 2006 and nothing was detected. Scans with ewido anti-malware, Ad-Aware and Spybot do not detect anything.

Purrint is a program to "manage your Print Screen button" and I've been using it for about 3 months.

http://www.snapfiles.com/get/Purrint.html

All things considered I think it highly likely this detection is a false positive.
Title: Re: False Positive?
Post by: DavidR on July 07, 2006, 03:24:08 PM
If you are getting a virus warning that you believe is a false positive, then if you can, zip and password protect ('virus' will do) the suspect file and send it to virus @ avast.com (no spaces), or send it from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You could also check the offending/suspect file at Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/); if any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html)

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and scan it periodically using the ashQuick scan (right click, scan); when it is no longer detected, remove it from the exclusions.
Also see (Mini Sticky) False Positives (http://forum.avast.com/index.php?board=2;action=display;threadid=7779)
Title: Re: False Positive?
Post by: WDGC on July 07, 2006, 03:31:38 PM
Thank you for your reply. I'll carry out your suggestions and see how things go.
Title: Re: False Positive?
Post by: DavidR on July 07, 2006, 03:34:54 PM
You're welcome, let us know what you find.
Title: Re: False Positive?
Post by: WDGC on July 08, 2006, 07:22:28 AM
I uploaded the detected file to Jotti's and to VirusTotal, and D:\Purrint 23\PurrintInst.exe was only detected by avast!

I have also sent the detected file to virus @ avast.com.
Title: Re: False Positive?
Post by: DavidR on July 08, 2006, 03:29:42 PM
You can add the file to the exclusions as I mentioned and restore the file from the chest, this will allow you to continue to use it. Check periodically after VPS updates to see if the FP (if confirmed) has been corrected.
Title: Re: False Positive?
Post by: Iso-G on July 08, 2006, 03:41:36 PM
I have also sent the detected file to virus @ avast.com.

Hello WDGC, welcome to the forums

No security software detects every malware, 100% of today's malware, as you know.
Your efforts really help avast! users.
Thank you very much. ;)

The Alwil team will analyze the file you sent, probably.
I hope to see your footprints in the avast! VPS ASAP.
(of course, only if it really is malware.)
Title: Re: False Positive?
Post by: WDGC on July 10, 2006, 11:33:45 AM
A scan using VPS version: 0628-0, 10/07/2006 does not detect D:\Purrint 23\PurrintInst.exe.

However it does make the following detection:

File name: C:\Program Files\Mozilla Firefox\updater.exe
Malware name: Win32:Sality-W
Malware type: Virus/Worm
VPS version: 0628-0, 10/07/2006

When uploaded to Jotti's and VirusTotal, C:\Program Files\Mozilla Firefox\updater.exe is only detected by avast!

I, once again, think it highly unlikely this is a virus or worm and have sent the detected file to virus @ avast.com.

Title: Re: False Positive?
Post by: alanrf on July 10, 2006, 12:00:11 PM
Need, I think, for a very quick fix on this one - otherwise we will see a whole lot of "me too" posts. 

Very clearly an issue with the latest VPS update ... no problem with the prior VPS release.
Title: Re: False Positive?
Post by: alanrf on July 10, 2006, 12:17:27 PM
The same virus message is produced on scanning the updater.exe for Mozilla Thunderbird too.
Title: Re: False Positive?
Post by: RejZoR on July 10, 2006, 12:44:40 PM
I've reported Firefox FP like hour ago...
Title: Re: False Positive?
Post by: lava1 on July 10, 2006, 01:06:03 PM
Hi, my roommate got the same virus in Firefox and Thunderbird this morning too when he did a scan, and he deleted it this morning and did not move it to the chest. Before he did the update with avast he was surfing and checked his mail, and all his mail came up clean. I hope by deleting this worm Win32:Sality-W he did not mess up. Maybe I am worrying for nothing. (Just curious: if it is a false one, does that mean I have to reinstall Firefox and Thunderbird?) Sorry for asking this question, but we are both older people and still learning things on the computer. Thanks for the info.
Title: Re: False Positive?
Post by: psadi on July 10, 2006, 01:27:43 PM
The program updater.exe in the programs from Mozilla (Thunderbird, Firefox and Sunbird) was affected on all of them at work. Though I doubt they are infected.

The updater.exe program is used to update the program itself, and the functionality of the programs is not affected in any other way than that you cannot auto-update the program.

If you deleted the updater.exe program I think you have to reinstall the program to get back that functionality. Though you don't have to do that until there is a new version out. If you moved it to the chest instead of deleting it, you can always restore the file from the chest and should get back the functionality by that.
Title: Re: False Positive?
Post by: lava1 on July 10, 2006, 01:41:34 PM
Thanks for the info. I looked in Program Files and it still shows that I still have the updater file, so maybe I am still safe. Thanks again! Plus when I pushed to check for updates it shows no updates at this time.
Title: Re: False Positive?
Post by: RejZoR on July 10, 2006, 01:46:34 PM
I just got report from Alwil virus lab that Mozilla updater.exe false positive is already fixed in latest VPS update.
Title: Re: False Positive?
Post by: lava1 on July 10, 2006, 01:48:38 PM
RejZoR, I deleted the worm. Does that mean I have to reinstall Firefox and Thunderbird over again? Sorry to ask this stupid question, and if so, how would I reinstall it?
Title: Re: False Positive?
Post by: RejZoR on July 10, 2006, 02:05:28 PM
Just install it over. Settings and user files will remain while it will fix the missing files you've deleted. Nothing special or hard to do ;)
Title: Re: False Positive?
Post by: lava1 on July 10, 2006, 02:15:39 PM
Thank you RejZoR, but I deleted the worm and I was just wondering do I have to reinstall it, and where do I find it to reinstall it from. When the thing was detected my roommate deleted the worm. So I was wondering do I need to reinstall the file in both Firefox and Thunderbird, or will the update still update? When I checked both to see if there was an update, it said no updates at this time; it will check periodically for new updates, so that is why I am wondering what we need to know. Sorry that I don't understand what you mean. Thanks. I just know what you mean about settings and user files and that it will fix the missing file.
Title: Re: False Positive?
Post by: WDGC on July 10, 2006, 02:17:15 PM
- Vps: Updated
  (previous version: 0628-0, updated version: 0628-1)

C:\Program Files\Mozilla Firefox\updater.exe not detected by this latest Vps update.

Title: Re: False Positive?
Post by: WDGC on July 10, 2006, 02:30:49 PM
...  but I deleted the worm ...

It wasn't a worm - the detection was a "false positive".

As RejZoR said, just reinstall Firefox and Thunderbird - as if starting from scratch - and updater.exe will be back where it should be.

It might pay you to read the avast! Help Files and remember to use the virus chest if you are again confronted with a detection.
Title: Re: False Positive?
Post by: Lisandro on July 10, 2006, 02:35:30 PM
False positive, for sure  :P
Title: Re: False Positive?
Post by: lava1 on July 10, 2006, 02:39:13 PM
I understand that there is a new update VPS 628-1, but my roommate did the VPS 628-0
and he did not move it to the chest. So I was wondering, since it said to delete all, does that mean I have to reinstall Firefox and Thunderbird over, or will the update in Firefox and Thunderbird still work when there is a new update for them? If it doesn't work, where do I get the fix for the update for Firefox and Thunderbird? I checked my Program Files and it still shows the updater file and the updater pictures in there. So my question is, will Firefox and Thunderbird still update when there is a new version (example: it shows it is still 1.5.0.4; will it still update to 1.5.0.5 when there is a new one)? I am new to this and don't know that much and am still learning, and if it doesn't update, where do I go to install one, or do I have to install everything new? Thank you, we're both older people and don't know what to do. I just went to download it and they said the same virus has been detected, that is why I am asking.
Title: Re: False Positive?
Post by: RejZoR on July 10, 2006, 02:54:17 PM
Just install over it... www.mozilla.com
Title: Re: False Positive?
Post by: lava1 on July 10, 2006, 02:58:16 PM
Thanks RejZoR, I went to the web page, and when I went to install it, it warned me about the virus still coming up. So what do I do?
Title: Re: False Positive?
Post by: Lisandro on July 10, 2006, 03:07:25 PM
Thanks Rejor I went to web page when I went to install it warned me about the virus still coming up.  So what do I do.
Download the setup file.
Disconnect from Internet.
Add the false positive files to the Standard Shield Exception list.
Install Firefox/Thunderbird without fear.
Wait for a virus database update, change your avast settings back.
Title: Re: False Positive?
Post by: lava1 on July 10, 2006, 03:16:03 PM
Thanks Tech,

But I am sorry to be so stupid, I don't know how to do that. And I do see that there is a new one there, 628-1; maybe I should do that manually. I am sorry to sound like a broken record, but we just deleted the worm, the folders are still there, and when I click on Help in Firefox and Thunderbird it says there are no updates now but it will check periodically. So because it is saying that, I was wondering do I still need to update those programs. Thanks, sorry to be a bother :-[
Title: Re: False Positive?
Post by: RejZoR on July 10, 2006, 03:41:06 PM
Just make sure avast! is fully updated (VPS). This false positive is already fixed.
Title: Re: False Positive?
Post by: psadi on July 10, 2006, 03:59:34 PM
Lava1

If you downloaded Firefox from mozilla.com and installed it then you have the latest version and there are no updates available.

The way you see that the file updater.exe was removed is that in the Firefox Help menu the "Check for Updates" entry (or however it's named in English ::) ) is greyed out and you can't click it. If you can click and check for updates in Firefox then you are OK as far as Firefox is concerned.
Title: Re: False Positive?
Post by: DavidR on July 10, 2006, 04:01:37 PM
but I deleted the worm ......
<Snip>

Take this as a valuable lesson: never delete as a first option, it doesn't leave you with any options. If you move it to the chest on detection and investigate, then if you find it is an FP you can simply restore the file from the chest.
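The chest-rather-than-delete workflow DavidR describes here (and his earlier advice on exclusions and re-checking after VPS updates), as an added illustration that is not part of this thread and not avast!'s own code: a minimal quarantine that moves a flagged file aside, records the detection name and VPS version, and restores it by hash once the false positive is confirmed. The Chest class, its manifest layout and the demo() walk-through are assumptions made for the example.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

class Chest:
    """Hypothetical minimal quarantine modelled on the avast! Virus Chest: flagged
    files are moved aside (never deleted) and logged with detection name and VPS
    version, so a confirmed false positive can simply be restored."""

    def __init__(self, root: Path):
        self.root = root
        self.root.mkdir(parents=True, exist_ok=True)
        self.manifest = self.root / "manifest.json"
        self.entries = json.loads(self.manifest.read_text()) if self.manifest.exists() else {}

    def _save(self) -> None:
        self.manifest.write_text(json.dumps(self.entries, indent=2))

    def quarantine(self, path: Path, detection: str, vps: str) -> str:
        """Move the file into the chest under its SHA-256 and return that digest."""
        digest = sha256_of(path)
        shutil.move(str(path), str(self.root / digest))  # move, do not delete
        self.entries[digest] = {"original": str(path), "detection": detection, "vps": vps}
        self._save()
        return digest

    def restore(self, digest: str) -> Path:
        """Put the file back once the FP is confirmed; refuse if the stored copy changed."""
        entry = self.entries.pop(digest)
        stored = self.root / digest
        if sha256_of(stored) != digest:
            raise ValueError("quarantined copy has been altered")
        target = Path(entry["original"])
        shutil.move(str(stored), str(target))
        self._save()
        return target

def demo() -> dict:
    """Constructed walk-through on a harmless stand-in for Mozilla's updater.exe."""
    work = Path(tempfile.mkdtemp())
    victim = work / "updater.exe"
    victim.write_bytes(b"constructed stand-in, not a real binary")
    chest = Chest(work / "chest")
    digest = chest.quarantine(victim, "Win32:Sality-W", "0628-0")
    gone = not victim.exists()        # in the chest, not deleted
    restored = chest.restore(digest)  # vendor fixed the VPS; put it back
    return {"gone_after_quarantine": gone,
            "restored_path_ok": restored == victim,
            "content_intact": sha256_of(restored) == digest,
            "manifest_empty": chest.entries == {}}
```

The manifest keeps the original path and the VPS version that flagged the file, which is exactly the information a later "is it still detected after the update?" check needs.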
Title: Re: False Positive?
Post by: siemi on July 16, 2006, 11:13:31 PM
Can anyone figure it out?
I'm using Mozilla Thunderbird 1.5.0.4. A couple of days back I noticed that all attachments like *.doc and *.xls got changed to *.bin and *.dat after they were sent to a recipient. An avast scan found Win32:Sality-W in the updater.exe file, but couldn't remove it. Currently none of the virus scanners, including avast, can find anything; however the problem still exists. :(
Any idea what's up?