Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: MeDIeVaL on October 01, 2007, 09:24:07 AM

Title: Trojan.Mezzia inside avast!...?
Post by: MeDIeVaL on October 01, 2007, 09:24:07 AM
This is the 2nd time SUPERAntiSpyware has picked up a trojan inside the avast! program on my system. Even though I strongly believe it's just a false positive alarm, something must be done from both sides to prevent the continuous detection inside the avast! program.
-----------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/25/2007 at 04:56 PM

Application Version : 3.9.1008

Core Rules Database Version : 3311
Trace Rules Database Version: 1315

Scan type       : Complete Scan
Total Scan Time : 01:01:15

Memory items scanned      : 536
Memory threats detected   : 2
Registry items scanned    : 6024
Registry threats detected : 0
File items scanned        : 63128
File threats detected     : 48

Trojan.Mezzia/Resident
   D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\AHRESWS.DLL
   D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\AHRESWS.DLL
   D:\PROGRA~1\ALWILS~1\AVAST4\AHRESWS.DLL
   D:\PROGRA~1\ALWILS~1\AVAST4\AHRESWS.DLL

Adware.Tracking Cookie
-----------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/01/2007 at 04:33 AM

Application Version : 3.9.1008

Core Rules Database Version : 3316
Trace Rules Database Version: 1317

Scan type       : Complete Scan
Total Scan Time : 00:56:52

Memory items scanned      : 530
Memory threats detected   : 2
Registry items scanned    : 5955
Registry threats detected : 0
File items scanned        : 58192
File threats detected     : 19

Trojan.Mezzia/Resident
   D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\AHRESWS.DLL
   D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\AHRESWS.DLL
   D:\PROGRA~1\ALWILS~1\AVAST4\AHRESWS.DLL
   D:\PROGRA~1\ALWILS~1\AVAST4\AHRESWS.DLL

Adware.Tracking Cookie
Title: Re: Trojan.Mezzia inside avast!...?
Post by: DavidR on October 01, 2007, 04:13:08 PM
Well, that is an avast file and I have it in my avast4 folder, so I suggest you check it out at one of the multi-engine scanners, which is what you really should have done first, to confirm detections.

You should also check the suspect file at: VirusTotal - Multi-engine on-line virus scanner (http://www.virustotal.com/). I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti - Multi-engine on-line virus scanner (http://virusscan.jotti.org/). If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

The MD5 of C:\Program Files\Alwil Software\Avast4\AhResWS.dll is af4e5eb372f516ef061e65e8973b57b5

File properties, see image.
Title: Re: Trojan.Mezzia inside avast!...?
Post by: MeDIeVaL on October 02, 2007, 05:56:17 AM
I've scanned it with VirusTotal on both dates after scanning with SUPERAntiSpyware and found 0 out of 32, so that's why I strongly believe it's just a false positive and I've done nothing to it. But I still believe avast! or SUPERAntiSpyware must do something to end this problem. At least the avast! team can acknowledge their mates in SUPERAntiSpyware to fix the detection, right?
Title: Re: Trojan.Mezzia inside avast!...?
Post by: DavidR on October 02, 2007, 02:18:35 PM
Quote from: MeDIeVaL
I've scanned it with VirusTotal on both dates after scanning with SUPERAntiSpyware and found 0 out of 32, so that's why I strongly believe it's just a false positive and I've done nothing to it. But I still believe avast! or SUPERAntiSpyware must do something to end this problem. At least the avast! team can acknowledge their mates in SUPERAntiSpyware to fix the detection, right?

It isn't an avast problem but a false positive detection of a legitimate avast file, so you need to report it to SAS as it is their problem to resolve.
avast can't do anything as it doesn't know what it is that is causing SAS to alert.

I have no idea if there is any communication between SAS and Alwil software.
Title: Re: Trojan.Mezzia inside avast!...?
Post by: Jahn on October 03, 2007, 03:55:08 AM
Strange, SAS reports the file as clean on my system. ???
Title: Re: Trojan.Mezzia inside avast!...?
Post by: Vladimyr on October 03, 2007, 04:33:55 AM
Quote from: Jahn
Strange, SAS reports the file as clean on my system. ???
Mine too ???
Title: Re: Trojan.Mezzia inside avast!...?
Post by: MeDIeVaL on October 03, 2007, 01:10:47 PM
This is a screenshot I took this evening, as SAS asked me to submit the sample...

(http://www.geocities.com/solutem/avast.JPG)
Title: Re: Trojan.Mezzia inside avast!...?
Post by: Lisandro on October 03, 2007, 02:18:15 PM
No troubles here...
Are you sure your avast installation is not compromised?
Is SAS fully updated?
Title: Re: Trojan.Mezzia inside avast!...?
Post by: MeDIeVaL on October 03, 2007, 05:11:45 PM
Nope, there's no compromise in the avast! installation. The detection only started occurring from 25/09/07, as I scan my system weekly with every security application. As you can see, SAS was up to date. I check for updates almost every day...
Title: Re: Trojan.Mezzia inside avast!...?
Post by: Bluesman on October 03, 2007, 07:44:25 PM
Quote from: Lisandro
No troubles here...

Same here, just checked, no problems at all.
Title: Re: Trojan.Mezzia inside avast!...?
Post by: MeDIeVaL on October 03, 2007, 08:07:35 PM
SAS only detects the trojan when I've done a full system scan. If I right-click the file and scan it, it finds nothing...
Title: Re: Trojan.Mezzia inside avast!...?
Post by: Lisandro on October 03, 2007, 08:25:33 PM
Quote from: MeDIeVaL
SAS only detects the trojan when I've done a full system scan.

I've done that, I mean, just for that folder but with the deepest scanning... Am I wrong? Is there any wrong setting in my installation?
Title: Re: Trojan.Mezzia inside avast!...?
Post by: Jahn on October 03, 2007, 10:44:43 PM
MeDIeVaL, is this the same system that had the trojan downloader?
      http://forum.avast.com/index.php?topic=30525.msg253810#msg253810

I'm wondering if it compromised Avast and/or SAS. Did you verify the MD5 of %:\Program Files\Alwil Software\Avast4\AhResWS.dll to the one DavidR posted in reply #1? Mine has the correct MD5 and is clean as I stated.

(Edit: Added:) SAS started detecting the Avast file right after the downloader was detected.
Title: Re: Trojan.Mezzia inside avast!...?
Post by: Jahn on October 03, 2007, 10:50:16 PM
Quote from: Lisandro
I've done that, I mean, just for that folder but with the deepest scanning... Am I wrong? Is there any wrong setting in my installation?
Tech, I would think the context menu scan would be the most thorough. I only found two scanner options in SAS that weren't set to maximum (Ignore non-executable files and Ignore files larger than 4 MB), but even after changing them, a full system scan came out clean.
Title: Re: Trojan.Mezzia inside avast!...?
Post by: DavidR on October 03, 2007, 11:28:52 PM
Quote from: Jahn
MeDIeVaL,
I'm wondering if it compromised Avast and/or SAS. Did you verify the MD5 of %:\Program Files\Alwil Software\Avast4\AhResWS.dll to the one DavidR posted in reply #1? Mine has the correct MD5 and is clean as I stated.

You are right to press for this check as it is critical, and the reason I posted it in the same post as the VT and Jotti links is because the MD5 of the file is part of the information provided on the VirusTotal scan. So yes, it would be nice if MeDIeVaL would confirm this.
Title: Re: Trojan.Mezzia inside avast!...?
Post by: MeDIeVaL on October 04, 2007, 03:57:42 AM
Quote from: Jahn
MeDIeVaL, is this the same system that had the trojan downloader?
      http://forum.avast.com/index.php?topic=30525.msg253810#msg253810

I'm wondering if it compromised Avast and/or SAS. Did you verify the MD5 of %:\Program Files\Alwil Software\Avast4\AhResWS.dll to the one DavidR posted in reply #1? Mine has the correct MD5 and is clean as I stated.

(Edit: Added:) SAS started detecting the Avast file right after the downloader was detected.

Nope, not the same system. That's my friend's PC actually (as I do a part-time job repairing and upgrading PCs). This prob just occurred on my own PC; I never had this prob before 25th Sep. I've submitted the sample to SAS, hoping that they will give positive feedback 'bout this. Actually, this prob has done no harm to my PC, except I'm afraid I might accidentally put the suspected file into quarantine or, worse, delete it. I'm in my office right now; I will check the MD5 after I get back from work.
Title: Re: Trojan.Mezzia inside avast!...?
Post by: MeDIeVaL on October 04, 2007, 06:06:44 AM
Here's the MD5 for avast!

Additional information
File size: 53248 bytes
MD5: af4e5eb372f516ef061e65e8973b57b5
SHA1: 5cda88f692618d44aa238a4f673671ef28045510
Title: Re: Trojan.Mezzia inside avast!...?
Post by: DavidR on October 04, 2007, 02:13:32 PM
Which is the same as the one I posted.
Quote from: DavidR
The MD5 of C:\Program Files\Alwil Software\Avast4\AhResWS.dll is af4e5eb372f516ef061e65e8973b57b5

So your file is the same as mine and it hasn't been changed.
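The check DavidR and Jahn press for above (compare the size, MD5 and SHA1 of the installed file against the reference values posted in reply #1 and reported by VirusTotal) is shown here as an added example that is not part of the thread. It computes the digests of any file by streaming it and lists every reference value that does not match; the sample file, its content and the expected values below are constructed for the demonstration, not taken from AhResWS.dll.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=65536):
    """Return (size, md5, sha1) of the file at path, streaming so large files work."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def verify_file(path, expected):
    """Compare a file against reference values.

    expected may hold any of the keys 'size', 'md5', 'sha1' (hex digests in
    either case). Returns a list of mismatch descriptions; an empty list means
    the file matches every reference value supplied, i.e. it has not changed.
    """
    size, md5, sha1 = file_digests(path)
    actual = {"size": size, "md5": md5, "sha1": sha1}
    mismatches = []
    for key, want in expected.items():
        if isinstance(want, str):
            want = want.lower()
        if actual[key] != want:
            mismatches.append(f"{key}: expected {want}, got {actual[key]}")
    return mismatches


# Constructed sample: a file holding the bytes b"abc", whose MD5 and SHA1 are
# the standard test vectors below. For the real check, point verify_file at
# the DLL and use the size/MD5/SHA1 from the VirusTotal report instead.
SAMPLE_EXPECTED = {
    "size": 3,
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
}


def write_sample(content=b"abc"):
    """Write the constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    problems = verify_file(write_sample(), SAMPLE_EXPECTED)
    print("file unchanged" if not problems else "\n".join(problems))
```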
Title: Re: Trojan.Mezzia inside avast!...?
Post by: Jahn on October 04, 2007, 11:15:07 PM
Sounds like it's up to SAS now to offer an explanation.
Title: Re: Trojan.Mezzia inside avast!...?
Post by: MeDIeVaL on October 05, 2007, 10:44:43 PM
Just finished a full scan of my system with SAS. It seems the problem is solved with SAS's latest update... Don't have the false positive alarm detection anymore :D
Title: Re: Trojan.Mezzia inside avast!...?
Post by: Jahn on October 06, 2007, 12:26:14 AM
Quote from: MeDIeVaL
Just finished a full scan of my system with SAS. It seems the problem is solved with SAS's latest update... Don't have the false positive alarm detection anymore :D
Glad you got it sorted, MeDIeVaL.

I'm still curious why SAS would detect the same file as positive on one system, but not on others. I saw on their forum they didn't give you an explanation (they usually don't), so I guess I'll never know. ???