Avast WEBforum

Business Products => Archive (Legacy) => Avast Business => Avast Server Protection => Topic started by: leondeoro on September 22, 2010, 01:52:34 PM

Title: Virus not found by avast server version 4.8
Post by: leondeoro on September 22, 2010, 01:52:34 PM
I have a Windows 2003 server with avast server version 4.8 installed and up to date. It doesn't detect a trojan that I have discovered because each time I log on the program SAFESURF is run (I never installed this software). I stop the process and delete all the files in c:\windows\system 32\3com_dni\1\1\ including safesurf.exe and all the entries in the Windows registry. But after a logoff/logon sequence the software reappears. Avast doesn't detect it. Does anybody have a solution?
Title: Re: Virus not found by avast server version 4.8
Post by: Milos on September 22, 2010, 03:50:29 PM
Hello,
Send us (virus@avast.com) the file(s) to analyze. You can use Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) to find which process creates it.

Milos
Title: Re: Virus not found by avast server version 4.8
Post by: leondeoro on September 23, 2010, 08:59:38 AM
The problem is that I don't have any infected files. No antivirus detects the Trojan. I have detected it because safesurf.exe is run on each logon and a window appears with the launch process of safesurf.exe.
The exact description of this Trojan is at http://www.viruslist.com/sp/weblog?weblogid=208187928. It includes all files and programs run. The problem is that it uses only "legal" programs that are not detected by any antivirus. According to the link above, Kaspersky calls it Trojan-Clicker.Win32.FrusEfas. I have used the Kaspersky trial version but it didn't detect anything.
Please help.
Title: Re: Virus not found by avast server version 4.8
Post by: Milos on September 23, 2010, 10:05:44 AM
Try to use Process Monitor to see what is causing safesurf to run, or adding it to the registry for launching during logon.

Milos
Title: Re: Virus not found by avast server version 4.8
Post by: mike-vancouver on November 20, 2010, 07:51:12 AM
Milos,
Please send me an e-mail if you are still interested in a copy of the safe-surf virus files.

Just three days ago, I had the same situation as described in the original post.

It wasn't difficult to trace and remove, but it took over the server, not allowing for any access to it from outside.

Avast found only some .tmp files created by that virus.

I created c:\program files\microsoft directory.

I have it saved.

Please let me know if you still need a copy for research.

P.S. The link to the Microsoft tool you posted earlier in this thread does not work.
Could you please update it?
THX