Author Topic: Win32:Radmin-B [Tool] ???  (Read 18056 times)

Seb2

  • Guest
Win32:Radmin-B [Tool] ???
« on: May 22, 2006, 04:15:12 PM »
Was using vnc to connect to my home pc (through my BSD-server) from work.
After an hour or so the connection just died, couldn't log in on my server or ping or anything.
After a while it was back up again. I guess my ISP had some problems....sometimes the net goes down for a little while.

Anyway, when I get back from work I see this Malware-warning from Avast....in WinVNC.exe, and after I moved that to the chest I get another one for some VNC dll-file.


How the hell could a virus come in and all of a sudden infect my vncserver and nothing else???
Don't know what this Radmin-B is, and as seems to be usual with Avast I don't get any info about it either.
Should I worry, or is it just some mistake by Avast, claiming my tightvnc-server to be/have a virus/malware?

Many thanks if someone can help :)
As it is now, with two of the files in the chest, I can't run the vncserver and can't log in to my windows-machine remotely.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89400
  • No support PMs thanks
Re: Win32:Radmin-B [Tool] ???
« Reply #1 on: May 22, 2006, 04:30:20 PM »
First confirm that they are correct detections.

Is this a program you have been using for some time and does the path to it ..\tightvnc\... correspond to its location ?

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan); when it is no longer detected, then remove it from the exclusions.

If you are getting a virus warning that you believe is a false positive, then if you can, zip and password protect ('virus' will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Seb2

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #2 on: May 22, 2006, 04:39:40 PM »
> First confirm that they are correct detections.
>
> Is this a program you have been using for some time and does the path to it ..\tightvnc\... correspond to its location ?
>
> You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.
> Or VirusTotal - Multi engine on-line virus scanner
>
> If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan); when it is no longer detected, then remove it from the exclusions.
>
> If you are getting a virus warning that you believe is a false positive, then if you can, zip and password protect ('virus' will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest.
>
> Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

It is a program I've used for half a year or so (same version, backed up on the server and last time reinstalled after format of XP-machine like a month ago).
Have made full system scans, last one about a week ago, and nothing found.
Now all of a sudden, in that particular file, it warns for this malware (that I don't have a clue what it could be).

I'll do as you said, take it out of the chest, and try one of those online-scanning sites you linked to.

The path sure is right, since I can't restart the service (winvnc is installed as a service in XP) anymore.

Seb2

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #3 on: May 22, 2006, 04:50:35 PM »
Oh crap, I try to upload, but when I do Avast screams at me and the only thing I can choose (except put in chest or delete or move) is "No Action", which seems to disable the file someway cause when I upload it scans and says "no virus found" but on filesize it says 0 bytes, so Avast probably ruins my upload of the file.

I'll try to disable Avast....not very good maybe, but what else to do :S

Seb2

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #4 on: May 22, 2006, 04:59:42 PM »


For some strange reason I can't open a gif or png from firefox if I put it on my webserver....very strange. Oh well....I guess the feedback from this online scanner can be interpreted as WinVNC not being a virus, but Avast and some others treat it as a dangerous program that you shouldn't have installed if you don't know what it is.

Right???

And one explanation it showed up all of a sudden is that Avast just recently made the decision to put a "warning" on this application.....right again???

rock

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #5 on: May 22, 2006, 05:05:47 PM »
I have had Tightvnc installed for years with Avast. All of a sudden today it is reporting that C:\Program Files\TightVNC\WinVNC.exe is malware.

Malware Name: WIN32:Radmin-B
VPS version 5-22-06

I suspect that this is bogus and someone screwed up with the latest definition but came here to find out and this is the first thread I found on it.  Can anyone confirm that this is a bogus alert?

edit: bah, I now have to disable avast because after clicking no-action it keeps complaining about vnchooks being a virus.
« Last Edit: May 22, 2006, 05:11:37 PM by rock »

Seb2

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #6 on: May 22, 2006, 05:16:38 PM »
> I have had Tightvnc installed for years with Avast. All of a sudden today it is reporting that C:\Program Files\TightVNC\WinVNC.exe is malware.
>
> Malware Name: WIN32:Radmin-B
> VPS version 5-22-06
>
> I suspect that this is bogus and someone screwed up with the latest definition but came here to find out and this is the first thread I found on it.  Can anyone confirm that this is a bogus alert?
>
> edit: bah, I now have to disable avast because after clicking no-action it keeps complaining about vnchooks being a virus.

That's great :)
I now feel 99.9% confident there is no virus, it's just Avast that is extremely overprotective and unclear ;)

Great to have this forum though. As soon as there is a problem, log in and ask, wait a maximum of 5 minutes, and you have an expert opinion/explanation on it :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89400
  • No support PMs thanks
Re: Win32:Radmin-B [Tool] ???
« Reply #7 on: May 22, 2006, 05:19:52 PM »
I think that it is more likely to be the fact it could possibly be used for alternate purposes rather than bogus/false detection; the same sort of thing happens with key loggers, it is difficult to identify the purpose. So these things happen. 5 AVs alerted on it; since Kaspersky, McAfee, Microsoft and another AV also detect this in one form or another, I wouldn't directly call it a bogus/false detection outright.

If you are happy with it, do as I suggested: add it to the exclusions and send samples to avast so that they can improve the VPS signatures, but it may be that it won't change because of the potential for misuse.

Seb2

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #8 on: May 22, 2006, 05:27:23 PM »
> I think that it is more likely to be the fact it could possibly be used for alternate purposes rather than bogus/false detection; the same sort of thing happens with key loggers, it is difficult to identify the purpose. So these things happen. 5 AVs alerted on it; since Kaspersky, McAfee, Microsoft and another AV also detect this in one form or another, I wouldn't directly call it a bogus/false detection outright.
>
> If you are happy with it, do as I suggested: add it to the exclusions and send samples to avast so that they can improve the VPS signatures, but it may be that it won't change because of the potential for misuse.

Saying "this might be an unwanted program" is a bit better than saying "You have malware Radmin-B, no more information available".
That could scare the shit out of anyone :D

Thanks a lot for the help :)

EDIT: Great, now I can't start the service again cause Avast fucked it up. I'll have to reinstall VNC :(
« Last Edit: May 22, 2006, 05:37:34 PM by Seb2 »

rock

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #9 on: May 22, 2006, 05:43:07 PM »
You are like me and use it to access your home PC. However this could be very bad for IT admins that use Tightvnc for PC support on their supported desktops along with Avast. Can you imagine, particularly if there are a lot of PCs with both products.

That is unless the Pro edition does not include tightvnc in the definition. But even forgetting that, what about all the people like you that are away on travel or business that use Tightvnc to access their home PC.

I suppose a lot of people are out of luck right now, until they get back to their desktop. Do not get me wrong, I think Avast is a great product but I question the reasons for having Tightvnc suddenly added as a virus or malware when it is not.
« Last Edit: May 22, 2006, 05:51:50 PM by rock »

Seb2

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #10 on: May 22, 2006, 05:58:36 PM »
> You are like me and use it to access your home PC. However this could be very bad for IT admins that use Tightvnc for PC support on their supported desktops along with Avast. Can you imagine, particularly if there are a lot of PCs with both products.
>
> That is unless the Pro edition does not include tightvnc in the definition. But even forgetting that, what about all the people like you that are away on travel or business that use Tightvnc to access their home PC.
>
> I suppose a lot of people are out of luck right now, until they get back to their desktop. Do not get me wrong, I think Avast is a great product but I question the reasons for having Tightvnc suddenly added as a virus or malware when it is not.

You're sure right about that.
And the hassle to get it working again afterwards :(
Firstly it somehow ruined the installation, so I had to reinstall.
Then, even though I put the whole folder in "excluded" that didn't help, cause that was just for manual scanning. To exclude the files from resident protection I had to go in under several options and manually type in the path....I'm not even sure I did it right (how to use wildcards and such) but I put in "C:\Program\TightVNC\*.*" and it seems to work now.....who knows though....

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11655
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Win32:Radmin-B [Tool] ???
« Reply #11 on: May 22, 2006, 06:04:18 PM »
I'm still trying to find out if this is a bug or feature... :)
If at first you don't succeed, then skydiving's not for you.

dbhankins

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #12 on: May 22, 2006, 07:25:04 PM »
> Oh crap, I try to upload, but when I do Avast screams at me and the only thing I can choose (except put in chest or delete or move) is "No Action"

Actually, there is one more action you can perform when Avast! puts up a malware warning.  It's easy to miss because it doesn't have a big button to click on like the others.

Click the "X" in the upper right hand corner of the dialog in order to close it.  Avast! will then allow whatever program it blocked to continue executing.

You are then responsible for any infection you get as a result.


Dan

U2KZoo51

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #13 on: May 22, 2006, 08:17:03 PM »
I have the same problem, Avast can be affect intentionally to tightvnc for do question monetary?
I have problems with all computers in my lan office.

rock

  • Guest
Re: Win32:Radmin-B [Tool] ???
« Reply #14 on: May 22, 2006, 08:19:06 PM »

> Actually, there is one more action you can perform when Avast! puts up a malware warning.  It's easy to miss because it doesn't have a big button to click on like the others.
>
> Click the "X" in the upper right hand corner of the dialog in order to close it.  Avast! will then allow whatever program it blocked to continue executing.
>
> Dan

Hmm, I had the same problem and thought I tried the X but remember it kept alerting anyway.  I suppose closing on the X will not help since vnc is always loaded in memory. I ended up excluding the VNC directory and vnc is working fine now.

edit: U2KZoo51's post is a perfect example of what I was saying a few posts back.  Very bad policy to list legitimate applications as malware.
« Last Edit: May 22, 2006, 08:22:28 PM by rock »