Author Topic: Anyone running Avast alongside Jetico ? Trojan problem  (Read 7093 times)


joey_365

  • Guest
Anyone running Avast alongside Jetico ? Trojan problem
« on: September 07, 2006, 09:28:05 PM »
I've just run a weekly scan of my drive with avast AV. It picked up Win32:Rbot-CSS in my Jetico Personal Firewall directory. According to Avast, bcfgenv.dll was infected. Can any Jetico users confirm that they have this file in the Jetico directory ?

I tried to move the file to the chest, but was informed that, because it was in memory, a boot scan was required, which I did. I moved it to the chest from there; however, on restart, Jetico is asking for permissions all over again, for everything that needs access. I'm pretty sure the infected file must be the configuration file for Jetico.

I made an image of my drive before doing anything, so can restore again, if I made any rash errors on my part. Can anyone confirm this file exists on their machine ? Or maybe this has happened to someone else too ?

Jarmo P

  • Guest
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #1 on: September 07, 2006, 09:59:57 PM »
You should be able to move that file back from the chest, at least if you stop On-Access Protection temporarily by right clicking the a-icon. Then you can send that file (copy) to a scan like Jotti, where it will be scanned with various antiviruses:
http://virusscan.jotti.org/

« Last Edit: September 07, 2006, 10:05:06 PM by Jarmo P »

joey_365

  • Guest
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #2 on: September 07, 2006, 11:11:00 PM »
Thanks for that Jarmo  :)

Although, the site seems a little flaky. It took me several attempts to upload the file, and when it did, it said it was scanning, but just stayed there for a long time and did nothing.

Jarmo P

  • Guest
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #3 on: September 07, 2006, 11:21:02 PM »
Strange, maybe it was busy. It is considered a trustworthy site and not flaky ???
You could try this one instead:
http://www.virustotal.com/en/indexx.html


joey_365

  • Guest
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #4 on: September 07, 2006, 11:43:29 PM »
Thanks Jarmo  :)

That worked perfectly, it seems only Avast was picking it up, all the rest reported nothing.

Many Thanks.

Jarmo P

  • Guest
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #5 on: September 07, 2006, 11:59:53 PM »
You can be happy now, having found Avast give a false positive. You were giving valuable information to virus experts and readers who might have had the same problem.
I was too last week:
http://forum.avast.com/index.php?topic=23215.0

BTW, before I gave you that last link, since I have not ever used that before, I submitted processguard.exe to that scan and 2 antiviruses found that suspicious, but not avast this time. False positives seem quite common these days.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #6 on: September 08, 2006, 12:31:36 AM »
Quote
Thanks Jarmo  :)

That worked perfectly, it seems only Avast was picking it up, all the rest reported nothing.

Many Thanks.
You want to send this to avast so it can be corrected; they can update the VPS files.
If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan; it will need to be temporarily removed from the standard shield exclusions, otherwise it won't be scanned). When it is no longer detected, then you can also remove it from the program settings, exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

joey_365

  • Guest
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #7 on: September 08, 2006, 12:47:41 AM »
Thanks again Jarmo for the help and information.  :)

DavidR,

Thanks also for your help, I will contact Avast sometime tomorrow, as it's late now. Thanks for taking the time to answer, and for your informative post also.  :)

ReneeDj3

  • Guest
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #8 on: September 08, 2006, 07:05:02 PM »
I've had the same problem showing up in my AOL Active Security Monitor.  Win32:Rbot-CCS is showing up as a trojan in OPSWATAVCommon.dll.  What can I do to get my system back to operating normally before both programs updated?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #9 on: September 08, 2006, 10:28:39 PM »
Quote
What can I do to get my system back to operating normally before both programs updated?
By following the same instructions/advice: confirm the detection is either good or false by using the links to VirusTotal or Jotti. Files can't be uploaded from the chest, so you will need to either restore or move to a temporary folder.

If it is a false positive, send it to avast and add the path for the file to the exclusions as mentioned in my previous post.

HIPPO

  • Guest
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #10 on: September 09, 2006, 02:30:34 AM »
I am using Jetico Personal Firewall.
My Avast didn't detect "bcfgenv.dll" as a virus.
I checked it with VirusTotal.
The result is below.
I think that your file is strange.

Properties of "bcfgenv.dll"
File size : 61,440 bytes
File Version : 1.0.0.26
Description : Configuration Environment Support


Complete scanning result of "bcfgenv.dll", received in VirusTotal at 09.09.2006, 02:06:22 (CET).
Antivirus   Version   Update   Result
AntiVir   7.1.1.16   09.08.2006   no virus found
Authentium   4.93.8   09.09.2006   no virus found
Avast   4.7.844.0   09.08.2006   no virus found
AVG   386   09.08.2006   no virus found
BitDefender   7.2   09.08.2006   no virus found
CAT-QuickHeal   8.00   09.07.2006   no virus found
ClamAV   devel-20060426   09.09.2006   no virus found
DrWeb   4.33   09.08.2006   no virus found
eTrust-InoculateIT   23.72.120   09.08.2006   no virus found
eTrust-Vet   30.3.3068   09.08.2006   no virus found
Ewido   4.0   09.05.2006   no virus found
Fortinet   2.77.0.0   09.09.2006   no virus found
F-Prot   3.16f   09.09.2006   no virus found
F-Prot4   4.2.1.29   09.08.2006   no virus found
Ikarus   0.2.65.0   09.08.2006   no virus found
Kaspersky   4.0.2.24   09.09.2006   no virus found
McAfee   4848   09.08.2006   no virus found
Microsoft   1.1560   09.09.2006   no virus found
NOD32v2   1.1746   09.08.2006   no virus found
Norman   5.90.23   09.08.2006   no virus found
Panda   9.0.0.4   09.08.2006   no virus found
Sophos   4.09.0   09.09.2006   no virus found
Symantec   8.0   09.09.2006   no virus found
TheHacker   5.9.8.208   09.08.2006   no virus found
UNA   1.83   09.08.2006   no virus found
VBA32   3.11.1   09.07.2006   no virus found
VirusBuster   4.3.7:9   09.08.2006   no virus found

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #11 on: September 09, 2006, 02:54:10 AM »
It could be that the VPS has been updated as this may have been a false positive, see reply #4 above.

Since the last reported VPS update on http://www.avast.com/eng/vps_history.html is 07.09.2006 - 0636-2 and the current one is 08.09.2006 - 0636-3 it looks like this VPS update was corrective rather than adding new signatures.

rdmaloyjr

  • Guest
Re: Anyone running Avast alongside Jetico ? Trojan problem
« Reply #12 on: September 09, 2006, 03:54:29 AM »
I use Jetico with avast! & bcfgenv.dll isn't detected as malware.

Complete scanning result of "bcfgenv.dll", received in VirusTotal at 09.09.2006, 03:22:44 (CET).

Antivirus   Version   Update   Result
AntiVir   7.1.1.16   09.08.2006   no virus found
Authentium   4.93.8   09.09.2006   no virus found
Avast   4.7.844.0   09.08.2006   no virus found
AVG   386   09.08.2006   no virus found
BitDefender   7.2   09.08.2006   no virus found
CAT-QuickHeal   8.00   09.07.2006   no virus found
ClamAV   devel-20060426   09.09.2006   no virus found
DrWeb   4.33   09.09.2006   no virus found
eTrust-InoculateIT   23.72.120   09.08.2006   no virus found
eTrust-Vet   30.3.3068   09.08.2006   no virus found
Ewido   4.0   09.05.2006   no virus found
Fortinet   2.77.0.0   09.09.2006   no virus found
F-Prot   3.16f   09.09.2006   no virus found
F-Prot4   4.2.1.29   09.08.2006   no virus found
Ikarus   0.2.65.0   09.08.2006   no virus found
Kaspersky   4.0.2.24   09.09.2006   no virus found
McAfee   4848   09.08.2006   no virus found
Microsoft   1.1560   09.09.2006   no virus found
NOD32v2   1.1746   09.08.2006   no virus found
Norman   5.90.23   09.08.2006   no virus found
Panda   9.0.0.4   09.08.2006   no virus found
Sophos   4.09.0   09.09.2006   no virus found
Symantec   8.0   09.09.2006   no virus found
TheHacker   5.9.8.208   09.08.2006   no virus found
UNA   1.83   09.08.2006   no virus found
VBA32   3.11.1   09.07.2006   no virus found
VirusBuster   4.3.7:9   09.08.2006   no virus found

I feel JPF is the perfect complement to avast! with its great protection & very low resource use.  avast! is the best anti-virus & Jetico Personal Firewall is the best firewall in my opinion.  Neither has ever let me down.  After Jetico is configured I get very few application alerts; the ones I do get are JPF doing its job.

In alphabetical order are the four most outstanding security applications I use: avast!, Jetico, SpywareBlaster & WinPatrol.
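
The multi-engine reports pasted in this thread can be triaged mechanically instead of by eye. The sketch below is an added example, not part of any post in the thread: it parses the "Antivirus / Version / Update / Result" layout, lists which engines flagged the file, and marks engines whose signatures are older than the scan date. The sample rows are constructed, and the function names, the two-day staleness threshold and the month-first reading of the Update column are assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample: only the column layout is taken from the thread.
SAMPLE = """\
Antivirus   Version   Update   Result
Avast   4.7.844.0   09.07.2006   Win32:Rbot-CSS
ClamAV   devel-20060426   09.09.2006   no virus found
Ewido   4.0   09.05.2006   no virus found
Kaspersky   4.0.2.24   09.09.2006   no virus found
"""

# engine, version, signature date, then the free-text result to end of line
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")

def parse_report(text):
    """Return one dict per engine row; header and prose lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        engine, version, update, result = m.groups()
        rows.append({
            "engine": engine,
            "version": version,
            # Assumption: Update column is MM.DD.YYYY
            "updated": datetime.strptime(update, "%m.%d.%Y").date(),
            "result": result,
        })
    return rows

def triage(rows, scanned_on, max_age_days=2):
    """Summarise detections and flag engines with old signatures."""
    hits = {r["engine"]: r["result"] for r in rows
            if r["result"].lower() != "no virus found"}
    # A clean result from an engine with stale signatures carries less weight.
    stale = sorted(r["engine"] for r in rows
                   if (scanned_on - r["updated"]).days > max_age_days)
    if not hits:
        verdict = "clean"
    elif len(hits) == 1:
        verdict = "single-engine"  # candidate false positive: report to that vendor
    else:
        verdict = "multi-engine"   # treat the file as suspect until analysed
    return {"hits": hits, "stale": stale, "verdict": verdict}

if __name__ == "__main__":
    print(triage(parse_report(SAMPLE), date(2006, 9, 9)))
```

A "single-engine" verdict only says where to send the sample; it does not prove the file is clean, so compare it against a known-good copy of the same version before excluding it from scans.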