Author Topic: Trojan.Mezzia inside avast!...?  (Read 11507 times)

0 Members and 1 Guest are viewing this topic.

Offline MeDIeVaL

  • Full Member
  • ***
  • Posts: 165
Trojan.Mezzia inside avast!...?
« on: October 01, 2007, 09:24:07 AM »
This is 2nd time SUPERAntiSpyware pick up a trojan inside avast! program in my system. Eventhough, I strongly believe it's just a false positive alarm but s'thing must be done from both side to prevent the continously detection inside avast! program.
-----------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/25/2007 at 04:56 PM

Application Version : 3.9.1008

Core Rules Database Version : 3311
Trace Rules Database Version: 1315

Scan type       : Complete Scan
Total Scan Time : 01:01:15

Memory items scanned      : 536
Memory threats detected   : 2
Registry items scanned    : 6024
Registry threats detected : 0
File items scanned        : 63128
File threats detected     : 48

Trojan.Mezzia/Resident
   D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\AHRESWS.DLL
   D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\AHRESWS.DLL
   D:\PROGRA~1\ALWILS~1\AVAST4\AHRESWS.DLL
   D:\PROGRA~1\ALWILS~1\AVAST4\AHRESWS.DLL

Adware.Tracking Cookie
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@partygaming.122.2o7[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@revenue[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@affiliatetracking[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@mediaservices.myspace[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@msnportal.112.2o7[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@atdmt[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@specificclick[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@imrworldwide[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@questionmarket[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@ads.us.e-planning[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@trafficmp[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@perf.overture[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@adbrite[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@2o7[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@rambler[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@toplist[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@bs.serving-sys[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@m1.webstats.motigo[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@4.adbrite[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@revsci[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@adopt.euroclick[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@msnservices.112.2o7[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@server.iad.liveperson[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@3.adbrite[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@serving-sys[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@richmedia.yahoo[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@ads.adbrite[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@blastclick[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@eas.apm.emediate[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@ads.blackmetal.co[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@realmedia[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@clickaider[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@tribalfusion[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@crackle[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@www.centurymedia[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@eyewonder[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@gostats[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@adinterax[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@adlegend[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@adtech[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@ads.pointroll[2].txt
   C:\Documents and Settings\MeDIeVaL\Cookies\medieval@2o7[2].txt
   C:\Documents and Settings\MeDIeVaL\Cookies\medieval@atdmt[1].txt
   C:\Documents and Settings\MeDIeVaL\Cookies\medieval@imrworldwide[2].txt
   C:\Documents and Settings\MeDIeVaL\Cookies\medieval@msnportal.112.2o7[1].txt
   C:\Documents and Settings\MeDIeVaL\Cookies\medieval@msnservices.112.2o7[1].txt
-----------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/01/2007 at 04:33 AM

Application Version : 3.9.1008

Core Rules Database Version : 3316
Trace Rules Database Version: 1317

Scan type       : Complete Scan
Total Scan Time : 00:56:52

Memory items scanned      : 530
Memory threats detected   : 2
Registry items scanned    : 5955
Registry threats detected : 0
File items scanned        : 58192
File threats detected     : 19

Trojan.Mezzia/Resident
   D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\AHRESWS.DLL
   D:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\AHRESWS.DLL
   D:\PROGRA~1\ALWILS~1\AVAST4\AHRESWS.DLL
   D:\PROGRA~1\ALWILS~1\AVAST4\AHRESWS.DLL

Adware.Tracking Cookie
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@mediaservices.myspace[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@msnportal.112.2o7[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@ads.revsci[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@atdmt[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@questionmarket[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@imrworldwide[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@adbrite[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@toplist[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@rambler[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@bs.serving-sys[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@revsci[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@microsoftgamestudio.112.2o7[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@msnservices.112.2o7[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@serving-sys[1].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@ads.adbrite[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@adinterax[2].txt
   D:\Documents and Settings\MeDIeVaL\Cookies\medieval@adtech[1].txt
HP Pavilion g4. Intel Core i5-2410M @ 2.3GHz. 4GB RAM. Win7 SP1 64bit. avast! Free 7.0.1456. COMODO Firewall

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84922
  • No support PMs thanks
Re: Trojan.Mezzia inside avast!...?
« Reply #1 on: October 01, 2007, 04:13:08 PM »
Well that is an avast file and I have it in my avast4 folder, so I suggest you check it out at one of the multi engine scanners, which is what you really should have done first, confirm detections.

You should also check the suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.

The MD5 of C:\Program Files\Alwil Software\Avast4\AhResWS.dll is af4e5eb372f516ef061e65e8973b57b5

File properties, see image.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline MeDIeVaL

  • Full Member
  • ***
  • Posts: 165
Re: Trojan.Mezzia inside avast!...?
« Reply #2 on: October 02, 2007, 05:56:17 AM »
I've scanned it with VirusTotal  at both date after scanning with SUPERAntiSpyware and found 0 out of 32 so that's why I strongly believe it's just a false positive and I've done nuthin' to it. But, I still believe avast! or SUPERAntiSpyware must do s'thing to end this problem. At least, avast! team can aknowledge thier mates in SUPERAntiSpyware to fix the detection, right?
HP Pavilion g4. Intel Core i5-2410M @ 2.3GHz. 4GB RAM. Win7 SP1 64bit. avast! Free 7.0.1456. COMODO Firewall

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84922
  • No support PMs thanks
Re: Trojan.Mezzia inside avast!...?
« Reply #3 on: October 02, 2007, 02:18:35 PM »
I've scanned it with VirusTotal  at both date after scanning with SUPERAntiSpyware and found 0 out of 32 so that's why I strongly believe it's just a false positive and I've done nuthin' to it. But, I still believe avast! or SUPERAntiSpyware must do s'thing to end this problem. At least, avast! team can aknowledge thier mates in SUPERAntiSpyware to fix the detection, right?

It isn't an avast problem but a false positive detection of a legitimate avast file so you need to report it to SAS as it is their problem to resolve.
avast can't do anything as it doesn't know what it is that is causing SAS to alert.

I have no idea if there is any communication between SAS and Alwil software.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Jahn

  • Guest
Re: Trojan.Mezzia inside avast!...?
« Reply #4 on: October 03, 2007, 03:55:08 AM »
Strange, SAS reports the file as clean on my system. ???

Offline Vladimyr

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Super(massive black hole) Poster
Re: Trojan.Mezzia inside avast!...?
« Reply #5 on: October 03, 2007, 04:33:55 AM »
Strange, SAS reports the file as clean on my system. ???
Mine too ???
There is a way that seems right to a man,
       but in the end it leads to death
.” - Proverbs 16:25

Offline MeDIeVaL

  • Full Member
  • ***
  • Posts: 165
Re: Trojan.Mezzia inside avast!...?
« Reply #6 on: October 03, 2007, 01:10:47 PM »
This screenshot I've taken this evening as SAS asked me to submit the sample...

HP Pavilion g4. Intel Core i5-2410M @ 2.3GHz. 4GB RAM. Win7 SP1 64bit. avast! Free 7.0.1456. COMODO Firewall

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: Trojan.Mezzia inside avast!...?
« Reply #7 on: October 03, 2007, 02:18:15 PM »
No troubles here...
Are you sure your avast installation is not compromised?
Is SAS fully updated?
The best things in life are free.

Offline MeDIeVaL

  • Full Member
  • ***
  • Posts: 165
Re: Trojan.Mezzia inside avast!...?
« Reply #8 on: October 03, 2007, 05:11:45 PM »
Nope, there's no compromise in avast! installation. The detection only occur start from 25/09/07 as I scan my system weekly with every security application. As you can see the SAS were up to dates. I'll check for the updates almost e'day...
HP Pavilion g4. Intel Core i5-2410M @ 2.3GHz. 4GB RAM. Win7 SP1 64bit. avast! Free 7.0.1456. COMODO Firewall

Offline Bluesman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 901
  • Amiga Power!
Re: Trojan.Mezzia inside avast!...?
« Reply #9 on: October 03, 2007, 07:44:25 PM »
No troubles here...

Same here, just checked, no problems at all.
"The blues are the roots, everything else is the fruits" -Willie Dixon

Offline MeDIeVaL

  • Full Member
  • ***
  • Posts: 165
Re: Trojan.Mezzia inside avast!...?
« Reply #10 on: October 03, 2007, 08:07:35 PM »
SAS only detect the trojann when I've done full system scanned. If I right clicked the file and scanned it found nuthin...
HP Pavilion g4. Intel Core i5-2410M @ 2.3GHz. 4GB RAM. Win7 SP1 64bit. avast! Free 7.0.1456. COMODO Firewall

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: Trojan.Mezzia inside avast!...?
« Reply #11 on: October 03, 2007, 08:25:33 PM »
SAS only detect the trojann when I've done full system scanned.
I've done that, I mean, just for that folder but the deepest scanning... Am I wrong? Is there any wrong setting on my installation?
The best things in life are free.

Jahn

  • Guest
Re: Trojan.Mezzia inside avast!...?
« Reply #12 on: October 03, 2007, 10:44:43 PM »
MeDIeVaL, is this the same system that had the trojan downloader?
      http://forum.avast.com/index.php?topic=30525.msg253810#msg253810

I'm wondering if it compromised Avast and/or SAS. Did you verify the MD5 of %:\Program Files\Alwil Software\Avast4\AhResWS.dll to the one DavidR posted in reply #1? Mine has the correct MD5 and is clean as I stated.

(Edit: Added:) SAS started detecting the Avast file right after the downloader was detected.
« Last Edit: October 03, 2007, 10:59:01 PM by Jahn »

Jahn

  • Guest
Re: Trojan.Mezzia inside avast!...?
« Reply #13 on: October 03, 2007, 10:50:16 PM »
I've done that, I mean, just for that folder but the deepest scanning... Am I wrong? Is there any wrong setting on my installation?
Tech, I would think the context menu scan would be the most thorough. I only found two scanner options in SAS that weren't set to maximum (Ignore non-executable files and Ignore files larger than 4 MB), but even after changing them, a full system scan came out clean.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84922
  • No support PMs thanks
Re: Trojan.Mezzia inside avast!...?
« Reply #14 on: October 03, 2007, 11:28:52 PM »
MeDIeVaL,
I'm wondering if it compromised Avast and/or SAS. Did you verify the MD5 of %:\Program Files\Alwil Software\Avast4\AhResWS.dll to the one DavidR posted in reply #1? Mine has the correct MD5 and is clean as I stated.

You are right to press for this check as it is critical and the reason I posted it in the same opst as the VT and Jotti links is because the MD5 of the file is part of the information provided on the VirusTotal scan. So yes it would be nice if MeDIeVaL would confirm this.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security