Author Topic: avast! reports IrfanView 4.23 has virus  (Read 8117 times)

0 Members and 1 Guest are viewing this topic.

graham.lv

  • Guest
avast! reports IrfanView 4.23 has virus
« on: March 30, 2009, 09:31:11 AM »
http://www.irfanview.com/

IrfanView 4.23 and the extra plug-ins have a virus.  I certainly got hit by something, however it knocked out Vodafone mobile connect usage meter and ati Catalyst control center.  Also, ALL html files on disk are infected with HTML_iFrame virus/worm.   I did have a look mat a couple and probably a redirect to an ad/further infection HAS been added.

----
Does IrfanView contain Spyware or Viruses, etc.?

http://www.irfanview.com/faq.htm
Q: Does IrfanView contain Spyware or Viruses, etc.?
A: NO. If your anti virus program reports a virus or spyware in IrfanView downloaded from the official homepages, you should either update the anti virus program or use a better one.

I've used IrfanView since forever, but it looks like some false?/reports before when I looked at the DATE in the Google search...

Spyware, viruses, & security : HELP ME!!! Do You Guys Know About IrfanView BEING A VIRUS
by gfunkafro - 11/1/05 9:21 PM
http://forums.cnet.com/5208-6142_102-0.html?forumID=32&threadID=134046&messageID=1510242

Tech Support Guy Forums > Software & Hardware > All Other Software  >
Official Irfanview Download from Cnet contained a virus?
TheArmegeddon's Avatar     
TheArmegeddon TheArmegeddon is offline
   
Computer Specs
Senior Member with 134 posts.
        
Join Date: Jul 2007
Location: O-Burg, NY
Experience: Pro At Gaming Level
24-Sep-2007, 09:12 PM #1
Official Irfanview Download from Cnet contained a virus?
while I wait for somebody to look at my HJT log, I want to know if anybody here downloaded the latest Irfanview from Cnet's download.com and then after installng, had a virus scan for the antivirus to detect that a file in the irfanview folder (my specific is the deutsch.dll file in the language pack or language folder) that was known as PAK_Generic.001 and it to be an actual virus and not an overreaction?
http://forums.techguy.org/all-other-software/628721-official-irfanview-download-cnet-contained.html


So, what does avast! think - it's never effected me before, but at about the same time I did get hit by a drive by - Firefox click top to continue - like most news sites I go to.

==========================================================
EDIT::

I just downloaded a new copy of IrfanView 4.23 from the official website via cnet download as the link is - scanned it with advast! - AND IT IS CLEAN!!!!!!!!!!!!!!!!!

Therefore, is advast! right?  about the other one I have containing a virus..  I uploaded a couple of infected html (iFame - worm/virus) files to advast! from within the program.  Should (or can) I upload the suspect IrfanView exe (can zip/rar) or not wanted by you.  If so, what's best way?
=============================

« Last Edit: March 30, 2009, 09:45:26 AM by graham.lv »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: avast! reports IrfanView 4.23 has virus
« Reply #1 on: March 30, 2009, 02:27:23 PM »
Can you inform the file as being a false positive? (click on the bottom right of the virus warning message).

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: avast! reports IrfanView 4.23 has virus
« Reply #2 on: March 30, 2009, 07:36:01 PM »
Interesting I have irfanview 4.2.3 and have been using it for years with no alert from avast. I have just scanned its program folder and no alert, see image. So if mine is clean and yours is infected, I suspect that it along with other files you mention are infected.

Exactly what is the malware name, file name and location of the irfan detections ?

You should check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: avast! reports IrfanView 4.23 has virus
« Reply #3 on: March 30, 2009, 07:49:03 PM »
I downloaded the Irfanview 4.23 setup last night as well as the plugins.  avast scanned both downloads without reporting a problem.

I just uploaded the Irfanview 4.23 setup to VirusTotal and the only non-clear report (out of 40 scans) was esafe which reported it as a "Suspicious file".



Edit: thanks to David for spotting my typo in the version.
« Last Edit: March 30, 2009, 08:12:53 PM by alanrf »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: avast! reports IrfanView 4.23 has virus
« Reply #4 on: March 30, 2009, 08:00:28 PM »
According to the irfanview web site the current version is 4.23 ???
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: avast! reports IrfanView 4.23 has virus
« Reply #5 on: March 30, 2009, 08:12:13 PM »
Thanks David .. that will teach me to check before I hit "Post".  Having typed it once I just pasted it second time ... I will go back and correct it.

graham.lv

  • Guest
Re: avast! reports IrfanView 4.23 has virus
« Reply #6 on: March 31, 2009, 12:49:42 AM »
Interesting I have irfanview 4.2.3 and have been using it for years with no alert from avast. I have just scanned its program folder and no alert, see image. So if mine is clean and yours is infected, I suspect that it along with other files you mention are infected.

Exactly what is the malware name, file name and location of the irfan detections ?

You should check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.



I uploaded it and below is the link:

eSafe   7.0.17.0   2009.03.27   Suspicious File

http://www.virustotal.com/analisis/92061b8e953a6e778402034fa8a970d0


File iview423_setup.exe received on 03.31.2009 00:42:18 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 24/40 (60%)

Avast   4.8.1335.0   2009.03.30   Win32:Vitro

==========================================
EDIT::

I just uploaded the *NEW* IrfanView downloaded yesterday that avast! scanned clean and below is the link to the online checker::

http://www.virustotal.com/analisis/d6450a28b57213a74a0bf8ea2e03f6c8

File iview423_setup.exe received on 03.31.2009 01:08:17 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/40 (2.5%)
-------------------------

As you can see - the old one has a 60% chance of virus and the new one only 2.5%.

WHAT DO YOU THINK ?

« Last Edit: March 31, 2009, 01:14:01 AM by graham.lv »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88898
  • No support PMs thanks
Re: avast! reports IrfanView 4.23 has virus
« Reply #7 on: March 31, 2009, 01:43:34 AM »
Simple the old one was infected and the new one having only been detected by esafe and that as suspicious is most likely a false positive detection.

This matches Alan's results on his that he sent to VT and the afcat that avast doesn't detect it where it did on the other one.

Virut, etc. is a virulent .exe file infecter so it is entirely possible that the other rash of infections were from the same infection.

I would also suggest that you run this tool DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free) Fairly effective against file infectors, Virut (infects .exe, .scr, .mp3 & .wmv), more so when used in safe mode.

DrWeb also do a Live CD if you are unable to get into your system see, http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security