Topic: Win32:Kavos [Trj]

Ragamuffin

  • Guest
Win32:Kavos [Trj]
« on: July 27, 2009, 12:23:01 AM »
So after getting one problem fixed I apparently have another. I wasn't doing anything in particular, but just had two warnings come up on the avast Standard Shield. The files are "AVSAudioPlayer2.dll" and "AVSAudioVisualizationEx2.dll"; both were found in "H:\Program Files\Common Files\AVSMedia\ActiveX" and both are in the Virus Chest now. Any help would be much appreciated.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89215
  • No support PMs thanks
Re: Win32:Kavos [Trj]
« Reply #1 on: July 27, 2009, 12:48:29 AM »
Is AVS Media something that you installed?
Were you using the media player at the time?

If so, it would be worth confirming the detections.
You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here (the URL in the address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Ragamuffin

  • Guest
Re: Win32:Kavos [Trj]
« Reply #2 on: July 27, 2009, 01:03:30 AM »
Yes, I installed it quite some time ago to convert a different form of video file into .avi, if I remember rightly. No, I wasn't using it when the warning came up; I haven't used it in quite some years. Looking at the files in the virus chest, they both say Last Changed back in December '05, to give you an idea.

Link for AVSAudioVisualizationEx2.dll and link for AVSAudioPlayer2.dll

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Re: Win32:Kavos [Trj]
« Reply #3 on: July 27, 2009, 01:18:22 AM »
Hi Ragamuffin,

As the VirusTotal results are clean, I think these could be FP's. Can you check in the logs that these were actually flagged?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1618
Re: Win32:Kavos [Trj]
« Reply #4 on: July 27, 2009, 01:21:11 AM »
It may also help to run MBAM - http://www.filehippo.com/download_malwarebytes_anti_malware/
Make sure to take action on checked files at the end of the scan.

Then run a boot-time scan - http://www.digitalred.com/avast-boot-time.php
and see if there are any new detections or re-detections.


Probably best to fully uninstall AVS Media, but DavidR may be able to advise better on that.

Giveaway of the Day has up-to-date media programs and apps on a regular basis
- http://www.giveawayoftheday.com/
If you do a little research and bide your time, you can get a really good program for free.

Edit - sorry cross-posted with Polonus
« Last Edit: July 27, 2009, 01:23:28 AM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Ragamuffin

  • Guest
Re: Win32:Kavos [Trj]
« Reply #5 on: July 27, 2009, 01:27:40 AM »
Hi Ragamuffin,

As the VirusTotal results are clean, I think these could be FP's. Can you check in the logs that these were actually flagged?

polonus
Yep, they were; I'm looking at the logs right now.

It may also help to run MBAM - http://www.filehippo.com/download_malwarebytes_anti_malware/
Make sure to take action on checked files at the end of the scan.
I've created a "suspect" directory and extracted the files to it as DavidR suggested, and ran an MBAM scan on the folder, but it didn't flag either file.

Probably best to fully uninstall AVS Media, but DavidR may be able to advise better on that.
Yeah, that's what I'm thinking. Like I said, I haven't used the program in years; I only really picked up the trial of it for a one-off conversion.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89215
  • No support PMs thanks
Re: Win32:Kavos [Trj]
« Reply #6 on: July 27, 2009, 02:08:40 AM »
Yes, I installed it quite some time ago to convert a different form of video file into .avi, if I remember rightly. No, I wasn't using it when the warning came up; I haven't used it in quite some years. Looking at the files in the virus chest, they both say Last Changed back in December '05, to give you an idea.

Link for AVSAudioVisualizationEx2.dll and link for AVSAudioPlayer2.dll

It is what I suspected in a way: something that has been on your system for some time is now detected, and the VT results confirm it is highly likely a false positive detection.

If, as I suspect, it is a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 on how to report it to avast! and what to do to exclude the files until the problem is corrected. This should be reported to avast, as it may impact others using this media player and avast, so correcting the mis-detection helps all avast users.

After having done that, since you haven't used it in years, you need to decide if you really need it at all.

####
What threw me at first was your comment, "I wasn't doing anything in particular, but just had two warnings come up on avast standard shield." This is why I asked whether you were using it, as something has to be active for the Standard Shield to detect it; so, considering you 'haven't used it for years', it is running in the background taking up system resources.

Ragamuffin

  • Guest
Re: Win32:Kavos [Trj]
« Reply #7 on: July 27, 2009, 02:19:04 AM »
Well, that seems a little strange, as it wasn't running to my knowledge. Looking over the HijackThis logs I've done over the last 24 hours, none of them have AVS in them, and I hadn't launched it.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Re: Win32:Kavos [Trj]
« Reply #8 on: July 27, 2009, 02:20:52 AM »
Hi Ragamuffin,

Yep, we have these issues with heuristics. A-squared was renowned for these issues, which later, after checking against virustotal.com etc., turned out to be FP's. As the number of variants of certain malware grows exponentially and malcreants use all sorts of good-software cryptors, packers and obfuscation, the line between trusted benign software and malcode or malicious programs and tools sometimes becomes blurred, and a false positive lies around the corner. Avast is trying to correct these as soon as they are found and reported, as you may yourself have established. Also let this be a comfort to you: if avast would flag no FP's, it would not find the real ones either.

polonus

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89215
  • No support PMs thanks
Re: Win32:Kavos [Trj]
« Reply #9 on: July 27, 2009, 02:27:30 AM »
Well, that seems a little strange, as it wasn't running to my knowledge. Looking over the HijackThis logs I've done over the last 24 hours, none of them have AVS in them, and I hadn't launched it.

That is the thing with the Standard Shield: it is an on-access scanner, so files are scanned before they are allowed to run; it doesn't scan files randomly. That is what threw me for a loop, as I couldn't figure out why it would scan them, hence the question about whether you were using the media player.

Many applications, when installed, want to run on boot, and media players seem to be prime candidates for this behaviour, though they simply aren't needed until you double click on a media file associated with that media player.

So it is a little weird: if there is no entry for those files in HJT, then the only thing I can think of is that something accessed them with write permission and avast intercepted that access.
What other security software do you have?
Any desktop search/indexing tools?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33926
  • malware fighter
Re: Win32:Kavos [Trj]
« Reply #10 on: July 27, 2009, 02:31:46 AM »
Hi Ragamuffin,

To make absolutely sure about not having anything like Kavos there:
•    Log in in safe mode.
•    Turn off System Restore, to delete all the viruses whose backup has been taken by it. Right click on My Computer -> Properties -> System Restore tab -> click on Turn off System Restore on all drives. You may need to restart the computer.
•    You've already run Malwarebytes' Anti-Malware, and that did not find a thing.
•    All this to make absolutely sure.

@DavidR, HJT is becoming a relic; essexboy also reports that it is missing new detections. It was abandoned by the Dutch developer of the tool, and TrendMicro apparently did not do much towards further development after they acquired it. I use FreeFixer now...

pol

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89215
  • No support PMs thanks
Re: Win32:Kavos [Trj]
« Reply #11 on: July 27, 2009, 02:39:17 AM »
Yes, HJT may be a relic, but let's not forget these files are related to a legit media player installation, so the media player's entries wouldn't be subject to any obfuscation.

The files concerned have no detection in MBAM nor any in VT, not even by avast, and that tends to support my supposition that it is an FP: the result of a recent VPS update, one which hasn't yet been applied to VirusTotal (hence no detection by avast on VT).
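The reasoning DavidR uses above (a file unchanged since 2005, alerted on only after a fresh VPS update, and clean on VirusTotal) can be turned into a small triage helper. This is an added example, not code from the forum, avast or VirusTotal; the engine counts and the placeholder DLL are constructed, and the VirusTotal result is assumed to have been looked up by hash and passed in by hand.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical triage helper (added example, not the forum's or avast's code).
# It scores an exported Chest file the way the thread reasons: a file that has not
# changed for years but is flagged only after a fresh VPS update, and that VirusTotal
# does not flag, is far more likely a false positive than a new infection.

def sha256_of(path, chunk=1 << 20):
    """Hash the file so it can be looked up on VirusTotal without re-uploading it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(path, detected_at, engines_flagging, engines_total, stale_days=365):
    """Return (sha256, verdict, reasons) for one suspect file."""
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    unchanged_days = (detected_at - mtime).days
    reasons = []
    if unchanged_days >= stale_days:
        reasons.append(f"file unchanged for {unchanged_days} days before the alert")
    if engines_flagging == 0:
        reasons.append(f"0 of {engines_total} VirusTotal engines flag this hash")
    elif engines_flagging * 10 < engines_total:   # fewer than 10% of engines agree
        reasons.append(f"only {engines_flagging} of {engines_total} engines flag it")
    # Both conditions are needed: an old file with broad VT agreement is not an FP.
    verdict = "likely false positive" if len(reasons) == 2 else "treat as suspicious"
    return sha256_of(path), verdict, reasons

def demo(backdate=True, engines_flagging=0):
    """Constructed sample: a placeholder DLL with a December 2005 timestamp, alerted
    on 27 July 2009 with a clean VirusTotal report, as in the thread."""
    folder = tempfile.mkdtemp(prefix="Suspect_")          # stands in for C:\Suspect
    path = os.path.join(folder, "AVSAudioPlayer2.dll")
    with open(path, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed placeholder, not the real DLL")
    if backdate:
        stamp = datetime(2005, 12, 15, tzinfo=timezone.utc).timestamp()
        os.utime(path, (stamp, stamp))                     # mtime back to Dec '05
        alert = datetime(2009, 7, 27, tzinfo=timezone.utc)
    else:
        alert = datetime.now(timezone.utc)                 # freshly written file
    return triage(path, alert, engines_flagging=engines_flagging, engines_total=41)

if __name__ == "__main__":
    digest, verdict, why = demo()
    print(digest, verdict, *why, sep="\n")
```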

Ragamuffin

  • Guest
Re: Win32:Kavos [Trj]
« Reply #12 on: July 27, 2009, 02:42:45 AM »
That is the thing with the Standard Shield: it is an on-access scanner, so files are scanned before they are allowed to run; it doesn't scan files randomly. That is what threw me for a loop, as I couldn't figure out why it would scan them, hence the question about whether you were using the media player.

Many applications, when installed, want to run on boot, and media players seem to be prime candidates for this behaviour, though they simply aren't needed until you double click on a media file associated with that media player.

So it is a little weird: if there is no entry for those files in HJT, then the only thing I can think of is that something accessed them with write permission and avast intercepted that access.
What other security software do you have?
Any desktop search/indexing tools?
Security-wise I've got a fair few things at the moment from sorting my previous problem: MBAM, SpywareBlaster, Spybot S&D, SUPERAntiSpyware and AVG. I've not got any desktop search or indexing tools though. Exactly how it happened was: I had uTorrent running and most of those security programs; Spybot S&D had just finished and I'd started an MBAM scan, and a little way into the scan was when avast picked up the AVS files.

Ragamuffin

  • Guest
Re: Win32:Kavos [Trj]
« Reply #13 on: July 27, 2009, 02:55:24 AM »
Hi Ragamuffin,

To make absolutely sure about not having anything like Kavos there:
•    Log in in safe mode.
•    Turn off System Restore, to delete all the viruses whose backup has been taken by it. Right click on My Computer -> Properties -> System Restore tab -> click on Turn off System Restore on all drives. You may need to restart the computer.
•    You've already run Malwarebytes' Anti-Malware, and that did not find a thing.
•    All this to make absolutely sure.

Just to check here, do I need to turn System Restore back on? If so do I need to do it in Safe Mode too? Do you want me to run any scans, with MBAM or SUPERAntiSpyware or anything in safe mode after I turn System Restore off, or back on again?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89215
  • No support PMs thanks
Re: Win32:Kavos [Trj]
« Reply #14 on: July 27, 2009, 03:43:32 AM »
I believe your culprit may be the MBAM scan; see below on how this can occur:

So if MBAM opened these files to be scanned, avast would try to intercept that call and scan the files first; the fact that avast alerted is a side issue as to why avast scanned them in the first place.

Personally, I usually advise pausing the Standard Shield when scanning with other security software. This avoids possible conflict and duplicate scanning and reduces the overall duration of the scan.

Secondly, having two resident scanners installed is not recommended: rather than provide twice the protection, it can cause conflicts that could leave you more vulnerable. For many there would only be a minor issue, in that it would cause duplicate scanning.

It is these intercepts, one resident AV over another, which can cause conflicts (two dogs fighting over a bone); this could lock your system, and at worst this can happen on boot and lock you out.