Topic: Event Log Explorer FP (Read 10804 times)


YoKenny
Event Log Explorer FP
« on: August 19, 2009, 01:43:33 AM »
I have used Event Log Explorer for ages on XP and now avast! detects it:
Code:
8/18/2009 7:13:01 PM SYSTEM 1704 Sign of "Win32:Induc" has been found in "http://www.eventlogxp.com/download/elex.zip\elex_setup.exe\{app}\elex.exe\[ASProtect]" file.
What is really weird is that Microsoft Security Essentials (MSE) is detecting it also:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus%3aWin32%2fInduc.A&threatid=2147627628

I reported it on their forum:
http://www.fspro.net/forum/viewtopic.php?t=1094
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

spg SCOTT
Re: Event Log Explorer FP
« Reply #1 on: August 19, 2009, 01:46:18 AM »
I presume you sent it to ALWIL? ;)
“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!” (Richard Feynman)

YoKenny
Re: Event Log Explorer FP
« Reply #2 on: August 19, 2009, 01:51:23 AM »
I presume you sent it to ALWIL? ;)

My memory fails me, so can you refresh it for me?

When I visit the Event Log Explorer download site to get the zip file, avast! warns me with a pop-up, but I don't see how to send it to ALWIL.

spg SCOTT
Re: Event Log Explorer FP
« Reply #3 on: August 19, 2009, 01:58:16 AM »
You can click on the report as false positive at the bottom right of the alert.


DavidR
Re: Event Log Explorer FP
« Reply #4 on: August 19, 2009, 02:40:37 AM »
You would need to pause the web shield to be able to download it, and take no action if the standard shield alerts; it shouldn't on the zip file, but it would when you try to extract it.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, then type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If you can pause the standard shield and copy the file to that location, enable the standard shield again.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "possible false positive" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest), where it can do no harm, and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.4.2227 R4 beta1/ Outpost Firewall Pro9.1/ Firefox 40.0.3, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.8/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

YoKenny
Re: Event Log Explorer FP
« Reply #5 on: August 19, 2009, 06:56:42 AM »
Detected by:
Avast 4.8.1335.0 2009.08.18 Win32:Induc
GData 19 2009.08.19 Win32:Induc
Microsoft 1.4903 2009.08.18 Virus:Win32/Induc.A

http://www.virustotal.com/analisis/70eaf33d574f0fa749ff28ab089402035be789913f20917be23aefbb8e522245-1250657939

I sent the file from the Chest I think.

Milos (Avast team)
Re: Event Log Explorer FP
« Reply #6 on: August 19, 2009, 09:21:21 AM »
Hi,
Win32:Induc was added yesterday (VPS 090818-0) and it is found in files compiled with Delphi (it infects systems with Delphi installed), so everything compiled with an infected Delphi is infected too. The files are infected before they are signed, so they have a valid signature.

Milos

kalaybg
Re: Event Log Explorer FP
« Reply #7 on: August 19, 2009, 09:31:19 AM »
Hi,
Win32:Induc was added yesterday (VPS 090818-0) and it is found in files compiled with Delphi (it infects systems with Delphi installed), so everything compiled with an infected Delphi is infected too. The files are infected before they are signed, so they have a valid signature.

Milos
How do we delete it?? I woke up this morning and thought what a beautiful day! BUT NO! AIMP2 doesn't work, Kmplayer doesn't work. I fear to run Skype because it may not work too. I deleted the infected files and then uninstalled the programs. I ran avast to scan and it found something in the registers; I deleted it. Then I reinstalled AIMP2 and it found Win32:Induc.a again :( . I am running a full online Kaspersky scan.
I sent the inflicted .dll as a false alert, dunno why.
So this virus does nothing but just multiply and infect Delphi programs?

nmb
Re: Event Log Explorer FP
« Reply #8 on: August 19, 2009, 09:34:37 AM »
@ kalaybg

No problems for me with AIMP2 and avast.

Milos (Avast team)
Re: Event Log Explorer FP
« Reply #9 on: August 19, 2009, 09:59:47 AM »
Hi,
Win32:Induc was added yesterday (VPS 090818-0) and it is found in files compiled with Delphi (it infects systems with Delphi installed), so everything compiled with an infected Delphi is infected too. The files are infected before they are signed, so they have a valid signature.

Milos
How do we delete it?? I woke up this morning and thought what a beautiful day! BUT NO! AIMP2 doesn't work, Kmplayer doesn't work. I fear to run Skype because it may not work too. I deleted the infected files and then uninstalled the programs. I ran avast to scan and it found something in the registers; I deleted it. Then I reinstalled AIMP2 and it found Win32:Induc.a again :( . I am running a full online Kaspersky scan.
I sent the inflicted .dll as a false alert, dunno why.
So this virus does nothing but just multiply and infect Delphi programs?

Hi,
It infects the installed Delphi, so only newly compiled programs are infected; it doesn't infect other existing .exe files (including .exe files compiled with Delphi).
I hope that my explanation is clearer.

Milos

kalaybg
Re: Event Log Explorer FP
« Reply #10 on: August 19, 2009, 10:07:48 AM »
No Milos, how do I get rid of it forever and ever?

[img=http://img134.imageshack.us/img134/336/avast.jpg]


Look at the screenshot: I used delete (the second from left to right), so it deletes the AIMP2.dll. But then I need to reinstall AIMP2, and when I reinstall it, the same window pops up telling me that the .dll is infected. I read on Russian sites that the same thing happens to QIP.
« Last Edit: August 19, 2009, 10:09:19 AM by kalaybg »

YoKenny
Re: Event Log Explorer FP
« Reply #11 on: August 19, 2009, 10:19:41 AM »
Hi,
It infects the installed Delphi, so only newly compiled programs are infected; it doesn't infect other existing .exe files (including .exe files compiled with Delphi).
I hope that my explanation is clearer.

Milos
I do not have the Delphi compiler.
Event Log Explorer has been running fine on my system for as long as I have had avast!, so the latest database update, file version 090818-0, is detecting an existing .exe file, elex.exe, which is the main executable of Event Log Explorer.

I am running a Microsoft Security Essentials Quick Scan right now after a database update and will post its results when finished.

Milos (Avast team)
Re: Event Log Explorer FP
« Reply #12 on: August 19, 2009, 11:18:32 AM »
No Milos, how do I get rid of it forever and ever?

[img=http://img134.imageshack.us/img134/336/avast.jpg]


Look at the screenshot: I used delete (the second from left to right), so it deletes the AIMP2.dll. But then I need to reinstall AIMP2, and when I reinstall it, the same window pops up telling me that the .dll is infected. I read on Russian sites that the same thing happens to QIP.

Hi,
Uninstall AIMP2 and download one which is not infected -- this means waiting while the author disinfects his Delphi and compiles AIMP2 again.

Milos

jsejtko (Avast team, ALWIL Software)
Re: Event Log Explorer FP
« Reply #13 on: August 19, 2009, 11:19:29 AM »
Hello Guys,

This infection was discovered 2 days ago and all AV vendors added its detection to their virus databases because it is flagged as ITW (In The Wild). But this infection may be old - no one knows how old, but many software developers are infected and their software releases are infected too. Even if it is signed, it is infected! They were submitting infected copies to signing companies.

The problem is that it is a new technique to infect: the executable infects source code (one Delphi library), so any program built with Delphi on an infected machine is infected too.

So you can get a clean installation only after the software producer is clean and releases an absolutely new version. Or you may roll back to some old version which is not infected.

Regards
« Last Edit: August 19, 2009, 11:21:10 AM by jsejtko »
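The mechanism jsejtko and Milos describe, a compiler library altered so that every later build carries the infection while code signing on the output still succeeds, is why a defender baselines the build toolchain itself instead of trusting the signature on the result. The script below is an added example and is not from this thread or from ALWIL; the toolchain path is a placeholder and the file names and contents are constructed (the unit names echo the Delphi RTL, but nothing here is real Delphi code):

```python
import hashlib
import tempfile
from pathlib import Path

# Placeholder for the real toolchain directory on the build machine
# (e.g. the Delphi "Lib" folder); assumed, not taken from the thread.
TOOLCHAIN_DIR = Path("C:/Program Files/Borland/Delphi7/Lib")


def sha256_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large units are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshot(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared and files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake toolchain dir, then alter a library
    unit the way the thread describes (source modified, unit rebuilt) and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "SysConst.pas").write_text("unit SysConst; ... end.")   # constructed
        (root / "SysConst.dcu").write_bytes(b"\x00original-unit\x00")   # constructed
        baseline = snapshot(root)               # taken on a known-clean machine
        (root / "SysConst.pas").write_text("unit SysConst; {injected} ... end.")
        (root / "SysConst.dcu").write_bytes(b"\x00rebuilt-unit\x00")
        (root / "SysConst.bak").write_bytes(b"backup")  # unexpected new file
        return diff_snapshot(baseline, snapshot(root))  # run this before each build


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline is recorded once on a machine known to be clean and kept off the build host; any non-empty "modified" or "added" list for the toolchain directory means the compiler should not be trusted to produce releases until it is reinstalled.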

Milos (Avast team)
Re: Event Log Explorer FP
« Reply #14 on: August 19, 2009, 11:22:10 AM »
Hi,
It infects the installed Delphi, so only newly compiled programs are infected; it doesn't infect other existing .exe files (including .exe files compiled with Delphi).
I hope that my explanation is clearer.

Milos
I do not have the Delphi compiler.
Event Log Explorer has been running fine on my system for as long as I have had avast!, so the latest database update, file version 090818-0, is detecting an existing .exe file, elex.exe, which is the main executable of Event Log Explorer.

I am running a Microsoft Security Essentials Quick Scan right now after a database update and will post its results when finished.

Hi,
The author of Event Log Explorer uses an infected Delphi.

Milos