I have reported something that might be a virus / false positive. Uploaded it and zip protected it to an email address. Can the staff check if they got it? Pavel replied to me that he could not open it, so I have resent it. {Evernotedemo.exe}, which seems to be a Flash tutorial placed in an .exe.
Received and investigated?
–Thanks
P.S: Avast also detects every reinstall of rt2500.sys {Ralink Driver on Vista Ultimate} as a virus, even on a clean machine from the OEM {Vista Ultimate} disk.
You could also check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Hi, welcome to the avast forum, virus and worms and FP section.
Do not panic, and know everything will be well in the end.
This infection you have on your computer could be
a variant of this malware family: http://www.castlecops.com/p970160-Spy_Banker_samples.html
Make sure you place hijackthis in C:, and not in a temporary file, because of later backups.
We will try to analyze the hijackthis logfile txt; as I said, attach it to your next posting,
and we could also establish it is an FP.
Even if a file has been scanned before it is always best to have it rescanned, you never know if more scanners now detect it or importantly less scanners detect it.
GData uses two scanning engines and one of those is avast so effectively only three detections, so the file should be analysed and you have sent it to avast.
So that means evernote distributed it with its download? It was an official evernote download and install. Actually I remember running it; the program demos evernote’s features. Avast needs to test this file themselves, evernote’s latest 2.x series.
Email 1:
Hello,
Is this a virus that I have zipped up with 7zip?
================================
Password is: <— It is a real password, based on what I think.
Rather have it sent normally, but guess it would spread, right? If it is a real virus?
Also forum uploading would be great rather than emailing, having upload for staff only.
EverNoteDemo.7z (2207K)
Email 2:
Hello,
and thank You for notifying us about a suspected file.
However, I cannot unpack it due to wrong password, the " " does not work.
Would You please send me the correct password, or this file recompressed using standard password " "?
Many thanks and best regards,
P wrote (not sure if he was ok to use his name here)
Alwil Software, a.s.
wrote:
Hello,
Is this a virus that I have zipped up with 7zip?
Password is:
Rather have it sent normally, but guess it would spread right?
If it is a real virus?
Also forum uploading would be great then emailing having upload
for staff only.
Email 3:
Hello Pavel,
I’ll try to do so; maybe gmail ruins the zip.7z file, as it has troubles with exe’s in the first place.
I’m trying the following:
Using the password: " " without quotes.
Recompressing the file.
If it still does not work we would need to find another way to do it. That is what I meant, very complicated to report to you guys!
Hopefully this will work this time.
Let me know what else I can do to transmit you the virus (funny way said it well to investigate) / potential false positive.
All it means is that a file in evernote’s distribution was detected as infected by three scanners and requires further investigation, nothing more nothing less. You have emailed the sample and it will be analysed. If it is found to be an FP it will be quickly corrected.
Interestingly I can find no EverNoteDemo.exe on the EverNote.com site, so I can’t try anything else. Unless it is in the full download which is 50+ MB which as a dial-up user I won’t be trying to download.
Well, pardon the way I’m writing; I’m sick today, so physically fatigued (taking iron) and not paying attention to punctuation.
I have checked this out after finally being able to get the full file, using three different versions of it, with the assumption that the server was compromised. And all of them seem clean until the point of setup deflate. Seems avast is showing a false positive, because evernote is a “for profit” entity and would not neglect this file since 2007 and not know. This same program is free and pro, depending if one orders a pro license. Clearly not in their interest to have people pay for Trojans, although non-freeware servers might be compromised. Such an active company would already have pulled it a year later, unless they accidentally somehow got infected and just now the scanners are starting to sound the alarm. Still no word from evernote or Avast. Good thing though the demo file is prevented from launching upon install. But if it is really a virus a year later, I might be screwed as it originally went undetected.
Really hope you will feel much better soon! You have sort of solved your problem yourself through exploration and you are a wiser man through doing this. You know that it is more than likely an FP; you have to wait for the AV scanner to get updated to not flag it any longer, or put it on the exclusion list.
Never trust anyone, and establish the facts first hand, that is get the information to make an informed decision. We are glad to help you with this, and so all will be well in the end, have a nice day and stay healthy,