Latest update is crying wolf?

Since the last update of the VPS files, my PC (WinXP Pro SP2) is throwing up endless numbers of virus alerts - on files which checked out ok for YEARS.

As it started recommending me to delete files within such archives as Win98 CABS (I have multi partitions), I decided to do a test. One of the virus alerts was for the Win32:tenga worm supposedly in an archived download of MSN Messenger (downloaded from the official site). So I downloaded it AGAIN from Microsoft and avast! 4.0 home edition is STILL showing that as containing the tenga worm. I cannot find a setting to stop the program continuously calling attention to this and other similar false alerts.

I am not keen on shutting off my anti-virus completely and I CERTAINLY don’t want to switch to another anti-virus program. But I have recommended avast! to a number of members of family and they are now complaining that I sold them a pup (either by installing viruses on their Windows PCs or by recommending avast! which throws up false alerts).

Any others have this problem in the last week?

Thanks for any help I can get.

Just ran a full system scan. (archives & thorough set).
Not a single warning.

Sorry, most probably, false positives.
Can you give us more info about the files (names and paths)?

You can add some files (or folders) to the exclusion lists for a while and warn Alwil team to correct the false positives alarms.

Isn’t Briton using an older version of Avast ie: “4.0”. Would a later version of Avast possibly help Briton?

Good shot! Last version is 4.6.691 and VPS 0532-5

OK, thanks Tech. Not trying to interfere but just noticed that. :slight_smile:

Interfere?
Aren’t all of we here to help?
Every help is welcome.

briton, that’s really strange. Tenga signature has been added 3 weeks ago; of course, it may have been changed recently, but I don’t think it’s very likely.
Also, common MS installation CABs are checked against false alarms, so it shouldn’t happen…

What is the exact build of avast! you have installed?
As Tech already asked: can you give us a few examples of the detected filenames?

I’ve seen a similar problem. I was running Microsoft Antispyware today to do a full file scan and avast detected 3 files infected with “Win32:Trojano-2107 [Trj]”. The files were:
ibm-dm1.exe
ibm-dm2.exe - IBM Deskstar files used on an old PC
and
dc71.exe found in the recycle bin

System is Win XP x64

OK thanks ALL for the replies. Sorry I wasn’t more specific - I rushed my post :frowning:

Well, I have now updated avast! on both WinXP Pro PCs here and it got REALLY hairy on the second one - that one has the massive disks on which we keep ISO files and so on. So a full scan took most of the day. If you wanted a file list, it would be er… well, let’s just say that the report file was MOSTLY tenga reports and when saved as a simple text file it was 2,255kb in size. So the full list would probably be self-defeating.

Why not go to the source of one of the files? Here it is from the original site:

http://g.msn.com/7MEEN_US/EN/INSTALL_MSN_MESSENGER_DL.EXE

That is the OFFICIAL download site for MSN Instant Messenger (download and install later). And yes, THAT file throws a tenga warning. Good old Microsoft? It’s just one example. Many of the others appear to be in backed up CABS of OS installs and downloads of program install files. I am only hoping that avast! hasn’t managed to delete small parts of them because I have no idea how to get them back. I was in the middle of a backing up operation and decided to update avast! and do a complete scan before I continued.

Yes, I have simply locked out the partitions on which the major stuff is. But that isn’t the point, is it! :stuck_out_tongue: lol

Very good point. Sorry, my mistake. I was (and am) using: avast! version 4.6 Home Edition Build Jul2005 (4.6.691) Xtreme Toolkit version 1.9.4.0

(Whenever I do a VPS update, I do a program update as the overhead time is short.)

Latest build at the time I did the full scan (details earlier in this post). Sorry again - my post might have been misleading. I usually update avast! once per month so the previous VPS might have been before the “3 weeks ago” you mention. (You mean you only just added the signature of an OLD thing like tenga? I didn’t realise you left them in the wild for so long!) I can’t remember what the previous VPS was - can I look that up in a log file somewhere? (I can’t use auto-update because of bandwidth limitations although I am now using “notify and ask” updating since this problem occurred).

Hope that gives accurate information in response to your questions.

I’ve been poring through the report files here and there is one pattern I noticed immediately. The install files for certain communication programs appear to throw up the Tenga - that makes sense as Tenga is a DCOM exploit, right? So if you download, for example, MSN Instant Messenger (and possibly any other instant messenger - anyone tried this on Yahoo! or AIM for example?) it throws up a Tenga warning if you download the complete file and scan inside compressed/archive files. But you get the same result if you download Callwave (go to www.callwave.com and you can test it on the original). Same now appears to happen with eFax (again, best if you go to www.efax.com). And also with Eudora (email client) and Lightning Download manager (get those from the source at www.eudora.com and www.lightningdownload.com ). All seem to have a communications component.

Is there a setting in avast! I don’t know about but which I have set too fine? If it were another antivirus program, that would have been my first idea here but I can’t find one which would allow these programs to pass the scan without exclusion. All of the programs in that group are the main setup files.

Other examples: Macromedia Shockwave (the standalone installer file). Macromedia Flash Player (the standalone installer file). (Both those from www.macromedia.com.) Panicware Popup Stopper (www.panicware.com). Apple Quicktime (standalone installer). Sun Java Run Time Environment installer.

Do I need to continue trawling these report files? These are major items of commonly used software being used by, for example, 75% of computer users. Not all of those users download the standalone installers but do a web install, but because we are installing on up to 10 machines (ancient dialup with NO chance of broadband in this rural area means that we tend to download the standalone installers and then write it to CD for the other members of the family in the area). But heck, if that’s the Tenga worm, I’ll have to live with it :smiley: I mean, Java Runtime Environment? WHEW!

Oh, another example? AdAware. Yes, that famous piece of software. The download of AdAware from the source. Tenga. My ISP is Bellsouth who supply the Propel Accelerator. Tenga!

If you want the names of all those files, here they are:

MSN Instant Messenger: INSTALL_MSN_MESSENGER_DL.EXE
Macromedia Flash Player: flashplayer7_winax.exe
Macromedia Shockwave: Shockwave_Installer_Slim.exe
CallWave: IamSetup__001F16000_.exe
Eudora: Eudora_6.2.1.exe
eFax: efxsetup.exe
AdAware: aaw6.exe
Propel Accelerator from Bellsouth.net: accelerator.exe
Lightning Download: lightning_setup.exe

This is just a SHORT list of examples of just a FEW of the files throwing this warning.

And that is only the Win32:Tenga alerts. I was kind of hoping that you would find some simple booboo and fix it before I start worrying about all the OTHER stuff it suddenly started working on :-

And if you still aren’t convinced, try this one as an example of an even longer list from Microsoft download site:

050618-1 Security Update for Windows XP (KB888302) Pub 2-Aug-05 330kb\WindowsXP-KB888302-x86-ENU.exe

Win32:Tenga? Wow Microsoft! :stuck_out_tongue: I don’t think so. I think the answer to my original question is somewhat simpler. EITHER my settings are wrong (strange that they didn’t have a problem before the last VPS update I did) OR one of the last few VPS updates is including normal DCOM operations in its signature or something - heck, I am clueless how you guys write this AntiVirus software - I can program, but you are more like magicians than programmers! lol

I haven’t actually sent any of these files to avast! team for three reasons: 1. They are all available at the official download sites. 2. They are quite large and I am lucky to get better than 28.0 baud on my ISP so you can get the originals of the files a lot easier and a lot quicker without me spending two days sending them. 3. The last file I sent avast! (from the Win98SE installation CD) arrived there and no one ever told me what happened about it (was it a false positive or do I have something weird on my Win98SE CD? :stuck_out_tongue: )

Thanks for all the help. If you need any more info, please let me know.

Briton, I don’t get any detection on the files you mention. So, I would say:

  1. Either your avast! installation got somehow very badly corrupted (which would probably be the only explanation if you really get detections inside of CAB files - however, the examples of detected files you posted were only exe files).

or

  2. You really have Tenga virus running (active) on your computer and it is infecting all the executable files on your disk (it can do it rather fast, I must say).

Can you tell me the exact size (in bytes) of the files, e.g. WindowsXP-KB888302-x86-ENU.exe, or INSTALL_MSN_MESSENGER_DL.EXE?

Within Windows XP explorer, the following sizes are given:

WindowsXP-KB888302-x86-ENU.exe
Size: 38.5 KB (39,424 bytes)
Size on disk: 48.0 KB (49,152 bytes)

INSTALL_MSN_MESSENGER_DL.EXE
Size: 7.02 MB (7,364,808 bytes)
Size on disk: 7.03 MB (7,372,800 bytes)

I can’t think why it would make a difference, but I am reading that info from a different pc on the LAN.

OK. So assuming you now tell me that this LAN is infected with Tenga and yet avast! has always been resident and running on all computers on the LAN, how come it didn’t show it? Tenga isn’t new! And how come I still have no idea WHERE it is on the LAN?

And how do I now fix it? avast! only suggests deletion or move to chest. Unlike the ones available on line, some of the files are simply unavailable unless I pay again for them (assuming I CAN get them).

Thanks.

Well, Tenga is a parasitic virus so it can attach to otherwise clean executables.
Although I wonder how it slipped past avast! ???

The size of INSTALL_MSN_MESSENGER_DL.EXE is the same as I have, so it doesn’t seem to be infected… My size of WindowsXP-KB888302-x86-ENU.exe is 396008, so they don’t match for some reason.

So, when you scan WindowsXP-KB888302-x86-ENU.exe (for example) using the Explorer context menu (“Scan…”), Tenga is reported? Can you please try to submit the “infected” file to Jotti and let us know the results?
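The size check Igor does by hand above (39,424 bytes versus 396008 for WindowsXP-KB888302-x86-ENU.exe) generalises into a baseline-and-compare integrity check: a parasitic infector that appends itself to otherwise clean executables shows up as a stored installer whose size and hash no longer match the values recorded when the file was known-good. This is an added example, not code from the forum or from Alwil; the suffix list and the temp-directory scenario in demo() are constructed assumptions, and files the resident scanner refuses to open (the 0-byte Jotti upload later in the thread) are reported rather than silently skipped.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: the file types worth baselining on an installer share.
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".cab"}

def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so multi-MB installers are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _executables(root: str):
    """Yield (path, relative posix name) for every executable-like file under root."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXEC_SUFFIXES:
            yield path, path.relative_to(root).as_posix()

def build_baseline(root: str) -> dict:
    """Record size and SHA-256 of each executable while the share is known-good."""
    return {rel: {"size": p.stat().st_size, "sha256": _digest(p)}
            for p, rel in _executables(root)}

def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Bucket files as grown (the signature of an appending infector), changed
    (same size, different bytes), new, missing, or unreadable (locked, e.g. by
    the on-access scanner, which is what a 0-byte upload looks like)."""
    report = {"grown": [], "changed": [], "new": [], "missing": [], "unreadable": []}
    seen = set()
    for path, rel in _executables(root):
        seen.add(rel)
        try:
            size, digest = path.stat().st_size, _digest(path)
        except OSError:
            report["unreadable"].append(rel)
            continue
        if rel not in baseline:
            report["new"].append(rel)
        elif digest != baseline[rel]["sha256"]:
            report["grown" if size > baseline[rel]["size"] else "changed"].append(rel)
    report["missing"] = sorted(set(baseline) - seen)
    return report

def demo() -> dict:
    """Constructed scenario: baseline a share, then simulate one installer
    growing by an appended tail and one new executable appearing."""
    root = tempfile.mkdtemp()
    (Path(root) / "efxsetup.exe").write_bytes(b"MZ" + b"\0" * 1000)
    (Path(root) / "readme.txt").write_bytes(b"not an executable, not baselined")
    baseline = build_baseline(root)
    with (Path(root) / "efxsetup.exe").open("ab") as f:
        f.write(b"<constructed appended tail>")  # just extra bytes, not malware
    (Path(root) / "aaw6.exe").write_bytes(b"MZ")
    return compare_to_baseline(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Run build_baseline once against a clean copy of the share and keep the result off the share; later runs of compare_to_baseline then point straight at the files an infector touched.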

You wonder? What do you think I am doing!!!

OK. I checked out INSTALL_MSN_MESSENGER_DL.EXE and worked out what happened. The file was resident on a LAN drive and obviously had Tenga, but sometime during the last couple of days, it got replaced by an updated file of the same name (newer version of Instant Messenger). So although it was appearing in the report, it was no longer relevant.

WindowsXP-KB888302-x86-ENU.exe is also on a network share. But all that happens when I try to do anything with it is that the pc which holds that drive throws up an avast! Win32:Tenga alert. So the only thing I can do with it is to check its file attributes (hence the size).

Submission to jotti produces:

“The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file”

I’m trying guys. But what worried me is that I have a pc full of tenga infection which is presumably spreading itself around not only our home network, but the world.

How can I get to do anything with these infected files if they lock out? Is it avast! locking them out or Tenga? No mention it does that in the virus information database.

What now? Any ideas?

Maybe I should just add one thing. Of course I am preparing to simply delete every folder, file and archive with a problem. That only leaves me with the problem of replacing the files which I don’t have somewhere else (I noticed that there were some reports in the Restore files which I don’t yet know how to remove). ONLY? Well, all the download and install later files are easy - I have a list and I know the sources. Some others are going to be more problematic as my backups got corrupted when 3 disks got mechanical failures within 3 days of each other. But I can work around those somehow.

The problem is, there is no point in doing ANY of that until I am sure that there is nothing on ANY of the partitions which will reinfect them. Anti-virus software is great if it catches a virus on first appearance - you can fix it, delete it, move it to chest etc. But I can’t find anything in Help which tells me what to do when I have HUNDREDS of files in a range of partitions.

Do I just start at the top of the avast! scan report and go through deleting them until I get to the end? What do I do about those viruses embedded inside Windows Restore files? Are they by nature inactive? And what about the ones inside compressed archives? Can I just delete the single file or do I have to lose the whole archive? And what about the ones in compressed executables that I can’t open without running them? Can avast! delete the single file within the archive?

Sorry if I have a lot of questions. I use anti-virus software to avoid having to ask these questions :frowning:

Any help would be welcome (but not SPAM invitations to listen to someone’s internet radio station thank you - who on earth is SPAMMING in this forum?)

OK. In case someone now looks up this topic - the subject is a false positive… avast! positives were ACCURATELY discovering the Win32:Tenga virus.

Still VERY puzzling how it got in but I have checked every log I can check and can see no trace of where and how it got in NOR did I ever discover the actual source.

After my last post, I isolated the networked PCs from each other and isolated them from the internet (after updating the VPS files of course).

Then on each of them I did the following:

I disabled system restore on ALL partitions on ALL drives. Interestingly enough this did NOT remove all restore points so I manually deleted the restore folders from all partitions (deleted - not moved to Recycle Bin).

Then the long wait while avast! did a complete “Thorough including compressed archives” scan on all partitions.

I did the partitions in groups to minimise the possibility of disaster if there was a power cut (it’s lightning season here in Georgia). I did the OS partitions first, then the data partitions (where ALL of the infections were found bar some oddities which are not worth worrying about).

I cannot think why I would do this in some sort of silent mode so I didn’t look it up to see if possible.

I am still a little puzzled why it insists on alerting some viruses for me to choose the action during the scan (which means you could leave it on overnight and find it had stopped after 5 minutes unattended) and yet most of what it finds is left until the report stage after the scan is finished. Can’t find an explanation in Help so any ideas on that one and can you include it in Help some time on an upgrade?

avast! found different things on each PC and LUCKILY I seemed to have created a sort of trap for viruses in that I had a complete copy of an old drive with WinMe on it in one of the partitions and Win32:Tenga wasted most of its efforts harmlessly infecting all the exe files on that copy all of which could simply be deleted. So it never actually affected any of the working partitions despite both WinXP PCs having multiboot capability into Win98SE. This isn’t telling the virus writers anything that helps them as there is no way a virus could be expected to know that it was a “dummy” it was infecting (I think!)

Anyway, apart from LOTS of Win32:Tenga infections, it found some other stuff which seems to be older viruses which were never scanned with later updates (somehow) plus a LOT of very old email archives which were thrown up as Decompression Bombs. I searched avast! site, forum and the web and can’t find out exactly what this does. I understand what it IS, but as far as I can tell, unless there is a virus in the tail-end of it, it doesn’t really DO anything except maybe crash a piece of software once. Am I right?

In each case where a virus alert arose, I attempted repair, then chest then delete (if the others didn’t work). If THOSE all failed, which happened a lot, I manually deleted the entire file containing the virus - which avast! was unable to know about.

Once scans were complete, I did the same with each occurrence of anything except “unable to scan” - those were for two reasons “password protected” and “file corrupted”. While avast! can tell you that, it can’t actually do anything with them. So I removed the corrupted files manually and opened the password protected files later to let avast! in to scan them.

While the VRDBs were right up to date, remarkably few of the files could be repaired despite being totally unrelated to the operating system partitions. Many of the “Move to chest” operations failed too and a few of the deletes. Not sure about that - I thought an up-to-date VRDB meant that nearly ANYTHING non-OS could be repaired…

After completion of ALL scans and doing SOMETHING with ALL the infections (repair/chest/delete or manual delete), I scheduled a boot-time scan of ALL partitions and was amazed to discover that avast! then discovered even more infections - many of them appeared to be the same as the ones found during the previous scan. Can’t work that out at all but at least I know it’s clean.

One of the files infected and which couldn’t be repaired was the download of Ad-Aware install file so I downloaded the latest version, installed it and ran it and lo and behold, the first thing it threw up were Malware occurrences. I guess the definition of Malware is different or something.

Anyway, once all partitions on all PCs were clean, I re-enabled the network and things seem ok.

Several questions up there, but this one is my MAIN reason for posting again. If I get another alert, how do I discover where the ORIGIN of the infection is so that I can check it was sorted out? I mean after dealing with hundreds of infected files, I still have no idea which one was the active virus which then did its parasitic best.

If you can answer that one, you are a hero :stuck_out_tongue:

Additionally, I wouldn’t mind discovering:

a. whether a decompression bomb is, on its own, as harmless as I suggest.

b. Why an up-to-date VRDB does NOT mean that you get the majority of files repaired (especially with a parasitic “add-on” like Tenga).

c. Why the boot-time scan finds viruses apparently already dealt with by the scans run within the OS.

Apart from that, I am still using avast! :smiley:

HELP!

Following that cleanup, I set avast! resident scanners onto the most secure settings that still allowed SOME use of the pcs. I did the same with the firewall. I made sure Windows Update and avast! updates were fully up to date at all times.

And today, I noticed that avast! doesn’t actually alert me to the existence of new infected files (or newly infected files) unless I open the partition in Windows Explorer.

So have I got something wrong in the configuration of avast! ?

Each pc has several partitions each of which is primary even where the partitions are on the same physical drive. Does this affect how avast! works on them? If so, how should I change the configuration? If not, why doesn’t the resident scanner notify me when a new infected file is written to the partition or an existing file is infected?

While responding to the latest alerts, whether I selected Move to Chest or Delete (Repair NEVER working), the alert dialog box cancelled without notifying me that it had failed to perform the action and without giving me the chance to select “Delete on restart”. Any ideas? Obviously I scheduled a boot-time scan and chose the only workable option “Delete” but this is now wreaking havoc because it is obvious that the root cause of the infections is not being located by avast! It worries me - as well as taking a LOT of time chasing these infections - but SURELY it worries someone at ALWIL?

HELP! Please!

Following that cleanup, I set avast! resident scanners onto the most secure settings that still allowed SOME use of the pcs.

So have I got something wrong in the configuration of avast! ?

What would be helpful is what your settings are (otherwise we can’t say if they are wrong or right).
What you have to do is compromise between security and performance, but at a minimum I believe you should have Standard Shield set to scan all created/modified files, that way the infected files will be scanned when they are saved to the HDD.

http://img.photobucket.com/albums/v325/for-dwr/scanner-adv.jpg

Repair only works if the infected file is one that VRDB has scanned (mainly system files, .exe, dll, etc.) and the VRDB has been generated. The alert dialogue usually gives you the recommended action as the focused button.