These processes tried to connect to some addresses. I don't remember. I blocked them with my firewall. Then I checked the logs. Addresses are: 66.90.97.238 and 64.251.22.163
These processes are set in the Local Machine Run and Current User Run sections in the registry.
Avast didn't find anything. I scanned system32 and it found asn2.exe and ID-ed it as win32:rbot-afn. I think this one has nothing to do with the above-mentioned files. I deleted them (they were marked as system files) and cleaned the registry strings. I also sent the files to Avast.
I scanned one of the files at http://virusscan.jotti.org/
Statistics
Last file scanned at least one scanner reported something about: sndu32.dll.ren, detected by:
Scanner: Malware name
AntiVir: Trojan/Spy.Goldu.FT.1.A
ArcaVir: X
Avast: X
AVG Antivirus: X
BitDefender: X
ClamAV: X
Dr.Web: X
F-Prot Antivirus: X
Fortinet: X
Kaspersky Anti-Virus: Backdoor.Win32.Haxdoor.gf
NOD32: a variant of Win32/Haxdoor
Norman Virus Control: X
UNA: X
VBA32: Backdoor.Win32.Haxdoor.gf
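An added example, not code from the thread or from any of its posters: a PowerShell script that lists the HKLM and HKCU Run entries the first post refers to and flags the ones a defender would look at first (missing target, unsigned binary, hidden/system attributes like the files the poster found), printing the MD5 a multi-scanner site such as jotti reports. The registry paths are the standard Run/RunOnce keys; the flagging rules are this example's own assumptions.

```powershell
# Added example, not code from the thread. Enumerates the HKLM/HKCU Run keys
# the first post mentions and flags entries worth a second look. Run it in
# the profile you want to inspect (HKCU is per-user).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExeFromCommand([string]$Command) {
    # "C:\dir\x.exe" /arg -> C:\dir\x.exe ; C:\dir\x.exe /arg -> C:\dir\x.exe
    # (an unquoted path containing spaces is not resolved and ends up flagged)
    if ([string]::IsNullOrWhiteSpace($Command)) { return '' }
    if ($Command -match '^\s*"([^"]+)"') { $exe = $matches[1] }
    elseif ($Command -match '^\s*(\S+?\.exe)') { $exe = $matches[1] }
    else { $exe = $Command.Trim() }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) {
        # bare names such as "rundll32.exe" resolve through PATH
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Path) { $exe = $cmd.Path }
    }
    return $exe
}

function Get-RunKeyTriage {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($p in $entries.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            $exe   = Get-ExeFromCommand ([string]$p.Value)
            $flags = @(); $md5 = ''
            if (-not ($exe -and (Test-Path -LiteralPath $exe))) {
                $flags += 'missing-file'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
                $attrs = (Get-Item -LiteralPath $exe -Force).Attributes
                # the poster's samples carried hidden/system attributes: flag that
                if ($attrs -band [IO.FileAttributes]::Hidden) { $flags += 'hidden' }
                if ($attrs -band [IO.FileAttributes]::System) { $flags += 'system-attr' }
                $md5 = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash
            }
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Exe = $exe
                               Flags = ($flags -join ','); MD5 = $md5 }
        }
    }
}

Get-RunKeyTriage | Format-Table -AutoSize
```

Entries with an empty Flags column still deserve a look if the name is unfamiliar; the MD5 column is there so each binary can be checked against a multi-scanner service before anything is deleted, rather than after.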
If you are not getting a virus warning that you believe is a new, undetected virus, then if you can, zip and password protect ('virus' will do) the suspect file/s and send it to virus @ avast.com (no spaces), or add it to the virus chest and send it from there.
Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be either a new, undetected virus, and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
I already sent the files from the chest.
avast 4.6.763
0605-01
I already gave a brief outline of the problem in my first post. Though I believe your message, David, is a copy-paste one :)
What about heuristics then? I tried to scan it with NOD32; it didn't identify the virus but SUSPECTED that it's some kind of new one. Avast didn't do it.
The brief outline relates to the email you sent “Give a brief outline of the problem (possibly a link to this thread)” rather than the post here as that may not be read when they read your email.
Avast currently doesn't use heuristics in the main Standard Shield or Web Shield scanners (trying to avoid false positives probably), only in the email scanner.
My first post is actually what I wrote in the message that I sent from the chest. I’m surprised that you don’t use heuristics. I’d rather have several false positives and one real one.
I don't work for avast, I'm just a user like yourself, but the question on heuristics has been asked a number of times. A competent user who doesn't panic when a detection alarm rears its head, but checks (jotti, etc.)/analyses exactly what is detected and where it is found, can probably say with reasonable certainty that it is a false positive.
However, for the average Joe who won't recognise a system file from a virus (or see, as you did, other processes running), each detection is a scary experience and one which they take as gospel: it is a virus; they know nothing about the term false positive. The problem arises in what they do about it, not whether it is a false positive or a correct detection; many use the nuclear option to delete as their first option, rather than move to the chest and investigate.
That is where a false positive is so dangerous, when it is on a system file and the inexperienced user deletes as a first option; you may well be able to take care of yourself but there are many that can't.
Personally I would like to see heuristic scanning, but the Warning must make it clear that it is a heuristic detection and not to delete (or not give that option) and move to the chest. However, that is something for Alwil to decide.
They have something of the kind in NOD32, as I told you.
H:\msprexe.exe - probably unknown CRYPT.WIN32virus [7]
The thing is that in case average Joe finds out that his system has some virus or trojan AND his antivirus software didn't warn him about it, he may start heaping reproaches on Alwil.
Okay, what I personally expect from this topic here is that these files will be added to the defs bases as they are trojans. I've just updated the bases and the program core. So all Avast! users are still vulnerable to these trojans, while NOD32 users are informed of a possible infection.
Oops. My Opera has problems with uploading files at http://virusscan.jotti.org/
So I tried IE. Here are the actual results of scanning. Hmm, Avast doesn't look quite great here.
File: msappview32.exe
Status: INFECTED/MALWARE
MD5 dd4dfaf62abd09557402faeb2d9aa580
Packers detected: MEW
Scanner results:
AntiVir: Found Worm/Rbot.118441
ArcaVir: Found Trojan.Rbot.Gen.118440.MX
Avast: Found nothing
AVG Antivirus: Found IRC/BackDoor.SdBot.SAZ
BitDefender: Found Backdoor.SDBot.630BE27B
ClamAV: Found Trojan.Mybot-3412
Dr.Web: Found Win32.HLLW.MyBot.based
F-Prot Antivirus: Found W32/Sdbot.OHD
Fortinet: Found W32/RBot!bdr
Kaspersky Anti-Virus: Found Backdoor.Win32.Rbot.gen
NOD32: Found probably a variant of Win32/Rbot (probable variant)
Norman Virus Control: Found W32/Spybot.ABWX
UNA: Found Backdoor.Rbot
VBA32: Found Backdoor.Win32.Rbot.gen
File: msprexe.exe
Status: INFECTED/MALWARE
MD5 ecfa61834048ceb634eed7b169437068
Packers detected: -
Scanner results:
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found Backdoor.RBot.A198A4CA
ClamAV: Found nothing
Dr.Web: Found Win32.HLLW.MyBot
F-Prot Antivirus: Found nothing
Fortinet: Found W32/SpyBot.A-mm
Kaspersky Anti-Virus: Found Backdoor.Win32.Rbot.aoe
NOD32: Found probably unknown CRYPT.WIN32 (probable variant)
Norman Virus Control: Found W32/Spybot.AFPK
UNA: Found nothing
VBA32: Found Win32.HLLW.MyBot
Hi Nosferatum:
It appears what is being reported are trojans and/or worms!? Therefore, it would seem wise to have a program that "specializes" in these 2 categories, such as the good & FREE "Ewido" available from www.ewiod.net/en !?
Wouldn't it be wise to have any other antivirus from the above-mentioned to get these trojans identified??
I'm not trying to be rough on Alwil, I like Avast very much, but I feel upset at the fact that it can't cope with a problem that almost any other software can deal with.
Moreover, I feel that this send-files-to-avast issue doesn't work as it is supposed to.
Today I checked both files (they are stored in the chest) once again. Avast identified msappview32.exe as Win32:SdBot-gen14 [Trj]. But msprexe.exe still is not identified.
Today I checked both files in the chest once again. At long last Avast identifies them both.
Dear Nosferatum,
While there is no AV program that finds all, you should always have second opinion or non-resident scanners to get to the full scala.
Download DrWebCureit and run that against your computer. The days that a single AV and FW solution could protect us on the Internet, those days are long gone.