WnSoft Forums

P2E-related virus?


Ken Thomson


My virus program is detecting a virus in all recent P2E presentations I've made (the .exe files). The virus name is Trojan Horse PSW.Banker.HMQ. It doesn't show in any other program - anyone know anything about this? Is P2E embedding the virus - or is it a case of mistaken identity?


There was a similar problem a few years ago when a Norton update mistakenly identified certain PTE exes as viruses. Igor managed to sort it out with Symantec and subsequent definitions updates cured the problem.

Maybe it's happened again?

Which anti-virus program do you use? I've just updated the definitions for my Inoculate program and it hasn't caused any problems.

Ian


see

http://www.picturestoexe.com/forums/index....1&st=&p=entry

for the scenario

also

you can download a quick trojan check from McAfee

at

http://vil.nai.com/vil/stinger/

McAfee AVERT Stinger

Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.

The day before yesterday the web became very slow for me.

Yesterday the Stinger program was updated, as well as my getting 2 updates on my AVG software.

I ran Stinger and AVG and came up clean.

ken



I was thinking of that history when I mentioned "Mistaken Identity"

I use AVG anti-virus, just updated today. I have one PC using another virus program; I'm just off to run it to see if it identifies a problem.


Igor

Grisoft AVG Ver.: 7.0.344/Virus Database:267. 11.13/123 Release Oct 6 /2005

is now showing

TROJAN HORSE PSW BANKER HMQ

I think they were made with ver 4.31 -- 19 files

Said it healed the trojan.

Am now running McAfee Stinger 258 on the same files.

When I ran it yesterday it showed nothing.

ken


I just sent a letter to AVG.

This problem occurs only with old slide-shows created in v4.30

And I think AVG will solve it very soon.

If it is possible, please send your response to AVG. Here is an example of a slide-show created in v4.30 which AVG MISTAKENLY marks as a "virus": http://www.wnsoft.com/test/PTE_v430_SlideShow.zip


Igor, I am trying to add two files to the thread: screenshot JPGs.

In the vault the file is 3.64 MB.

When it is restored the zip file is 16 KB,

and I am unable to locate the vault containing the quarantined exe and zip files.

And I would be unable to send the infected files anyway, because AVG in its present state will not allow me to send infected files.

I am also emailing you.

ken

post-16-1128718125_thumb.jpg

post-16-1128718924_thumb.jpg


I ran a full virus scan with AVG 7.0 at 13.30 today, as always the scan finished with "No Virus Detected".

Tonight, at 1958, AVG updated as scheduled, after reading this thread I ran a further full scan, this time all 36 PtoE files on the hard drive were detected as containing the "Trojan Horse PSW Banker.HMQ". Of the 36, 10 were my own humble creations, remainder had been downloaded, the last one, "The Barn", being downloaded last night.

I was away from the computer for some time, coming back, switching the monitor back on, AVG's report said 36 files healed and deleted. Checking my PtoE library folder all files are there. Each individual file was scanned manually with AVG and were clear.

I'm assuming this must be related to the latest update now reporting, I think the term is, "false positives".

Am I right or wrong? Unless AVG revise their update, what is the necessary action to take regarding settings? Basically I've normally left AVG to do its own thing apart from adjusting it to scan e-mail.


After initial concern, seeing as this was the first time ever AVG had detected a trojan, it seems I misunderstood what had happened. 36 files removed to the vault was a bit of a shock, but fortunately other files had not contained any supposed threat.

Did a second scan with 'A2 squared' updated, which for Trojans is as good as it gets, scan came up clear of no more than a couple of tracking cookies as malware.


AVG got me as well - erased five of my commercial executables before I could kill the program. AVG "Says" it has "healed" the files when in fact it erases them. They do not subsequently appear in the Windows trash bin so it will be necessary to use commercial hard disk recovery software to recover the deleted files. Fortunately I have them backed up on media not available to AVG, but it's very annoying that I was given no choice in what to do. After I saw that five of my slideshows had been tagged as having a Trojan Horse I immediately stopped AVG, but instead of immediately stopping it proceeded to erase my files.

This is not a good way for a program to behave - I emailed both sales and support and told them what happened.

Lin


Lin

as per Igor

Please send your request to AVG using their on-line forum

http://www.grisoft.com/doc/SalesForm/lng/us/tpl/tpl01

and give them the URL to this file:

http://www.wnsoft.com/test/PTE_v430_SlideShow.zip (1.5 MB)

BTW, the update yesterday was supposed to cover PSW.Banker.HMQ.

my letter to avg

Sales Support Form

--------------------------------------------------------------------------------

Name KEN COX

E-mail pbyk@sympatico.ca

Are you currently using AVG? FREE

Choose Your Topic General product information

Choose Product Type Not Sure

Enter your question http://www.wnsoft.com/test/PTE_v430_SlideShow.zip (1.5 MB)

The latest update

Grisoft AVG Ver.: 7.0.344/Virus Database:267. 11.13/124 Release Oct 7 /2005

is still showing files made with ver 4.3 as infected.

I am unable to restore 17 usable files from the vault to their source folders and have them work.

The size of all the exe's is +- 1 GB.

License Number (will help expedite your request)

70FREE-TX-L7Z2U-IB-P1-C01 -SIJTY-QEN


Stupid problem, really.

Three years ago we had exactly the same problem, with wrong detection of EXEs created ONLY with PTE v4.30 by Norton Antivirus and Kaspersky Antivirus (as now the problem with AVG).

I wrote directly to Cris Kaspersky and to the internal email of the developers of Norton Antivirus and they quickly solved this false alarm. Now it seems that AVG took the same earlier bases with this error...

Here are letters from Norton Antivirus to Cris Kaspersky concerning the similar problem which happened 3 years ago:

"Eugene,

We will fix this issue today. Thanks for the sample. I do not have info yet why we detect the file, but it might be part of something larger so we added detection as a dropped file not noticing it was commercial. I will let you know.

Regards,

Peter

----------------

Eugene & Igor,

We fixed the defs. We detected 1 file out of 4 here and we removed the detection for that one. Unfortunately the person who handled this issue is in Japan, but I will have a few words with him today as soon as he gets into the office.

We are sorry! The fix will release with this week's LiveUpdate! Please let me know if you should experience any other issues! Thanks!

Regards,

Peter"


Hi Ken,

I emailed both Grisoft technical support and their sales with the problem. I also called their U.S. distributor who was less than helpful. My first contact at the distributor was a woman who informed me that AVG doesn't "erase" Trojan Horses. She then tried to explain to me the difference between a "virus" and a "trojan horse". I spoke with her supervisor and again explained the situation as well as explaining that I was unsure whether my message to technical support would get through because their auto-response kicked back my email explaining that they didn't have me on record as a "registered user" of AVG even though I've been a paid registered user since they left beta. The manager at their US distributor told me I would need to contact Grisoft and I asked him for a phone number. He said they could only contact Grisoft by email (frankly I find this hard to believe). I explained to him that delays in correcting this situation would result in considerable bad press for AVG since I had posted a warning on dPReview which is visited by millions of people each month. He didn't seem to be at all concerned so I suspect I will post the warning on all forums I visit - in total read by over 1,000,000 visitors DAILY.

I've had the same experience as you. Files recovered from the Virus Vault have been damaged and no longer run. The program didn't even say it was moving the files to the virus vault; instead it said it had "healed them" (probably where the damage occurred) and "deleted" them. I did find all five of my executable files in the Virus Vault and none of them are usable any more.

I'm very disappointed with Grisoft - not because of their making a mistake, because that's sometimes unavoidable, but because there is no telephone number where someone can immediately report such problems. I find it very difficult to believe that a company with the amount of business that is generated by AVG does not have a telephone where they can be reached. Further, the distributor told me that it sometimes takes 48 hours or even 72 hours to get a response from their technical support. That's simply unacceptable.

Best regards,

Lin

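Ken and Lin both report above that files pulled back out of the AVG vault came back the wrong size or no longer ran. The following is an added example, not code from this thread, from PicturesToExe or from AVG: before copying restored executables back over a library, it compares each one with the copy of the same name in a backup directory by SHA-256 and checks that the DOS/PE headers are still intact, so a file that was truncated or overwritten by a "heal" is flagged rather than trusted. The directory names, the RESTORED_DIR/BACKUP_DIR arguments and the bytes built by make_minimal_pe are constructed for the example; make_minimal_pe produces a header-only stand-in, not a real slideshow.

```python
"""Verify files restored from an anti-virus quarantine before trusting them.

Added example, not code from the thread, PicturesToExe or AVG. For each file
in RESTORED_DIR it reports the size, whether its SHA-256 matches the copy of
the same name in BACKUP_DIR, and whether the DOS/PE headers are still intact,
so a truncated or overwritten "healed" executable is caught before it is
copied back over a library.
"""
import hashlib
import os
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CheckResult:
    name: str
    restored_size: int
    backup_size: Optional[int]    # None when no backup copy of that name exists
    hash_matches: Optional[bool]  # None when there is no backup to compare with
    pe_header_ok: bool


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_header_ok(data: bytes) -> bool:
    """True if the data starts with an 'MZ' DOS header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature inside the buffer.
    A truncated, zero-filled or otherwise rewritten file fails this."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_file(name: str, restored: bytes, backup: Optional[bytes]) -> CheckResult:
    """Compare one restored file against its backup (if any) and its own headers."""
    return CheckResult(
        name=name,
        restored_size=len(restored),
        backup_size=None if backup is None else len(backup),
        hash_matches=None if backup is None else sha256_of(restored) == sha256_of(backup),
        pe_header_ok=pe_header_ok(restored),
    )


def trustworthy(result: CheckResult) -> bool:
    """Keep a restored file only if it is byte-identical to the backup; with no
    backup, fall back to requiring intact PE headers (weaker: a 'heal' that
    patches bytes in the middle of the file would still pass)."""
    if result.hash_matches is not None:
        return result.hash_matches
    return result.pe_header_ok


def check_dirs(restored_dir: str, backup_dir: str) -> List[CheckResult]:
    """Run check_file over every regular file in restored_dir."""
    results = []
    for name in sorted(os.listdir(restored_dir)):
        path = os.path.join(restored_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            restored = fh.read()
        backup = None
        backup_path = os.path.join(backup_dir, name)
        if os.path.isfile(backup_path):
            with open(backup_path, "rb") as fh:
                backup = fh.read()
        results.append(check_file(name, restored, backup))
    return results


def make_minimal_pe(payload: bytes = b"") -> bytes:
    """Constructed sample: a DOS header with e_lfanew = 0x80 followed by the PE
    signature and an arbitrary payload. Not a runnable program; it only
    exercises the header check above."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\x00\x00" + payload


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 3:
        sys.exit("usage: check_restored.py RESTORED_DIR BACKUP_DIR")
    for r in check_dirs(sys.argv[1], sys.argv[2]):
        verdict = "OK" if trustworthy(r) else "DAMAGED"
        print(f"{verdict:8}{r.name}  restored={r.restored_size}B  backup={r.backup_size}"
              f"  hash_match={r.hash_matches}  pe_headers={r.pe_header_ok}")
```

Run it as `python check_restored.py RESTORED_DIR BACKUP_DIR` (both names are assumptions). A hash mismatch with intact headers still counts as damaged: a quarantine "heal" that patches bytes rather than truncating leaves the MZ/PE signatures in place, and only the comparison with a backup kept out of the scanner's reach catches it.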


I think I've had it with AVG. I just noticed that my subscription expires on the 22nd of this month and I think I'll try Panda which has a much better track record of both detecting and removing viruses and of not rendering false positives.

Lin


AVG just issued another update:

Grisoft AVG Ver.: 7.0.344/Virus Database:267. 11.13/126 Release Oct 9 /2005

Added detection of new variant of I-Worm/Mytob, BackDoor.Hupigon, new variants of trojans PSW.Legendmir, PSW.Banker, Pakes, Clicker.

but it still detects Igor's test file as having

PSW.Banker trojan

ken


Sunday, October 09, 2005 44 Deg. F, at 5:05 AM.

I think we need to know what each member's anti-virus program does when it detects a virus – false or real. The Grisoft AVG users have pretty well documented what it does, but we do not know what the other programs do, for our own education – we now know that AVG puts it in the vault, but if it heals it and returns it to the folder it came from it renders the exe useless.

In my case the AVG GUI is not in the startup group but AVG itself is and scans incoming mail. In this state it will not allow me to even send an eicar.com test file. For testing purposes I have EICAR files placed on my drives to make sure the anti-virus program is detecting.

See

http://www.rexswain.com/eicar.html

When I run the free McAfee Stinger program

http://vil.nai.com/vil/stinger/

and it comes to the EICAR test files, it triggers the AVG program and a virus detected screen comes up and stays up for X# of seconds – it is set to continue scanning after the screen times out.

I do not let AVG run scheduled scans; I run forced scans of specific files/folders. The other day when this problem came up I did a forced scan of the folder that holds most of my folders of P2E shows – at present it is 7.89 GB, contains 18,497 files in 634 folders. Too bad I did not take the test results of the Stinger program, which did not detect any Trojans.

When I run a shell extension test of a specific folder I get a screen that gives many options if it detects something:

Heal, delete, etc. as well as close.

I will insert a picture showing this screen

Sunday, October 09, 2005 FROM AVG 6:24 AM

Added detection of new variant of I-Worm/Mytob, BackDoor.Hupigon, new variants of trojans PSW.Legendmir, PSW.Banker, Pakes, Clicker.

But AVG still detects the test file provided by Igor as having the PSW.Banker HMQ trojan

So if anybody else can add information re how your anti virus conducts itself please add it to this thread

Ken

post-16-1128854424_thumb.jpg


Hoping for some improvement after the latest update from AVG today at 1959 hrs I was sadly disappointed. As a test I downloaded from Creating Slideshows forum, 'Cold' and 'A New Day'.

Without unzipping, a manual scan on each file told me 'Cold' is clean, A New Day', virus found. Both have been left unzipped for the time being.

I wish to reinstall Friday's deleted files from a back up on CD, hoping AVG will have sorted this tomorrow. Not holding my breath though!

