Wilders Security Forums > Other Security Topics > malware problems & news
#1  June 6th, 2004, 05:28 AM
Boat Drinks J.T.S. (Infrequent Poster; Join Date: Jun 2004; Posts: 11)
ANTIVIR PE - BPFTPSERVER - trojan???????

Hello everybody,
I just joined and I really HOPE you experts out there can solve my doubts, please. I use:
OS: W98SE
Antivirus: ANTIVIR Personal Edition Version 6.25.00.03
Firewall: ZONEALARM free
I have also been running an FTP server for one year using: BPFTPSERVER
(www.bpftpserver.com)

3 days ago I went to launch the SERVER as usual and to my immense shock my ANTIVIR PE popped up saying this:
"THE FILE G6FTPSRV.EXE CONTAINS SUSPICIOUS CODE (HEURISTIC/TROJAN.WIN32.PWS)"

A trojan inside a software I registered and paid for?
A trojan on my PC even using ANTIVIR and Firewall?
Is it dangerous? How can it be?
How do I get rid of it?

I even uninstalled BPFTPserver and downloaded it again brand new from their site but the problem is still the same. I CANNOT LAUNCH IT ANYMORE.

A friend told me that in the latest FREE version of antivir PE the heuristics were also included....and you can choose between 3 settings from low-medium-high. I'm not a very techie person and I don't know what HEURISTICS are... ......I checked and heuristics are set to medium by default.

I tried LOW and the server launches OK no problem but if I revert it to
MEDIUM it's popping up preventing the launch.

Should I worry??
Can you please please help as soon as possible?
Thank you for reading me and for your time.

All the best from Italy to u all
Claudio
#2  June 6th, 2004, 05:44 AM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

Hi there Claudio and welcome to the forum.
It might be a false positive of course. Go for a second opinion here:
www.kaspersky.com/remoteviruschk.html
You upload the exe file online and in a few seconds you have KAV advice about it.

Now with the antivir:
if you close that completely, does your server work again?

If KAV did not see anything malicious in the file, email antivir support about it as a possible false positive.
Since you already downloaded a fresh file it doesn't look like the original is infected.
Depending on that KAV online advice you can tell the server developer about this too of course.
To make sure your whole system is really clean please post your HijackThis log in the HJT forum for experts' review. http://www.wilderssecurity.com/showthread.php?t=15913
__________________
Jooske
"o_o"
#3  June 6th, 2004, 07:33 AM
Boat Drinks J.T.S. (Infrequent Poster; Join Date: Jun 2004; Posts: 11)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

Quote:
Originally Posted by Jooske
Hi there Claudio and welcome to the forum.
It might be a false positive of course. Go for a second opinion here:
www.kaspersky.com/remoteviruschk.html
You upload the exe file online and in a few seconds you have KAV advice about it.

Ciao kind Jooske,
I am very surprised by such a quick reply.
Thanks a lot. It looks like this might become my favourite
tech forum. Great you are.
I did what you said and I checked the BPFTPSERVER exe file and I got this reply:

---------------------------------------
You're clean!
.....Kaspersky Anti-Virus has not detected any viruses at this time in
the file you submitted.
.....Scanned file: G6FTPSRV.EXE
.....G6FTPSRV.EXE - packed with PE_Patch
.....G6FTPSRV.EXE - packed with ASProtect
.....G6FTPSRV.EXE - OK

.....Statistics:
.....Known viruses: 90480 Updated: 06-06-2004
.....File size (Kb): 506
.....Virus bodies: 0
.....Files: 3
.....Warnings: 0
.....Archives: 0
.....Suspicious: 0
---------------------------------------

This is great.........
It tells me I'm clean......
Can't believe it..........

Quote:
Originally Posted by Jooske
Now with the antivir:
if you close that completely, does your server work again?

If it runs with the HEURISTICS option set to MEDIUM the ANTIVIR pops up.
If I set it to LOW it doesn't pop up and the server works OK.
If ANTIVIR is closed completely the SERVER works OK as well.

Quote:
Originally Posted by Jooske
If KAV did not see anything malicious in the file,
email antivir support about it as a possible false positive.

What's a false positive, sorry?

I don't know if they give support to the FREE version users,
I will check and see........
I still don't understand why ANTIVIR PE pops up while KAV tells me it's clean....

Quote:
Originally Posted by Jooske
Since you already downloaded a fresh file it doesn't look like the original is infected.
Depending on that KAV online advice you can tell the server developer about this too of course.

I did it immediately 3 days ago but BPFTPSERVER support is not as FAST as you are...I'm still waiting for their reply......

Quote:
Originally Posted by Jooske
To make sure your whole system is really clean please post your HijackThis log in the HJT forum for experts' review. http://www.wilderssecurity.com/showthread.php?t=15913

Sorry, you are getting really too much into tech talk for me here..... I'm still learning.
What's a "hijackthis log"? How do I produce one?
Or where do I find it on my PC?
Sorry for my ignorance,

thanks for all your help
wish u well
CLAUDIO

bOATdRINKS
#4  June 6th, 2004, 07:43 AM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

A false positive means an alert on an innocent file. It can happen, as a detection definition might be very close to other malware.
So do send Antivir a copy of the file it alerts on and tell them it should be clean as KAV says so.
If you like another opinion you can send a copy of the "infection" to submit@diamondcs.com.au where the experts tell you more about it too.
Antivir will be happy with your comments as no developer likes to have false alarms and they can refine their detection.
If you can only run the server by closing Antivir it is not good for their business either, so they just should be grateful for your submission.
Does Antivir have an option to exclude certain files from their resident protection? In that case you can still have protection on high and run the server till Antivir changes its detection somewhat for you.

Now about the HijackThis log:
I posted the other link in the other message where you read in step #2 exactly what it is, where to get that download to create the logfile, how to use it and how and where to post it. (It's just made in a few seconds.)
__________________
Jooske
"o_o"
#5  June 6th, 2004, 01:22 PM
Boat Drinks J.T.S. (Infrequent Poster; Join Date: Jun 2004; Posts: 11)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

Quote:
Originally Posted by Jooske
A false positive means an alert on an innocent file. It can happen, as a detection definition might be very close to other malware.
So do send Antivir a copy of the file it alerts on and tell them it should be clean as KAV says so.

Hi, thanks, I will get in touch with them.

Quote:
Originally Posted by Jooske
If you like another opinion you can send a copy of the "infection" to submit@diamondcs.com.au where the experts tell you more about it too.

Did it. I sent the exe file to them. I await....

Quote:
Originally Posted by Jooske
Antivir will be happy with your comments as no developer likes to have false alarms and they can refine their detection.
If you can only run the server by closing Antivir it is not good for their business either, so they just should be grateful for your submission.
Does Antivir have an option to exclude certain files from their resident protection? In that case you can still have protection on high and run the server till Antivir changes its detection somewhat for you.

OK, will see what they reply......thanks

Quote:
Originally Posted by Jooske
Now about the HijackThis log:
I posted the other link in the other message where you read in step #2 exactly what it is, where to get that download to create the logfile, how to use it and how and where to post it. (It's just made in a few seconds.)

OK, got it. I did run SPYBOT and I will post the log in a few minutes.
I await.....thanks a lot Jooske.
Bye for now
Claudio

bOATdRINKS
#6  June 6th, 2004, 01:48 PM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

Meant from step #2, the HijackThis log; look in that place with all those HijackThis logs and you have an idea what they look like and how they work, and what the experts can do for you with that.
Waiting for the comments of the labs!

Seeing your HijackThis log here http://www.wilderssecurity.com/showthread.php?p=191553
Now waiting for experts' review there!
What I do see is you have MS Office in the startup, which I would not recommend in general, as it takes lots of resources. Only if you really need it all the time can you keep it that way; in all other cases I would throw that out of the autostart.
Other things I'm not really familiar with, as I do have some question marks at a few items, but I leave that really to the experts as I would not forgive myself for making errors in that part.
__________________
Jooske
"o_o"

Last edited by Jooske : June 6th, 2004 at 02:01 PM.
#7  June 6th, 2004, 07:19 PM
Boat Drinks J.T.S. (Infrequent Poster; Join Date: Jun 2004; Posts: 11)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

Quote:
Originally Posted by Jooske
Meant from step #2, the HijackThis log; look in that place with all those HijackThis logs and you have an idea what they look like and how they work, and what the experts can do for you with that.
Waiting for the comments of the labs!

Seeing your HijackThis log here http://www.wilderssecurity.com/showthread.php?p=191553
Now waiting for experts' review there!

...thanks...got their review. It says ALL OK but although I keep getting told
...that ALL IS OK my problem is still there.........

Quote:
Originally Posted by Jooske
What I do see is you have MS Office in the startup, which I would not recommend in general, as it takes lots of resources. Only if you really need it all the time can you keep it that way; in all other cases I would throw that out of the autostart.

...ok, followed your advice and took it away from autostart
...thanks, my system's actually faster now
...many thanks

Quote:
Originally Posted by Jooske
Other things I'm not really familiar with, as I do have some question marks at a few items, but I leave that really to the experts as I would not forgive myself for making errors in that part.

...cheers
...you've been very kind
...I guess in order to solve my problem I'll have to wait for the replies
...from the BPFTPSERVER support and ANTIVIR support......
...will let u know
...thanks again

bOATdRINKS
#8  June 7th, 2004, 07:31 AM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

Glad so far my little advice helped.
No news from the DiamondCS lab yet where you also submitted the file? (I'm just informed it's a national holiday today in WA so it might take another day.)
In the meantime you might like to look around for what more there is for a layered protection, so it would not be immediately a problem if you have to slide Antivir protection to medium or low, as I expect it to test all traffic anyway; the other option would be to exclude your server from AntiVir protection and leave that task to another program (eventually).
You might like to get the AutoStartViewer from the DCS site as well, which shows even more than the HijackThis scanner.
__________________
Jooske
"o_o"
#9  June 7th, 2004, 05:08 PM
Boat Drinks J.T.S. (Infrequent Poster; Join Date: Jun 2004; Posts: 11)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

Quote:
Originally Posted by Jooske
Glad so far my little advice helped.
No news from the DiamondCS lab yet where you also submitted the file? (I'm just informed it's a national holiday today in WA so it might take another day.)

Hi there, yeah ...your help was/is great
cheers
No, haven't got a reply yet from DiamondCS but...wow...I got
this reply from the ANTIVIR support........

---------------------
Dear Sir or Madam,
Thank you for your recent inquiry.
We could not find a virus in the attachment you have sent us.
This is a false positive.
We will take the signature out in one of our next updates.
We thank you for your assistance.
---------------------
Kind regards
H+BEDV Datentechnik GmbH
on behalf of: Matthias Beck
Sales Support/Consulting
Address: Lindauer Str. 21, D-88069 Tettnang, Germany
Tel (switchboard): +49 (0) 7542-500 0
---------------------

Hey, it sounds like you were right in the first place......
Do they mean that they are going to modify their software
to accommodate my problem?
I can't believe it.....it's probably my first success in IT....
.....and thanks to you of course........

Quote:
Originally Posted by Jooske
In the meantime you might like to look around for what more there is for a layered protection, so it would not be immediately a problem if you have to slide Antivir protection to medium or low, as I expect it to test all traffic anyway; the other option would be to exclude your server from AntiVir protection and leave that task to another program (eventually).

At the moment (until Antivir updates to fix the conflict) I will keep
the Heuristics set to LOW; in that way the
server starts and works perfectly......

Bloody HEURISTICS...are they really that important?
Am I really more protected if they are set ON?
Any problem if I disable them all? After all they've only just been
implemented in their latest version.
And without them I never got infected in the last 2 years anyway......

Quote:
Originally Posted by Jooske
You might like to get the AutoStartViewer from the DCS site as well, which shows even more than the HijackThis scanner.

Thanks for the tip, I might get it....
What do I see with it better than HJT?
Anyway, thanks again
all the best

bOATdRINKS
#10  June 7th, 2004, 08:50 PM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

I've been told AutoStartViewer shows even more! And it does, with all options checked. Use it occasionally.
In TDS at the moment we have the Autostart Explorer, with which I am personally very happy. The ASViewer shows so much more that I can easily overlook things. There are people so happy with it they include it into TDS instead; I use it occasionally as a stand-alone tool and for normal quick views the current Autostart Explorer.

Look around at the www.diamondcs.com.au site (it's in my signature) -- very nice tools there!

Any anti-virus/anti-trojan developer is unhappy with false positives so they're always happy with your samples. For Australia it was a national holiday so comments might follow tomorrow.
Antivir meant the detection database will be changed in its next update, so maybe today it changed already.
Heuristics: these days, with more new trojans and updated versions a day than letters in the alphabet, I would be happy with all possible protection, although one might need to lower their detection somewhat to keep the system workable as you've seen. It looks for possible malicious code, even if not in a specific trojan.
__________________
Jooske
"o_o"
#11  June 8th, 2004, 03:29 PM
Boat Drinks J.T.S. (Infrequent Poster; Join Date: Jun 2004; Posts: 11)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

Quote:
Originally Posted by Jooske
I've been told AutoStartViewer shows even more! And it does, with all options checked. Use it occasionally.
In TDS at the moment we have the Autostart Explorer, with which I am personally very happy. The ASViewer shows so much more that I can easily overlook things. There are people so happy with it they include it into TDS instead; I use it occasionally as a stand-alone tool and for normal quick views the current Autostart Explorer.

Look around at the www.diamondcs.com.au site (it's in my signature) -- very nice tools there!

Hi Jooske,

I will look around for sure, although I don't think I will get into it too much...
My IT knowledge, although fairly good, doesn't match yours and your colleagues', so I think I'm happy with HJT that, after all the troubles,
somehow helped me to overcome the problem... read on.....

Quote:
Originally Posted by Jooske
Any anti-virus/anti-trojan developer is unhappy with false positives so they're always happy with your samples. For Australia it was a national holiday so comments might follow tomorrow.
Antivir meant the detection database will be changed in its next update, so maybe today it changed already.

Exactly.....you are right again
I just got back from work and happened to check the update option of
Antivir ......and there was a new update available....
After that....I launched the server with Heuristics set to MEDIUM
and...SURPRISE SURPRISE..........
it starts and runs NO PROBLEM at all......
I'm amazed.....
I would never have gotten this far without you...
I've learnt more about viruses in the last couple of days than in the
last 2 years....and I do thank you for that.....
I'm also grateful to google that pointed me to your forum
when I cried for help.........

Quote:
Originally Posted by Jooske
Heuristics: these days, with more new trojans and updated versions a day than letters in the alphabet, I would be happy with all possible protection, although one might need to lower their detection somewhat to keep the system workable as you've seen. It looks for possible malicious code, even if not in a specific trojan.

I see. One thing I don't understand. If setting the heuristics to Medium created that problem for me, I can't think of what's gonna happen if I set it
to HIGH. Would I maybe not be able to launch any program at all?
So why do they give a HIGH option at all? Who's gonna use it?
Sorry, but now you are my official teacher, and I trust your words.......

And finally I also got this reply from DiamondCS Support......

Hi,
You should contact your Antivirus vendor. The file is clean, their heuristics are too sensitive for this file.
Heuristics try to guess what a program is capable of and since trojans can install an FTP server to steal files, this looks similar.

They should be able to refine their detection soon so you can go back to the MEDIUM setting, but you should send them the file.
Best regards,
DiamondCS Support

So what can I say? THANK YOU.
If you're a music lover, I'd love to give you an account on my
little ftp to share maybe some good tunes......
in case....I'll be happy..

all the best
CLAUDIO

bOATdRINKS
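The DiamondCS reply above gives the mechanism behind the whole thread: a heuristic engine scores what a program looks capable of, so a legitimate FTP server packed with a protector overlaps with what a password-stealing trojan does, and whether that score becomes an alert depends on the sensitivity level (LOW let the server run, MEDIUM did not). Jooske's earlier suggestion of excluding a verified file from resident protection is the other half. The scorer below is an added example written for this page, not AntiVir's, Kaspersky's or DiamondCS's code; the indicator names, weights, thresholds and the three sample "files" are all constructed, and the allowlist uses a SHA-256 of the file content as the exclusion key.

```python
import hashlib
from dataclasses import dataclass

# Weighted indicators a simple heuristic engine might score. The names and
# weights are constructed for this example; they are not any vendor's rules.
INDICATORS = {
    "packed_with_protector": 3,  # e.g. ASProtect, as KAV reported for G6FTPSRV.EXE
    "listens_on_socket": 2,      # binds a listening port; every server does this
    "reads_user_files": 2,       # enumerates and reads files outside its own folder
    "writes_autostart_key": 3,   # persists through a Run key
    "hides_window": 2,           # runs with no visible window
}

# Sensitivity presets: an alert fires when the score reaches the threshold.
# Lower sensitivity means a higher threshold, so fewer alerts and fewer
# false positives, but also fewer catches of unknown samples.
THRESHOLDS = {"low": 9, "medium": 6, "high": 3}


@dataclass
class Verdict:
    score: int
    level: str
    alert: bool
    reason: str


def score_features(features):
    """Sum the weights of the indicators observed in a file."""
    return sum(INDICATORS[f] for f in features if f in INDICATORS)


def classify(content, features, level, allowlist=frozenset()):
    """Heuristic verdict for one file at a given sensitivity level.

    `allowlist` holds SHA-256 digests of files already confirmed clean by a
    second opinion; those are excluded from heuristic alerts entirely, which
    is the per-file exclusion discussed in the thread. Keying on the hash
    rather than the path means a replaced binary is scored again.
    """
    score = score_features(features)
    digest = hashlib.sha256(content).hexdigest()
    if digest in allowlist:
        return Verdict(score, level, False, "excluded: hash on allowlist")
    threshold = THRESHOLDS[level]
    if score >= threshold:
        return Verdict(score, level, True, f"heuristic score {score} >= {threshold}")
    return Verdict(score, level, False, f"heuristic score {score} < {threshold}")


# Constructed sample "files": stand-in bytes plus the indicators a scanner
# would have observed. No real binaries are involved.
SAMPLES = {
    "ftp_server": (b"constructed stand-in for a packed FTP server",
                   {"packed_with_protector", "listens_on_socket", "reads_user_files"}),
    "pws_trojan": (b"constructed stand-in for a password-stealing trojan",
                   set(INDICATORS)),
    "text_editor": (b"constructed stand-in for a plain text editor",
                    {"reads_user_files"}),
}


def alerts_by_level(name, allowlist=frozenset()):
    """Map each sensitivity level to whether the named sample triggers an alert."""
    content, features = SAMPLES[name]
    return {lvl: classify(content, features, lvl, allowlist).alert for lvl in THRESHOLDS}


def allowlist_after_second_opinion(name):
    """The allowlist entry a user adds once a second opinion confirms the file is clean."""
    content, _ = SAMPLES[name]
    return frozenset({hashlib.sha256(content).hexdigest()})


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, alerts_by_level(name))
    excluded = allowlist_after_second_opinion("ftp_server")
    print("ftp_server with exclusion", alerts_by_level("ftp_server", excluded))
```

Running it reproduces the thread's pattern: the packed FTP server scores 7, which is silent at LOW (threshold 9) but alerts at MEDIUM and HIGH, while the trojan stand-in alerts at every level and the editor at none. The hash exclusion silences only the verified file, so the rest of the system keeps whatever sensitivity the user chooses, which is the point of excluding one file rather than lowering heuristics globally.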
#12  June 10th, 2004, 02:53 AM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Re: ANTIVIR PE - BPFTPSERVER - trojan???????

You're welcome Claudio!
If you look in my signature at the light blue "come say hi!" you see part of my history in the security world, in fact a nice read.
I'm using the thread in my resume, so feel free to post something nice there if you like. Google for Jooske Security and you see this thread high in the rankings.

Glad you found this forum!
Google for your username here and you'll see yourself high in the rankings as well!
You can see all people in this forum have their own skills and people work as a team, the moderators and admins (all volunteers, btw) and all other visitors; we all have our backgrounds and get more education by the day in this and other serious top forums.
Give yourself time to learn on stage; things catch your eye or you see something and read about it, etc. Except for the current young kids <wide grin!> nobody was born with all that knowledge at once!
I was forced to learn the hard way (again see the thread above) and learning new things gets into a habit. As we have in this forum several tens of thousands of visitors, of whom lots post, ask, share, and help finding solutions, we learn so much faster than all on our own.

Many people here try to help people around them as well at times, and on those occasions one realises one knows something, and we might miss the forum for references if we can't connect to the internet from that place.

I mean indeed to look in the tools at DiamondCS, lots of very nice protective and detection tools, free tools and evaluation versions you might like to register at a certain time. You might have looked in the special DiamondCS forum on top in the Wilders forum here, to get a general impression.
We believe in a layered protection as a general anti-virus/anti-trojan and a firewall are not enough these days, certainly if you run a webserver.
By using the tools and looking a lot in the forum your computer knowledge and recognising suspicious processes grows by the day.

With your Antivir protection/heuristics: you might like to do a full system scan at times with the heuristic detection on highest when you don't run your server; such scans take the longest time in general. With that, for any scanner, there is a risk of false positives. You can send your log to Antivir for the files you doubt they are wrong about, and include the files if you like, so they can refine their detection. And you might like a second opinion like you did this time. For general normal daily use you can put the heuristic sensitivity as low as needed to keep safe and workable.

I use the HJT scanner more frequently as well to see if everything is still OK, but I also have lots of layered protection -- let's say all that runs on my Windows version from the DiamondCS website: TDS, WormGuard, Port Explorer, CryptoSuite, etc. etc. Also in TDS during a full system scan I set the worm slider on highest sensitivity and I always have client/server detection up.

BTW the guys at DiamondCS have been my main teachers since I got on the internet.

Good to have you here! And I'm glad your heuristic problem for the moment is solved!
__________________
Jooske
"o_o"
 
