ANTIVIR PE - BPFTPSERVER - trojan???????

Discussion in 'malware problems & news' started by Boat Drinks J.T.S., Jun 6, 2004.

Thread Status:
Not open for further replies.
  1. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11
    hello every body,
    I just joined :D and I really HOPE you experts out there can solve my doubts, please. :'( :'( :'( I use:
    OS: W98SE
    Antivirus: ANTIVIR Personal Edition Version 6.25.00.03
    Firewall: ZONEALARM free
    I also run since one year an FTP server using: BPFTPSERVER
    (www.bpftpserver.com)

    3 days ago I went to launch the SERVER as usual :) and to my immense shock :eek: :eek: :eek: my ANTIVIR PE popped up saying this:
    "THE FILE G6FTPSRV.EXE CONTAINS SUSPICIOUS CODE (HEURISTIC/TROJAN.WIN32.PWS)"

    A trojan inside a sofware I registered and paid for?
    A trojan on my PC even using ANTIVIR and Firewall?
    Is it dangerous? How can it be?
    How do I get rid of it?

    I even uninstalled BPFTPserver and downloaded it again brand new from ther site but problem still the same. I CANNOT LAUCH IT ANYMORE.

    A friend told me that also in the latest FREE version of antivir PE the heuristics were included....and you can choose between 3 settings from low-medium-high. I'm not very techie person and I dont know what HEURISTICS are... :oops: ......I checked and heuristics are set to medium by default.

    I tried LOW and the server launches OK no problem but if I revert it to
    MEDIUM it's poppin up preventing the launch.

    should i worry o_Oo_O??
    Can you please please help as soon as possible?
    Thank you for reading me and for your time.

    all the best from Italy to u all
    Claudio
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Claudio and welcome to the forum.
    It might be a false positive of course. Go for a second opinion here:
    www.kaspersky.com/remoteviruschk.html
    You upload the exe file online and in a few seconds you have KAV advice about it.

    Now with the antivir:
    if you close that completely, does your server work again?

    If KAV did not see anything malicious in the file, email antivir support about it as a possible false positive.
    Since you already downloaded a fresh file it doesn't look like the original is infected.
    Depending on that KAV online advice you can tell the server developer about this too of course.
    To make sure your whole system is really clean please post your hijackthis log in the hjt forum for experts review. https://www.wilderssecurity.com/showthread.php?t=15913
     
  3. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11
    bOATdRINKS
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    A false positive means an alert is on an innocent file. It can happen, as a detection definition might be very close to other malware.
    So do send antivir a copy of your file it alerts on and tell them it should be clean as KAV says so.
    If you like another opinion you can send a copy of the "infection" to submit@diamondcs.com.au where the experts tell you more about it too.
    Antivir will be happy with your comments as not any developer likes to have false alarms and they can refine their detection.
    If you can only run the server by closing Antivir it is not good for their business either, so they just should be grateful for your submission.
    Does antivir have an option to exclude certain files from their resident protection? In that case you can still have protection on high and run the server till antivir changes it's detection somewhat for you.

    Now about the HijackThis log:
    i posted the other link in the other message where you read in step #2 exactly what it is, where to get that download to create the logfile, how to use it and how and where to post it. (it's just made in a few seconds)
     
  5. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11
    bOATdRINKS
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Meant from step #2, the HijackThis log; look in that place with all those HijackThis logs and you have an idea how they look like and how they work, what the experts can do for you with that :)
    Waiting for the comments of the labs!

    Seeing your HijackThis log here https://www.wilderssecurity.com/showthread.php?p=191553
    Now waiting for experts review tehre!
    What i do see is you have the MS Office in the startup, which i would not recommend in general, as it takes lots of recourses. Only if you really need it all time you can keep it that way, in all other cases i would throw that from the autostart.
    Other things i'm not really familiar with, as i do have some questionmarks at a few items, but i leave that really to the experts as i would not forgive myself to make errors in that part.
     
    Last edited: Jun 6, 2004
  7. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11

    bOATdRINKS
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Glad so far my little advice helped :)
    No news from the DiamondCS lab yet where you also submitted the file? (I'm just informed it's a national holiday today in WA so it might take another day).
    In the meantime you might like to look around for what more there is for a layered protection, so it would not be immediately a problem if you have to slide Antivir protection to medium or low as i expect it to test all traffic anyway, or the other option should be exclude your server from AntiVir protection and leave that task to another program (eventually).
    You might like to get the AutoStartViewer from the DCS site as well which shows even more then the HijackThis scanner.
     
  9. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11

    bOATdRINKS
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I've been told AutoStartViewer shows even more! And it does, with all options checked. Use it occasionally.
    In TDS at the moment we have the Autostart Explorer, with which i am personally very happy. The ASViewer shows so much more i can easily overrlook things. There are people so happy with it they include it into TDS in stead, i use it occasionally as a stand alone tool and for normal quick views the current Autostart Explorer.

    Look around at the www.diamondcs.com.au site (it's in my signature) -- very nice tools there!


    Any anti-virus/anti-trojan developer is unhappy with false positives so they're always happy with your samples. For Australia it was a national holiday so comments might follow tomorrow.
    Antivir meant the detection database will be changed in it's next update, so maybe today it changed already.
    Heuristics, these days with more new trojans and updated versions then letters in the alphabeth a day i would be happy with all possible protection, although one might need to lower their detection somewhat to keep the system workable as you've seen. It looks for possible malicious code, even if not in a specific trojan.
     
  11. Boat Drinks J.T.S.

    Boat Drinks J.T.S. Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    11
    so what can I say? THANK YOU.
    If you're a music lover, I'd love to give you an account on my
    little ftp to share maybe some good tunes......
    in case....i'll be happy..

    all the best
    CLAUDIO



    bOATdRINKS
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome Claudio!
    If you look in my signature the lightblue "come say hi!" you see part of my history in the security world, in fact a nice read.
    Using the thread in my resume, so feel free to post something nice there if you like. Google for Jooske Security and you see this thread high in the rankings.

    Glad you found this forum!
    Google for your username here and you'll see yourself high in the rankings as well!
    You can see all people in this forum have their own skills and people work as a team, the moderators and admins (all volunteers, btw) and all other visitors, we all have our backgrounds and get more education by the day in this and other serious top forums.
    Give yourself time to learn on stage, things catch your eye or you see something and read about it, etc. Except for the current young kids <wide grin!> nobody was born with all that knowledge at once!
    I was forced to learn the hard way (again see the thread above) and learning new things gets into a habit. As we have in this forum several tens of thousands visitors of whom lots post, ask, share, and help finding solutions we learn so much faster then all on our own.

    Many people here try to help people around as well at times, and at those occasions one realises to know something and we might miss the forum for references if we can't connect to internet from that place.


    I mean indeed to look in the tools at DiamondCS, lots of very nice protective and detection tools, free tools and evaluation versions you might like to register at a certain time. You might have looked in the special DiamondCS forum on top in the Wilders forum here, to get a general impression.
    We believe in a layered protection as a general anti-virus/anti-trojan and a firewall are not enough these days, certainly if you run a webserver.
    With using the tools and looking a lot in the forum your computer knowledge and recognising suspicious processes does grow by the day.

    With your antivir protection/heuristics: you might like to do a full system scan at times with the heuristics detection on highest when you don't run your server; such scans take the longest time in general. With that for any scanner is a risk of false positives. You can send your log to Antivir of the files you doubt they are wrong, include the files if you like, so they can refine their detection. And you might like a second opinion like you did this time. For general normal daily use you can put the heuristic sensitivity as low as needed to keep safe and workable.

    I use the HJT scanner more frequent as well to see if everything is still ok, but i also have lots of layered protection --let's say all that runs on my windows version from the DiamondCS website, TDS, WormGuard, Port Explorer, CryptoSuite, etc etc Also in TDS during a full system scan i set the wormslider on highest sensitivity and i always have client/server detection up.

    BTW the guys at DiamondCS are my main teachers since internet :cool:

    Good to have you here! And i'm glad your heuristic problem for the moment is solved!
     
Loading...
Thread Status:
Not open for further replies.