Concerned about 7 July AVG defs update

Discussion in 'other anti-virus software' started by Cheshire, Jul 7, 2009.

Thread Status:
Not open for further replies.
  1. Cheshire

    Cheshire Registered Member

    Joined:
    Jul 7, 2009
    Posts:
    5
    Location:
    UK
    Hello from a newcomer :)

    I’m very concerned about the result of a full system scan run since I installed update 270.13.7/2222.

    For the last eight years, I have kept Dr TCP (DRTCP021.exe) on the desktops of several computer systems. I’ve been running AVG 8.5 Free since its release and at least two previous releases of the software. Since installing 270.13.7/2222, which claims to detect variants of Generic13.BWUN, DRTCP021.exe is reported to be a Trojan horse called Generic13.BWER.

    I have run a full online scan using Panda AV. I have also submitted DRTCP021.exe to Jotti and not one AV scanner found anything amiss. I assume this is a false negative and that the problem lies in the current virus database: 270.13.7/2222. Is anything known about this issue?
     
  2. kinwolf

    kinwolf Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    271
    Looks like a false positive, it happens. Simply report it to AVG and they should fix it quick.
     
  3. Cheshire

    Cheshire Registered Member

    Joined:
    Jul 7, 2009
    Posts:
    5
    Location:
    UK
    I'm using the free version of the software. I don't think there's an option to submit a file/report. There is an AVG forum but I cannot persuade the registration process to complete successfully. Meanwhile, AVG is having a field day, constantly popping up. If the issue isn't fixed I'll have to change my AV software.
     
  4. progress

    progress Guest

    First use the option 'Revert virus database to previous version', you can find it in Tools - Advanced Settings - Update - Manage. Then you should send the file to virus(at)avg.com: False Positive :)
     
  5. Cheshire

    Cheshire Registered Member

    Joined:
    Jul 7, 2009
    Posts:
    5
    Location:
    UK
    In trying to revert to the previous database I hit two problems. First, a "General Error Message" appeared. Secondly, the option to revert greyed out.
     
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,907
    Location:
    U.S.A.
  7. Tonto Williams

    Tonto Williams Registered Member

    Joined:
    Jul 7, 2009
    Posts:
    5
    My Resident Shield picked this up today (Generic13.BWER) as I did a full system Ad-Aware scan immediately following updating Ad-Aware.

    A Resident Shield alert came up during the scan, so I clicked on Heal, but at the end of the scan there was another Resident Shield alert for it, though it wasn't showing on the Ad-Aware scan results. So I guess it may have landed with the update.

    Its location is C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe and Process ID is 3272

    I could find no trace of an explanation on the web, and a Google search delivered nothing. Until now - this thread on this forum has come up.

    Do I take it this is a false positive due to a trojan listed in the AAWService virus database following the update?

    Tonto
     
  8. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,907
    Location:
    U.S.A.
    Tonto Williams, first, welcome to Wilders! To get a second opinion on this AAWService.exe, which is part of Lavasoft's Ad-Aware 2007 engine, submit that file to Virus Total and/or Jotti's Malware Scan (do not post any results here!).

    If clean (more than likely a false positive IMO), report it to AVG. The link I provided to Cheshire will give you instructions as to how to do it.
     
  9. Tonto Williams

    Tonto Williams Registered Member

    Joined:
    Jul 7, 2009
    Posts:
    5
    Thanks for the welcome and advice JRViejo. :)

    I will do what you said, though I'm uncertain what you mean by submitting the 'file'. What file would this be and how would I retrieve it?
     
  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,907
    Location:
    U.S.A.
    Tonto Williams, when you go to VirusTotal or Jotti, you'll see a browse button. Click it and find the location of that file, which you stated being: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe. Click Send File (VirusTotal) or Submit File (Jotti) and the file will be scanned, letting you know the scan results.
     
  11. Tonto Williams

    Tonto Williams Registered Member

    Joined:
    Jul 7, 2009
    Posts:
    5
    OK, thanks. Nothing found. Prob a false pos.

    Yet, it begs the question why isn't Resident Shield still picking it up? It picked it up twice yesterday, and I clicked on 'Heal' both times. Has RS removed it?

    Will run an AVG scan to see if it will pick it up again. If it does, I'll re-submit the file to Jotti before healing, and that should be the clincher.

    Thanks again :)
     
  12. Cheshire

    Cheshire Registered Member

    Joined:
    Jul 7, 2009
    Posts:
    5
    Location:
    UK
    Good morning All! :)

    Thanks for your warm welcome. Tonto and I clearly have the same problem because of the 7/7/09 definitions update. It seems just as unlikely that either AAWService.exe or DRTCP021.exe is infected by Generic13.BWER.

    The AVG forums do not indicate that this is a known issue. Perhaps this is not surprising because I found it impossible to register, giving up after at least 90 minutes' effort. I cannot find information on Generic13.BWER via Google but there are a few references to AVG picking up Generic13 Trojans in what appear to be uninfected files.

    Working with AVG popping up to warn me of the presence of Generic13.BWER became impossible. I have uninstalled the AVG 8.5 software and changed to Avast v.4.8. I installed this on my parents’ computers a few weeks ago and found it impressive though I prefer the AVG interface. I’ve run a full system scan with Avast set at the highest level. My system is reported to be squeaky clean.
     
  13. w3d

    w3d Registered Member

    Joined:
    Jul 8, 2009
    Posts:
    2
    Location:
    UK
    I had the same threat detected 'on open' by "AVG 8.5 Free Resident Shield" when booting my machine this morning... DRTCP.exe contains "Trojan horse Generic12.BWER" (and again this thread is the only web page that Google finds).

    The DRTCP.exe file on my system has been sat in my Apps directory since 2006 (the file was last modified in 2002) - so it's an old one.

    One (big) concern was why this file should be being accessed anyway - soon after booting up the machine. AVG detected this "Trojan" when the file was 'opened'. I too have Ad-Aware installed - would this be doing a background check that would have caused the file to be 'opened'? Ad-Aware itself does not detect anything. I was not doing a deliberate system scan of any kind.

    I chose not to do anything with the threat (based on this thread, the nature of the file and past experience - I've had a few false positives with AVG).

    My virus DB version is now: 270.13.8/2223
    (+1 on Cheshire's reported DB version)
    ...and I no longer get any threat detected by AVG! (I previously tried to do a manual update of the virus DB and there were no new updates - I assume AVG had auto updated in the background)

    This is all in the space of about 20 mins (from getting a detected threat to no threat reported). I think the threat was detected BEFORE AVG had updated its virus DB this morning. The AVG update yesterday (possibly to 270.13.7/2222) was perhaps the issue, but the DRTCP.exe file was not accessed/scanned until I booted my machine first thing this morning.

    I'm currently running a full system scan (AVG) and no threats have been found.

    As others have suggested, I think it's a false positive - IMO.
     
  14. Tonto Williams

    Tonto Williams Registered Member

    Joined:
    Jul 7, 2009
    Posts:
    5
    Yes. My AVG was also updated this morning, running scan at mo, and no threats found so far.

    I also checked Res Shield history, and both yesterday's infections were in Ad-Aware's AAWService. One of them was named as DRTCP021.exe (located on Docs and Setts\blah blah\Desktop) and the other as a string of nos and letters, in System Volume Information.

    I didn't realise I had DRTCP still installed. But it looks to me like Ad-Aware's AAWService (adwatch thing) opens DRTCP's files to check for threats, and this is picked up by AVG Res Shield as a false pos.

    Also ran Ad-Aware scan, and Res Shield did not pick up anything as Ad-Aware opened DRTCP. I guess AVG have sussed it out and updated this morning.
     
  15. Cheshire

    Cheshire Registered Member

    Joined:
    Jul 7, 2009
    Posts:
    5
    Location:
    UK
    That's good news, w3d and Tonto! :D If all continues well I just might go back to AVG, we've had a long relationship, but I'm quite pleased with Avast.
     
  16. w3d

    w3d Registered Member

    Joined:
    Jul 8, 2009
    Posts:
    2
    Location:
    UK
    Presumably Ad-Aware's AAWService appears as the "process" in AVG's resident shield log and DRTCPxxx is the "object" that the infection appeared in. The "process" being the event that caused the "object" to be opened in the first place?

    Looking at my logs, it appears that Ad-Aware did not play any part in the detection in my case. "C:\WINDOWS\explorer.exe" appears as the process?! But I only used explorer to later examine the file AFTER the initial detection - so how did explorer.exe come to be looking at the file in the first place?!
     
  17. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,907
    Location:
    U.S.A.
    w3d, first, welcome to Wilders! Yes, you are correct. The Process is an action that is performed to call out a potentially dangerous Object so it can be detected by AVG's Resident Shield. I have had a few instances of Windows Defender doing its daily scan (or performing a manual MBAM scan), triggering an AVG virus alert, which turns out to be a false positive. In these few cases, I alerted AVG and within the hour, sometimes less, a new database definition was issued by AVG, so it does not surprise me to hear of your 20 minute time span.

    As to why explorer.exe is the process in your case, I don't know. Nevertheless, this time AAWService.exe seems to be an FP and that's good!
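The process/object distinction discussed in the two posts above, as an added triage example that is not from this thread or from AVG: a small Python script that parses constructed resident-shield-style log lines (the field layout is an assumption, not AVG's real log format), groups detections by the flagged object, and marks an object as a false-positive candidate when the only "process" that ever touched it is a scanner or shell (AAWService.exe, explorer.exe) rather than the object running itself. The second-opinion scan and the re-scan after a definitions update stay manual, as in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines (not AVG's real log format):
# timestamp;process that opened the object;object (file) flagged;threat name;virus DB version
SAMPLE_LOG = """\
2009-07-07 18:02:11;C:\\Program Files\\Lavasoft\\Ad-Aware\\AAWService.exe;C:\\Documents and Settings\\user\\Desktop\\DRTCP021.exe;Trojan horse Generic13.BWER;270.13.7/2222
2009-07-07 18:40:53;C:\\Program Files\\Lavasoft\\Ad-Aware\\AAWService.exe;C:\\System Volume Information\\A0012345.exe;Trojan horse Generic13.BWER;270.13.7/2222
2009-07-08 08:15:02;C:\\WINDOWS\\explorer.exe;C:\\Apps\\DRTCP.exe;Trojan horse Generic13.BWER;270.13.7/2222
2009-07-08 08:16:40;C:\\Apps\\DRTCP.exe;C:\\Apps\\DRTCP.exe;Trojan horse Generic13.BWER;270.13.7/2222
"""

LINE_RE = re.compile(r"^(?P<ts>[^;]+);(?P<process>[^;]+);(?P<object>[^;]+);(?P<threat>[^;]+);(?P<db>[^;]+)$")

# Assumption: processes that open files on the user's behalf (on-access scans, shell browsing).
SCANNER_PROCESSES = {"aawservice.exe", "explorer.exe"}


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def basename(path):
    """Lower-cased file name of a Windows path, used to match process names."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries, scanner_processes=SCANNER_PROCESSES):
    """Group detections by object; flag objects only ever opened by a scanner/shell as FP candidates."""
    by_object = defaultdict(lambda: {"processes": set(), "threats": set(), "db_versions": set(), "hits": 0})
    for e in entries:
        rec = by_object[e["object"]]
        rec["processes"].add(basename(e["process"]))
        rec["threats"].add(e["threat"])
        rec["db_versions"].add(e["db"])
        rec["hits"] += 1
    report = {}
    for obj, rec in by_object.items():
        # The "process" is whoever opened the file; if the object itself appears as the
        # process, it was executed, which deserves a closer look than a scanner-triggered read.
        opened_by_scanner_only = rec["processes"] <= scanner_processes
        report[obj] = dict(rec, fp_candidate=opened_by_scanner_only)
    return report
```

The report keeps the DB versions per object so a reader can check whether every hit came from the single update (270.13.7/2222 in the thread) that a later definitions file no longer reproduces.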
     
  18. Tonto Williams

    Tonto Williams Registered Member

    Joined:
    Jul 7, 2009
    Posts:
    5
    All's well so far here too. Thanks every one. :)
     