Is this for real??

Discussion in 'other anti-virus software' started by Xaq, Jun 14, 2004.

Thread Status:
Not open for further replies.
  1. Xaq

    Xaq Registered Member

    Joined:
    Mar 5, 2004
    Posts:
    33
    Location:
    My House, it's on that street with the thing
    I've been looking for a new firewall and figured I'd give avast! a whirl. I installed it and right away it found a virus. I deleted the file and didn't really think much of it. Then I gave a quick random scan of a complete folder and was shocked. It found over thirty instances of Win32:Hantaner in trusted files including the installation files of MRUblaster, process guard free, and kerio personal firewall. How can this be? I've never had trouble with a virus before. I ran a McAfee Virus scan on the same folder and it found nothing. Is this for real or a mistake?
     
  2. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Given the kinds of files and the fact that McAfee doesn't pick up anything, I'd be inclined to say these are false positives. Avast has a support forum here: http://forum.avast.com/ You might want to post there and let them know the specific names of the files Avast claims are infected but McAfee doesn't so they can check them out and correct them if, as it seems, they are indeed false positives.

    I don't know anything really about Avast AV, but were heuristics involved in the detection or just signatures? Or can you not tell by adjusting settings? Some products' heuristics can result in a high incidence of FPs. I don't know if that was the case in this instance. But you should probably let them know. FPs can be real bad news if they lead people to delete needed files for other apps or the OS.

    Other online AV scanners are listed here if you want to check to see what other scanners say: http://www.broadbandreports.com/faq/9721#scan
     
  3. Xaq

    Xaq Registered Member

    Joined:
    Mar 5, 2004
    Posts:
    33
    Location:
    My House, it's on that street with the thing
    hmmm, I ran an online test on MRUblastersetup.exe with Kaspersky and it found a virus also. That is very weird. I have never had problems with viruses ever. I think my McAfee virus scan is a bit out of date on the detections list. I don't want to have to delete over 40 files because of a virus I'm not even sure is there.
     
  4. Xaq

    Xaq Registered Member

    Joined:
    Mar 5, 2004
    Posts:
    33
    Location:
    My House, it's on that street with the thing
    Alright, I found a little background info on Win32.HLLP.Hantaner.

    Win32.HLLP.Hantaner

    It is a harmless nonmemory resident parasitic Win32 virus. The virus itself is PE EXE file (Win32 executable file), it is written in Delphi and has the length about 47K (not compressed) or 24K (compressed by UPX).

    It searches for *.EXE files (any files with .EXE filename extension) in the KaZaa download directory and writes itself to the beginning of the files. As a result the virus is able to spread through KaZaa files sharing network (being downloaded from infected machine).

    The virus does not manifest itself in any way.

    The virus also contains the text strings:

    HANTA-Vjoiner ,si que lo hice yo, ErGrone/GEDZAC...
    eso va para los señoritos de PER, en especial a Machado, que no tiene la educación necesaria para responder un E-Mail.
    y para los que se enojaron con CPL, jeje, pa que ocupan Hotmail!!!, teniendo miles de mailbox gratis y con mas espacio.
    Falló la Heuristica y contra una técnica antigua JoJOjOO-Escrito en Delphi 6!-

    Sounds harmless so I guess I'll just ignore it for now. hmmm, KaZaa. I guess there's a price for free music after all.
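
Added example, not part of the original thread and not any vendor's detection logic: the description quoted in the post above says the virus writes itself to the beginning of .EXE files, which leaves one complete executable followed directly by another on disk. This Python check looks for that layout; the function names and sample bytes are constructed for illustration, and a hit is only a reason to submit the file to the AV vendor or compare it with a fresh download, since some legitimate bundlers also carry a second executable.

```python
import struct

def pe_disk_end(data, base=0):
    """Offset just past the raw data of the PE image starting at `base`, else None."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3C)
    pe = base + e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < pe + 24:
        return None
    (nsec,) = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    end = table + 40 * nsec
    if end > len(data):
        return None
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, base + raw_ptr + raw_size)
    return min(end, len(data))

def second_pe_offset(data):
    """Offset of a complete second PE stored right after the first image, else None."""
    end = pe_disk_end(data)
    if end is None or pe_disk_end(data, end) is None:
        return None
    return end

def make_pe(raw_size):
    """Constructed sample: minimal one-section PE-shaped blob (not a working program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIII16x", b".text", raw_size, 0x1000, raw_size, 128)
    return dos + b"PE\0\0" + coff + sect + b"\0" * raw_size

def demo():
    clean = make_pe(256)
    return {
        "clean": second_pe_offset(clean),
        "installer_overlay": second_pe_offset(clean + b"constructed archive data"),
        "pe_followed_by_pe": second_pe_offset(make_pe(512) + clean),
    }

if __name__ == "__main__":
    print(demo())
```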
     
  5. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    Umm... You have Kazaa? That's not good stuff, you know... got spyware in it.
     
  6. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    AVAST and AntiVir PE generate quite a number of false alarms. i'm sure it's another one. AVAST doesn't even have heuristics support for filesystem scanning. Javacool produces some great softwares and i know they won't pack a virus with one of their products. there is also another possibility that the setup file got infected by that virus. either way you should get rid of AVAST and get a decent one. meanwhile scan your system with webscans.
     
  7. Xaq

    Xaq Registered Member

    Joined:
    Mar 5, 2004
    Posts:
    33
    Location:
    My House, it's on that street with the thing
    Yeah, I know about the Spyware but the vast majority of it is gone. So far Avast doesn't seem too good. It runs 4 processes, sometimes 5, and whenever I log off, reboot, etc and log back in the stupid alarm goes off about 40 times until I click ok on every single box. I put the folder that was causing the alarms in the excludes file, but the alarm still goes off during start-up.
     
  8. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Before "bashing" Avast! I would suggest looking into this situation a little more. Especially since KAV's online scanner also detected Hantaner. If you read from this web site http://msmvps.com/trafton/articles/5138.aspx you can see that Hantaner is indeed a file infector. And another interesting quote that might explain the legitimate files being reported as infected (from the same website)... "There have been unsubstantiated reports that W32.HLLP.Hantaner will occasionally infect other folders. One such case involves content in the folder C:\Games. However, it is more likely that these files in some way passed through the Internet Explorer downloads folder." But as you mentioned, payload of this particular virus seems rather minimal.
     
  9. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    I can't believe this. Xaq's machine is obviously flooded with infected files but because his (outdated) McAfee scanner doesn't detect anything it's the AV's fault o_O :eek:

    So what exactly would you expect from your AV? To NOT react even if a virus is found??

    AMRX your offensive attitude towards avast is widely known but isn't this a bit too much? You are sure? C'mon... :(
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Ladies and gents,

    Questioning any software is just fine. Making statements about any software as well - provided it comes with proof. Merely as a precaution: bashing any software will not be tolerated on this board ;).

    regards.

    paul
     
  11. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    what should i say? well i apologise if you think i'm bashing AVAST. if anyone is working for AVAST, he/she shouldn't take it personally. it's just that every month i download some free AVs and scan my system. i encountered false alarms with those products i mentioned. next time i'll log those false alarms. anyway dear rerun2 and xaq, i downloaded MRUBlastersetup.exe and scanned it with Kaspersky. it says no virus. so it means either your setup got infected or it's a false..........forget it. just run some webscans as sig suggested and make sure your system is clean. then download MRUblaster from Javacool website and tell us what happened.

    dear Paul, though i never posted or read anything in Javacool forum, i think you are hosting the official Javacool forum. a word from you about this would be nice.
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    AMRX,

    I do applaud you for logging ;) - it's no doubt in the interest of software users ;)

    FYI: vlk is an Avast rep - I'm not revealing any secrets here ;)

    Well, we are hosting all dedicated software support forums you'll find over here. As for my impression: for sure all Javacool Softwares - provided they are downloaded from a trusted source - are plain clean. I'll tend to agree with vlk on this issue:

    regards.

    paul
     
  13. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    avast!'s very strong generic detection sometimes (usually after a specific VPS update) provides a false positive, yes, but the Alwil team fixes them asap (asap means half a day at most) so these FPs are not really annoying. It's better to encounter one FP than a real virus, don't you think?
    Btw in one year of avast! usage i encountered exactly 1 false positive (on two very similar samples) and it was encountered the day when they increased generic detection capability. Sounds fair enough to me.

    @Xaq
    Just a note, you are referring to avast! as a firewall in the first post when it's an antivirus. You probably mistyped, I guess.

    And sorry if it sounds stupid, but as my signature says... Next time read what the warning message says and don't rush for the Delete button. That's why warning messages are there.
     
  14. Xaq

    Xaq Registered Member

    Joined:
    Mar 5, 2004
    Posts:
    33
    Location:
    My House, it's on that street with the thing
    Ahh yes, I just now realized that I typed firewall in the first post (I feel like an idiot, I wondered why people thought I was so confused). I think I may have figured out my problem. It turns out this may not be a false alarm after all and that I'm just really stupid. Long ago I backed-up all my shared files from KaZaa into my primary download folder (for me that is). I'm guessing an exe file contained the virus and infected every other exe file in that folder. I put all the files in the virus chest, redownloaded a portion of the files, and all seems to be working fine now. Thanks to everyone for the advice. Xaq
     
  15. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Send those files to avast or antivir team next time. Let them know. Is this too much work? Avast support is great and I don't think they'd ignore you.


    tECHNODROME
     
    Last edited: Jun 15, 2004
  16. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    dear Technodrome, it's very easy to say send those files or to ask is this too much work. i'm on dial-up and i always do everything i can do. so don't you worry.
     