Is this for real??

I've been looking for a new firewall and figured I'd give avast! a whirl. I installed it and right away it found a virus. I deleted the file and didn't really think much of it. Then I gave a quick random scan of a complete folder and was shocked. It bfound over thirty instances of Win32:Hantaner in trusted files including the installation files of MRUblaster, process gaurd free, and kerio personal firewall. How cna this be? I've never had trouble with a virus before. I ran a McAfee Virus scan on the same folder and it found nothing. Is this for real or a mistake?

 

Given the kinds of files and the fact that McAfee doesn't pick up anything, I'd be inclined to say these are false positives. Avast has a support forum here: http://forum.avast.com/ You might want to post there and let them know the specific names of the files Avast claims are infected but McAfee doesn't so they can check them out and correct them if, as it seems, they are indeed false positives.

I don't know anything really about Avast AV, but were heuristics involved in the detection or just signatures? Or can you not tell by adjusting settings? Some products heuristics can result in a high incidence of fp's. I don't know if that was the case in this instance. But you should probably let them know. FP's can be real bad news if they lead people to delete needed files for other apps or the OS.

Other online AV scanners are listed here if you want to check to see what other scanners say: http://www.broadbandreports.com/faq/9721#scan

 

hmmm, I ran an online test on MRUblastersetup.exe with Kaspersky an it found a virus also. That is very weird. I have never had problems with viruses ever. I think my McAfee virus scan is a bit out of date on the detections list. I dont want to have to delete over 40 files because of a virus I'm not even sure is there.

 

Alright, I found a little background info on Win32.HLLP.Hantaner.

Win32.HLLP.Hantaner

It is a harmless nonmemory resident parasitic Win32 virus. The virus itself is PE EXE file (Win32 executable file), it is written in Delphi and has the length about 47K (not compressed) or 24K (compressed by UPX).

It searches for *.EXE files (any files with .EXE filename extension) in the KaZaa download directory and writes itself to the beginning of the files. As a result the virus is able to spread through KaZaa files sharing network (being downloaded from infected machine).

The virus does not manifest itself in any way.

The virus also contains the text strings:

HANTA-Vjoiner ,si que lo hice yo, ErGrone/GEDZAC...
eso va para los seÓoritos de PER, en especial a Machado, que no tiene la educaciÕn necesaria para responder un E-Mail.
y para los que se enojaron con CPL, jeje, pa que ocupan Hotmail!!!, teniendo miles de mailbox gratis y con mas espacio.
FallÕ la Heuristica y contra una tÊcnica antigua JoJOjOO-Escrito en Delphi 6!-

Sounds harmless so I guess I'll just ignore it for now. hmmm, KaZaa. I guess theres a price for free music after all.

 

Umm... You have Kazaa? That's not good stuff, you know... got spyware in it.

 

AVAST and AntiVir PE generates quite a number of false alarms. i'm sure its another one. AVAST doesn't even have hauristics support for filesystem scanning. Javacool produces some great softwares and i know they won't pack a virus with one of their products. there is also another possibility that the setup file got infected by that virus. either way you should get rid of AVAST and get a decent one. meanwhile scan your system with webscans.

 

Yeah, I know about the Spyware but the vast majority of it is gone. So far Avast doesnt seem to good. It runs 4 processes, sometimes 5, and whene ever I log off, reboot, etc and log back in the stupid alarm goes off about 40 times until I click ok on every single box. I put the folder that was causing the alarms in the excludes file, but the alarm still goes off during start-up.

 

Before "bashing" Avast! I would suggest looking into this situation a little more. Especially since KAV's online scanner also detected Hantaner. If you read from this web site http://msmvps.com/trafton/articles/5138.aspx you can see that Hantaner is indeed a file infector. And another interesting quote that might explain the legitimate files being reported as infected (from the same website)... "There have been unsubstantiated reports that W32.HLLP.Hantaner will occasionally infect other folders. One such case involves content in the folder C:\Games. However, it is more likely that these files in some way passed through the Internet Explorer downloads folder." But as you mentioned, payload of this particular virus seems rather minimal.

 

I can't believe this. Xaq's machine is obviously flooded with infected files but because his (outdated) McAfee scanner doesn't detect anything it's the AV's fault

So what exactly would you expect from your AV? To NOT react even if a virus is found??

AMRX your offensive attitude towards avast is widely known but isn't this a bit too much? You are sure? C'mon...

 

what should i say? well i apologise if you think i'm bashing AVAST. if anyone is working for AVAST, he/she shouldn't take it personally. its just that every month i download some free AVs and scan my system. i encountered false alarms with those products i mentioned. next time i'll log those false alarms. anyway dear rerun2 and xaq, i downloaded MRUBlastersetup.exe and scanned it with Kaspersky. it says no virus. so it means either your setup got infected or its a false..........forget it. just run some webscans as sig suggested and make sure your system is clean. then download MRUblaster from Javacool website and tell us what happened.

dear Paul, though i never posted or read anything in Javacool forum, i think you are hosting the official Javacool forum. a word from you about this would be nice.

 

avast! very strong generic detection sometimes (usually after specific VPS update) provide a false positive,yes,but Alwil team fixes them asap (asap means half day at most) so these FP are not really annoying. Its better to encounter one FP then a real virus don't you think?
Btw in one year of avast! usage i encountered exactly 1 false positive (on two very similar samples) and it was encountered the day when they increased generic detection capability. Sounds fair enough to me.

@Xaq
Just a note,you are referring avast! as firewall in first post when its an antivirus. You probably mistyped i guess.

And sorry if it sounds stupid,but as my signature says... Next time read what warning message says and don't rush for Delete button. Thats why warning messages are there.

 

Ahh yes, I just now realized that I typed firewall in the first post (I feel like an idiot, I wondered why people thought I was so confused). I think I may have figured out my problem. It turns out this may not be a false alarm after all and that I'm just really stupid. Long ago I backed-up all my shared files from KaZaa into my primary download folder (for me that is). I'm guessing an exe file contained the virus and infected every other exe file in that folder. I put all the files in the virus chest, redownloaded a portion of the files, and all seems to be working fine now. Thanks to everyone for the advice. Xaq

 

Send those files to avast or antivir team next time. Let them know. Is this too much work? Avast support is great and I don't think they'd igore you.


tECHNODROME

 

dear Technodrome, its very easy to say send those files or to ask is this too much work. i'm on dial-up and i always do everything i can do. so don't you worry.