V4 Replaced with Antivir - Trojans found!

Hi all,

I've got to say I'm pretty worried now. I've been using ESS V3 for about a year and in Feb I purchased a new license because I'd found my PC performed so much better with ESS in comparison to some other well known Security Suites. Periodic online scans with KIS and Bitdefender and also weekly scans with Malwarebytes never showed any issues, so I trusted that ESS was doing its thang and doing it well.

I'd been suffering from major slowdowns recently and getting odd disconnections and reconnections from my network adaptor. This all happend after I installed some software I use for work on my home pc. I did this because my works laptop was acting up also and I needed to hit deadlines. (The laptop runs KIS 2009 company provided).

After deciding to do a full re-install of windoze XP, I decided to install the latest Version of ESS i.e: V4. Since then I suffered the same as many others here, with periodic and seemingly random disconnections from the internet, and I could find no logs to explain why or event show that it had happend wireshark et'all!

After reading the various threads on here I uninstalled V4 and loaded up a 90 day trial of Avira AntiVir. I then did a full scan. It found 9 seperate Trojans 8 were seperate instances of the same one and the other was in a file I'd never actually accessed on a secondary drive. The files I quarantined contained the following Trojans.
(A)TR/Crypt.XPACK.Gen
and a file
(B)HIDDENEXT/Crypted - Malware
which Avira describes as
a file containing an executable program that is disguised by a harmless file exstension

I'm not so worried about the second one, but the first was found lurking in one of the install's of a corporate product that we use for reporting and was one of the programs I installed when setting up my home PC as mentioned earlier. Funny how my home PC gave up the ghost shortly after installing it!

The Reporting Tool install disk which I think is the primary source of the trojan has been on a USB drive that is attached to between two and three machines daily and has been for the last three plus years!


My questions are:

Why didn't ESS V3 or V4 pick up on this or KIS2009 or Malwarebytes or Bitdefender for that matter?

When is ESS V4 going to be fixed for internet connectivity.

Is Avira giving me false alarms and have I just quarantined the install and the installed files and a few editions of my backups for no-reason?

How do I get confidence back in ESS after having the V4 issues and the dllhost and mstdc deletions on 2 of my PC's and the apparent silence of ESET moderators on here to explain the issues one way or another?

If you've stuck with me so far, Thanks for reading,

Greg

 

What makes you think they are not false positives? You stated you just did a clean wipe, I'm going to assume you have a general knowledge of computers and therefor would be hard to simply become infected by trojans. Avira is well knows for high false positives.

edit: 1) same as above

2) most likely in the next build

3) same as 1.

4) same as 1.

 

What makes you think they are not false positives?

I'm sure you didn't miss the fact that I asked whether this might be the case in my original post!

You stated you just did a clean wipe, I'm going to assume you have a general knowledge of computers and therefor would be hard to simply become infected by trojans.

I did do a clean wipe, however, that does no good if you immediately restore from an infected source, Which if I believe Avira is what I did whilst running ESS V4!

I do have some rudimentary knowledge, I've been in IT development for about 25 years! If you read my post as to the source of the Trojan (false or not) It seems strangely coincidental that my problems arose shortly after the installation of the "so-called" problematic files. I'm not saying that this is a 2 + 2 = 4 situation here, but those 25 years have tought me that coincidences are also quite rare too. The PC we're talking about here has been running sweetly Since I built it in September 2007 and turned from being an Intel Quad Core with 4GB RAM to a lump of wood within a period of a few days!

Avira is well knows for high false positives.

Well maybe it is, maybe it isn't. I do tend to keep fairly well abreast of the security software scene (Without being obsessive) however, I had not heard this. I know it of Bitdefender, but that doesn't report diddly on my machines!

Regards,

Greg

 

You can follow this Guide: http://kb.eset.com/esetkb/index?page=content&id=SOLN141 and provide information in your email asking whether the files are real infections or not, make sure you ask it in the way that creates a need for a reply.

 

http://www.avira.com/en/threats/section/fulldetails/id_vir/3488/tr_crypt.xpack.gen.html

http://www.avira.com/en/threats/section/details/id_vir/4327/hiddenext_crypted.html

 

Thanks Elapsed,

I think I might just give this a go / If I can get one of the files back out of Avira's Quarantine

Greg

 

Hi RonJor,

I tend to agree and am in the process of doing such. Whilst writing my initial entry, Avira's first system scan had yet to finish. I'm tempted to give ESS the benefit of the doubt in this instance. Unfortunately, this does not get me around the constant disconnections.

I'd be tempted to go back to V3 and wait it out, However, I'd read some positive reviews recently re: Avira and I saw no harm in giving the 90 day free trial a go (it just landed on my desk recently via a copy of PC-Pro), I have no priorl experience of this product, and wasn't aware of any 'False Positives' issues from this provider. I decided on this course of action, mainly because of the number of issues coming out of Eset recently.

Regards,

Greg

 

Cheers Hawki,

I intend submitting the files to both ESET and AVIRA. Lets see what happens

Greg

 

Avira will give out FPs. The only way you might really know is to upload them to Virus Total and see who detects them. If 4 or more of the top vendors do, they are real. If 4 or more of the Paranoid vendors do they are FPs.

 

Send those files to Kaspersky too.
They have a very good lab and you will have an answer in a few hours.

 

I've seen both Avira and Kaspersky reply a file is clean when it is malicious when I send samples(I've checked it myself). They are all human and they make mistakes, there is no better or worse, they all have the same training.

 

Maybe , but hi will have a second (very good ) opinion.

 

Hi,

I sent the files to Avira, on the same evening as my original post. They haven't replied yet! Doesn't give me that warm fuzzy feeling!

Sending the files to Avira was very easy, as you can do it via the security suite interface. However, the files are renamed and placed somewhere hidden when quarantined. I haven't yet dragged them out and sent them to ESET or anyone else, I'm more inclined to pop them through virus total first though.

Since elapsed bashed me rather severely I thought with the FP post I did a bit more research into Avira and tend to agree with his first analysis. Although I'm open to suggestions at the moment.

As soon as a fix for the V4 connectivity issues surfaces I'll probably be switching back to Eset. I am forced to use Kaspersky on my works laptop and may submit a file up to them. I probably wouldn't use KIS on my own PC though, although I think I prefer it to Avira

Regards,

Greg

 

Zip them. Put passowrd and send here, Tell the password in the mail.

newvirus@kaspersky.com

For Avira, upload here. U wil get reply.

http://analysis.avira.com/samples/index.php

 

I didn't mean to "bash" you, but Kaspersky is a very good security suite. (Better than Avira in my opinion).

But I cannot understand why people are posting "omg email kaspesky". We already concluded they have been sent to Avira and ESET for analysis. There is no need to submit it to every company under the sun unless it's an actual threat.

 

Hi Elapsed,

Just yanking the chain a little I'm still running Avira here, it's been ok and since it's initial scan performance has been quite good!. I haven't had any noticeable slowdowns and bittorent up and downs have definitely not been hindered.

However, one thing I have noticed, that's a bit worrying (outside the possible FP's) is ----

I'm now in the process of moving a fairly large pop3 mail store to the gmail cloud. Since my system's re-buid a couple of weeks ago I've been in the process of getting my e-mail back up and running. I decided to go IMAP and to move my POP mail store, held in a Thunderbird mozbackup .pcv file up to Google's servers.

The method I found easiest to do this was to restore the pop3 folders to Thunderbird and then instantiate an IMAP googlemail account in the same application. It is then a simple task of selecting each pop3 folder and copying or moving the contents to the inbox of the googlemail IMAP "virtual" folders that show up in Thunderbird. This causes the emails to be sent up the wire to my googlemail account, in there thousands.

I would have thought an action like that would have brought up requester from Avira requesting confirmation of so many emails heading out of my system in quick succession. However, nothing appeared and all my e-mails went up the pipe to googlemail unhindered and came back down to outlook on my works PC without issue. I expected a bit more of a fight but none was forthcoming from Avira!

As I mentioned in another post, Avira isn't giving me a warm and fuzzy. KIS is OK but I have problems with bittorrent (As I do with ESS) however I use something called BBC Iplayer quite extensively on my home PC and KIS doesn't like that one little bit, so it's pretty much a no go for personal use.

I'll be glad when ESS have fixed the V4 issues, but I'm a bit concerned about the poor customer service that seems to be coming out of ESET re: V4 connectivity issues. That kind of communication breakdown has, in itself, been reason enough in the past for me to seek out alternative security solutions, there are quite a few good alternatives out there, but ESET has up until now had the least impact on system performance, and has been my primary choice because of that!

Regards,

Greg