My AVG.85 found a trojan which I think might be a FP, but to submit it for further testing I need to email a WinRAR file of it. I have just DL WinRAR for the first time and I have no clue how to get the virus from the vault into a file to send to them. Can anyone help?
#1
Posted 09 September 2009 - 02:32 PM
Vista HB 32 bit
WoT
ABP
Sandboxie free
MBAM
Ccleaner
NoScript
AVG 2011 free
Hostsman
#2
Posted 09 September 2009 - 02:55 PM
I have archived the file but I do not have a clue how to find it to send it as an attachment.
Well, I can find it, but it wants to send via a Windows Mail account which I do not use; I want to send it via my Yahoo account.
Edit
It's OK, I found out how to!
EDIT again!
If I scanned a file on Jotti and Virus Total and it was in a WinRAR archive form, would that affect the result? As only "Sunbelt" mentioned <Encrypted Archive> when I scanned.
#3
Posted 09 September 2009 - 04:08 PM
You might want to upload to Jotti or Virustotal with the file itself and not in the archive
Desktop ----- AMD Athlon 3700+ (2.64Ghz), 2GB DDR 400, ASUS A8N-SLI Premium, 500GB HD, Windows XP Pro SP3, Avira Antivir Personal, MBAM Pro
Laptop ----- Intel C2D P8400 (2.4 Ghz), 4GB DDR3 1066, Mainboard, 160GB HD, Dualboot: Windows 7/openSUSE 11.1, Avira Antivir Personal
#4
Posted 09 September 2009 - 05:28 PM
How do I remove the file from the archive?
EDIT
I just got an email from AVG
Quote
Dear Sir/Madam,
thank you for your e-mail.
Unfortunately, the current virus database version may detect the
mentioned virus on some legitimate applications. We can confirm that
it is a false alarm. We would like to inform you that the false
positive will be removed in one of the next Definitions update. Please
update your AVG and if a new Definitions update was downloaded, check
whether the file is still detected.
If you need to restore deleted files from AVG Virus Vault you can do
it this way:
- Open AVG user interface.
- Choose "Virus Vault" option from the "History" menu.
- Locate the file that was incorrectly removed and select it (one
click).
- Click on the "Restore" button.
We are sorry for the inconvenience.
Best regards,
Ondrej Lukasek
AVG Customer Services
I take back anything bad I have said about AVG's customer support.
#5
Posted 09 September 2009 - 06:11 PM
Great news! In the future, you would just need to extract the archive to get the file back outside of the archive
#6
Posted 09 September 2009 - 06:19 PM
Ah right! Thanks!
It's a great little tool, I do know why I have never thought to DL it before!
Shame it will only last for 40 days though.
#7
Posted 09 September 2009 - 07:33 PM
You might want to try IZarc or 7-Zip. IZarc is freeware and 7-Zip is open source. Both do not require you to pay
I have used both and like both.
#8
Posted 09 September 2009 - 08:38 PM
Pay WinRAR for the $29 and learn it. Probably the best archiving tool currently available.
Excellent tool and a lot of great features that Zip can not match.
#9
Posted 09 September 2009 - 08:39 PM
Thanks for those.
I noticed that when I sent the file, the Norton that scans the files brought up an alert about it and could not scan it. It was not bigger than they can handle.
I extracted the file and ran it again via Jotti and Virus Total.
This is Jotti's, which 3 of them found something!

and this is Virus Total's list that found 5!

It's strange how unzipping it means they found something and it means that there is something bad in it.
#10
Posted 09 September 2009 - 08:50 PM
@AdvancedSetup,
I've never personally used WinRAR. Is it that good?
@chimpy,
None of the major A/Vs seem to flag it. I know those online scanners don't execute the files so maybe AVG's team tried to execute the file and found the malicious behavior?
#11
Posted 09 September 2009 - 08:54 PM
I do not know if the res shield (which is the thing finding it) executed it. It says "on open" when the alert happens, but as Norton could not complete the scan on the attachment with it as I was sending them the file through email, I am worried now the file might have been corrupted and so they tested it with parts missing, and that's why it might have come back clean.
#12
Posted 09 September 2009 - 09:16 PM
Methods of coding, encrypting, and packing can all set off a scanner - but that does not mean that it's infected or malicious in and of itself.
I would try Virus Total for testing individual files as they now use 41 different scanners.
#13
Posted 09 September 2009 - 09:18 PM
swagger, on Sep 9 2009, 01:50 PM, said:
@AdvancedSetup,
I've never personally used WinRAR. Is it that good?
In my opinion it is but others may not agree. Take a look around the Internet and you'll find that RAR is probably the #1 archive format for distributing or sharing files. If Zip was that good then it would be the lead, but it's not.
#14
Posted 09 September 2009 - 09:19 PM
I did use Virus Total, AdvancedSetup!
As well as Jotti; look up a few posts and you can see the images I posted of them both.
#15
Posted 09 September 2009 - 09:21 PM
Yes I know you did, I'm just posting in general so that other users that visit this post will see and know.
Thanks.
#16
Posted 09 September 2009 - 09:28 PM
I'll do a little homework. If I am correct, I believe RAR is the archiving choice on Linux and Unix platforms...
#17
Posted 09 September 2009 - 09:30 PM
Ah sorry AdvancedSetup. Would you say that VT finding 5 out of 41 is a bit suspect, alongside the fact Norton could not scan the attachment on the email I sent using Yahoo?
I have emailed AVG back with the extra info and hope I get a reply, I stopped using the product a few months ago so removing it is not a problem for me but I got this off a disc from a magazine called "Windows Vista The official magazine" at Christmas last year so you would think it was ok! (even though I know it says to scan before you DL anything from it)
#18
Posted 09 September 2009 - 09:52 PM
swagger, on Sep 9 2009, 02:28 PM, said:
I'll do a little homework. If I am correct, I believe RAR is the archiving choice on linux and unix platforms...
You're probably thinking of TAR on Linux.
#19
Posted 09 September 2009 - 09:55 PM
chimpy, on Sep 9 2009, 02:30 PM, said:
Ah sorry Advanced set up, Would you say that VT finding 5 out of 41 a bit suspect alongside the fact Norton could not scan the attachment on the email I sent using Yahoo?
I have emailed AVG back with the extra info and hope I get a reply, I stopped using the product a few months ago so removing it is not a problem for me but I got this off a disc from a magazine called "Windows Vista The official magazine" at Christmas last year so you would think it was ok! (even though I know it says to scan before you DL anything from it)
I'd actually want to review more things on the system rather than just assuming that because 5 vendors found something that it was in fact infected. You're correct though that 5 is starting to become noticeable - often if I only see a couple then without other signs of an issue I'd think they're a FP.
If you're really concerned then you should post scans in the HJT forum as we tell new users that think they're infected, otherwise I'd write it off as FP.
#20
Posted 09 September 2009 - 10:02 PM
I just received this email from them
Quote
Dear Sir/Madam,
thank you for your e-mail.
Please note that actually the file was detected by us but we removed
the detection as the file is not harmful. Other software can still
detect the file but AVG will not detect it anymore.
If you have any further questions, feel free to contact us again.
Best regards,
So looks like it was harmless then.
Panic over!