ciadoor.13, or nothing?

Guest

I put up a post about this in 'compatibility' but I suspect people don't look
there often, so I'm going to try again here, and with fresh information. I'd
much appreciate advice.

1. Yesterday, Defender completed its daily scan (clear as usual).
Immediately after it finished, AVG's resident shield jumped up detecting a
trojan (ciadoor.13) in an old program file that I haven't used for months
(mirc.exe), and which has been scanned hundreds of times before. It's now in
quarantine. (I should explain this is the new AVG combined
antivirus/antispyware Ewido-based system I'm using.)
2. I did a full scan afterwards with Adaware. It was clear.
3. Today I did an online scan with Kaspersky. It was clear.
4. Then I ran a manual full scan with AVG. It found ciadoor.13 again - but
this time somewhere in System Volume Information (A0073965.exe) - it's now in
quarantine.
5. For the first time I found where the AVG virus vault is, so I was able to
submit the two quarantined files (each of them precisely 1.93MB) to the
multiple scanner at http://virusscan.jotti.org/. Every scanner (including
AVG) found nothing in both files.

It looks like these AVG detections are false positives. What should I do?
Restore the files from the virus vault back to where they came from? But if I
do that, then AVG will pick them up again next time it scans, presumably.
I've sent an email to AVG, but I'd really like the opinion of you guys, if
you can comment.

It seems to me very odd that all this began just as Defender ended its
regular scan. Is that just coincidence do you think?
 
Guest

Alan,
It seems to me very odd that all this began just as Defender ended its
regular scan. Is that just coincidence do you think?

This is not unusual. In order to scan these files WD must access them, and
during the accessing by WD the file access is being monitored by your other
resident scanning programs. I have had this happen when I scan with
Ad-Aware, which has been told to ignore a particular program, and my Virus
Scanner went off, which detects some PUPs, and has not been told to ignore
the program (the program is harmless by the way, just questionable in how
it is used).

If all your other scans come up negative and these are scans you usually
trust (Confidence Is High) I would say to UnQuarantine them if you are having
No Manifestation of malware and wait to hear back from AVG. Personally I
don't like "combined" programs myself.

By the way, quarantining the program from System Restore (System Volume
Information) May render that Restore Point InValid, I'm not sure. You might
want to make a Restore Point and Label it Accordingly.

?:)
Tim
Geek w/o Portfolio
 
Guest

Alan,

Though Tim's analysis is fine, it's likely that you'd have an issue moving
these from quarantine until the false positive detection has been removed
from AVG. Generally the Resident Shields don't flag the items as exclusions
automatically, so they will immediately detect the files again and return
them to quarantine.

What you need to do, beyond the correct steps you've already taken, is
research and/or report the issue to Grisoft directly. Unless you or someone
else does this, the issue may not be fixed for a while. The AVG Free Forum
and other support can be found here:
http://free.grisoft.com/doc/3/lng/us/tpl/v5

Of course, the simplest method in your case would be to uninstall MIRC,
since it sounds like you don't use it anyway.

Bitman
 
Guest

Just to be sure, you may want to scan with a-squared since it specializes in
Trojan detection.
 
Guest

I would also submit the files to VirusTotal for analysis, just in case. If
they prove clean, I would remove them from quarantine ONLY if they were files
that I use from time to time. Otherwise, if they are not missed, I would
keep them quarantined. You just can't be too careful, even with potential
false positives.

ewido/AVG is a good tool and not nearly as prone to issuing false positives
as other AV/AS software. BUT ... with a half-million signatures with which
to contend, it is certainly open to human-induced errors. ;-)
 
Guest

Tim Clark said:
By the way, quarantining the program from System Restore (System Volume
Information) May render that Restore Point InValid, I'm not sure. You might
want to make a Restore Point and Label it Accordingly.

Thanks for this Tim. I'd wondered about whether this would mess up System
Restore - maybe this is a good time for me to clear all the old restore
points anyway, after I've heard from AVG and done whatever they suggest.
 
Guest

Bitman said:
What you need to do, beyond the correct steps you've already taken, is
research and/or report the issue to Grisoft directly. Unless you or someone
else does this, the issue may not be fixed for a while.

Thanks Bitman - I sent them a more detailed email yesterday, outlining all
the steps I'd taken and what the results had been.
Of course, the simplest method in your case would be to uninstall MIRC,
since it sounds like you don't use it anyway.

Yes, definitely. My only concern is what happens if I try to uninstall it
when the main program (mirc.exe) is locked in quarantine. Is the Windows
uninstaller routine clever enough to cope with that?
 
Guest

Mr Cat said:
Just to be sure, you may want to scan with a-squared since it specializes in
Trojan detection.

Thanks Mr Cat, for two reasons.

First - I didn't know about this scanner, so it's a useful addition to my
armoury. Second - it gave the all-clear on the two quarantined files, as well
as on an overall quick scan.
 
Guest

Scott D said:
I would also submit the files to VirusTotal for analysis, just in case. If
they prove clean, I would remove them from quarantine ONLY if they were files
that I use from time to time. Otherwise, if they are not missed, I would
keep them quarantined. You just can't be too careful, even with potential
false positives.

Thanks Scott. I've just sent the two files to Virustotal, and those scanners
found nothing, either.

Do the files have to be kept in quarantine perpetually? Or can they simply
be deleted?
 
Guest

Stu said:
Found this on the Wilders Security Forum - looks like you are not the only
one and it could well be an FP.

Many thanks Stu. Interesting that Ewido reported it as a trojan in the
virustotal scan that was posted, whereas today Ewido gave mine the all clear
during the virustotal scan. Looks like they've corrected it - in Ewido, at
least.

I still haven't had a reply from AVG - but I suspect they're inundated with
emails like mine, from people who have mirc installed, requesting support!
 
Guest

:
The link is there for an analysis if you wish

Well, the story has a slightly amusing ending, so I'll tell the tale: I sent
the file to the ewido test centre as Stu suggested, and I've just had an
email explaining that it was a false positive, with instructions to (1)
restore the file (2) update AVG (3) retest the file.

So of course, being very good at following instructions, but with brain
disengaged on this occasion, I proceeded to do exactly what they said in the
order they said; and while I was checking that mirc.exe had indeed been
restored, AVG sent in all its armies once more and arrested the intruder.
Quite reassuring really. At least I know the system works, now.

Anyway, I updated AVG, restored both quarantined files including the one
from System Restore, and the consequent scans were remarkably uneventful.
Entertainment over for today. Ciadoor.13 has left the building.

(Anyone out there reading this who's using AVG Antispyware and hasn't
updated it recently - please do, and avoid all this!)
 
Melvin (math) Klassen

Yesterday, Defender completed its daily scan (clear as usual).
Immediately after it finished, AVG's resident shield jumped up detecting a
trojan (ciadoor.13) in an old program file that I haven't used for months
(mirc.exe), and which has been scanned hundreds of times before. It's now in
quarantine. (I should explain this is the new AVG combined
antivirus/antispyware Ewido-based system I'm using.)

AVG updates itself -- maybe, the "newest" definitions now contain detection
for it.

Create a '.zip' file with a password of 'virus', and E-mail it to
"virus-at-ca-dot-dom".
If it is something "new", a researcher will analyze it, and E-mail a reply
to you.
If it is something "old", or something non-malicious, you'll be told.
 
Guest

Melvin (math) Klassen said:
AVG updates itself -- maybe, the "newest" definitions now contain detection
for it.

Create a '.zip' file with a password of 'virus', and E-mail it to
"virus-at-ca-dot-dom".
If it is something "new", a researcher will analyze it, and E-mail a reply
to you.
If it is something "old", or something non-malicious, you'll be told.

Thanks - the issue (or rather, non-issue, since it was a false positive) has
been resolved now - the full story is in the rest of the posts in this thread.
 