Old Oct 8, 2005, 3:04 PM   #1
Moderator
 
Join Date: Jun 2002
Posts: 1,139
Default

The latest version of AVG is summarily deleting executable slideshows made with PicturesToExe versions 4.3/4.31. AVG is mistakenly identifying these perfectly good executable files as containing the Trojan Horse PSW Banker.HMQ.

AVG says it "heals" the file then says it "deleted" the files. They are in fact moved to the Virus Vault where they can supposedly be "recovered". When recovery is attempted the executable files no longer run.

I would suggest turning off AVG until they fix this problem unless you want to lose your work.

Lin
Lin Evans is offline   Reply With Quote
Old Oct 8, 2005, 3:39 PM   #2
Administrator
 
Join Date: Jun 2003
Location: Savannah, GA (USA)
Posts: 22,378
Default

Lin:

I'm running AVG (checking for new updates at 2:00AM every morning, and running a full scan at 4:00AM to make sure nothing "slipped through the cracks").

Are you sure you don't really have a trojan that's propagating itself within your slide shows?

I don't normally use PictureToExe.

But, I just downloaded Version 4.43 and created an .exe file with it (it runs fine except that it's got something letting you know it's unregistered on the images when you run the slideshow created with it since I haven't bought it and entered a keycode).

Then, I scanned the .exe it created with AVG and it couldn't find anything.

I also checked to see if I'm running the latest Virus Protection Database (and it says it's the most current one).

AVG Version: 7.0.344 / Virus Database: 267.11.13/124 - Release Date: 10/7/2005

This is the free version of AVG. But, the virus database should be the same between them.
JimC is offline   Reply With Quote
Old Oct 8, 2005, 3:46 PM   #3
Moderator
 
Join Date: Jun 2002
Posts: 1,139
Default

JimC wrote:
Quote:
Lin:

I'm running AVG (checking for new updates at 2:00AM every morning, and running a full scan at 4:00AM to make sure "slipped through the cracks").

Are you sure you don't really have a trojan that's propagating itself within your slide shows?

I don't normally use PictureToExe.

But, I just downloaded Version 4.43 and created an .exe file with it (it runs fine except that it's got something letting you know it's unregistered on the images when you run the slideshow created with it since I haven't bought it).

Then, I scanned the .exe it created with AVG and it couldn't find anything.

I also checked to see if I'm running the latest Virus Protection Database (and it says it's the most current one).

AVG Version: 7.0.344 / Virus Database: 267.11.13/124 - Release Date: 10/7/2005

This is the free version of AVG. But, the virus database should be the same between them.

Hi Jim,

Yes, I'm absolutely certain it's a problem with AVG. It's presently only identifying files made with versions 4.30 and 4.31 of PicturesToExe, but it's already destroyed files from dozens of PicturesToExe users. The profiles which began corrupting PicturesToExe executable files began on 10/5 and the problem was supposedly corrected by Grisoft with the 10/7 version, but it was NOT corrected and the current version continues to destroy executables created with versions 4.30 and 4.31 of PicturesToExe.

About a year or so ago Norton Anti-Virus had a similar problem which cost many users much time and effort to re-create their files. Symantec corrected their faulty code and now Grisoft has a similar problem. I can feed the program (AVG) archived executables which were created a year ago and it's summarily destroying the code which shows zero Trojan or any other problems with all other current anti-virus software. It's definitely a serious problem with AVG and must be corrected before any more damage is done. The files which it moves to the Virus Vault are corrupted and won't run after being recovered.

Best regards,

Lin
Lin Evans is offline   Reply With Quote
Old Oct 8, 2005, 3:58 PM   #4
Administrator
 
Join Date: Jun 2003
Location: Savannah, GA (USA)
Posts: 22,378
Default

I know it's not going to help anything now. But, it may be trying to "heal" what it thinks is a virus before it moves files into the Vault (hence, corrupting them).

In each area it scans, you've got separate settings for "Automatic Healing of Infected Files", which is checked on by default. I'm guessing (pure speculation) that it may not corrupt them if this is unchecked.

Unchecking the "Heuristic Analysis" may also help prevent false positives (then it would probably make sure it had an exact match to the definition in the database). Again, speculation.




JimC is offline   Reply With Quote
Old Oct 8, 2005, 5:00 PM   #5
Moderator
 
Join Date: Jun 2002
Posts: 1,139
Default

Hi Jim,

Unfortunately my paid version 7.0 doesn't have these settings as an option. In checking my AVG license I see that it expires on the 22nd of this month. I think I'll pass on AVG and go to another program such as Panda which has a better track record in that it finds more viruses and has had no false positives. I just can't have a program which is designed to protect my data instead destroy the data it should be protecting.

These problems do happen sometimes and Grisoft isn't the only company which has had these issues in the past. I know of at least two companies which have had similar problems, but I've never been able to get AVG to correctly protect my Eudora email and consequently have had numerous episodes connected with it.

If there were a way to conveniently connect to Grisoft by telephone and report this problem it could possibly have prevented a number of losses for users of PicturesToExe, but Grisoft has been reluctant to give out their telephone number. Even their U.S. distributor claims to not have a telephone number and says that they do all correspondence by "email" - something I find very difficult to believe. I've tried repeatedly to contact Grisoft but have had zero response as has been the case with others who have reported this problem. Perhaps it simply happened at a bad time for them and they are slow with responses, but I suspect I'll look for another anti-virus protection software. I've had AVG since their beta, but they just have not been very helpful or responsive so I'm throwing in the towel.

Best regards,

Lin
Lin Evans is offline   Reply With Quote
Old Oct 8, 2005, 5:11 PM   #6
Administrator
 
Join Date: Jun 2003
Location: Savannah, GA (USA)
Posts: 22,378
Default

I can understand your frustration. But, there is something very odd going on here, too.

I found the forum thread on this issue and saw where their admin posted a sample .exe file (zipped).

Well, even without any virus detection enabled, I can't open it with a Hex Editor.

One very old programming tool I've got can open it (but it can't read past the first byte in a 1.44MB .exe file).

I'm getting ready to try running a program against it now, opening it read only and ignoring errors to see what the deal is with it.

It could be that they did something strange with the sample posted in their forums. But, I don't recall ever seeing anything like this before. The newer .exe file I created with the version of PTE I downloaded doesn't have these problems.


JimC is offline   Reply With Quote
Old Oct 8, 2005, 6:03 PM   #7
Administrator
 
Join Date: Jun 2003
Location: Savannah, GA (USA)
Posts: 22,378
Default

Lin:

I'm not sure the problem is AVG. I'm getting very strange symptoms here, and I'm thinking it's a Windows issue somehow based on trying to read the sample .exe file.

I don't recall getting any new Windows updates lately.

But, I shouldn't be seeing what I'm seeing with the PTE .exe file I'm playing with now (looks like the OS is trying to prevent me from reading it - yet when I rename it to a different type of file I can see it with my programming tools, even though the file contents are identical).

I'll keep you posted. Something very strange is going on with it.

Jim C.


JimC is offline   Reply With Quote
Old Oct 8, 2005, 6:19 PM   #8
Administrator
 
Join Date: Jun 2003
Location: Savannah, GA (USA)
Posts: 22,378
Default

The operating system is trying to intervene in some manner when it sees a PTE .exe file (the sample posted by their admin created with an older version of PTE).

I don't know how or why. But, the OS is trying to keep you from reading it. That's probably what is throwing off AVG.

It doesn't matter what the name of it is if it ends in .exe.

As soon as you try to open it -- access denied (every tool I've tried so far with it).

Yet, I can rename it to something without the .exe extension and bingo -- I can read it fine. If I try to copy it, access denied.

I can read what I rename it to just fine.

Rename it back to a .exe file. Same problem.

The OS won't let me read it with any tool I've got. Ditto for copying a renamed file (non .exe extension) to a different .exe name. The OS won't let you read it.

It's got to be a Windows problem somehow, some way (but, I've never seen anything like this before).

Other .exe files do not exhibit these symptoms. So, the OS has got to be seeing something in the file that's triggering this behavior (but it only looks if it's named with a .exe extension).



JimC is offline   Reply With Quote
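
The rename test described in the post above can be scripted so the result is repeatable. This is an added example, not part of any post in the thread: `probe`, `classify` and the `SAMPLE` bytes are constructed for illustration, and the script only reports whether read failures depend on the file name; it does not identify which component is blocking access.

```python
import hashlib
import os
import tempfile

# Constructed stand-in bytes (an "MZ" prefix plus padding), not a real program.
SAMPLE = b"MZ" + bytes(510)

def probe(data, extensions=(".exe", ".bin", ".dat")):
    """Write the same bytes under each extension and try to read them back.

    Returns {ext: (outcome, sha256 or None)}; outcome is "ok", "write-denied",
    "read-denied" or "missing" (the file vanished between write and read).
    """
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for ext in extensions:
            path = os.path.join(workdir, "sample" + ext)
            try:
                with open(path, "wb") as fh:
                    fh.write(data)
            except PermissionError:
                results[ext] = ("write-denied", None)
                continue
            try:
                with open(path, "rb") as fh:
                    results[ext] = ("ok", hashlib.sha256(fh.read()).hexdigest())
            except PermissionError:
                results[ext] = ("read-denied", None)
            except FileNotFoundError:
                results[ext] = ("missing", None)
    return results

def classify(results, data):
    """Say whether failures follow the file name or apply to every name."""
    want = hashlib.sha256(data).hexdigest()
    failed = sorted(ext for ext, (outcome, _) in results.items() if outcome != "ok")
    altered = sorted(ext for ext, (outcome, digest) in results.items()
                     if outcome == "ok" and digest != want)
    if altered:
        return "content changed as: " + ", ".join(altered)
    if not failed:
        return "readable under every name, content unchanged"
    if len(failed) == len(results):
        return "blocked under every name"
    return "blocked only as: " + ", ".join(failed)

if __name__ == "__main__":
    outcome = probe(SAMPLE)
    print(outcome, classify(outcome, SAMPLE), sep="\n")
```

To test a real file, pass its bytes (read from a copy under a name that can be opened) to `probe` in place of `SAMPLE`, and run it once with the on-access scanner enabled and once with it disabled.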
Old Oct 8, 2005, 6:29 PM   #9
Moderator
 
Join Date: Jun 2002
Posts: 1,139
Default

Have you tried to simply "run" the executable? If so and it didn't work and you received the message "access denied" I would guess that it's one of the corrupted files which AVG has rendered useless. I have identical executable files (duplicates of the ones destroyed by AVG) which work perfectly on CD. There is no problem with the executables themselves, they have been working fine for over a year and work on all seven of our Windows based computers with operating systems including 98, ME, 2000 and XP Home Edition.

It's entirely possible that AVG simply corrupted your file as soon as it was downloaded. It's definitely a strange problem, but definitely an AVG rather than Windows issue because I can download the files from the CD to any of our systems where AVG is not resident and they work just fine. When I downloaded them to the system with AVG active it immediately corrupts them and Windows returns an "access denied" command when I tried to run them..... Go figure.....

Best regards,

Lin
Lin Evans is offline   Reply With Quote
Old Oct 8, 2005, 6:40 PM   #10
Administrator
 
Join Date: Jun 2003
Location: Savannah, GA (USA)
Posts: 22,378
Default

Lin:

I'm testing with the one Ken Cox posted on their forums (suggesting an e-mail be sent to Grisoft with a link to it). So, I guess it's possible it's corrupted in some manner (but, I've never seen anything like this before).

The copy I've got is unchanged from the .zip he posted. Just to make sure, I even downloaded it again without any virus protection at all turned on.

VERY ODD.

Even if it is corrupted in some manner, that would not explain the symptoms I'm getting. Without ever trying to run it (just trying to read it using programs treating it as a binary file), the OS is stopping me with access denied errors (I'm trapping for the errors in the program). But, that only happens if it's still named with a .exe extension.

I have never seen this type of thing -- ever. It's almost as if the operating system has some kind of special hooks in it whenever it sees a certain combination of bytes in the file you're trying to read.

I just now registered on the forums, and I'm going to make a post in the thread about it and see if anyone can explain it.


JimC is offline   Reply With Quote
 
All times are GMT -5.