GreenWhite
Private

 Joined: Jan 17, 2005 Posts: 46 Location: Malaysia
Posted: Sun Jul 17, 2005 8:56 am Post subject: Madtol.C in TrojanHunter 4.2
Recently, every time I start my computer AntiVir detects this:
7/17/2005,16:22:34 WARNING: Contains signature of the SPR/Madtol.C program!
C:\DOCUME~1\JERRY\LOCALS~1\TEMP\MC23.TMP
Now, this happens to be from THGuard.exe of the TrojanHunter program. Prevx Pro also detected it as:
Tried registry key: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\MCHINJDRV\
Valuename: IMAGEPATH
Old Value: 0x
New Value: \??\C:\DOCUME~1\JERRY\LOCALS~1\Temp\mc23.tmp
Since then I have consulted the TrojanHunter support forum and they've confirmed it to be a false positive.
Anyone else having this problem lately?
I have tried the English AntiVir forum to report this but I do not know how to use it or where to click for "new topic" because the whole menu is in German!
Thanks.
mav1976
Sergeant

 Joined: May 22, 2005 Posts: 116
Posted: Sun Jul 17, 2005 10:10 am Post subject:
Hi Greenwhite,
that's very difficult to say: "That's a false positive". These messages are received by users who installed various anti-spyware programs (0190-Warner, Steganos etc.). It's detected as Riskware. Not only AntiVir recognizes this as Riskware.
H+BEDV does know that. But your temp file "MC23.tmp" is a driver which provides for program code to be injected into other processes. That's also typical behaviour of malware.
In the German forum there is an interesting contribution to read about that. Unfortunately, only in German. But maybe mrrockford can translate it.
http://www.free-av.de/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=12&t=006280&p=6#000088
The only solution is deactivating "SPR" in the configuration of the AntiVir Guard. [Right click on the icon --> Configure AntiVir Guard --> Unwanted Programs --> uncheck the box "Security Privacy Risk (SPR)"]
Another interesting link which describes what I mean: http://forum.kaspersky.com/index.php?showtopic=511&view=findpost&p=3082
--- Edit ---
PS: Here is the unofficial translation of the most important German texts: http://www.free-av.de/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=22&t=000347
_________________
regards, mav
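mav1976's point above, that a .tmp file in a user's Temp directory registered as a kernel driver which injects into other processes is exactly what malware also does, is worth turning into a triage check rather than a judgement call. The Python below is an added example, not code from this thread or from AntiVir, TrojanHunter or Prevx: it parses the two log shapes quoted in the first post (AntiVir Guard `WARNING:` lines, each followed by the path of the hit, and a Prevx "Tried registry key / Valuename / New Value" block), classifies the AntiVir prefix (SPR is AntiVir's "Security Privacy Risk" riskware class, BDS a backdoor), strips the `\??\` object-manager prefix from the ImagePath, and flags any service whose image lives under a Temp folder regardless of the AV verdict. The sample lines are the ones quoted in this thread; the format assumptions (one path line after each WARNING line, the exact Prevx field labels, only the SPR and BDS prefixes being distinguished) are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Sample AntiVir Guard log lines, taken from this thread (the same TrojanHunter
# temp driver flagged twice, under different names and severities).
GUARD_LOG = """\
7/17/2005,16:22:34 WARNING: Contains signature of the SPR/Madtol.C program!
C:\\DOCUME~1\\JERRY\\LOCALS~1\\TEMP\\MC23.TMP
7/19/2005,0:23:46 WARNING: Contains a signature of the (dangerous) backdoor program BDS/Graybird.N.1 Backdoor server programs!
C:\\DOCUME~1\\JERRY\\LOCALS~1\\TEMP\\MC22.TMP
"""
# Sample Prevx Pro event, taken from this thread (a service ImagePath being set).
PREVX_LOG = """\
Tried registry key: \\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\SERVICES\\MCHINJDRV\\
Valuename: IMAGEPATH
Old Value: 0x
New Value: \\??\\C:\\DOCUME~1\\JERRY\\LOCALS~1\\Temp\\mc23.tmp
"""
# AntiVir name prefixes seen on this page: SPR = "Security Privacy Risk" (riskware),
# BDS = backdoor. Assumption: anything else can be reported as "other".
VERDICT_CLASS = {"SPR": "riskware", "BDS": "backdoor"}
# "<timestamp> WARNING: ... <PREFIX>/<Name> ..."; assumption: the hit's path is
# always on the following line, as in the Guard log quoted above.
GUARD_RE = re.compile(r"^(?P<ts>\S+) WARNING: .*?\b(?P<prefix>[A-Z]{2,4})/(?P<name>[\w.]+)")


@dataclass
class Detection:
    timestamp: str
    prefix: str
    name: str
    path: str

    def verdict_class(self) -> str:
        return VERDICT_CLASS.get(self.prefix, "other")


@dataclass
class RegistryWrite:
    key: str
    value_name: str
    new_value: str


def parse_guard_log(text: str) -> List[Detection]:
    """Pair each Guard WARNING line with the path line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    hits = []
    for i, line in enumerate(lines):
        m = GUARD_RE.match(line)
        if m and i + 1 < len(lines):
            hits.append(Detection(m["ts"], m["prefix"], m["name"], lines[i + 1]))
    return hits


def parse_prevx_events(text: str) -> List[RegistryWrite]:
    """Collect 'Tried registry key / Valuename / New Value' blocks."""
    events, cur = [], {}
    for line in text.splitlines():
        label, _, rest = line.partition(":")
        if label == "Tried registry key":
            cur = {"key": rest.strip()}
        elif label == "Valuename":
            cur["value_name"] = rest.strip()
        elif label == "New Value":
            events.append(RegistryWrite(cur.get("key", ""), cur.get("value_name", ""), rest.strip()))
            cur = {}
    return events


def nt_to_win_path(path: str) -> str:
    """Strip the \\??\\ object-manager prefix the kernel stores in ImagePath."""
    return path[4:] if path.startswith("\\??\\") else path


def is_temp_path(path: str) -> bool:
    """True if any directory component (not the filename) is a Temp/Tmp folder."""
    parts = nt_to_win_path(path).upper().split("\\")
    return any(seg in ("TEMP", "TMP") for seg in parts[:-1])


def is_service_image_write(ev: RegistryWrite) -> bool:
    return "\\SERVICES\\" in ev.key.upper() and ev.value_name.upper() == "IMAGEPATH"


def temp_service_images(prevx_text: str) -> List[Tuple[str, str]]:
    """(service name, Windows path) for every service whose ImagePath points into Temp."""
    return [(e.key.rstrip("\\").rsplit("\\", 1)[-1], nt_to_win_path(e.new_value))
            for e in parse_prevx_events(prevx_text)
            if is_service_image_write(e) and is_temp_path(e.new_value)]


def correlate(guard_text: str, prevx_text: str) -> Set[str]:
    """Filenames both flagged by AntiVir and registered as a service image."""
    flagged = {d.path.rsplit("\\", 1)[-1].upper() for d in parse_guard_log(guard_text)}
    registered = {nt_to_win_path(e.new_value).rsplit("\\", 1)[-1].upper()
                  for e in parse_prevx_events(prevx_text) if is_service_image_write(e)}
    return flagged & registered


if __name__ == "__main__":
    for d in parse_guard_log(GUARD_LOG):
        print(d.timestamp, d.verdict_class(), f"{d.prefix}/{d.name}", d.path)
    print("services loading from Temp:", temp_service_images(PREVX_LOG))
    print("same file in both logs:", sorted(correlate(GUARD_LOG, PREVX_LOG)))
```

`correlate` is the useful part: the two AntiVir names (SPR/Madtol.C, later BDS/Graybird.N.1) and the Prevx registry write all point at the same driver file, so the question to settle before accepting either the "riskware" or the "false positive" verdict is which product installs the MCHINJDRV service, not what the signature happens to be called this week.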
mrrockford
News Admin
 AVPE Host

 Joined: Apr 24, 2004 Posts: 3012
Posted: Sun Jul 17, 2005 10:13 am Post subject:
Howdy,
From www.free-av.com
New viruses and suspect files
Any viruses which cannot yet be detected or removed by the AntiVir Personal Edition or which appear suspect should be packed (WinZIP, PKZip, Arj etc.) and emailed as an attachment to virus@free-av.com. Since some email gateways use antivirus software, you should also give the file a password to prevent them from being unpacked without warning (please don’t forget to tell us the password in your email!).
Give them the same info from your post above and they will get back to you. Please let us know the results.
You might want to try Crap Cleaner to clear out your temp files, as that is where the problem is located. CC is available in the download section located on the left side.
Edited to add: mav beat me to the punch. I have read through the German board info and will be testing later this evening on an XP SP2 machine. I will post my results when completed.
_________________
"Anyone who considers protocol unimportant has never dealt with a cat."
L. Long
GreenWhite
Private

 Joined: Jan 17, 2005 Posts: 46 Location: Malaysia
Posted: Sun Jul 17, 2005 12:28 pm Post subject:
Thanks for the feedback.
Mrrockford and mav1976,
I have sent the SPR virus to Antivir for confirmation and am awaiting their reply or suggestion. I will post the reply when I get it.
By the way, I make an effort to delete all the cache and temp files before I shut down my computer, using the Eraser program. I also have the latest CCleaner tool as a reference for Eraser so I can securely delete all the rubbish.
Thanks to both of you.
TopperID
Captain

 Joined: Oct 14, 2004 Posts: 375 Location: UK
mrrockford
News Admin
 AVPE Host

 Joined: Apr 24, 2004 Posts: 3012
Posted: Sun Jul 17, 2005 8:42 pm Post subject:
Howdy,
I tried all the programs listed on the German Board that are giving problems except for the Steganos stuff and got no - repeat no detection! TH was also tested with same results. Maybe AVPE vdf update fixed it?
Sorry I can't give you a better answer other than to say that H&BEDV are aware of the problem and that you are not alone. I will be following the German thread to pass along any results posted there.
In the meantime clear out your temps and that should get rid of the problem. Something else you might want to try is to take TH out of autostart, reboot and then start TH manually, scan with AVPE and see if it is still detected.
_________________
"Anyone who considers protocol unimportant has never dealt with a cat."
L. Long
GreenWhite
Private

 Joined: Jan 17, 2005 Posts: 46 Location: Malaysia
Posted: Mon Jul 18, 2005 5:14 am Post subject:
I have the latest Antivir 6.31.0.223 vdf and I'm still encountering the problem upon every start.
I'm still waiting a reply from Antivir.
mrrockford, yes I disabled THGuard at startup previously and the alert stopped. It is a good temporary solution but enabling it manually seems like a hassle as time goes on.
As such I'll bear with the alert for the moment though.
Thanks.
Edit: I've scanned the computer and there's no virus.
GreenWhite
Private

 Joined: Jan 17, 2005 Posts: 46 Location: Malaysia
Posted: Mon Jul 18, 2005 5:27 am Post subject:
This excerpt is from TopperID, from the link he provided, and he described exactly the way it behaved. I hope TopperID doesn't mind.
"Oops! Sorry benaround3, if it was found by the Guard it will be in your NTGRDRT.log! AVWIN is for the demand scanner. So from this I can determine that your AntiVir Guard is finding it during on-access scans but apparently the demand scans from the main AntiVir program are not finding anything.
What I think is happening is that Trojan Hunter is unpacking files during its scanning process and making copies in temporary locations which are then scanned and would normally be subsequently deleted. During this activity the temp file comes to the attention of the AntiVir Guard which then blocks and deletes it."
GreenWhite
Private

 Joined: Jan 17, 2005 Posts: 46 Location: Malaysia
Posted: Mon Jul 18, 2005 12:25 pm Post subject:
This is the reply I got from Antivir;
[ Start of e-mail ]
We thank you for your e-mail.
We recommend renaming the file regedit.exe to regedit.com at the DOS prompt and starting it. Then restore the following entry in the registry:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
We would like to point out particularly that changes in the registry can cause serious problems on your system. If necessary, please contact a specialist on site.
NOTE: We assume no liability for system changes such as entries in the registry. We ask for your understanding.
<Optional off>
In addition, we recommend carrying out a basic virus clean-up.
Please proceed as follows:
1. Update AntiVir; the virus definition file (VDF) 6.30.00.10 is currently up to date
2. In case you use Windows ME or Windows XP, deactivate System Restore
3. Start the computer in safe mode
4. Please start the AntiVir main program in safe mode and change to the configuration menu via Options.
Please set the search to all files (not only program and macro files) under the item "Search"
5. Scan all your drives and directories
6. Please delete manually afterwards, using the report (AVWIN.LOG), any archives that could not be deleted
7. To be certain, we recommend carrying out a security scan again after the virus clean-up
8. Finally, restart the computer (normal mode) and reactivate System Restore, if available
We recommend carrying out Microsoft updates regularly to close possible security holes.
If this procedure should not lead to the desired success, please send us the infected files as a zip file with password to the following address:
virus@antivir.de
We are available for further questions. [ END OF E-MAIL ]
I'm puzzled by the vdf file 6.30.00.10. Aren't we at 6.31.0.225 ?
What say you guys?
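AntiVir's canned reply is written for a machine whose .exe file association has been hijacked: that is why it has you run regedit as regedit.com (a .com still launches when the exefile handler is broken) and then restore the default command. As an added example that is not AntiVir's code, the Python below checks an `HKEY_CLASSES_ROOT\exefile\shell\open\command` default value against the stock `"%1" %*`, reports any program interposed in front of the real target, and produces .reg text with the `\"` escaping that the quoted email's rendering of the value lost. The hijacked sample value (`C:\WINDOWS\svchost32.exe`) is constructed for illustration, and the script works on a string you paste in rather than reading the live registry.

```python
from typing import Dict, List, Optional

# Stock default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, as stored
# (unescaped) in the registry.
STOCK_TOKENS = ['"%1"', '%*']
PLACEHOLDERS = {'"%1"', '%1', '%*'}


def split_command(value: str) -> List[str]:
    """Split a shell\\open\\command string on whitespace outside double quotes,
    so that a quoted path containing spaces stays one token."""
    tokens, cur, in_quotes = [], "", False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
            cur += ch
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def check_exefile_command(value: str) -> Dict[str, Optional[object]]:
    """Report whether the value is the stock handler and, if not, the first
    non-placeholder token, i.e. the program interposed before the real target."""
    tokens = split_command(value.strip())
    if tokens == STOCK_TOKENS:
        return {"stock": True, "interposed": None}
    extra = [t for t in tokens if t not in PLACEHOLDERS]
    return {"stock": False, "interposed": extra[0].strip('"') if extra else None}


def restore_reg_text() -> str:
    """.reg file content restoring the stock handler. Inside a .reg REG_SZ value
    a literal double quote must be written as \\" and the whole value quoted."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n"
        '@="\\"%1\\" %*"\n'
    )


if __name__ == "__main__":
    # Constructed samples: the stock handler and a hijacked one.
    for sample in ['"%1" %*', 'C:\\WINDOWS\\svchost32.exe "%1" %*']:
        print(repr(sample), "->", check_exefile_command(sample))
    print(restore_reg_text())
```

Reading the value from the registry on a live system and pasting it into `check_exefile_command` is deliberate: a hijacked exefile handler means every .exe you start (including a checker) passes through the interposed program first, which is the same reason the email reaches for regedit.com.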
TopperID
Captain

 Joined: Oct 14, 2004 Posts: 375 Location: UK
Posted: Mon Jul 18, 2005 1:17 pm Post subject:
Phew! Well I don't know about you but I found that email rather difficult to read and understand.
Basically they are telling you to do the standard cleaning procedure in 'safe mode', configuring AntiVir to search within 'all files', and requesting that you submit to them any infected file you find.
The reference to vdf file 6.30.00.10 suggests this was a standard reply, that has been cut and pasted, and they haven't troubled to update it. For that reason I would not take much notice of it!
So let us hope that they will take on board the file submitted and find a solution.
I might add that disabling the SPR option in the Guard is a perfectly valid way of temporarily getting round the problem. It is not necessary to look out for 'riskware' during on-access scans. That sort of thing can be just as well left to demand scans with the main program. Riskware is not malware in any case.
GreenWhite
Private

 Joined: Jan 17, 2005 Posts: 46 Location: Malaysia
Posted: Mon Jul 18, 2005 4:16 pm Post subject:
I don't think it's a custom response to my e-mail. I've sent them the file and this is what I got.
So I guess this is one of the drawbacks of a free program.
I just came from the TH support forum and siliconman has e-mailed them the MC23.tmp file.
Magnus has noted that there is nothing he can do about it and I really need to tell Antivir of the false positive.
I've seen other people are having the same problem too. Some for using Steganos, SpySweeper and other anti-spyware app. And all those have been quite a while before me but still no solution.
I know I can just disable the SPR detection but that remains not a solution.
In the meantime, I'll just lie low like everybody else who are having the problem and see what happens next.
GreenWhite
Private

 Joined: Jan 17, 2005 Posts: 46 Location: Malaysia
Posted: Mon Jul 18, 2005 4:26 pm Post subject:
Oh by the way, now it's been upgraded to "very dangerous". From the latest definition 6.31.0.229:
7/19/2005,0:23:46 WARNING: Contains a signature of the (dangerous) backdoor program BDS/Graybird.N.1 Backdoor server programs!
C:\DOCUME~1\JERRY\LOCALS~1\TEMP\MC22.TMP
What will they think of next?
TopperID
Captain

 Joined: Oct 14, 2004 Posts: 375 Location: UK
Posted: Mon Jul 18, 2005 6:26 pm Post subject:
It appears that disabling the SPR detection is not a solution after all - at least not now!
GreenWhite
Private

 Joined: Jan 17, 2005 Posts: 46 Location: Malaysia
Posted: Wed Jul 20, 2005 7:40 pm Post subject:
Finally, with the latest Scan Engine update, the problem has been solved.
Scan Engine 6.31.1.0
VDFFile 6.31.1.1
AVRep.dll 6.31.01.00
For those who are directly or indirectly involved with the replies, I'd have to say a big thank you for the time and effort spent.
Cheers.
TopperID
Captain

 Joined: Oct 14, 2004 Posts: 375 Location: UK