EDIT: The only thing that Avast couldn't flag, whether it was a boot-time scan or not, was the actual EXE; I'm sure both scans would find the 2 temp files that were created after the EXE was run.

Well, I would not know, but I can guess it is the actual EXE that injects the trojan into temp; the EXE does not necessarily have the same build as the trojan left behind after the EXE has already run.

So please correct me if I'm wrong, but can the actual EXEs pass scans while the damage left behind can still be fixed / detected by the same definitions as the scan?

If so, NOD32 was able to detect that "sig" before the damage was done, and Avast was not. Could the reason be the way the virus was packaged? Like a method that Avast is not aware of (that NOD32 is)?

It made me think: which ability is more important, the ability to flag EXEs before they do damage, or the ability to correct / detect the aftermath? Because obviously, it found the temp files infected and they were caused by the EXE.

As for it not running in a VM, your own VM? Or that feature from Avast where it isolates the EXE and runs it in the cloud (or whatever)? Is this a practicable way of "testing" EXEs? Does it not running in a VM cause you concern?

I forgot to mention my exact specs:

Running Windows 7 Ult 64 bit (UAC off and firewall restricted)
SP1 (up to date)
iMac Intel Boot Camp 64-bit

UPDATE:

As I said before, I have no reason to believe I am still infected… BUT after the boot-time scan from Avast found those 2 temps, it claimed to delete them. I ran 1 quick scan with Malwarebytes and found nothing. The full scan did find some false positives :wink: but other than that I think I'm clean; I will post any logs if I find anything else!