Adware

I received warnings during avast scanning that there is an infection:
win 32 Adware-gen|Adw| (3X)…
Please could you repeat the procedure or what to do?
For the moment I sent them to the chest as recommended
BUT is it better now to rescan in safe mode???
Thanks in advance
Topaze-

Hi topaze,

You would be better off doing a boot time scan with avast!:

Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

As adware was detected, you would be well advised to run these free scanners which all detect adware and adware Trojans:

AVG Anti-spyware (requires Win2k/XP):

http://www.ewido.net/en/product/

a-Squared Free:

http://www.emsisoft.com/en/software/free/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy:

http://www.safer-networking.org/en/download/index.html

Run them in Safe Mode if possible.

Thank you FreewheelinFrank,

select ‘schedule a boot time scan’ = local disc and archives ?

I have run a-squared and ad-aware, they found the same, was not in safe mode…

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

If you want confirmation of a good detection, you could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners. Post the results here.

Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.

Scanning archives will take longer but is a more thorough scan, although as far as I know active malware doesn’t run from an archive.

Here are the results at the avast journal:

Adw "has been found in"D:\proga~1\bluewin\bluewin.dll"file
…"http://de.bluewin.ch/services/bluewin-tools/toolbar/4/downloads/bluewin-toolbar4-fr.exe\blue
Adw…found in "D:\Documents and settings\C…\Bureau\Nouveau Porte-document\bluewin-toolbar4-fr,ex…
Adw…found in "D:\System Volume Information-restore(A5871EDD-…etc…
Bluewin is my email account (from 3 years never had any problems with).

Today the bluewin toolbar was off, when I wanted to redownload, avast was warning me!
Maybe I must speak with the bluewin team too-

So I have scheduled a boot time scan as you suggested and then rebooted-
And next step ?

It could be a false positive. The toolbar is listed as safe here:

http://www.spywaredata.com/spyware/spyware-adware/toolbar/4/results.php

See here for dealing with false positives:

http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

During the boot time scan you will have a number of options if malware is detected. There’s a screenshot here:

http://bcheck.scanit.be/bcheck/page.php?name=HIJACKED&page=7

There’s now also an option to ‘move to chest’ which is most often the best bet.

I too think it could be a false positive, but you need to confirm that using the links and advice in my last post. If confirmed as an FP, then follow the link frank gave to submit it to avast, exclude it from future scans and obviously restore them from the chest.

You might also want to do a forum search for bluewin, I recall bluewin from a previous topic, not sure if that was about detection though.

Thanks for replies both of you

I made a full scan with avast and system restore off: nothing was found now-
Then I ran a scan with Ad-aware and a-squared in safe mode: nothing found-

@DavidR:

"If you want confirmation of a good detection, you could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners. Post the results here."

Yes, but the corrupted files are in the chest and I can’t scan them there. Do I take them out of there to be scanned?

T.

As I mentioned in reply #3 yes you do.

In the chest, right click on the file and select extract (a copy), now you need to select a temporary folder to be able to upload and scan it.

You also mention corrupted files in the chest, do you mean infected files ?
Files that can’t be scanned because they are corrupt isn’t an indication they are infected, they just can’t be scanned.

I submitted the file to VirusTotal, here are the results:

Avast 4.7.936.0 03.22.2007 Win32:Adware-gen.
AVG 7.5.0.447 03.22.2007 Adware Generic.OIF
Ewido 4.0 03.22.2007 Adware.BHO
Kaspersky 4.0.2.24 03.22.2007 not-a-virus:AdWare.Win32.BHO.al
Norman 5.80.02 03.22.2007 W32/BHO.CW
Panda 9.0.0.4 03.22.2007 Suspicious file
UNA 1.83 03.16.2007 Adware.BHO.A459
VBA32 3.11.2 03.22.2007 suspected of Trojan.Delf

So what do I have to do now? Send this to avast?
Sorry I feel very uncomfortable by manipulating all this pc stuff… :-
Topaze-

It won’t help as avast already detects it…
You need to send the file to avast Chest and do not execute (use) it…

"You need to send the file to avast Chest and do not execute (use) it… "

and I let it there sleep ?

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Thank you for good advice

So it was a virus, not a false positive??

It doesn’t appear to be a false positive as it has been detected by a number of different AVs, but I still have my doubts. Your Bluewin is a webmail browser based email option, e.g. you view your email using your browser and this might have a BHO (Browser Helper Object) to help with this.

Adware is different to a virus, a virus infects other files, adware usually delivers adverts, usually in the form of pop-ups and or browser redirects, etc. often this is in the form of p - 0 - r - n - 0 - graphy and I don’t think you are seeing any of that (?) otherwise you would have said.

Since 4 of the detections mention BHO in the malware name it could be that as the file name you were also trying to download indicates a toolbar ‘bluewin-toolbar4-fr.exe’ so bluewin.dll may just be the library file. Does Bluewin deliver adverts with the email ?

I really do think this is a legit file for your Bluewin email, but I can’t give you a categoric assurance that it is an FP, but I would certainly suggest sending a copy to avast for analysis. Send the sample to virus@avast.com zipped and password protected with password in email body and possible false positive in the subject. Or you can also send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a possible false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

Can you still get your email without the toolbar ?

"often this is in the form of p - 0 - r - n - 0 - graphy and I don’t think you are seeing any of that (?) otherwise you would have said."

Are you kidding? I’ve never gone this way and don’t even want to anyway.

"Does Bluewin deliver adverts with the email ?"

No, I didn’t receive any adverts from Bluewin, it’s why I am very astonished-

"Or you can also send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest."

Can I do this directly from the chest without needing to have another email account (for example Outlook)? Because I haven’t configured this on my PC.

"Can you still get your email without the toolbar ?"

Yes, but I need a few more clicks!
I have talked with Bluewin and they haven’t heard of any virus infections inside the bluewin toolbar-(!!)-
Topaze-

That is why I mentioned some of the symptoms likely to be experienced ‘if’ you had adware on your system (and unwanted/unsolicited p-0-r-n) if you aren’t seeing any of these symptoms then that too increases the likelihood that it is adware.

Sorry, if you can’t send email from your system without having a pop3 based email client, you would have to try and send the sample (zipped and password protected, see below). I assume you can send email with attachments using Bluewin?

If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest (after adding it to the User Files section of the chest).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You would need to restore the file from the chest (right click on it and select Restore), avast will likely alarm, choose no action. You will need to add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

Periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.