I just installed Avast 4.6 Home and after the system restarted, McAfee VirusScan (my previous virus scanner that I thought I had disabled before installing Avast, but I guess it didn’t after all) found the Exploit-ScomRPC.gen in four different files in the Windows\Temp-Avast4_ folder. I checked the folder and it was empty.
I thought Avast was supposed to find Virii and trojans not be one?
Has anyone else seen this behavior and should I be worried?
No, no and no. avast! doesn’t contain malware and it’s certainly not one.
%TEMP%_avast_* folder is used for unpacked files and for Web Shield component scanned files.
And when avast! unpacks it there, other AVs detect them there.
I have seen a similar thing when using only Web Shield with NOD32 AMON.
When I excluded the avast folder from AMON, everything worked just fine.
So, there are parts of Avast that appear to be a Trojan but are not actually a Trojan? I’m assuming that Avast is a reputable program, but it is a bit of a concern when it behaves like a Trojan (or at least appears to behave like one). If this is legitimate behavior, why isn’t it mentioned in the FAQ? I’m just trying to understand this, not lay blame.
Bawdyn, no part of avast! appears to be a trojan. You are simply experiencing a conflict between two antiviruses - it’s not a good idea to have two antivirus programs installed.
When avast! detects an archive during a scan, it unpacks it to a temporary file (to be able to scan its content). After the temporary file is scanned, it is deleted. However, as soon as avast! creates the temporary file on your computer, the resident protection of McAfee pops up, announcing a virus there.
So, the virus/trojan is already somewhere on your computer… and McAfee is interfering with avast!'s scanning process.
Bawdyn, no part of avast! appears to be a trojan. You are simply experiencing a conflict between two antiviruses - it's not a good idea to have two antivirus programs installed.
I agree. I had thought I had disabled McAfee (I wanted the option of going back to it easily if I needed to), but it still loaded.
When avast! detects an archive during a scan, it unpacks it to a temporary file (to be able to scan its content). After the temporary file is scanned, it is deleted. However, as soon as avast! creates the temporary file on your computer, the resident protection of McAfee pops up, announcing a virus there.
This is interesting, and it does make sense.
So, the virus/trojan is already somewhere on your computer... and McAfee is interfering with avast!'s scanning process.
I did a complete scan with McAfee and it found nothing. I did the complete scan on boot with Avast! and it also found nothing. The only detection was by McAfee after the Avast Boot scan. Both complete scans didn’t find a trojan, so I wonder where it is and how I can get rid of it?
Well, that’s interesting. I think I can explain why neither of those 2 AVs detects the malware, but “both together” do - it could be caused by the fact that McAfee is not able to (or simply does not) unpack those specific files, and cannot detect the malware without unpacking. avast!, on the other hand, is able to unpack the archive, but doesn’t detect either the packed or the unpacked version. However, if avast! unpacks the archive, McAfee is able to detect it.
(That’s just a theory, of course).
What is strange, however, is that the files were left there during the boot-time scan - do I understand it correctly? Are you sure that the boot-time scanner is really the cause? I mean, I wouldn’t expect McAfee to be able at the time, and the boot-time scanner shouldn’t keep the files in TEMP (besides, the boot-time scanner doesn’t support many archives right now). I would rather expect McAfee to announce the malware during an ordinary avast! on-demand scan, or even when avast! resident protection is scanning something.
I guess it would be necessary to see those reported files to say more…
igor, I was experimenting exactly with this thingie.
avast! intercepts it first because of Web Shield. But Web Shield also unpacks (or let’s say caches) everything into avast4 folder. And just before avast! would announce malware inside that file, another On-Access scanner “steals” it from avast! and shows a warning. I was experimenting with NOD32 without HTTP scanning and got exactly the same results as bawdyn (except I was running NOD32 instead of McAfee, but that doesn’t matter). Adding “%TEMP%_avast4_” folder into the exclusion list (for On-Access scanner) will resolve this problem while maintaining full functionality of both antiviruses.
Thank you both for your insight. Just to clarify, here is the order I did things:
downloaded Avast!
Shutdown McAfee (System Tray - Exit and Shutdown Service)
MSConfig - Disabled Service and Disabled Start for McAfee
Installed Avast! with option to do boot scan on startup
Restart
Bootscan reports 4 files with Error: 0xC000030 (I think that was the error code, I wrote it down, but I’m now offsite and going from memory) (eg. ntfs.sys) all of these files were in NTUnInstall folders
Thought that was strange, wrote it down
Scan finishes, boot continues, Login to WinXP Pro
Intro Avast! popup, Avast Popup warning that invisible proxy might not work with ZoneAlarm
McAfee popup that it found the trojan (was four of them, maybe the same four files with the error?), didn’t I disable that?
Panic!
Breathe!
McAfee says it doesn’t have the right to Delete the files, check the folder and they aren’t there.
Search Google groups, then Avast FAQ, then submit my post.
Try McAfee full scan to see if it still finds the Trojan, doesn’t.
I think RejZoR might be on to something. It may not have been the bootscan. I’ll know more when I get back and reboot the PC.
I’m still left with not knowing where the trojans are or if they even exist (or ever did exist). Maybe they are hiding in those UnInstall folders and are the files the Bootscan errored on? I think I’ll disable McAfee again (I don’t know how it keeps coming back!) and then do a full scan in Avast (vs the bootscan) and see what happens.
Bawdyn, you’ll remain in danger by only disabling McAfee… It would be better to uninstall it completely.
The boot-time scanning crashes should be due to two antiviruses on the same machine.
Shutting down McAfee won’t solve it, in my opinion.
Can’t the files be blocked by avast while McAfee is scanning them?
Can’t the files be generated by avast while unpacking archives and scanning them…?
It would be better to have just one antivirus.
If you find a virus keeps coming back after you delete it, it has most probably infected the System Restore folder. The best way to solve this is to disable System Restore, reboot your machine and then enable it again. After all that, run a full avast! scan. System Restore cannot be disabled on Windows 9x.
If you have XP: Schedule a boot time scanning (Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot).
If you have Windows 98\Me: boot in SafeMode (repeatedly press F8 while booting): http://support.microsoft.com/default.aspx?scid=kb;en-us;315222
A full scanning with avast, Ad-aware, SpyBot and Microsoft Antispyware
I wanted to test drive Avast! first. I wanted to make sure I wanted to switch before actually deleting McAfee. Once I make the decision on which scanner to keep, I will uninstall the other one. Bootscan did not crash.
Can't the files be blocked by avast while McAfee is scanning them?
Yes, but that isn’t the point. I’m trying to determine if I have the Trojan or a false positive.
Followup on my previous post:
- Bootscan reports 4 files with Error: 0xC000030 (I think that was the error code, I wrote it down, but I'm now offsite and going from memory) (eg. ntfs.sys) all of these files were in NTUnInstall folders
It was five files, Actual error code was 0xC0000022, Folders were $NTUninstall...., Files were mup.sys, snmp.exe, ntkrnlpa.exe, ntoskrnl.exe, ntfs.sys.
Today:
Boot, disable McAfee, do Avast! full scan thorough
Found two completely different worms (one in an e-mail message (kak), but since I use Mozilla it never got deployed, one in downloaded shareware that I didn’t get around to installing, guess I never will now)
Still don’t know what happened, but feeling more confident that I’m not infected.