Avast apparently fails to block detected viruses

This past weekend a computer help forum I access was hacked. Avast detected the viruses and advised me there was nothing to worry about, that the viruses had been blocked. I then tried to do an online Panda scan. Again Avast warned me that Panda had also been infected and not to worry. I did get a screenshot of the Avast warning:

http://img205.imageshack.us/img205/8061/screenshot019ci3.jpg

However on doing a Kaspersky scan I find out that I have 4 viruses on my computer as well as other miscellaneous malware. Here is the relevant part of the scan:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 26, 2006 8:38:24 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/07/2006
Kaspersky Anti-Virus database records: 197487

  Scan Settings
  Scan using the following antivirus database: standard
  Scan Archives: true
  Scan Mail Bases: true

  Scan Target: My Computer
  A:\
  C:\
  D:\
  E:\
  G:\
  S:\ 

  Scan Statistics
  Total number of scanned objects: 86993
  Number of viruses found: 4
  Number of infected objects: 39 / 0
  Number of suspicious objects: 0
  Duration of the scan process: 01:23:46

  Infected Object Name | Virus Name | Last Action
   

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\13N67CW6\adv596[1].htm Infected: 
  Trojan-Downloader.JS.Agent.ab skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\13N67CW6\adv596[2].htm Infected: 
  Trojan-Downloader.JS.Agent.ab skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\13N67CW6\bag[1].htm Infected: Exploit.JS.CVE-2005-1790.j 
  skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\13N67CW6\fillmemadv596[1].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\13N67CW6\fillmemadv596[2].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\13N67CW6\fillmemadv596[3].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\13N67CW6\fillmemadv596[4].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\13N67CW6\fillmemadv596[5].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\13N67CW6\fillmemadv596[6].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

        C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\bag[1].htm Infected: Exploit.JS.CVE-2005-1790.j 
  skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\bag[2].htm Infected: Exploit.JS.CVE-2005-1790.j 
  skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\fillmemadv596[1].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\fillmemadv596[2].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\fillmemadv596[3].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\fillmemadv596[4].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\fillmemadv596[5].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\fillmemadv596[6].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\java[1].jar/GetAccess.class Infected: 
  Trojan-Downloader.Java.OpenConnection.aj skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\java[1].jar ZIP: infected - 1 skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\xpladv596[1].wmf Infected: 
  Trojan-Downloader.Win32.Agent.acd skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\xpladv596[2].wmf Infected: 
  Trojan-Downloader.Win32.Agent.acd skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\YNSJ47SP\fillmemadv596[1].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\YNSJ47SP\fillmemadv596[2].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\YNSJ47SP\fillmemadv596[3].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\YNSJ47SP\fillmemadv596[4].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\YNSJ47SP\fillmemadv596[5].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\YNSJ47SP\fillmemadv596[6].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\YNSJ47SP\xpladv596[1].wmf Infected: 
  Trojan-Downloader.Win32.Agent.acd skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\adv596[1].htm Infected: 
  Trojan-Downloader.JS.Agent.ab skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\fillmemadv596[1].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\fillmemadv596[2].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\fillmemadv596[3].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\fillmemadv596[4].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\fillmemadv596[5].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\fillmemadv596[6].htm Infected: 
  Exploit.JS.CVE-2005-1790.j skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\java[1].jar/GetAccess.class Infected: 
  Trojan-Downloader.Java.OpenConnection.aj skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\java[1].jar ZIP: infected - 1 skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\java[2].jar/GetAccess.class Infected: 
  Trojan-Downloader.Java.OpenConnection.aj skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\Z2P7XCI1\java[2].jar ZIP: infected - 1 skipped 

   

  Scan process completed.

Luckily I had an image archive created July 6 before all this happened. I restored this image and it seems free of all junk. Why did Avast not block these viruses which it had detected?

avast must have said that you shouldn’t ‘panic’… not worry about. Are you using the Home version?
If so, there is not an automated action although you have set the Silent Mode (on Advanced tab of the providers settings).
The WebShield could ‘block’ the infection… Which is the sensibility of this provider?

Anyway, right now the best thing will be to get clean:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Use a-squared or ewido (trojan removers).

Tech… I know my post was a long one. It would have been much longer had I not edited the Kaspersky scan. At the end of my post I mention that I am now virus free. I restored an image of my system I had created July 6, before all this happened. Here are my Avast settings:

http://img67.imageshack.us/img67/4505/screenshot020dh7.jpg

Here is a screenshot of the Kaspersky scan after restoration of my Acronis True Image archive:

http://img62.imageshack.us/img62/378/screenshot002oe9.jpg

BTW, Ewido was able to remove two of the four viruses. But the question remains, Why did Avast not block these viruses as it claimed it had?

Hi dld:

 The Avast screenshot you posted was of a "Win32:CTX" located
 in a Pandasoftware file, which has been discussed at:

 http://forum.avast.com/index.php?topic=17808.0
 http://forum.avast.com/index.php?topic=22240.0

 The Kaspersky Online scan reported 4 "viruses"; however, 
 those "Items" you did NOT copy & paste, so it is unknown
 what they might have been. However, probably unrelated to
 the Avast Warning screen. Those "miscellaneous"
"Temporary Internet Files\Content.IE5\" can be quite serious.

  1. “Viruses” in Panda files - Spiritsongs already explained
  2. “Viruses” detected by KAV in temporary internet files: benign files; see e.g. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1790 for a description of CVE-2005-1790 (it’s an old vulnerability in IE, patched by MS for at least half a year). All of the files are typically picked by antispyware apps - but in many cases, not by AV’s (but I’m not saying avast is not detecting exploits by definition; its exploit detection database is also numerous).

Thanks
Vlk

Thanks for the responses. The explanation of the Avast alert to Panda definitions was enlightening.

I was able to capture a screenshot of Avast\Panda alert because my computer was not frozen. That was not the case for the Avast\ComputerHelpForum alerts. There were a number of alerts showing up on the screen. These had to do with Exploit I do remember. I was just glad to hit that Avast abort button.

All in all, what may have happened is that Avast may have blocked some of these Exploit viruses but obviously let others go by to infect my computer. The best defense against any malware is still keeping multiple images of your system.

“Infect” is an extremely inaccurate word here. The javascript files were stored in the temporary internet files folder (i.e. the browser cache) - there’s NO indication the exploit was in fact activated, that is, the computer got “infected”.

Thanks
Vlk
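The distinction drawn in the post above can be checked mechanically. The following is an added example, not part of the original thread or of any vendor tool: it parses records in the wrapped layout of the Kaspersky report quoted earlier, counts the distinct detection names, and lists any detected object that lies outside the IE browser cache. The function names and the constructed sample are assumptions; a cache-only result says where the files are stored, not whether anything executed.

```python
import re
from collections import Counter

# Constructed sample: records laid out like the Kaspersky report quoted in
# this thread (wrapped lines, one record per blank-line-separated block).
SAMPLE_REPORT = r"""
  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\13N67CW6\adv596[1].htm Infected: 
  Trojan-Downloader.JS.Agent.ab skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\bag[1].htm Infected: Exploit.JS.CVE-2005-1790.j 
  skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\java[1].jar/GetAccess.class Infected: 
  Trojan-Downloader.Java.OpenConnection.aj skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\java[1].jar ZIP: infected - 1 skipped 

  C:\Documents and Settings\Owner\Local Settings\Temporary Internet 
  Files\Content.IE5\PHKTU9CO\xpladv596[1].wmf Infected: 
  Trojan-Downloader.Win32.Agent.acd skipped 
"""

CACHE_MARKER = r"\temporary internet files\content.ie5"  # IE cache on XP
RECORD = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")

def parse_report(text):
    """Return (path, detection_name, action) for each per-object record."""
    entries = []
    for block in re.split(r"\n\s*\n", text):
        # Undo the report's line wrapping before matching.
        record = " ".join(l.strip() for l in block.splitlines() if l.strip())
        match = RECORD.match(record)
        if match:  # container summaries ("ZIP: infected - 1") do not match
            entries.append(match.group("path", "name", "action"))
    return entries

def triage(entries):
    """Count distinct detections and list objects outside the browser cache."""
    names = Counter(name for _, name, _ in entries)
    outside = [p for p, _, _ in entries if CACHE_MARKER not in p.lower()]
    return {"names": names, "outside_cache": outside, "all_in_cache": not outside}

if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```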

I have a question to understand the behavior of WebShield.
Wasn’t it supposed to ‘block’ the files if they’re infected? I suppose so.
If they’re not infected but they have only a possibility to be explored (‘potential’ exploit), then you’re right, WebShield couldn’t block them.
Am I right?