Ok, after a recent hard disk failure…from which I successfully recovered, I reinstalled Vista Home Premium, since Hewlett-Packard (my laptop’s manufacturer) told me the hardware was completely incompatible with any other OS. Then I started downloading stuff, and Avast!.
I took out a DVD with a bunch of backed-up programs on it, and I knew it had the WIN32Pinfi worm. Good… I knew Avast! could clean them and it did…when I pasted them onto the hard disk, of course. As soon as I started browsing the DVD, the on-access scanner confirmed my knowledge about the virus content by giving me a virus warning. Now the problem began: I clicked no-action, as I find it quite obvious that Avast! cannot re-burn CDs/DVDs, thus it cannot change the files on them. I copied the files onto the hard disk, then Quick Scanned, and Avast! gave me a warning about the multiple .exe files that had been infected.
I witnessed Avast! successfully clean up the files when I clicked Repair All but they remained blocked. I did thorough scans on the entire "c:\program files" directory with no viruses. I had to INDIVIDUALLY go to the properties of each .exe file, then go to security settings and change the owner of the file, which resets all permission settings, otherwise I could not launch the program, as it was blocked.
This can get quite frustrating if the virus comes back from another old backup, and spreads through the system, and is then cleaned out again. I do not want to be dealing with some Avast! bug that falsely blocks files, even when they are cleaned.
I have run the ex-infected .exe files hundreds of times and no change was made to my system. This means they were no longer a threat.
I am willing to bet that the fix for this is just a simple check box in the settings, but if it is, which one?
I don’t think there’s any checkbox to solve this, and I also don’t think it’s got anything to do with permissions either.
My guess is that when avast! resident protection (Standard Shield, in particular) detected the files you copied on disk, it remembered their infection status in its cache.
When you disinfected the files using Explorer Extension, the files were fixed - but the resident protection didn’t notice that, because it doesn’t intercept avast!'s own file access (if it did, you’d get virus warnings from avast! resident protection even when running an ordinary scan from Simple User Interface, for example). So, even when the files were already cleaned, the cache still contained the information that they were infected and should be denied access (so, you couldn’t start them).
Resetting the permission settings of a file was an “external change” to the file, which invalidated the cache record and made avast! rescan it on the next access (and allow the execution, as it’s already clean).
I am afraid that improving the behavior would be rather complex internally… and it’s quite a rare scenario, I would say.
The same effect (emptying the whole cache) could be achieved by simply Stopping (not Pausing!) the Standard Shield provider and starting it again. Restarting the computer would do the same, of course.
Or, when copying the infected files to your disk, you can use the Repair button right from the resident protection warning (instead of clicking “No action” and cleaning the files later with another scanner) - in that case, the files would not get blocked either.
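The cache behaviour described in the reply above, replayed as an added toy model (written for this thread; it is not avast!'s code and invents no avast! internals): the shield caches a per-file verdict, ignores writes made by its own process, and drops the record only on an "external change" or when the provider is stopped and started.

```python
import os
import tempfile

# Constructed model of a resident shield with a verdict cache; not avast!'s code.
INFECTED_MARKER = b"CONSTRUCTED-INFECTION-MARKER"   # stands in for a signature hit

def scan_content(path):
    with open(path, "rb") as f:
        return "infected" if INFECTED_MARKER in f.read() else "clean"

class ResidentShield:
    SELF = "avast"   # the shield does not intercept the scanner's own file access

    def __init__(self):
        self.cache = {}   # path -> verdict remembered from the last scan

    def intercept_write(self, actor, path):
        # Any write or ACL change from another process is an "external change":
        # the cached verdict is dropped so the next access rescans the file.
        if actor != self.SELF:
            self.cache.pop(path, None)

    def check_execute(self, path):
        verdict = self.cache.get(path)
        if verdict is None:
            verdict = self.cache[path] = scan_content(path)
        return verdict == "clean"   # False means the launch is blocked

    def stop_and_start(self):
        self.cache.clear()          # stopping (not pausing) the provider empties it

def write_file(shield, actor, path, data):
    shield.intercept_write(actor, path)   # every write passes the filter first
    with open(path, "wb") as f:
        f.write(data)

def disinfect(shield, path, actor):
    with open(path, "rb") as f:
        data = f.read()
    write_file(shield, actor, path, data.replace(INFECTED_MARKER, b""))

def change_owner(shield, path):
    shield.intercept_write("explorer", path)   # Security-tab owner change: metadata only

def replay(recover):
    """Run the thread's scenario; `recover` is the step that unblocks the file."""
    shield = ResidentShield()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.exe")
        write_file(shield, "explorer", path, b"MZ" + INFECTED_MARKER)
        blocked = shield.check_execute(path)           # False: infected, blocked
        disinfect(shield, path, ResidentShield.SELF)   # cleaned, cache untouched
        stale = shield.check_execute(path)             # False: clean file still blocked
        recover(shield, path)
        return blocked, stale, shield.check_execute(path)
```

Both recovery steps from the reply (changing the owner, or stopping and starting the provider) turn the third value to True; a real shield would avoid the stale verdict by invalidating the record whenever its own repair rewrites a file.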
I made a self-extracting archive (.exe) using Peazip.
Avast! almost immediately deemed the file infected with Win32:Parite. Coincidentally, that was the worst worm attack I recall on my laptop; it occurred in November 2007, and Trend Micro House-Call successfully cleaned it up.
I click repair and the .exe file remains blocked, and I receive no error message.
I try to perform all sorts of stuff with the file (Delete, right-click, even scan with Avast!) and the application used to perform the action (Explorer.exe, CMD.exe and Avast!) either freezes and is forced to close, or does absolutely nothing.
I reboot, the steps repeat, and I finally send it to the Chest. As it is a special case, I trust Peazip and will test it again to see if it produces another file like this. If it does, I will remove it and contact the manufacturer…and possibly bring this to Alwil’s attention too.
{ADDED THE CHEST SCAN DETAILS}
Scanning of selected files
Program will try to scan 1 selected file(s) in the Chest
Move files to temporary folder: C:\Users\Stil\AppData\Local\Temp_avast4_\unp158308344.tmp
FileID: 0000000005 Original file name: C:\Users\Stil\Downloads\LAYOUT.exe New folder: C:\Users\Stil\AppData\Local\Temp_avast4_\unp158308344.tmp\5.exe
Scan files in the temporary folder: C:\Users\Stil\AppData\Local\Temp_avast4_\unp158308344.tmp
C:\Users\Stil\AppData\Local\Temp_avast4_\unp158308344.tmp\5.exe[UPX] – no virus –
C:\Users\Stil\AppData\Local\Temp_avast4_\unp158308344.tmp\5.exe\LAYOUT.REG – no virus –
C:\Users\Stil\AppData\Local\Temp_avast4_\unp158308344.tmp\5.exe\LAYOUT.DLL – no virus –
C:\Users\Stil\AppData\Local\Temp_avast4_\unp158308344.tmp\5.exe Win32:Parite
Ok, I have come to a conclusion:
There is a chance that the virus is on the system and has probably become invisible to Avast!, and from experience I know the extreme severity of damage the virus can cause to software…so I am scanning with Trend Micro House-Call and “c:\windows\system32\mrt.exe”.
The two files in the infected file are downloaded add-ons to the OS, where they allow the saving and restoring of desktop icon layout.
I have been using these since Christmas, when I found them, so I do not believe they have even a single bit of maliciousness in them.
I tested Peazip and it passed with flying colours; no other .exe SFX did this.