I’m a little confused here. A friend consulted me about problems on his Windows 7 Home 32-bit SP1 computer. A mere three days ago I had looked at it and it had been entirely free of malware, but yesterday he was unwary enough to let one of those scam “support” technicians into his computer. He eventually smelled a rat and cut off the call before being scammed out of any money, but not before the scam artist had had access for about 35 minutes. A lot of damage can be done in 35 minutes! On taking a look around, I could see that DNS Unlocker had been installed. A glance at the virus chest of his Avast Free 2016.11.1.2253, specifically configured to scan for PUPs, revealed that a DNS Unlocker executable had been quarantined. No related browser extensions had been installed. However, a folder full of files existed at C:\Program Files\DNS Unlocker, and DNS Unlocker was present in the list of installed programs. It seemed like a good idea to uninstall it.
So I proceeded to initiate just that, only Avast leapt up with a message that it couldn’t be done and that I should run a Boot Scan. So I did, configured to “automatically fix”, and found that when it had finished and I was back in Windows, the DNS Unlocker program folder/files still existed. On looking at the Boot Scan log, I found that it had discovered/quarantined stuff to do with Optimiser Pro but made no mention of anything DNS Unlocker-related or anything else.
I then ran a Malwarebytes scan, which picked up all the DNS Unlocker folder/files and the related DNS changes in the Registry, plus the ubiquitous SearchProtect, plus CloudScout, Palikan, TeslaCrypt and Amonetize. All of them were detected as PUPs, with the exception of TeslaCrypt, which was detected as malware/trojan. Upon electing to ‘delete all’ and rebooting, all trace of them, including their Registry entries, was gone.
My question is, with Avast configured to scan for PUPs (and that option was certainly selected for the boot scan), why didn’t it find all the stuff that Malwarebytes subsequently found? Does Avast have a more limited definition of what constitutes a PUP?
And why didn’t the Avast boot scan pick up the TeslaCrypt executable, located at C:\Users\[user]\AppData\Roaming\qhwxvhe45.exe? Might it have done so within Windows had there been an attempt to run it?
I’m not knocking Avast; I’ve used it for years and regularly recommend it. I’m just seeking clarification.
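For anyone triaging a machine after a "support" caller has had remote access, the artefacts the post describes (a changed DNS configuration, an unexpected entry in the installed-programs list, a program folder that survived a scan, and a bare executable dropped in AppData\Roaming) can all be enumerated by hand without relying on any one scanner's PUP definition. The script below is an added example, not code from the original post or from Avast or Malwarebytes. It assumes Windows 7 with the stock PowerShell 2.0, so it uses WMI and the registry rather than the DnsClient and Get-FileHash cmdlets that only exist on later versions; the registry paths are the standard Windows ones. It reports, it does not judge: a static DNS server or a recent install is for the person reading the output to recognise.

```powershell
# Added post-remote-access triage script (not from the original post). Assumes
# Windows 7 / PowerShell 2.0 and an elevated prompt. Read-only: it changes nothing.

# 1. DNS configuration per IP-enabled adapter. The effective server list comes from
#    WMI; a non-empty static NameServer value in the per-interface registry key means
#    someone set DNS by hand (or a program did), rather than it coming from DHCP.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Write-Host "== DNS servers =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
    $key    = Join-Path $ifaceRoot $_.SettingID
    $static = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NameServer
    "{0}`n  effective: {1}`n  static NameServer: '{2}'" -f `
        $_.Description, ($_.DNSServerSearchOrder -join ', '), $static
    if ($static) { Write-Warning "Static DNS on '$($_.Description)': $static" }
}
# The global NameServer value (applies to every interface) is a second place to look.
$globalDns = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').NameServer
if ($globalDns) { Write-Warning "Global static NameServer: $globalDns" }

# 2. Installed programs, newest InstallDate first. Wow6432Node is absent on a 32-bit
#    system, hence SilentlyContinue; it is included so the script also works on x64.
Write-Host "`n== Recently installed programs =="
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 15 DisplayName, InstallDate, InstallLocation, UninstallString |
    Format-Table -AutoSize

# 3. Program folders that outlive an uninstall or a scan. The folder name is taken
#    from the post; add others you see in the list above.
Write-Host "== Leftover program folders =="
foreach ($name in @('DNS Unlocker')) {
    $dir = Join-Path $env:ProgramFiles $name
    if (Test-Path $dir) {
        Write-Warning "$dir still exists:"
        Get-ChildItem $dir -Recurse -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    }
}

# 4. Bare executables sitting directly in the per-user data and temp folders.
#    Legitimate software rarely drops a top-level .exe there; the TeslaCrypt sample
#    in the post lived at the top of AppData\Roaming. Get-FileHash needs PS 4+, so
#    SHA-256 is computed with .NET for submission to a multi-engine scanner.
Write-Host "== Loose executables in user-writable folders =="
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($dir in @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)) {
    Get-ChildItem -Path $dir -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending | ForEach-Object {
            $stream = $_.OpenRead()
            try   { $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
            finally { $stream.Close() }
            "{0}  {1}  {2}  sha256={3}" -f $_.LastWriteTime, $_.Length, $_.FullName, $hash
        }
}

# 5. Autostart entries, so a dropped executable that is wired to run at logon is visible
#    even if no scanner flags it.
Write-Host "`n== Run / RunOnce entries =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
```

Run it before cleaning, save the output, and run it again after the uninstall and reboot: the second run is the check that the DNS values, the program folder and the autostart entries really are gone, which is exactly the part the boot scan in the post did not confirm. It lists rather than deletes on purpose; removal is better done with the tool that can also clean the matching registry entries.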