Avast boot scan missing obvious malware?

I’m a little confused here. A friend consulted me about problems on his Windows 7 Home 32bit SP1 computer. A mere three days ago I had looked at it and it had been entirely free of malware, but yesterday he was unwary enough to let one of those scam “support” technicians into his computer. He eventually smelled a rat and cut off the call before being scammed for any money, but not before the scam artist had access for about 35 minutes. A lot of damage can be done in 35 minutes! On taking a look around, I could see that DNS UnLocker had been installed. A glance at the virus chest of his Avast Free 2016.11.1.2253, specifically configured to scan for PUPS, revealed that a DNS Unlocker executable had been quarantined. No related browser extensions had been installed. However a folder full of files existed at C:\Program Files\DNS Unlocker and DNS Unlocker was present in the list of installed programs. It seemed like a good idea to uninstall it.

So I proceeded to initiate just that, only Avast leapt up with a message that it couldn’t be done, run a Boot Scan. So I did, configured to “automatically fix”, and found that when it had finished and I was back in Windows, the DNS UnLocker program folder/files still existed. On looking at the Boot Scan log, I found that it had discovered/quarantined stuff to do with Optimiser Pro but made no mention of anything DNS Locker related or anything else.

I then ran a Malwarebytes Scan, which picked up all the DNS Unlocker folder/files, and related DNS changes in the Registry, + the ubiquitous SearchProtect, + CloudScout, + Palikan, + TeslaCrypt, + Amonetize. All of them, with the exception of TeslaCrypt detected as malware/trojan, detected as PUPs. Upon electing to ‘delete all’ and rebooting, all trace of them, including their Registry entries, was gone.

My question is, with Avast configured to scan for PUPs, and that option was certainly selected for the boot scan, why didn’t it find all the stuff that Malwarebytes subsequently found? Does Avast have a more limited definition of what constitutes a PUP?

And why didn’t Avast boot scan pick up the TeslaCrypt executable, located at C:\Users\[user]\AppData\Roaming\qhwxvhe45.exe? Might it have done within Windows had there been an attempt to run it?

I’m not knocking Avast, I’ve used it for years and regularly recommend it. Just seeking clarification.

NO security program has 100% detection or zero false positives.
The malware world is not static; malware writers constantly change and write new versions to avoid detection.

if you want a check by a malware expert …

follow instructions here https://forum.avast.com/index.php?topic=53253.0
we need Malwarebytes and Farbar Recovery Scan Tool logs, attach the logs, 3 logs total

see below the box you write in … Attachments and other options

a log/malware expert will then assist you when online

While I very much appreciate your taking the trouble to respond, I thought I had made clear that the Avast Boot Scan/Malwarebytes Scan described did not take place on my own computer. I am therefore not at liberty to follow your suggestions.

I also appreciate your point that no antivirus/antimalware program can be 100% right 100% of the time. However all of the malware picked up by Malwarebytes, but not by Avast, was established stuff, long in circulation. Perhaps there are things I could do with Avast, other than configuring to scan for PUPs, that would make it more likely to find these things?

However all of the malware picked up by Malwarebytes, but not by Avast, [b]was established stuff, long in circulation[/b].
How do you know? ... you can't tell just from the name

Mercedes has been around since 1885, many of them still look the same but are changed under the hood or got a facelift and some are completely new, but they are all named Mercedes

So unless you have the samples there is no way of knowing

Malware statistic >> https://www.av-test.org/en/statistics/malware/

What you are saying is that malware can change fast while retaining the same name. Fair enough, and that is one reason why virus definitions have to be updated so frequently. However since Malwarebytes picked up a cornucopia of malware that Avast didn’t, you are also saying that Malwarebytes keeps up with changes a lot faster than Avast does. I’m sure you didn’t actually mean to say that, but it is the logical conclusion from your comment.

May I ask why a simple question – how can I configure Avast better? – should result in such a hostile response?

There is also a lot that avast detects but MBam doesn’t.

Correct, Malwarebytes only targets executable files (not file infectors) while avast targets everything malicious

Quote David H. Lipman > Malwarebytes forum

Malwarebytes' Anti-Malware ( MBAM ) does not target scripted malware files. That means MBAM will not target; JS, JSE, PY, .HTML, HTA, VBS, VBE, WSF, .CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc. It also does not target documents such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc. It also does not target media files; MP3, WMV, JPG, GIF, etc.

MBAM specifically targets binaries that start with the first two characters being; MZ
They can be; EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything such as; TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with ‘MZ’.

I then ran a Malwarebytes Scan, which picked up all the DNS Unlocker folder/files, and related DNS changes in the Registry, + [b]the ubiquitous SearchProtect[/b], + CloudScout, + Palikan, + TeslaCrypt, + Amonetize. All of them, with the exception of TeslaCrypt detected as malware/trojan, detected as PUPs. Upon electing to 'delete all' and rebooting, all trace of them, including their Registry entries, was gone.

SearchProtect examples:

MD5 73554f3944811c0c4b393826943be2ca
https://www.virustotal.com/en/file/98e45b97b0b87e6578b8c5930334fed34558fc0d3985dfd098669ce4f6c4923a/analysis/

MD5 0b813086a3400aafa1639d08823fbd46
https://www.virustotal.com/en/file/c967920dc9349c9d963838391a29718b64ed2686a06d82c4afe0363e462fb509/analysis/

MD5 0d8796b4b1061ce5eb8e4b8853d63b29
https://www.virustotal.com/en/file/8fa2fa7d626f98d2952e8b657e8df089a509cd2ebc4e585337ae902b48780d8c/analysis/

MD5 e408ea31af5e14642ae9d1d6e18cf99d
https://www.virustotal.com/en/file/256c49d62a007786e249061e4efad26ee6469c00b234949247d4adcd91e68f3c/analysis/

MD5 1caf9472c70fb3567b85e1977a393720
https://www.virustotal.com/en/file/55F173FB7CE33654D379663215DE48BD2F13CA4A607CBE4D90962DE33A4972E6/analysis/

and there are many, many, many more …
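The quoted rule above (a file is treated as a binary when its first two bytes are `MZ`, whatever its extension) and the MD5/SHA-256 pairs in the VirusTotal links can both be illustrated with a small scanner. The script below is an added example written for this thread; it is not Malwarebytes or Avast code and does not reproduce either product's detection logic. It walks a directory, flags every file that starts with `MZ`, marks it as "disguised" when the extension is not one of the executable types listed in the quoted post (that list is the only assumption taken from the thread), optionally confirms a real PE header via the `e_lfanew` pointer, and computes both hashes so a suspicious file can be looked up by either value. The sample files it creates are constructed stubs, not real malware.

```python
import hashlib
import os
import struct
import tempfile

# File types the quoted post says normally carry an MZ header.
PE_EXTENSIONS = {".exe", ".cpl", ".sys", ".dll", ".scr", ".ocx"}


def is_mz_binary(data: bytes) -> bool:
    """The rule from the thread: the file starts with the two bytes 'MZ'."""
    return data[:2] == b"MZ"


def has_pe_signature(data: bytes) -> bool:
    """Stricter check: e_lfanew at offset 0x3C must point at 'PE\\0\\0'.
    This separates real PE images from files that merely start with 'MZ'."""
    if len(data) < 0x40 or not is_mz_binary(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def file_hashes(path: str):
    """MD5 and SHA-256 of a file, the two forms used in the VirusTotal references."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root: str):
    """Walk a directory and report every MZ file, flagging ones whose
    extension does not match (a 'disguised' binary), with hashes for lookup."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(4096)
            if not is_mz_binary(head):
                continue
            ext = os.path.splitext(name)[1].lower()
            md5, sha256 = file_hashes(path)
            findings.append({
                "name": name,
                "path": path,
                "disguised": ext not in PE_EXTENSIONS,
                "pe_signature": has_pe_signature(head),
                "md5": md5,
                "sha256": sha256,
            })
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree() -> str:
    """Constructed sample directory (no real malware): a minimal MZ/PE header
    stub written under several names, plus a plain text file."""
    stub = bytearray(0x48)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    samples = {
        "helper.exe": bytes(stub),             # expected extension
        "invoice.txt": bytes(stub),            # same PE stub renamed to .txt
        "mz_only.jpg": b"MZ" + b"\x00" * 62,   # starts with 'MZ' but has no PE header
        "notes.txt": b"plain text, ignored",
    }
    root = tempfile.mkdtemp(prefix="mzscan_")
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        flag = "DISGUISED" if hit["disguised"] else "ok"
        print(f"{flag:9} pe={hit['pe_signature']!s:5} {hit['name']}  md5={hit['md5']}")
```

Run against a real profile directory (for instance the `AppData\Roaming` folder mentioned earlier in the thread) the output lists every MZ file regardless of what it is called, which is exactly the class of file the quoted post says MBAM looks at; the `pe_signature` column shows why a scanner checking only the first two bytes will also pick up files that are not executables at all.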