I am looking at a message from my Avast Behavior Blocker Event. I’m a little leery about this and wonder if I am looking at a virus. I’ve surfed for information on this file name; everything is in a foreign language. Even after translation the technical information was beyond my understanding.
If anyone is familiar with this file name and can advise how to respond to the three choices the event blocker has given me, I could really use your help right now. I’ll keep this message up until I get a response.
Thanks in advance.
The event is Delete File
File Name is c:\System Volume Information.…\A00066290.exe
Program: svchost
Allow… Allow All… Deny
The file name is one that is randomly generated when System Restore creates a restore point in the c:\System Volume Information folder; rather than use the original file name it changes it but retains the file type. This is a security measure.
I have no idea why the avast Behaviour blocker might be doing this as by default it is not enabled, so you must have been tweaking avast.
So we need to know exactly what you were doing when the message appeared?
e.g. were you trying to delete that restore point, and if so, why?
Personally I would leave the avast Behaviour Blocker disabled as it will drive you nuts otherwise and interfere with normal operations on your system, depending on just what you have tweaked.
Yes, I did tweak avast to block writing to the system in hopes of giving myself just a bit more protection. This particular event concerned me because I was not online at the time and my firewall was up. I had not been on my system for several hours, but when I returned to do some work the message was already sitting there on the screen. Also, 2 days ago while at a web site, I was not able to close it. The system froze. Since I could not close out, I unplugged my system and waited about 15 minutes and then tried again. I was able to bring up Task Manager and delete the processes that were not responding. Next I updated avast but did not run the antivirus program. Everything seemed fine until I got this event blocker yesterday. My concern was that a legitimate exe file was being replaced by a harmful program. Again… Thanks for your help.
Well, deletion isn’t really how the malware would go about this, as that isn’t so subtle; it would modify or replace (which is, I believe, slightly different to delete), so for this to be effectively blocked you would also have to block modification, and that truly would send you bonkers, death by pop-up.
It also doesn’t make any sense why something would delete a restore point for no reason, as the change of file name, as I mentioned, makes it too difficult to know exactly what it is that is being deleted. So the only other thing I can think of is if you have restricted the System Restore size or have some housekeeping in place that clears old restore points. Otherwise I can’t see the purpose in deleting what is in effect an inert file in the c:\System Volume Information folder.
You may well have some issues with the operating system or possibly hidden or undetected malware.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
1. SUPERantispyware, On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.
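As an added example (not code from the thread, Avast, or any tool mentioned here), the reasoning in the two replies above can be written down as a small triage rule: a file under System Volume Information whose name follows the restore-point copy convention (the letter A, a run of digits, and the original extension, as in the thread’s A00066290.exe), touched by a system process, is treated as probable System Restore housekeeping, while anything else is flagged for review. The restore-point GUID and RP folder number in the sample events are placeholders, and the verdict names are my own choice.

```python
import re
from dataclasses import dataclass

# Naming convention System Restore applies to files it copies into a restore
# point: "A" + digits, original extension kept (thread example: A00066290.exe).
# Assumption: the digit count varies, so any non-empty run is accepted.
RESTORE_COPY_NAME = re.compile(r"^A\d+\.[A-Za-z0-9]+$")
SVI_PREFIX = re.compile(r"^[A-Za-z]:\\System Volume Information\\", re.IGNORECASE)
SYSTEM_PROCESSES = {"svchost", "svchost.exe", "system"}


@dataclass
class BehaviorEvent:
    action: str   # e.g. "Delete File"
    path: str     # full path reported by the behavior blocker
    program: str  # process name the blocker attributes the action to


def classify(event: BehaviorEvent) -> tuple[str, str]:
    """Return (verdict, reason) for one behavior-blocker event."""
    name = event.path.rsplit("\\", 1)[-1]
    in_svi = SVI_PREFIX.match(event.path) is not None
    restore_copy = RESTORE_COPY_NAME.match(name) is not None

    if in_svi and restore_copy:
        if event.program.lower() in SYSTEM_PROCESSES:
            return ("likely-benign", "restore-point housekeeping by a system process")
        return ("review", f"restore-point file touched by non-system process {event.program}")
    if in_svi:
        return ("review", f"unexpected file name inside System Volume Information: {name}")
    return ("review", "file outside System Volume Information; name pattern alone proves nothing")


def triage(events: list[BehaviorEvent]) -> list[tuple[str, str]]:
    """Classify a batch of events, preserving order."""
    return [classify(e) for e in events]


# Constructed sample events; GUID and RP number are placeholders, not real values.
SAMPLE_EVENTS = [
    BehaviorEvent("Delete File",
                  r"C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP12\A00066290.exe",
                  "svchost"),
    BehaviorEvent("Delete File",
                  r"C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP12\A00066290.exe",
                  "unknown.exe"),
    BehaviorEvent("Modify File", r"C:\Windows\system32\svchost.exe", "svchost"),
]

if __name__ == "__main__":
    for ev, (verdict, why) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{ev.action:12} {ev.program:12} {verdict:14} {why}")
```

The rule only ever downgrades an alert to "likely-benign" when both the location and the file name match the restore-point convention and the actor is a system process; a matching name outside System Volume Information, or a non-system process inside it, stays flagged, which is the same caution the replies above express.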