Avast keeps saying there's a virus

I’m running Windows XP Home on a Pentium IV 3.19 GB Mhz computer with Avast and Kerio firewall free edition - using the Google toolbar as a pop up stopper. My IE 6 has all its updates and I’m using Spybot to stop spyware. I’m not running any other antivirus programmes but see last paragraph for further information.

Anyway I ran a full system scan with Avast set to Thorough scan and to scan archive files, I’m using the Demo version.

Of course it came up with the Panda files I’ve seen mentioned elsewhere in the forum and also a Trojan - Win32:RPCExploit[Trj]. I deleted it during a full scan having disabled System Restore and then restarted and scanned again - and it was still there but the file path read to within the Moved folder within Avast itself. I then double checked running an online scan with Panda and it was fine, said I was clean.

I looked in the Moved folder but there’s nothing showing up in it.

Avast is still coming up with the same Trojan warning every time and this page - http://www.avast.com/i_kat_322.html describes the exact problem I’m having in the first FAQ.

I’m wondering if there is a way to stop Avast coming up with this particular virus alert if the virus isn’t really there. At least that’s what I understand from the FAQ, that Avast is just showing that the file has been moved. The first time I scanned and found virus files I told it to move all the three Panda files and the trojan to the Virus Chest whilst I investigated.

I am not running any other antivirus programme but Symantec which I uninstalled when it started crashing XP suddenly last week is still all over the registry. Again I’m not sure whether to delete the Symantec registry entries or to leave them. At the moment I’m not experiencing any system problems except that XP froze on me when I turned System Restore back on and I had to restart and try again - it let me turn System Restore back on the second time though and I have created a Restore Point.

Sorry if I’m waffling I’m trying to give as much information as possible.

You can certainly put the referred folder to the list of exclusions - avast! will not scan its content.

OK I’m really having problems. Avast is still coming up saying there is the Win32:RPCExploit[Trj] on my computer and it is insisting that it’s in files within Avast. The exact path is c:/Documents and Settings/Gillie2tat/Local Settings/Temp/avast4/ then it goes into a variety of different folders beginning with unp followed by a numerical extension. It also says that a variety of files with the extension .dmp within the same folder could not be scanned.

Last night it was saying the virus was in the Moved folder.

I don’t know how to get it to ignore this - can’t figure it out, I don’t know whether I SHOULD ignore this or what to do about it. Is this a known issue? If I tell Avast to repair all files or to move all files to a folder it gets very very slow - about one file a minute - and my whole computer slows down.

I really need help here, not sure what to do. Incidentally some screenshots in your FAQs would be helpful to show people what you mean. I’m at the point of giving up, I’ve spent two whole evenings trying to resolve this.

Here is a screenshot of some of the files which it said had this virus, which are currently in my Moved folder (I finally decided to try moving files to it to see if they showed up because the Avast folder in the Temp folder in Windows appears to be empty when I navigate to it). All had the extension .dmp.

  1. Clear your temporary internet files.

  2. This is the avast chest folder were it unpacks (unp) files to scan them. If I remember rightly avast shouldn’t scan that folder avast4 as this is the location of avast virus chest?

  3. You go to the virus chest and delete the files in it, either naviagate to it or Start avast Scanner, from the menu, select Virus Chest. This will show you all the files safely secured in the chest, from here you can delete them.

  4. When you say. ‘the moved folder,’ was this within system restore, avast4 or are you talking about another location?

David

ANd I finally found the folder in the file path c:/Documents and Settings/Gillie2tat/Local Settings/Temp/avast4/. Here is what it shows and it’s saying those files are infected. Should I move them all to the Moved folder? It’s unable to delete them and I’m not sure whether I can just remove them manually and then empty the Recycle Bin.

Hi David,

Thank you for answering so quickly.

“When you say. ‘the moved folder,’ was this within system restore, avast4 or are you talking about another location?”

I’m talking about the folder c:/Program Files/Alwil Software/Avast/Data/Moved.

“Clear your temporary internet files.”

I’ve cleared my cache in both Netscape and IE to empty the Temporary Internet Files folder. I do that regularly anyway. However the files causing the problem are in c:/Documents and Settings/Gillie2tat/Local Settings/Temp/avast4/, not in my Temporary Internet Files folder.

"you go to the virus chest and delete the files in it, either naviagate to it or Start avast Scanner, from the menu, select Virus Chest. This will show you all the files safely secured in the chest, from here you can delete them. "

Part of the problem is that Avast can’t put those files into the Virus Chest, it just comes up with an error saying it was unable to move the file though it is able to move the unp files to the Moved Files folder within Avast/Data. I tried navigating to the folder within the Virus Chest but none of the virus files are within it. If it shouldn’t scan certain folders why is it doing so and how do I stop it from doing so?

We posted almost at the same time, so as you can see this is the avast chest location, how can you check that.

"Start avast Scanner, from the menu, select Virus Chest. This will show you all the files safely secured in the chest, from here you can delete them. "

David

As you can see from my screenshot, no files are showing up in my Virus Chest which they would if Avast had been able to move them to the Virus Chest and I did ask it to several times. I modified my answer whilst you were posting so if you would be kind enough to double check that nothing has been missed I’d be very grateful.

As a temporary measure you could add the path to avast4 to the list of folders that are not checked by avast.

Click on the avast icon and select Standard Shield > Customize > Advanced Tab > add the path to the avast4 folder, you don’t need to add sub folders they are excluded by default.

This will hopefully get rid of the nagging screen (the files are in a location that they are not going to be activated) and you should be perfectly safe.

Catch up tomorrow.

David

Just a thought, instead of having avast move the files… when they are detected Delete them permanently? That will make sure they are truly gone(I never have the “nasties” moved, they get deleted permanently.)

This is the other problem it won’t delete them, again says there was an error.

Ok I have one other thought - can I move them to the Moved folder and delete them manually from there? Or even just delete the avast4 folder from the Temp folder (c:/Documents and Settings/Gillie2tat/Local Settings/Temp/avast4/) and empty the Recycle Bin? Presumably if Avast puts them in the Temp folder whilst it’s installing them it doesn’t need them any more - it’s been installed for about thirteen days now and my understanding is that it’s safe to delete files from the Temp folder after they’re about a week old?

It doesn’t seem to be picking up that this virus is anywhere else on my system.

I am STILL trying to get rid of this trojan that Avast says I have on my computer. Nothing works, it can’t delete the files, it can’t repair them, it moves them but when I restart there are more of these .unp files in the Temp/avast4 folder mentioned above, it’s also coming up that it’s in two of my system files. I checked the Avast virus database, it’s on the ITW list and it’s an EXE virus but other than that there’s no information at all.

Can somebody please help I don’t want to lose my computer!

The system files it says have the virus are c:/WINDOWS/system32/crashlog.tar.gz/crashlog.tar/Memory.dmp and c:/WINDOWS/system32/crashlog.tar.gz/crashlog.tar

Is this anything to do with System Restore by any chance? The only symptom I have at the moment is that when I turn off System Restore having run Avast and restart, the computer freezes when I try to turn it on again. I have to switch off the power (not the best way to restart your puter) and restart and then it lets me switch System Restore back on. As it’s in the crashlog memory file I’m wondering if it’s something to do with XP’s and Avast’s caching system.

Just checked msconfig startup, nothing nasty running in there and when I used Control-Alt-Delete for something last night there were no unexpected programs running. So I don’t THINK this is active on my system, I think it’s a cache problem somewhere.

I’m about out of ideas, but you seem to keep getting infected/reinfected and it is probably down to not having your OS fully upto date. The very name RPCexploit indicates exploiting the Romote Procedure Call, a windows patch for this came out ages ago for this.

I did a search simply on Win32:RPCexploit and it returned 91 hits, this is just one. http://www.sophos.com/virusinfo/analyses/w32rpcspybota.html This may be of help, it also give a link to the MS patch.

Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available from [url=http://www.microsoft.com/technet/security/bulletin/MS03-026.asp]www.microsoft.com/technet/security/bulletin/MS03-026.asp[/url].

If you haven’t got that patch installed you are going to keep getting infected.

I think you’ve got it, I don’t have the relevant patches although I run Windows Update regularly. Microsoft must have removed it from the list of Critical Updates because that particular patch never showed up. Darn them. Just run Windows Update again and those updates still didn’t show up.

I wasn’t able to get the scanner tool to work - I don’t know enough about DOS and I don’t understand how the different commands Microsoft list work - but I looked in Control Panel and those particular patches are not listed. Should I install them first, then turn off System Restore and run Avast and tell it to delete forcibly on restart? or try running Avast again and then install the patches?

Sorry to be a nuisance but I’ve never had this particular situation before, I’ve always had all patches in place. I don’t know why those patches haven’t come up in Windows Update which I run regularly.

Thank you so much for helping me with this and for taking the time to look for me. I did look on the Symantec web site and this particular virus didn’t seem to be listed, wish they’d install a search facility!

Also what the Sophos article seems to say is remove the worm and then install the patches but my understanding of what you are saying is it’s necessary to install the patches first and then get rid of the virus - I won’t get rid of the virus unless I’m patched? Is that correct?

From your previous post, I use google.com for all searches and they generally turn up the various antivirus companies’ pages relating to that search term. This is particularly useful because in many cases it will have a different name from one company to another, but it will also find it if it is an alias.

Personally I don’t think the order is important, You can try they suggested remove virus, install patch, reboot, scan again.

Having downloaded the patch from the link I gave you. Make sure that you are off line. Installing the patch doesn’t get rid of the virus, it patches the vulnerability so you don’t get reinfected when you go online.

You may need to disable system restore prior to removing virus (as per the instructions).

I won't get rid of the virus unless I'm patched? Is that correct?

No - the patch has nothing to do with getting rid of the virus - but if you haven’t got it installed, you will probably be reinfected on you very next venture online.

Take the next step.