Avast missed 2 Trojans, every day, for over two years.

Hi
I write with a cautionary tale for others.

I have used Avast for something like 15 years and (mostly) been very pleased with it, because what you don’t know, won’t disrupt that pleasure. In that time, it allowed in one very nasty rootkit which was a mother to get rid of, so overall you would want to forgive it one slip. We’re all human. However what I discovered today is the deal breaker. I discovered that I had not one, but two trojans on my machine, working away furiously and blissfully undetected. Looking at my backups, I’ve been host to them for at least 2 years - my backups don’t go back any further than that. With the computer on most days and an up to date Avast running, it absolutely did not find them. To share the blame a little, neither did Malwarebytes, but that’s another story.

The identities of the two trojans are:

Tonick.gen
Tiggre!plock

How I found them.
I had frequently read it said that it’s bad practice to have 2 antivirus programs running on the same PC (mine is Windows 10, by the way - and yes, all updated constantly). The advice was that if you use Avast you should disable Windows Defender. So long story short, I did the experiment of switching Defender back on and running a deep scan. That’s what found these trojans and that’s what removed them. Avast; null points.

So sadly, but pragmatically, today is the day I bid a sentimental farewell to Avast and switch to Bitdefender. They come top in several contemporary (that’s the key word), reputable reviews that are backed by lab tests, and to sweeten the deal there’s a fat discount on offer, currently, for up to three machines. So, be warned. Complacent confidence in your virus protection is a great drug, soothing and soporific, which is exactly what the hackers need you to feel.

Au revoir, Avast.

And you have of course checked those files, so you know it is not a Windows Defender false positive?

Yes.

Avast, like AVG, has this trojan Downloader.Tonick (Worm) classified under a different name: Worm/VB.AHSM [AVG].

Look for an altered version of svchost.exe, MD5: e4bc9ec9aa4874c66a6e21e56709609e
and
%TEMP%\tmp-3\msdto.exe
File name: msdto.exe
Size: 315.46 KB (315460 bytes)
MD5: c0213b45672715c77574c2722ee1a01f
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: %TEMP%\tmp-3
Group: Malware file

Downloader.Tonick has existed since 2013.

polonus

Ironically, I have had this issue on every AV I’ve ever used. I will buy a new license, and see one AV has a really good rating and I will try it out. I use it for a year or two and get a different AV. And every time I get a new AV and run the first scan, it always finds very old stuff.

While my system has been infected for a very long time.

I don’t know if it is the cause, but I noticed on a new version, it does a full system scan right away. But I notice that it only seems to do a full scan once and marks things as safe. But it doesn’t seem to do a full rescan later, unless you manually do it yourself. It just scans new stuff coming in. My guess is a new virus isn’t detected, or it delays its activation since it was marked safe. Then it sneaks in. And since it is new, there may not be a cure for it yet, so it runs without issue.

Just my guess, but it seems to happen to all AV software I have ever used, and I’ve been computing since the 80s. Not that there was a/v software in the 80s.

Heck, I even had a virus found on the new AV software, and the existing a/v software suddenly finds it at the same time as the new one.

But I always manually run my A/V programs monthly or so, anymore.

Hello,
can you share the detected samples, please (https://support.avast.com/en-za/article/258/)? Or upload them to virustotal.com and share the scan result link, please?

Thank you,
Milos

Hello Milos,

I repeatedly shared another sample with avast many days ago:
https://www.virustotal.com/gui/file/9f2fb97fea297f146a714d579666a1b9efd611edd8c1484629e0a458481307e5/detection

Proudly, avast still reports “No issues found”:

Hi trnano,

When you look at the VT scan results’ details, it comes with a non-validated (i.e. not verified) MS signature.
MS Windows and other operating systems, I’d say no more, :wink: :wink:
Voodooshield would have probably stopped execution of the file in question in its tracks.
It often kept me from harm’s way, when I was not alarmed in another way.
Then it could also be no part of avast’s collected definitions.

polonus
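As an added example, not code from any post in this thread: a PowerShell hunt for the indicators polonus listed earlier (the two MD5 hashes and the %TEMP%\tmp-3\msdto.exe path), which also reports Authenticode status, since a signature that does not validate was the point raised about the VirusTotal sample above. The search roots are an assumption; widen them as needed.

```powershell
# Added example, not from the thread. Hashes and the %TEMP%\tmp-3 path come from
# polonus's post; $SearchRoots is an assumption (add more drives or folders if needed).
$KnownBadMd5 = @{
    'e4bc9ec9aa4874c66a6e21e56709609e' = 'altered svchost.exe (Downloader.Tonick, per thread)'
    'c0213b45672715c77574c2722ee1a01f' = 'msdto.exe (Downloader.Tonick, per thread)'
}
$SearchRoots = @($env:TEMP, $env:SystemRoot, $env:ProgramData)   # assumption

# 1. Every svchost.exe / msdto.exe under the roots, with MD5 and Authenticode status.
$candidates = Get-ChildItem -Path $SearchRoots -Recurse -Force -File `
    -Include 'svchost.exe', 'msdto.exe' -ErrorAction SilentlyContinue

$findings = foreach ($f in $candidates) {
    $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash.ToLower()
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    # A genuine svchost.exe lives in System32 or SysWOW64 (WinSxS copies are expected too)
    # and carries a signature whose Status is Valid.
    $outsideSystem = ($f.Name -ieq 'svchost.exe') -and
                     ($f.DirectoryName -notmatch '\\Windows\\(System32|SysWOW64|WinSxS\\[^\\]+)$')
    [pscustomobject]@{
        Path       = $f.FullName
        MD5        = $md5
        SigStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer     = $sig.SignerCertificate.Subject
        KnownBad   = $KnownBadMd5[$md5]
        Suspicious = [bool]($KnownBadMd5[$md5] -or $outsideSystem -or $sig.Status -ne 'Valid')
    }
}

# 2. The dropper location from the thread, checked explicitly even if the hash differs.
$dropper = Join-Path $env:TEMP 'tmp-3\msdto.exe'
if (Test-Path -LiteralPath $dropper) { Write-Warning "Dropper path present: $dropper" }

# Report: suspicious rows first, so a known-bad hash or an unsigned svchost.exe stands out.
$findings | Sort-Object Suspicious -Descending | Format-Table Suspicious, SigStatus, MD5, Path -AutoSize
```

Treat a Suspicious row as something to submit to the AV vendor or VirusTotal, as Milos asks for above, rather than as a verdict; a stale or catalog-signed system file can also show a non-Valid status and should be checked by hand.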

It is old, so it could be they have a reason for not detecting it?

https://www.virustotal.com/gui/file/9f2fb97fea297f146a714d579666a1b9efd611edd8c1484629e0a458481307e5/details

History
Creation Time 2014-08-31 15:34:44
Signature Date 2017-09-29 04:22:00
First Seen In The Wild 2018-04-26 19:49:54
First Submission 2018-04-28 02:02:07
Last Submission 2021-05-11 07:09:37
Last Analysis 2021-06-07 19:59:56

File was dropped via malicious web-shell from
hxxp[:]//t[.]hwqloan[.]com/svchost.dat

In my opinion it is a clear piece of malware and I do not understand why avast is happy with this file around.

Hi, file 9F2FB97FEA297F146A714D579666A1B9EFD611EDD8C1484629E0A458481307E5 was resolved as malware and detection created.
URL t[.]hwqloan[.]com is already detected.

Thanks for report.

It was resolved, but only 3-4 weeks after my first submission (repeated weekly) of this file to the avast lab.
And after some discussion about the file in this topic :slight_smile:
When I submit malware files to the avast analysis system, I’m thinking (or at least hoping) about a reasonable time for the definition update.
I have avast on 65+ workstations and servers, and I am not happy with this delay.
I am sure that many of the submitters are IT professionals…