avast! / SAS Q

I just installed SAS in my computer yesterday and ran my 1st Scan. It did find 2 Firefox Tracking Cookies and 2 Trojans. One Trojan was affiliated with RealPlayer and the other with NULLSOFT. They’re in quarantine right now.

Anyway, SAS ran fine with everything as is. My question is … is it OK to run a SAS Scan with avast! still fully Active? Or is it more recommended to set avast! to Pause Provider … or Stop Provider for possible better / faster / more reliable SAS scanning performance?

Personally I pause avast Standard Shield when I do a scan with another security application.

It avoids any possible conflict, however remote, and it reduces duplicate scanning, which will reduce the overall scan duration. I have been saying this for ages but some don’t think it necessary, so I did a test: an SAS Quick scan with avast standard shield enabled took just over 3 minutes longer than the same scan took with the standard shield paused (a little over 13 minutes against a little over 10 minutes, that is 30% longer).

So I think you can see why I pause the standard shield when doing scans with other security applications. I didn’t do a full SAS scan to test this theory further, life is too short.

I certainly concur with your line of thinking. Many times during my SAS Scan, I kept seeing the avast! “a” Blue Ball rotating away. I just kept thinking to myself that that MUST be Double Duty … Extra unnecessary work for the Microprocessor, which was no doubt slowing down and extending the duration of the SAS Scan. I did the FULL SAS Scan. I forget exactly, but I think it took roughly around 45 minutes on my slow, non-State of the Art computer. ;D So, if I can cut some time off from those Scans by Pausing the avast! Standard Shield, I will most definitely do it.

Yeah, cuz I was getting worried when just the Memory Scan portion of the SAS Scan seemed kind of slow. Then also parts of the Registry & File Scanning portions started out slow. I was thinking, “I am NOT liking this. avast! does a Full Thorough / Archive Scan of about 90,000 Files in my computer in about 1 Hour. At the rate SAS is going, it’s going to take HOURS to finish.” But, Nah! There were eventually areas in there where SAS scanned blazingly fast. Plus, SAS didn’t remotely scan 90,000 Files like avast! does.

Do I understand correctly? The default Setting for SAS is that it ignores scanning Files larger than 4 Meg?

Thanks for the elaborative Tip, David. It’s DUN! ;D Okay, not yet, but it WILL be DUN whenever I do my next SAS Scan.

It does ignore files greater than 4mb by default and that can be a lot of files, many of those are likely to be archives which don’t really present a high risk as they need to be extracted and run before they are a risk.

You’re welcome.

Since you know every nook & cranny of SAS, I need some help / direction here:
I already deleted the 2 Firefox Tracking Cookies from SAS quarantine.
Now … below are the 2 Trojans I have in SAS quarantine:
Trojan: FakeAlert-Gen/Variant
C:\PROGRAM FILES\REAL\REAL PLAYER\PNMI 3260.DLL

Trojan: Unclassified-Packed/Suspicious
C:\PROGRAM FILES\COMMON FILES\NULLSOFT\VIDEO\ACTIVEX\PLUGINS\NSVPLAYX_VP5MP3.DLL

Question #1: As I understand it, the only options there in the SAS quarantine are Delete & Restore. Will clicking on Delete … delete just the Trojan itself? Or the Trojan AND the Infected File in that File Path?

Question #2: IF the entire File is going to be deleted along with the Trojan … are the 2 items above SAFE to delete? I don’t use RealPlayer. I don’t believe I use NULLSOFT. Isn’t that a MediaPlayer also?

I don’t know every nook and cranny, but I don’t bother having it even look for tracking cookies, that is how much of a risk I feel they are.

  1. Quarantine is the best initial option (never delete) and investigate; unlike avast, SAS doesn’t allow you to extract it to a different location, which makes it safer to investigate. The malware name is also one which I wouldn’t have much confidence in: FakeAlert-Gen (normally indicating generic) Variant, e.g. they think it is a possible variant of FakeAlert.

FakeAlert is a program that reports your system is infected in the hope you will either buy what they are peddling or visit a site and install the fix (which may well infect you). So if you aren’t seeing these symptoms it is unlikely that you have the fake alert scumware on your system, add to that the location it is in within Real Player, an audio/media player, which makes the detection less than 100% IMHO.

  2. I would treat this with a small pinch of salt based on what the detection is ‘Suspicious’ not 100% and the reason why it is suspicious is the method it was packed (compressed).

For both detections I would first google the file names and see what is returned, e.g. are there any associations with malware. Then you should upload the files to VirusTotal (you would most certainly have to restore them from quarantine to do this) for confirmation or otherwise of the SAS detections.

Yeah, where I live now, I definitely have an inferior AOL Connection Speed than what I had where I lived before. Where I lived before, I used to regularly, consistently log on to AOL at, I believe - 44,400bps. :) Where I live at now, the most I can log on at is - 28,800bps and that’s 50% of the time. The other 50% of the time, Log Ons are at 26,400bps. :( And I’m pretty sure it is an AOL thing … NOT a Phone Company / Phone Line Noise problem. This because those friends on whose computer I worked, they live about 12 miles away and THEIR AOL also logs on at 28,800 or 26,400bps.

Anyway, when I first read your suggestion of sending the Trojan-infected Files to VirusTotal, I thought, “YES! Excellent idea!” But, I just checked and that RealPlayer alleged Infected File is almost an 11 MB File. With my SLOW Dial Up, which I just described, I don’t think I have the time to send an 11 MB File to VirusTotal. Not to mention that there’d be the matter of the NULLSOFT File also still to be sent to VirusTotal. Ahhh, speaking of that NULLSOFT alleged Infected File. Maybe you can tell me what’s going on here. I checked out the File Path of that alleged Infected NULLSOFT File. Yes, I found that PLUGINS Folder, but … there’s NOTHING in there. Is the alleged Trojan-infected File Hidden? I even ran an avast! Scan on that Folder and it showed that it scanned 0 Bytes.

I do download avast! straight from the avast! website. However, I’m thinking that the next time I have to download avast!, I might try downloading it from SnapFiles. So far, I have liked SnapFiles’ faster download speed than most other downloads I do elsewhere. I like reading the Reviews and other Info at C/Net download.com. I somewhat consider a Software App / Utility to be legit and SAFE when C/Net download.com gives it the 2 Thumbs Up. But, as for actually downloading anything from C/Net download.com … I have yet to be able to do that. I have ZERO luck with them. I don’t know if their downloads require a Windows version higher than Win98 or different Settings, but for me, downloads from C/Net download.com never complete.

Oops! A couple of seconds after I hit on my previous Post, it immediately dawned on me why I couldn’t find the alleged Infected NULLSOFT File at where its File Path indicated. The File is in SAS quarantine. That would explain there being nothing in the PLUGINS Folder.

Yes if you sent them to the SAS quarantine then they wouldn’t be in the original location.

Did you use google to try and get information on the file names? That would take less time and was the first suggestion. Interestingly (and usually suspicious) there was only one hit for PNMI 3260.DLL (this topic), which is extremely strange if it were a real player file.

However, I think that you may have put a space into the file name in error and without it PNMI3260.DLL returns more hits. One relates to it being a Library for Real Player; the page is Japanese.

The same single hit for NSVPLAYX_VP5MP3.DLL by google, again this topic.

So I’m at a loss as to what to suggest as you are so restricted in being able to upload to VirusTotal (VT). There is also an upload limit on file size for VT of 10MB.

Yeah, I too originally got NO Hits with the RealPlayer File Google search. I then did remove that extra space in the Filename and got some Hits. It did show up as a Module of RealPlayer. By the size of the File, like 10.7 MB, I gather it’s rather significant to RealPlayer. Thus, no doubt it’d be missed during RealPlayer operation. Ehhh, but I don’t use RealPlayer. As a matter of fact, about 2 weeks ago, I was looking into if I could use RealPlayer with this Net Radio Station to which I listen. I got a message that I needed to update RealPlayer. When I tried to update RealPlayer, I forget what the deal was, but I THINK it was something like that this version was no longer supported and that I had to download a whole new version instead. Not having the time for a Mega download, my curiosity subsided and I aborted that experiment.

As to the NULLSOFT File in question? I did Google it and got 0 Hits. I guess it’s possible I could have made an error there in one of the many characters in the Filename.

Don’t worry about it, David. I appreciate you trying to help. I’ll either keep those 2 Files in quarantine or delete them. As I mentioned, I use neither RealPlayer nor NULLSOFT. At least I’m little by little learning here on this forum the more logical steps to take when encountering Malware.

Hey, another question: On Saturday when I go run only the 2nd avast! Manual Scan ever on my friends’ computer, will the 4 Virus / Trojans currently in the Virus Chest show up on the Scan Results as still Infected Files? If so, will they show up as being in avast! Files? (The Virus Chest?) Or should I expect a case of since the 4 Files are in the Virus Chest, they will be invisible to the Manual Scan?

Files in the Chest are safe: they can’t get out of it, can’t be ‘scanned’ from outside, and won’t be displayed when you run an avast scan.

Oh, Okay. Cool. Thanks, Tech. It’s just that I remembered seeing this FAQ before at the avast! FAQ section:

Q: How is it possible that avast! finds viruses in its own folder C:\Program Files\Alwil Software\Avast4\Data\Moved? Does it mean that avast! is infected?
A: No, the folder C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\DATA\MOVED is the default folder for moved infected files. If you find some viruses in that folder, it means that these files were found infected previously, and you selected to MOVE them - and avast! moved them to the mentioned folder (and changed their extensions to *.vir, so that you couldn’t activate them by mistake).

http://www.avast.com/eng/virus_detection_and.html

So, I wasn’t sure whether to expect that the 4 Files in quarantine in the Virus Chest were going to AGAIN show up on the Scan Results … in avast! Files instead of at their original locations.

Hmmm? So what ARE they talking about in the above FAQ? Is it something different than what I’m asking?

We’re talking about different things: files in the Chest aren’t the files moved into the ‘moved’ folder. Moved files could be infected when avast scans, not the files in the Chest.