Avast update brings virus ???

I apologize in advance if I’m wrong, but I suspect that the latest update of Avast is infected.

I have 3 computers in my home lan, and they are set up to automatic Avast updates. I have rebooted 2 of them today and both loaded Windows (2000) but the desktop remained blank (no taskbar no icons).

Of course I searched Microsoft knowledge base and removed some files they say may cause this, but nothing helped. Then I decided to run Avast (I can still run programs by pressing Ctrl-Shift-Esc to bring up the task manager, and then choose File/Run from the menu).

When Avast loaded it discovered that there’s an infected process (explorer.exe). So I scheduled a boot scan and restarted. Avast found that \WINNT\explorer.exe is infected with Win32:Trojan (other), and deleted it. However Windows again booted to a blank desktop. I checked and discovered that the virus re-creates the false explorer.exe again and again.

After hours of trying to understand what is happening, I realized that there are more infected files in \WINNT and \WINNT\SYSTEM32. I performed a binary compare (FC /b) over the lan, and discovered differences even in some control panel applets (*.cpl files).

It seems that the virus infects some system files that load with Windows, so there’s no way to boot to a clean windows (even in safe mode Avast finds the virus in memory).

Of the 2 infected computers, one had nothing installed recently, and the only new programs are the automatic updates of Avast. I am sure about it because my wife uses it and she doesn’t even know how to download and install programs.

The third (uninfected) computer seems to be totally clean. However I’m afraid to reboot it because I think it downloaded the same Avast update and maybe after reboot it will also be infected. This one also had nothing new installed recently.

Can anyone confirm this? Any advice what I can do other than re-format and re-install everything?

Thanks,

J.

Can you send some of the “infected” files to virus@avast.com (with a brief description), please?

I have sent you an email with detailed description of what I see and attached RAR file that contains:

  1. explorer.exe from apparently clean computer.
  2. explorer.exe from apparently infected computer.

I hope it helps!

J.

I have this same issue!
same virus and same explorer.exe.

Unfortunately I deleted explorer.exe and now have no desktop icons or taskbar.
I have to use task mgr to do anything.

The avast scan seems to keep finding the virus even though I delete it.
Is this a new virus? What does {Other} in “win32:trojan-gen. {Other}” mean?
I can’t seem to find info on it.

Do I have to re-install???

I’d suggest to wait a while for the file analysis, before taking any “hard” actions.

OK, it seems it’s a false alarm - it will be fixed as soon as possible.
Sorry for the troubles.

levinut -

Don’t worry, Windows keeps copies of explorer.exe and re-creates the file automatically (in fact that’s what made me think that a virus is running wild on my system - I just couldn’t get rid of explorer.exe no matter how hard I tried).

If for some reason Windows doesn’t re-create explorer.exe for you, it doesn’t, you can still copy the file yourself from (windir)\system32\dllcache or EXPAND the original file from the Windows installation CD.

If all else fails I can email you my explorer.exe …

To Avast team -

I’m glad that it turns out to be just a false alarm. I apologize for blaming Avast for bringing in the virus, but I hope you understand that when two different computers stop working after an update…

Anyway you deserve a big Thank You for a great free product!

J.
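
Added example, not part of any post in this thread: a Python sketch of the comparison described above (FC /b against other copies, plus the dllcache and installation-CD copies). It reports whether a flagged file is byte-identical to a backup copy and whether a file taken from the CD is still compressed; the directory layout and file contents are constructed sample data, and all function names are hypothetical.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

def header_kind(data):
    """Classify a file by its leading bytes."""
    if data[:4] in (b"SZDD", b"MSCF"):
        return "compressed"        # COMPRESS/cabinet container: run EXPAND first
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
        return "mz-no-pe"          # DOS header only: not a Win32 image
    return "unknown"

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(flagged, references):
    """Hash the flagged file and list the reference copies it is identical to."""
    digest = sha256(flagged)
    same = [str(r) for r in references if r.is_file() and sha256(r) == digest]
    return {"sha256": digest, "kind": header_kind(flagged.read_bytes()),
            "identical_to": same}

def sample_pe(payload):
    """Constructed stand-in for a PE image: MZ stub, e_lfanew=0x40, PE signature."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + payload

def demo():
    """Constructed layout: flagged file, dllcache copy, another PC, CD file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "WINNT/explorer.exe": sample_pe(b"build-A"),
            "WINNT/system32/dllcache/explorer.exe": sample_pe(b"build-A"),
            "other_pc/explorer.exe": sample_pe(b"build-B"),   # other patch level
            "cd/I386/EXPLORER.EX_": b"MSCF" + b"\0" * 60,      # still compressed
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        paths = [root / rel for rel in files]
        result = triage(paths[0], paths[1:])
        result["cd_kind"] = header_kind(paths[3].read_bytes())
        return result

if __name__ == "__main__":
    print(demo())
```

A hash mismatch between two machines is not by itself evidence of infection, since service packs replace these files; a match against a trusted backup copy is what supports a false-positive reading.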

The update solving the false alarm is available now. Again, sorry for any troubles…

Pavel

Where people work, people make mistakes Pavel ;D
The good thing is that Alwil (Avast) is one of those companies that really listen to their customers and has a very fast response time !
Very much appreciated ! :smiley: :smiley: :smiley:

Well well well,

I’ll look forward to booting up my Win2000 with avast at home… ;D ;D

How come this false positive ?
Not tested on Win2000 ? or not on older/new versions patch-level-wise ??

? :wink:

Hello,

Same thing happened to me on two different computers. On one, I expanded and it worked fine…

On the other, problems:

I deleted the “explorer.exe” in "c:\winnt" & "…\dllcache" - upon reboot the file is NOT recreated.

I copied “explorer.exe” from another machine and also expanded from the Win2K install CD.

Each time I try to run it via the Task Mgr/ command line I get the following error:

“Program too big to fit in memory”

Help is much appreciated.

Thanks,
-John

Hi John,

  • a reboot doesn’t help ?

  • try running
    SFC /scannow
    from Start → RUN (logged in as ADMINISTRATOR)
    (But I’m not sure if this works after you’ve deleted the copy in “dllcache” ?)

  • there should also be the right version of explorer.exe in
    C:\WINNT\ServicePackFiles\i386
    → try copying it from there (maybe after booting from Win2k-CD and going to the console ?)

But maybe you should wait until someone from ALWIL team comes up with a suggestion…

:wink:

  1. Reboot does not help…

  2. ‘SFC /scannow’ ran successfully? (no response or errors) with same results

  3. There is no ‘explorer.exe’ file in my 'C:\WINNT\ServicePackFiles\i386' directory…

Any ideas?

Thanks!

I am going to save all docs and re-install windows 2000 to the same directory.
I will let you know tomorrow if it works…

I have seen that on Win2k with SP3 , SOME computers do have the problem. No matter what, updating avast (it’s available now!) does the trick.

Other solution (we’ve tried it in between updates) is updating the windows 2000 to SP 4…

The “problem” virus definitions do not seem to influence the win2k with SP4…

Do the update. I just did and the false positive is gone.

I have the 8/3/04 version of Avast on that system and still my problem launching “explorer.exe”

At startup a DOS window launches and for a split second I can see the “Program too big to fit in memory” error message - attempts to start “explorer.exe” through the command window yield the same results.

Thanks,
-John

Avast vps file version should be 0432-1.

This could be something else in my opinion.
what version of service pack are you using? I suggest updating to sp4.

Start Internet Explorer in the taskmgr (iexplore) and then browse to the Windows download site. You can also “browse” to your local folder (c:\ for example…)

(You can get an alternative to explorer if you launch taskmanager (ctrl-alt-del-> taskmanager) and in the file->run box you enter progman (it’s the old Windows GUI).)

I did not re-install.
All I did was copy explorer.exe from I386 directory to WINNT directory and rebooted.
Everything works now! Thanks to all who helped.

SP4 did the trick - thanks!

-John