Bit of advice please :)

Hey guys,

New to avast! and using the avast! 4 antivirus Home Edition, which so far is very very impressive. A few weeks back, I got an MBR virus, or I think I did, downloaded a file by mistake with no extension on it, AVG never said anything about it, so I just deleted it. I thought it was a little bit odd so ran a virus scan, at the time I was using the AVG Free edition, all it reported is that my MBR had changed and my D drive partition table had, the same drive to where the file was downloaded to. Loaded up using my Windows CD (Vista) and it was saying my OS was installed on the D drive, where it was in fact the C drive. So I went and formatted all of my HDDs and everything seems ok now but would still like some reassurance.

When I load my Windows CD up, it’s reporting the correct location for my OS, the C drive, have run avast! a few times, with all settings at the max, clean, ran online Virus scanners, clean. Installed COMODO Firewall Pro from the advice of a co-worker as well to make sure everything is looking good, and it is, I think.

I just did a quick scan with the avast! Virus Cleaner Tool and it said everything was clean, am I just being paranoid? Below is the log file from it;

22/04/2008, 08:47:41 AM
Memory scanning started…
No virus body found in memory.
Memory scanning finished (8.7s).

Files scanning started…
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log… file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log… file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb… file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb… file could not be scanned!
C:\System Volume Information{14c0c9bf-0f4d-11dd-bbc5-e5dbc5cdcdf0}{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\System Volume Information{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\System Volume Information{40e5b063-0e97-11dd-8f4b-9e5b727478f0}{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\System Volume Information{4a584f6f-1034-11dd-837a-c7cc1f23d1f1}{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\System Volume Information{4bb9f6a0-0d2b-11dd-984d-8e2007f76cfb}{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\System Volume Information{4bb9f6ae-0d2b-11dd-984d-8e2007f76cfb}{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\System Volume Information{4bb9f6b4-0d2b-11dd-984d-8e2007f76cfb}{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\System Volume Information{4bb9f6f5-0d2b-11dd-984d-8e2007f76cfb}{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\System Volume Information{4bb9f705-0d2b-11dd-984d-8e2007f76cfb}{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\System Volume Information{f919a31f-0c70-11dd-acaf-efbc960275f5}{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\System Volume Information{f919a32d-0c70-11dd-acaf-efbc960275f5}{3808876b-c176-4e48-b7ae-04046e6cc752}… file could not be scanned!
C:\Users\Dan\ntuser.dat.LOG1… file could not be scanned!
C:\Users\Dan\AppData\Local\Microsoft\Outlook\outlook.ost… file could not be scanned!
C:\Users\Dan\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1… file could not be scanned!
C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word~WRS{40E0B672-F561-4886-BA84-900415755A63}.tmp… file could not be scanned!
C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word~WRS{7C6BC11A-A7EE-4501-8203-D9ACFD69588C}.tmp… file could not be scanned!
C:\Users\Dan\AppData\Local\Microsoft\Windows Defender\FileTracker{44259D1B-3F51-4007-81F2-A8DD18D803CF}… file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1… file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat… file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat… file could not be scanned!
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1… file could not be scanned!
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0… file could not be scanned!
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0… file could not be scanned!
C:\Windows\System32\catroot2\edb.log… file could not be scanned!
C:\Windows\System32\catroot2{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb… file could not be scanned!
C:\Windows\System32\catroot2{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb… file could not be scanned!
C:\Windows\System32\config\COMPONENTS.LOG1… file could not be scanned!
C:\Windows\System32\config\DEFAULT.LOG1… file could not be scanned!
C:\Windows\System32\config\SAM.LOG1… file could not be scanned!
C:\Windows\System32\config\SECURITY.LOG1… file could not be scanned!
C:\Windows\System32\config\SOFTWARE.LOG1… file could not be scanned!
C:\Windows\System32\config\SYSTEM.LOG1… file could not be scanned!
C:\Windows\System32\config\RegBack\COMPONENTS… file could not be scanned!
C:\Windows\System32\config\RegBack\DEFAULT… file could not be scanned!
C:\Windows\System32\config\RegBack\SAM… file could not be scanned!
C:\Windows\System32\config\RegBack\SECURITY… file could not be scanned!
C:\Windows\System32\config\RegBack\SOFTWARE… file could not be scanned!
C:\Windows\System32\config\RegBack\SYSTEM… file could not be scanned!
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT… file could not be scanned!
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1… file could not be scanned!
No virus body found.
Files scanning finished (100756 files, 0 infected, 741.4s).
Drives scanned: C: D: E: H:

Should I be worried from any of the files not scanned? Any help or advice will be greatly appreciated. :)

Seems you’re ok… just that MBR is not overwritten by just formatting… you need partition tools to do that. But seems that avast has restored you to peace.

Did you change avast settings? If not, don’t worry, files in use, access denied, etc.
avast running at boot time should be able to access all those files.

There are many legitimate reasons why a file/s can’t be scanned and that reason is usually given in the list, unfortunately the reason why they couldn’t be scanned isn’t given, though these look like it could be access denied as Tech also mentions.

Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others (and avast doesn’t know the password or have any way of using it even if it did know it). Not the case in this instance.

Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

Hey guys,

Thanks for the replies, really helpful, starting to get over my fear that something may still be hiding here. When I reinstalled Windows, I formatted the drives, removed the partitions (all at the same time) but only from Windows, would this have been enough?

Also the avast! BART CD is that like a Live Linux CD? Where it boots from there and “does its thing”?

Thanks again for the replies, really appreciate it. ;D

No problem, glad I could help.

I don’t know if you have seen this page, http://www.avast.com/eng/avast_bart_cd.html, the Bart CD is bootable.

Welcome to the forums.

Thanks. :)

Got the Bart CD on trial at the moment, ran a scan and it found “Win32:PowerSpider-F” marked as a trojan, removed it, scanned again and it said it was clean. Booted up my PC, used it all day, did another scan, it’s back. Did a Google on it found nothing, apart from a site that seemed to have made it, or know of its maker. :o

The file that is infected is called “C:\pagefile.sys”, anyone have any help or advice on how to remove this? Worries me that avast! or any online scanners never picked this up. :'(

This is the virtual memory file, i.e., things that were active in memory.
It shouldn’t be detected as it is on avast Exclusion lists… did you remove it from there?
When you boot next time the contents of this file will be renewed. You shouldn’t worry.

All I changed on the Bart CD was to do a Thorough scan, and a place to extract to and the log file;

;******
;Scan header
;VPS file version: April 18, 2008 - [80418-0]
;Params: C:\ D:\ E:\ F:\ Scan: Full files, All files, Ignore targeting, Archive: All packers,
;Columns: File name TAB Status [OK,INFECTED,ERROR]
;******
C:\hiberfil.sys ERROR: Access is denied. Nr(5)
C:\pagefile.sys INFECTED: Win32:PowerSpider-F [trj]

Only thing that worries me is that it’s getting remade each time I boot up into Windows. ???

Can you check if pagefile.sys is on the Exclusion lists?

For the Standard Shield provider (on-access scanning):
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button…

For the other providers (on-demand scanning such as the screen-saver or the Simple User Interface):
Right click the ‘a’ blue icon, click Program Settings.
Go to Exclusions tab and click on Add button…

Took a quick look in there and it’s set to skip it, could it be the Bart CD giving a false positive? Or should I have avast! set to scan it?

It uses the same virus database as the avast for PC… so, if it is updated…

I’m not following you in this point… can you rephrase?

Sorry, on avast! antivirus Home Edition 4 it is set to ignore ?:\PAGEFILE.SYS, should I remove this from the list and have it rescan? My main worry is it’s getting removed with the use of the Bart CD, then when I load back into Windows, do my daily work on the PC, run the Bart CD again it’s there again. :(

No, you should leave this entry in the Exclusion list.
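
The thread's starting point was a scanner reporting that the MBR and a partition table had changed, and a reply points out that formatting alone does not overwrite the MBR. As an added example (not part of the original thread and not any scanner's actual code), this Python sketch shows how a saved copy of sector 0 can be compared with the current one to tell a boot-code change from a partition-table change. It assumes the 512-byte sector has already been read from a disk image; the sample sectors are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440      # bytes 0-439 hold boot code; 440-445 disk signature
TABLE_OFFSET = 446       # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its used partition entries."""
    if len(sector) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        entry = sector[TABLE_OFFSET + 16 * slot: TABLE_OFFSET + 16 * (slot + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0x00 marks an unused slot
            partitions.append({"slot": slot, "active": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def compare(baseline: dict, current: dict) -> list:
    """Name the parts of the MBR that differ from a known-good baseline."""
    changes = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        changes.append("boot code")
    if baseline["partitions"] != current["partitions"]:
        changes.append("partition table")
    return changes


def build_sector(boot_code: bytes, entries: list) -> bytes:
    """Assemble a sample sector from boot code and (active, type, start, count)."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if a else 0, b"\0" * 3, t,
                                 b"\0" * 3, start, n) for a, t, start, n in entries)
    return boot_code.ljust(TABLE_OFFSET, b"\0") + table.ljust(64, b"\0") + SIGNATURE


# Constructed sample sectors (not taken from any real disk).
BOOT = b"\xfa\x33\xc0" + b"\x90" * 100
KNOWN_GOOD = build_sector(BOOT, [(True, 0x07, 2048, 204800)])
REPARTITIONED = build_sector(BOOT, [(True, 0x07, 2048, 409600)])
BOOT_CODE_CHANGED = build_sector(b"\xeb\x3c" + BOOT, [(True, 0x07, 2048, 204800)])
```

A difference in the partition table alone is what repartitioning produces; a boot-code difference is the case that needs a closer look.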