can't get rid of trojan horse win32:VB-BLQ

Hi can anyone help with this?

When I scan with Avast home, I get an alert message that a Trojan Horse has been found, so I move it to chest. I then scan again, and Avast results say it’s all clear. However, when I reboot and scan again, the same Trojan Horse is found again and the same thing happens again.

The Trojan it finds is named “Win32:VB-BLQ [trj]”
Original file name: aswAr1.log
Original folder C:\ProgramFiles\Alwil Software\Avast4\DATA\log ???

What a weird thing… seems that some script was logged into avast antirootkit or the log has a rootkit behavior?
Strange… can you open Notepad, then open the file aswAr1.log, select all and copy & paste the contents here?

Hi, the log file aswAr1 log is 1.8 meg, too big, when copied to Notepad.
The original aswAr1 log is 3.68 meg, too big to post here. :stuck_out_tongue:

Hi, I am now scanning by folder to try to shrink the size of the aswAr1 log :slight_smile:

Use rapidshare.com or sendspace.com to upload your big thing here and give us the URL to download it, and Tech or any guy will see it.

Firstly I only have one aswAr.log file (no aswAr1.log) and that is the grand total of 64KB.

The anti-rootkit log should only retain the data of the last anti-rootkit scan, commonly 8 minutes after boot, and it should overwrite the previous contents and not append to the file, so it should essentially stay small.

I don’t know if there is a setting somewhere that can be changed to overwrite rather than append to your file/s.
Presumably the contents of the logs have more than just the last scan?
Since there is now an aswAr1.log I take it that the aswAr.log is no longer being used (last modified date in Windows Explorer)?

Hi, thanks for looking in on this.
Re: size of logs. The logs in the log files all seem to be overwriting OK, and are small. The aswar.log is modified after each scan as normal, I think.
Also, I’ve seen that… if I scan with folder scan, no aswar1.log appears. It’s only when I scan with local hard disks that, if I stop the scan, then go to avast log files, the aswar1 log is there.
Also, if I scan with local hard disks and stop before system32, then scan with quick scanner the aswar1 log that has appeared in the log files, it shows result clean.
Now, if I scan local hard disk again and stop after system32, then scan the aswar1 log in the log files with the quick scanner, the trojan horse warning appears, move to chest etc.
So something in system32? :-\

You say the size of the files are small, but that isn’t what you initially reported of 3.86MB for aswar.log and 1.7MB for aswar1.log, so has this changed because there is no way this could be considered small.

The anti-rootkit scan when in the on-demand scans from the simple user interface, is I believe related to sensitivity (standard and thorough) and with the all local drives (because by limiting the scan to a particular folder, it is effectively stopping the aswar scan access to what it might need to scan).

So I don’t know what you mean by, no aswar1.log appears on folder scans, the anti-rootkit scan log doesn’t appear, but it is updated and you can access that log using notepad. The only thing (in the home version) that appears would be a list of files that couldn’t be scanned along with a reason. So I’m not entirely sure as to what you actually mean here.
If you mean no avast alert appears, then I’m not entirely surprised as I believe the detection on the log file to have been a false positive detection.

You have already said that the aswar.log is updated (overwritten) after a scan, but is there then any activity on the aswar1.log that was originally detected ?

Personally I would get rid of the file and be done with it as avast would recreate it if required. You would however, need to use the avast Program Settings, Troubleshooting, section to Disable avast! self-defence module and then delete aswar1.log. Once you have done that enable the avast self-defence module again.

Hi Sorry for any confusion.

If you look back at my original report, it is the aswar1 log that is 3.86 meg and it becomes 1.8 meg when copied / pasted to notepad.

Just to be clear, all the other logs in the log folder, including aswar.log, are small and when you view last modified date/time on the aswar.log it is updating.

It’s just this aswar1.log file that appears during a scan that ends up showing the trojan.

  1. If I do a folder scan on the folder system32 only - no aswar1.log
  2. If I do a hard disc scan and stop it BEFORE system32 - aswar1.log appears but a scan then of that log file shows clean.
  3. If I do a hard disc scan and stop it AFTER system32 - aswar1.log appears and a scan then of that log file shows the Trojan.

I have tried many times before to just delete both the Aswar.log and Aswar1.log files, but they both reappear (of course, I would expect the aswar.log to reappear).

With regard to if Aswar1.log gets updated. Because the file is moved to chest via Avast, I cannot answer. Should I not move to chest and do a further scan to check if it gets updated? Please let me know.

I still don’t know what you mean by no aswar1.log appears, do you mean no detection on the aswar1.log ?

If so that is hardly surprising if you are only scanning the system32 folder as it isn’t there but in the C:\ProgramFiles\Alwil Software\Avast4\DATA\log folder as you said.

That is my problem: what do you mean by appears? To me that means pops-up as it is displayed/appears, and the only thing that should appear as a result of an on-demand scan is the list of files that can’t be scanned.

If you stop a scan then there effectively shouldn’t be any reporting though the anti-rootkit is a separate part of the on-demand scan.

Sorry but that makes it no clearer for me at all and may just be making matters more complex when deletion of the file as I suggested would probably resolve this anyway.

Hi, sorry for the confusion.

After I scan with the simple user interface.

In the LOG folder I have two aswar log files.

1 is aswar.log
2 is aswar1.log

The aswar1.log is infected with a trojan horse. When I delete this file (move to chest) it’s gone.
There is now only one aswar log file in the LOG folder.

Now when I scan again with the simple user interface.

In the LOG folder I have two aswar log files.

1 is aswar.log
2 is aswar1.log

The aswar1.log is infected with a trojan horse. When I delete this file (move to chest) it’s gone.
There is now only one aswar log file in the LOG folder, and so on.

As you explained, you don’t have an aswar1.log.
The question is why do I, and why is it still infected?

Thanks again

I have no answer to why you have an aswar1.log and I don’t, I’m only an avast user like yourself.

However, I suggested that you manually delete this file after disabling the avast self-defence module. I think you should do that, as it may be possible that the file isn’t actually removed by avast if the self-defence module protects it, I don’t know.

Hi, still got the aswar1 log.

I’ve just run "autoruns sysinternals"

showing this result for aswarkrn

aswArKrn File not found: C:\DOCUME~1\TIM~1\LOCALS~1\Temp\aswArKrn.sys

How can I get aswarkrn.sys back to where it should be?

Thanks

I don’t even know if this is an avast file as I can’t find it on my system. So it may be that it is only created for a purpose and if it is an avast file based on the file name I believe it could be used as a part of the anti-rootkit scan as in asw (Alwil SoftWare) Ar (Anti-rootkit) Krn (Kernel), but that is a large degree of supposition on my part.

Again if it is an avast file, and it relates to the anti-rootkit scan, I’m not surprised it isn’t found, because this is a temporary location and I guess when it has completed its task it is removed from the temporary location.

Personally I don’t believe you need do anything other than establishing why autoruns even lists it. e.g at what point did you run it. If this were truly a startup entry, which I doubt then you should get an error at startup that the file is missing and since you haven’t mentioned it I can only presume you haven’t.

There is definitely some weird stuff going on on your system that I have no clue about.

Just something to try??
Do it at your own risk??

I suggest that when you locate the virus "aswar1.log" in the files of your computer (note: not in the Avast Chest; make a note of its location to restore same to), you right-click on same, use “Cut” from the dropdown menu and “Paste” into a new folder on your desktop, then “Cut” and “Paste” same to your memory stick [so as to not have same on your computer and from where you can copy same back if required].
This is the way I recently removed another such trojan that kept activating itself on each of my computer startups???

Regards, Colin [Australia]


Information on aswArKrn.sys :

http://spywaredlls.prevx.com/RRFDHF44675193/ASWARKRN.SYS.html

Check your file size to see if it is 138,080 bytes.


Possibly, with further thinking, to do the above I feel you should have your computer set to “Show Hidden Files”, and when you have the “Avast Virus Warning” box come up you click on “No Action” [to leave the virus present where it is] and then do a “Search” for the aswar1.log and then cut and paste same into the formed folder and add same to a Zip file [to contain it] and then from your computer cut and paste to your memory stick.
This worked for me!

Regards

Hi,
I’m having the same problem. I keep running the scan and it finds the exact same malware problem: Win32:VB-BLQ

The file infected is: C:\ProgramFiles\AlwilSoftware\Avast4\DATA\log\aswAr1.log

When I look for that file, it doesn’t appear.
“Show all hidden files and folders” is activated in my file preferences.

Anyone know what is going on here?