detected file still installed on PC

Hi all, I have some questions.

  1. Yesterday I got a "don't panic" message that some file was stopped during browsing. Then later I planned a boot scan and Avast found this file, Win32 Agent ONZ [trj], in the cooledit (waveform editor) folder (both on C and on F, but the names of the infected exe files were different) and also in the System Volume Information folder of C and F.

I also found this info on the forum:

avast's Web Shield can scan http traffic on port 80 before it is saved into your browser cache so the web page, images, etc. can be displayed. So if something harmful is detected it can be intercepted.

How can it be that Avast blocks a file and then still finds it on my PC when I scan it later? Is removing files from the Chest sufficient (I did a boot scan later and nothing was found anymore)?

  2. A trojan does not run by itself unless I click it, I think. How can it be able to install itself, but not be able to run itself? That seems weird. I mean, how does it know what files to infect if it is not running?

  3. Does it matter if I use the avast boot scan in safe mode or not? With safe mode I mean Start > Run > msconfig > Boot.ini > /safeboot checked.

  4. Can I install and run AVG on XP if Avast is installed on it too?

Hope you can answer my questions

Viruses have their tricks…
Anyway, the System Volume Information folder is the System Restore folder.
You can disable System Restore, deleting the infected restore points, and re-enable it after that. Or use avast at boot time to scan and send the infected files to the Chest.

Files are safe in the Chest and can't harm your computer. Leave them there for further investigation: you keep the possibility of restoring the files (false positives) or of getting further info about what is happening on your computer. The Chest is safe.

Which is your Standard Shield sensitivity?
avast can let inert virus files (inside archive files) be saved (it does not scan them on-access, so as not to drop the performance of the computer). If the file is unpacked, extracted from that archive, avast will detect it.

No.

No. Just one antivirus at a time.

Thanks, Tech!

Viruses have their tricks... Anyway, the System Volume Information folder is the System Restore folder. You can disable System Restore, deleting the infected restore points, and re-enable it after that. Or use avast at boot time to scan and send the infected files to the Chest.

If copies are present in system restore, does that mean the files have been on the computer since shutdown the day before?

Which is your Standard Shield sensitivity? avast can let inert virus files (inside archive files) be saved (it does not scan them on-access, so as not to drop the performance of the computer). If the file is unpacked, extracted from that archive, avast will detect it.

The sensitivity is high in all fields (slider in mid position). But then how does it recognize the cooledit program? (the paths of the program (C) and the install (F) are completely different) How is it put in there?

Not necessarily, Windows could create restore points after booting too.

I’m not following you, can you rephrase?

I didn't understand how it could find these 2 files on separate drives. But now I think I know. I've retrieved a backup of the file from February 2006 with the same result. So the infection is almost 2 years old and was copied to the other disk during installation. I think it took that long because it wasn't in the Avast virus definitions before. At least I assume that is what caused it, and I think the browser attack the same day was then indeed stopped successfully but had nothing to do with it. It just happened to be a coinciding event. That's my theory.

Malware name: Win32:Agent-ONZ [trj]
Malware type: Trojan horse
VPS version: 071220-0, 20/12/2007

Thank you very much for answering my questions.

It could be a false alarm. Can you submit the file to www.virustotal.com and let us know the results?

Hmmm… it could be a false positive also.
Can you submit the cooledit file to www.virustotal.com ?

Sorry, Igor posted the same before.

Avast is the only one returning something. The others return a hyphen. I guess you are right.
Antivirus   Version      Last Update   Result
Avast       4.7.1098.0   2007.12.20    Win32:Agent-ONZ
Do you maybe also know how I can turn off autorun? When I plug-in my USB drive it starts to run the files. I’ve tried this key, but that didn’t help yet

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom
AutoRun = 0 (used to be 1, but changing it to 0 doesn't help)

Use TweakUI from Microsoft. I'm on Vista now, so I can't post a screenshot of it. But it has an option to configure that.
http://download.microsoft.com/download/f/c/a/fca6767b-9ed9-45a6-b352-839afb2a2679/TweakUiPowertoySetup.exe
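As an added example (not code from this thread, from Avast, or from Microsoft), the Python script below shows why the Cdrom\AutoRun value did not help and what TweakUI changes instead. Services\Cdrom\AutoRun only controls media-change notification for CD-ROM drives; AutoRun for every drive type, USB removable drives included, is governed by the NoDriveTypeAutoRun REG_DWORD under HKEY_CURRENT_USER (or HKEY_LOCAL_MACHINE)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, which is the value the TweakUI Autoplay page adjusts. The script computes that bitmask for a chosen set of drive types, prints the reg.exe command that writes it, and parses an autorun.inf (the sample file content, folder and executable name are constructed for illustration) to show what Windows would have launched from the stick. On XP, Microsoft later shipped an update (described in KB967715) so that this policy is honored reliably; applying current updates is worth checking as well.

```python
"""Added example: NoDriveTypeAutoRun bitmask and autorun.inf parsing.

Not code from the forum thread, Avast, or Microsoft. The autorun.inf
sample below is constructed for illustration.
"""
import configparser

# Policy value that disables AutoRun per drive type:
#   HKCU or HKLM \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
# Each set bit disables AutoRun for that drive type; 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,      # DRIVE_UNKNOWN
    "no_root_dir": 0x02,  # DRIVE_NO_ROOT_DIR
    "removable": 0x04,    # DRIVE_REMOVABLE: USB sticks, floppies, card readers
    "fixed": 0x08,        # DRIVE_FIXED: internal hard disks
    "remote": 0x10,       # DRIVE_REMOTE: network shares
    "cdrom": 0x20,        # DRIVE_CDROM: the only type Services\Cdrom\AutoRun affects
    "ramdisk": 0x40,      # DRIVE_RAMDISK
    "reserved": 0x80,     # unused drive type; included in the 0xFF "disable all" value
}


def no_drive_type_autorun(disable=None):
    """Return the NoDriveTypeAutoRun DWORD that disables AutoRun for the named
    drive types, or 0xFF (every type) when no list is given."""
    if disable is None:
        return 0xFF
    mask = 0
    for name in disable:
        mask |= DRIVE_TYPE_BITS[name]
    return mask


def reg_command(mask, hive="HKCU"):
    """Build the reg.exe command line (to paste into cmd.exe) that writes the mask."""
    return ('reg add "%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" '
            '/v NoDriveTypeAutoRun /t REG_DWORD /d 0x%02X /f' % (hive, mask))


def parse_autorun_inf(text):
    """Extract what an autorun.inf would make Windows run: the 'open' program,
    a 'shellexecute' target, and every shell\\<verb>\\command entry (the verbs
    show up in the drive's context menu; the default verb runs on double-click)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    # Section names are case-insensitive in autorun.inf but case-sensitive in configparser.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    launch = {"open": None, "shellexecute": None, "verbs": {}}
    if section is None:
        return launch
    for key, value in cp.items(section):
        key = key.lower()  # configparser already lowercases option names; be explicit
        if key == "open":
            launch["open"] = value
        elif key == "shellexecute":
            launch["shellexecute"] = value
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            launch["verbs"][verb] = value
    return launch


# Constructed sample of the kind of autorun.inf a USB worm drops; the folder
# and executable name are hypothetical.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=hidden\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=hidden\\update.exe
shell\\explore\\command=hidden\\update.exe
shell=open
"""

if __name__ == "__main__":
    print("This autorun.inf would launch:", parse_autorun_inf(SAMPLE_AUTORUN_INF))
    print("Disable AutoRun on removable drives and CD-ROMs only:",
          hex(no_drive_type_autorun(["removable", "cdrom"])))
    print(reg_command(no_drive_type_autorun()))
```

Setting 0xFF is the safest choice on a machine that does not need AutoRun at all; the narrower mask shown in the script keeps AutoRun for fixed and network drives. The policy lives under HKCU for the current user and under HKLM for all users; the HKLM value takes precedence when both are set.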

Yep, that worked! Thanks!

Glad I could help…