Fake Anti-Virus Infection not removed

Having Avast updating twice a day and running successfully for a long time has lulled me into a false sense of security.

A couple days ago, a persistent baddie snuck in on a Java applet (I think) from a trusted website.

Avast responded, chirping “THREAT HAS BEEN DETECTED” and claimed the URL was blocked and no further action was required.

Wrong. It got through anyway. Suddenly pop-up windows appeared warning me the computer was unprotected and to “click yes” to activate an Anti-virus app. If I clicked “NO” all access to desktop icons was frozen with a message “infected file, no access.” If I clicked “YES” it attempted to open a browser window and “call home.” I stopped this by unplugging the internet connection.

----Avast had been disabled, listed in the Security pane as “OFF”
----Right clicking on the fake pop-up and checking Properties revealed it was located in USERS\NAME\DOCUMENTS AND SETTINGS
----I temporarily stopped it by logging off my user name and re-logging in to XP under a different name as Administrator.

Ran Avast scan—nothing detected. Ran Boot Scan. 2 infections found and stopped. Wrong. Was still in there.

Finally snagged and exterminated by running SpyBot S & D, which reported 10 infected files including 2 trojans, all of which got by Avast.

I am astonished (and now worried) that Avast was totally helpless in this case.

I suggest you try Hitman Pro - Second Opinion Malware Scanner

How to Start Hitman Pro in Force Breach Mode

Read the instructions, download and burn (maybe from another computer), and finally use one of these rescue CDs:

  1. Dr. Web
  2. Avira
  3. BitDefender
  4. Kaspersky
  5. F-Secure

You can also check this comparison article.

What’s Avast’s self-defense module doing during that time??? :)

Edit: mentioning again that Avast services can be disabled without entering any password, and with the self-defense module activated. Do I need a HIPS again to protect Avast processes against termination, like I was doing with 4.8 (and def+)???

+10

Off topic: strangely, I just got advised (with the “new replies” button) about your answer… and you posted it 4 hours ago???

Okay, what I wanted to say: the self-defense module seems only to be able to prevent external programs from modifying Avast files, or easily stopping Avast processes, but it’s not meant to stop anything from bringing down Avast… and that’s the problem, there’s nothing to do just that, prevent Avast services from being terminated. The services aren’t protected at all. No access denied warning when you attempt to stop them manually, no password prompt… and I have no idea how this can be achieved. The only thing I know is that it’s doable >>> CIS does that, protects its own services efficiently. But it’s got a HIPS and that helps…
I’ve mentioned a few times (with no feedback) that something seemed to be planned, based on a paragraph found in the Firewall help section:

Process control

Here you can define which programs can, and cannot, run other applications that have access to the Internet or can connect with other computers on your network. This is useful as it can prevent an incoming connection from simply launching another application, which may then be used to perform unauthorized actions. This is a trick commonly used by hackers to collect personal or sensitive information without the user's knowledge.

If a program is not listed in either category, avast! will decide automatically whether or not the process should be allowed by carrying out various checks, for example whether the program that is trying to launch another application is a recognized program and one that would normally be expected to behave in this way.

…this could do the trick for Avast itself if that was implemented, but that seems to be planned for AIS only, so…