Got a virus -- are my settings wrong?

Using Avast Home 4.8.
Background: WIN XP SP2 would not complete boot yesterday. Errors: “Windows Explorer has encountered a problem and needs to close…” followed by “Dr. Watson has encountered a problem…” Tried it again just to make sure.
(The previous day, Avast had picked up 3 occurrences of what it called something like “suspicious white space” in incoming emails. I had selected Delete. All 3 had the subject line “LED LIGHTS,” which is slightly odd because that would be a valid subject for me to receive.)
Booted into Safe Mode and ran a complete scan. Avast picked up several viruses, mostly in the attachments folder of Eudora. (I sent them to the Chest.) After the scan was finished (24 hours for two medium size HD’s), computer booted normally – no problem.

My questions are:

  1. Why were the viruses found in the manual scan not caught earlier? 1b. Do I have something set incorrectly?
  2. Is there a way to tell which virus caused the problem (and was it the emails intercepted or one of the ones found in the manual scan)?
  3. Can I schedule scans?

Thank you for any pointers!

XP SP3 has already been available. Please update your XP.

Can you please post your warning log?

Could be a lot of things:

  1. Depending on the virus, your sensitivity level (customized) could be lower than the Normal (best) level.
  2. The virus definitions were added after the email arrived, so only a further scan could detect them.

Probably the ones detected by manual scan.

Right now, only in the professional version.

In reply to the two posted replies (and thanks!) –

Where do I find the warnings log?

And the level was default set to Normal. I just moved it to High. Those are the only two options.

I’d been holding off on SP3 because I’d read of problems, and the advice I’d received was that if SP2 was working OK, it wasn’t worth the risk of upsetting the apple cart. All other MS updates are installed weekly.

Got another two intercepted emails just now with “Suspicious whitespace sequence.” Same subject line. Never had the siren alert notices before last week.

Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

Use malwarebytes.org lol

SP3 issues have been resolved ages ago.

SP3 provides performance and stability improvements as well as Critical Updates.

http://www.xp-updates-made-easy.com/xpsp3.html

Thanks – found the warning log. Here’s the most recent info:

9/23/2009 4:27:52 PM 1253737672 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\EUBackup-2009-09-05.bdz\Attach\D62e3e4db.zip\D62e3e4db.exe” file.
9/23/2009 5:10:09 PM 1253740209 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\EUBackup-2009-09-05.bdz\Attach\Dbd0a53b9.zip\Dbd0a53b9.exe” file.
9/23/2009 5:11:46 PM 1253740306 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\EUBackup-2009-09-05.bdz\Attach\M93c05c5a.zip\M93c05c5a.exe” file.
9/23/2009 6:25:27 PM 1253744727 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\Eudora\Attach\1252915553.zip\1252915553.exe” file.
9/23/2009 6:26:05 PM 1253744765 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\Eudora\Attach\475456.zip\475456.exe” file.
9/23/2009 6:26:50 PM 1253744810 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\Eudora\Attach\4754561.zip\475456.exe” file.
9/23/2009 6:26:51 PM 1253744811 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\Eudora\Attach\4754562.zip\475456.exe” file.
9/23/2009 6:28:25 PM 1253744905 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\Eudora\Attach\D62e3e4db.zip\D62e3e4db.exe” file.
9/23/2009 6:28:35 PM 1253744915 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\Eudora\Attach\Dbd0a53b9.zip\Dbd0a53b9.exe” file.
9/23/2009 6:31:25 PM 1253745085 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\Eudora\Attach\M8b7f2cc9.zip\M8b7f2cc9.exe” file.
9/23/2009 6:32:55 PM 1253745175 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\Eudora\Attach\M8b7f2cc91.zip\M8b7f2cc9.exe” file.
9/23/2009 6:33:06 PM 1253745186 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\Eudora\Attach\M93c05c5a.zip\M93c05c5a.exe” file.
9/23/2009 6:33:45 PM 1253745225 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\Eudora\Attach\nz.zip\nz.exe” file.
9/23/2009 6:33:47 PM 1253745227 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\Eudora\Attach\nz1.zip\nz.exe” file.
9/23/2009 9:13:08 PM 1253754788 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “I:\downloads\eufo.zip\EuFO.exe” file.
9/24/2009 12:35:45 AM 1253766945 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “I:\EUBackup-2009-09-05.bdz\Attach\D62e3e4db.zip\D62e3e4db.exe” file.
9/24/2009 12:44:23 AM 1253767463 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “I:\EUBackup-2009-09-05.bdz\Attach\Dbd0a53b9.zip\Dbd0a53b9.exe” file.
9/24/2009 12:45:57 AM 1253767557 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “I:\EUBackup-2009-09-05.bdz\Attach\M93c05c5a.zip\M93c05c5a.exe” file.
9/24/2009 1:54:29 AM 1253771669 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “I:\Eudora\Attach\1252915553.zip\1252915553.exe” file.
9/24/2009 9:39:26 AM 1253799566 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “I:\Eudora\Attach\475456.zip\475456.exe” file.
9/24/2009 9:44:58 AM 1253799898 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “I:\Eudora\Attach\4754561.zip\475456.exe” file.
9/24/2009 9:45:00 AM 1253799900 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “I:\Eudora\Attach\4754562.zip\475456.exe” file.
9/24/2009 9:48:33 AM 1253800113 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “I:\Eudora\Attach\D62e3e4db.zip\D62e3e4db.exe” file.
9/24/2009 9:48:53 AM 1253800133 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “I:\Eudora\Attach\Dbd0a53b9.zip\Dbd0a53b9.exe” file.
9/24/2009 9:54:52 AM 1253800492 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “I:\Eudora\Attach\M8b7f2cc9.zip\M8b7f2cc9.exe” file.
9/24/2009 9:54:55 AM 1253800495 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “I:\Eudora\Attach\M8b7f2cc91.zip\M8b7f2cc9.exe” file.
9/24/2009 9:54:57 AM 1253800497 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “I:\Eudora\Attach\M93c05c5a.zip\M93c05c5a.exe” file.
9/24/2009 9:56:58 AM 1253800618 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “I:\Eudora\Attach\nz.zip\nz.exe” file.
9/24/2009 9:57:05 AM 1253800625 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “I:\Eudora\Attach\nz1.zip\nz.exe” file.
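
A way to see which detections in a Warning.log like the one posted above are actually distinct, as an added example that is not part of the original thread: it parses the line shape seen in the post and groups hits by signature and inner file name, so copies under F:, I: and the .bdz backup collapse into one entry. The function names are hypothetical, and treating an identical inner file name as the same sample is an assumption (a file hash would confirm it).

```python
import re
from collections import defaultdict

# Six lines taken from the log posted above, plus one constructed malformed
# line to show that unparseable input is counted rather than silently dropped.
SAMPLE = r"""
9/23/2009 4:27:52 PM 1253737672 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\EUBackup-2009-09-05.bdz\Attach\D62e3e4db.zip\D62e3e4db.exe” file.
9/23/2009 6:26:05 PM 1253744765 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\Eudora\Attach\475456.zip\475456.exe” file.
9/23/2009 6:26:50 PM 1253744810 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\Eudora\Attach\4754561.zip\475456.exe” file.
9/23/2009 6:28:25 PM 1253744905 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\Eudora\Attach\D62e3e4db.zip\D62e3e4db.exe” file.
9/23/2009 9:13:08 PM 1253754788 Administrator 1484 Sign of “Win32:Trojan-gen {Other}” has been found in “I:\downloads\eufo.zip\EuFO.exe” file.
9/24/2009 12:35:45 AM 1253766945 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “I:\EUBackup-2009-09-05.bdz\Attach\D62e3e4db.zip\D62e3e4db.exe” file.
9/24/2009 1:00:00 AM this line is truncated
"""

# Local time, epoch seconds, user, a numeric field whose meaning the thread does
# not state, then signature and path in straight or curly quotes.
LINE_RE = re.compile(
    r'^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M (?P<epoch>\d+) \S+ \d+ '
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

def parse(line):
    """Return one detection as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    # The last path component is the file inside the archive that was flagged.
    return {"epoch": int(m["epoch"]), "signature": m["sig"],
            "path": path, "sample": path.rsplit("\\", 1)[-1].lower()}

def summarize(text):
    """Group detections by (signature, inner file name); count skipped lines."""
    groups = defaultdict(lambda: {"first_seen": None, "locations": set()})
    skipped = 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        g = groups[(rec["signature"], rec["sample"])]
        g["locations"].add(rec["path"])
        if g["first_seen"] is None or rec["epoch"] < g["first_seen"]:
            g["first_seen"] = rec["epoch"]
    return dict(groups), skipped

if __name__ == "__main__":
    found, bad = summarize(SAMPLE)
    for (sig, name), g in sorted(found.items()):
        print(f"{sig:28} {name:16} copies={len(g['locations'])}")
    print("unparsed lines:", bad)
```
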

I think the Win32:BredoPack is a fake/rogue security program
http://www.virustotal.com/analisis/99b1003f70087ee5e72f97e887302f4173f1d998094b35422a69362d1075965d-1252521318

Try Malwarebytes and Superantispyware

I guess one of my main questions is: why didn’t Avast pick these up before I ran a manual scan? Doesn’t it check email attachments as they come in? (An antivirus program should, right?)
And why did it pick up just those “suspicious white space” emails?

No AV is perfect. avast Home has a mail scanner (not many free AVs do), but
there is no AV that detects 100% of viruses.
Your settings probably aren’t wrong.
Try these tools (MAKE SURE TO MANUALLY UPDATE AND RUN FULL SCAN):

www.superantispyware.com/ (use free version)

www.malwarebytes.org (also use free)

I wonder if it is likely the malware is quite new, and was not detected by the AV when it arrived on your computer, but that the detections have been added since.
That is a possibility, at least…I don’t know this malware, or its release date, nor when definitions for it were added, but it seems a likely scenario.

Running without SP3, many infections are possible, new or old.

It looks like an infected email within Eudora:
9/23/2009 4:27:52 PM 1253737672 Administrator 1484 Sign of “Win32:BredoPack [Cryp]” has been found in “F:\EUBackup-2009-09-05.bdz\Attach\D62e3e4db.zip\D62e3e4db.exe” file.

avast! only checks attachments when they are opened as far as I know.

Thanks all!

Hello123: can www.superantispyware.com and www.malwarebytes.org run in concert with Avast?

YoKenny: That attachment dates back to early Sept (and I’m pretty sure I wouldn’t have opened it) but the problem only started at bootup three days ago, so wouldn’t that mean it must be something else?

OTOH, the problem began the day after Avast warned several times of “Suspicious whitespace sequence” in some emails. (And I got more of those same emails and alarm pop-up warnings today….had Avast delete them, same as I did before. Should I worry?)

Also: can viruses in attachments “go active” without being opened? If so, and Avast only checks attachments when they are opened, that seems a serious drawback…?

Sorry to pester on this. But it freaked me out a bit to have the computer not boot all of a sudden and then it’s fine after running a day-long Avast scan. I like to know causes of things and how to keep them from recurring.

Hello123: can www.superantispyware.com and www.malwarebytes.org run in concert with Avast?
Jepp, no problem, that is what everyone in here is doing