Here are Some Avast Errors & Warnings

Hello,

I had a thread here http://forum.avast.com/index.php?topic=50737.0, which explains in more detail, but I have lost my Avast contact & still don’t have clear answers to some questions. Mainly, why have I been receiving so many errors & warnings over the past 2 weeks that included a couple of “cannot scan selected file” messages? I have never received so many of such errors & warnings in such a short time. As can be seen in the other thread, I was told that two of those files seem to be ok but I have yet to receive a response from Avast pertaining to the Yahoo Messenger file. None of the logs indicate an actual infection & all scans consistently come up clean, as do MBAM & AdAware.

I have included below the most recent errors & warnings from the logs as well as some older log entries that seem to have been either cleared up or were temp issues. Assistance would be appreciated. Thank you!

WARNINGS

07/23/2009 2:47:31 PM SYSTEM 1356 Sign of “JS:Redirector-E [Trj]” has been found in “http://www.hudsoncountry.org/newsletterjan08c.html” file.

07/23/2009 2:47:33 PM SYSTEM 1356 Sign of “JS:Redirector-E [Trj]” has been found in “C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\Cache\2A9E2060d01” file.

07/25/2009 3:19:35 AM Owner 3692 Sign of “Win32:Bifrose-EGW [Trj]” has been found in “C:\WINDOWS\Installer\d221ed1.msp” file.

08/05/2009 9:52:52 PM SYSTEM 1436 Sign of “JS:Pdfka-MQ [Trj]” has been found in “http://pansdale.com/nic/p11.php\{gzip}” file.

10/10/2009 9:09:32 AM SYSTEM 1428 Sign of “JS:Pdfka-JR [Expl]” has been found in “http://wmdaly.com/flash/pdf.php” file.

10/12/2009 11:29:15 AM SYSTEM 1412 Sign of “JS:Pdfka-JR [Expl]” has been found in “http://modloaded.com/flash/pdf.php” file.

11/05/2009 7:49:44 AM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.

11/05/2009 11:58:11 AM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.

11/05/2009 2:57:20 PM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://ads.blogherads.com/static/bottomtxt2.js (C:\WINDOWS\TEMP_avast4_\unp6316365.tmp) returning error, 0000A413.

11/05/2009 6:31:51 PM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://api.facebook.com/restserver.php?v=1...at=json&cal (C:\WINDOWS\TEMP_avast4_\unp20623191.tmp) returning error, 0000A413.

11/06/2009 2:21:19 AM SYSTEM 1344 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://clients1.google.com/complete/search...P3QZj&cp=13 (C:\WINDOWS\TEMP_avast4_\unp212433553.tmp) returning error, 0000A413.

11/07/2009 12:44:13 AM SYSTEM 1400 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://help.twitter.com/javascripts/tiny_m...ditor_plugin.js (C:\WINDOWS\TEMP_avast4_\unp221421909.tmp) returning error, 0000A413.

11/07/2009 3:07:11 PM SYSTEM 1412 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.

11/08/2009 12:35:13 PM SYSTEM 1412 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.

11/08/2009 1:46:22 PM SYSTEM 1412 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.

11/16/2009 10:30:42 AM SYSTEM 1460 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0wir55g9.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0wir55g9.default\sessionstore-1.js) returning error, 0000A413.

11/17/2009 11:08:48 PM SYSTEM 1460 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://www.gazellethemes.com/wp-content/th...azelle/js/tt.js (C:\WINDOWS\TEMP_avast4_\unp17426775.tmp) returning error, 0000A413.

ERRORS

11/05/2009 7:49:44 AM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.

11/05/2009 11:58:11 AM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.

11/05/2009 2:57:20 PM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://ads.blogherads.com/static/bottomtxt2.js failed, 0000A413.

11/05/2009 6:31:51 PM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://api.facebook.com/restserver.php?v=1...at=json&cal failed, 0000A413.

11/06/2009 2:21:19 AM SYSTEM 1344 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://clients1.google.com/complete/search...P3QZj&cp=13 failed, 0000A413.

11/07/2009 12:44:13 AM SYSTEM 1400 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://help.twitter.com/javascripts/tiny_m...ditor_plugin.js failed, 0000A413.

11/07/2009 3:07:11 PM SYSTEM 1412 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.

11/08/2009 12:35:13 PM SYSTEM 1412 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.

11/08/2009 1:46:22 PM SYSTEM 1412 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.

11/16/2009 10:30:42 AM SYSTEM 1460 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0wir55g9.default\sessionstore-1.js failed, 0000A413.

11/17/2009 11:08:48 PM SYSTEM 1460 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://www.gazellethemes.com/wp-content/th...azelle/js/tt.js failed, 0000A413.

Please read:
Every 3.6 seconds a website is infected
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414
http://forum.avast.com/index.php?topic=49886.0

The sites are infected and the Webmaster has to fix the infections.

YoKenny,

Good reading & thanks & just to be safe, I run every new site that I enter through McAfee Site Advisor & practice safe internet :wink: I also use SpywareBlaster, which helps IE more than FF, which I prefer. I TRY to get my wife to practice the same principles but…

Anyway, are you saying that the sites listed in the logs have been logged because they have been infected? If so, this doesn’t seem to mean that my machine was infected, does it?

Also, not all errors & warnings seem to be from websites but many seem to pertain to Firefox, although I do not understand what the problem is. The few other issues such as Sign of “Win32:Bifrose-EGW [Trj]” has been found in “C:\WINDOWS\Installer\d221ed1.msp” file, I believe were confirmed as FP’s by Avast back when.

So, what does all this mean to me & my machine? Talk to me like I am seven. After all this trying to determine what’s happening, I want to be clear. And again, why all the errors & warnings all of a sudden? And fyi, Gazelle themes is the site of my tech support friend who created my website templates so I can’t believe that his site is infected.

I don’t think you are seven; if you are, you are too young to be married in most countries. ;D

McAfee SiteAdvisor is hopelessly out of date and sometimes lists sites as safe with known malware.

avast! protects your system from those sites so you have nothing to worry about.

You should get your tech support friend to visit this topic as they need to update their software for creating Web sites.

I am sure a more experienced person will help out in this topic soon.

Still waiting for that “more experienced person”…

Can anyone from Avast assist me?

Is the support any better if I was using the Pro version?

Hi,
you can zip samples into an archive with the password “infected” and send it to virus@avast.com for analysis. Use the subject “False positive”.

Thank you
Milos

Hi Milos,

I don’t think I understand what you mean??

Can you give me some thoughts on the logs that I posted above?

I sent one file to igor last week & never received a response. It’s late here so I will check back tomorrow. Thanks!!

If you still have the files, you can pack them into a password-protected zip archive (you can use the free tool named 7-zip), set the password to “infected”, without quotes, to prevent scanning, attach it to an e-mail with the subject “False positive” and send it to virus@avast.com so they can be analyzed to find out whether they are false positives or not.

Milos

Can’t I extract the log files from Avast, save them & then email them? Rather than go through password zipping them. I did that for igor with one particular file although I have not heard back. I am looking for some resolution here & I need to know if my machine has been compromised.

Hi Bub12,
which is your current VPS?

Milos

Virtual Private Server? I’m sorry, but I do not understand. What does all of this have to do with a VPS? My thread is in reference to my home pc.

VPS in relation to avast is the virus signatures (virus database, check About avast); the current one is 091120-0

Thanks David…I was really beginning to think that we all were just not on the same page here :slight_smile:

VPS 091120-0

VERSION 4.8.1356

You’re welcome, hopefully that will help Milos.

I hope so too, although I have not heard back yet. One new bit of info is that I downloaded & ran Super Anti Spyware & it found this:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/20/2009 at 02:42 PM

Application Version : 4.30.1004

Core Rules Database Version : 4297
Trace Rules Database Version: 2167

Scan type : Complete Scan
Total Scan Time : 00:28:53

Memory items scanned : 426
Memory threats detected : 0
Registry items scanned : 5920
Registry threats detected : 5
File items scanned : 45626
File threats detected : 0

Rogue.Component/Trace
HKLM\Software\Microsoft\A8FFF9A5
HKLM\Software\Microsoft\A8FFF9A5#a8fff9a5
HKLM\Software\Microsoft\A8FFF9A5#Version
HKLM\Software\Microsoft\A8FFF9A5#a8ff5425
HKLM\Software\Microsoft\A8FFF9A5#a8ff3dc0

Still trying to figure out what these are as SAS support said “Those are randomly generated by Rogue anti-spyware solutions. The names are never the same.”

Not sure exactly what that means. Don’t know if I am infected or these are FP’s. I NEVER downloaded a bogus AV/AS program. Avast never picked such files up though.

Thanks,
there was a possibility that VPS updates were not working correctly, but you had the right VPS version, so we are debugging the mentioned errors.

The errors don’t mean that you are infected.

Milos

Milos,

Thank you! Look forward to your reply but, as I mentioned in my last post, SAS picked up rootkits that Avast did not & I am working with Bleeping Computer to rid myself of them as I do not know how to get rid of them.

Before dealing with them, submit samples of those detected by SAS to avast so as to improve detections.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
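
A way to triage log lines in the format quoted in this thread, added here as an example and not part of any post or of avast!'s own tooling: it separates signature detections from scan failures (the 0000A413 entries) and counts each failure once, since the logs above record every failure as both a warning and an error. The sample lines are constructed, and `triage` and `location` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample in the line format quoted in the thread; the detection
# names and error code appear in the thread, hosts and paths are placeholders.
SAMPLE_LOG = r"""
07/23/2009 2:47:31 PM SYSTEM 1356 Sign of "JS:Redirector-E [Trj]" has been found in "http://site.example/news.html" file.
07/25/2009 3:19:35 AM Owner 3692 Sign of "Win32:Bifrose-EGW [Trj]" has been found in "C:\WINDOWS\Installer\sample.msp" file.
11/05/2009 7:49:44 AM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Profiles\x.default\sessionstore-1.js (C:\Profiles\x.default\sessionstore-1.js) returning error, 0000A413.
11/05/2009 7:49:44 AM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Profiles\x.default\sessionstore-1.js failed, 0000A413.
11/07/2009 3:07:11 PM SYSTEM 1412 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Profiles\x.default\sessionstore-1.js failed, 0000A413.
11/05/2009 2:57:20 PM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://ads.example/static/a.js failed, 0000A413.
"""

# timestamp, user, PID, then the free-text message
HEAD = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\d+) (.*)$")
# Accept straight quotes and the curly quotes the forum software substitutes.
DETECT = re.compile(
    r'Sign of ["\u201c](.+?)["\u201d] has been found in ["\u201c](.+?)["\u201d] file\.')
SCAN_ERROR = re.compile(
    r"AAVM - scanning error: \S+: avfilesScanReal of (.+) failed, ([0-9A-F]{8})\.")

def location(target):
    """'web' for a scanned HTTP stream, 'local' for a path on disk."""
    return "web" if target.lower().startswith(("http://", "https://")) else "local"

def triage(log_text):
    """Return (detections, failures) parsed from avast! 4.x style log lines."""
    detections, failures = [], Counter()
    for line in log_text.splitlines():
        head = HEAD.match(line.strip())
        if not head:
            continue  # blank line or a section heading such as WARNINGS
        stamp, _user, _pid, msg = head.groups()
        hit = DETECT.search(msg)
        if hit:
            name, target = hit.groups()
            detections.append((stamp, name, target, location(target)))
            continue
        err = SCAN_ERROR.search(msg)
        if err:
            failures[err.groups()] += 1  # key: (target, error code)
        # "scanning warning" lines are skipped: each one pairs with an error line
    return detections, failures

if __name__ == "__main__":
    found, failed = triage(SAMPLE_LOG)
    for stamp, name, target, where in found:
        print(f"DETECTION [{where}] {name} in {target} at {stamp}")
    for (target, code), count in failed.most_common():
        print(f"SCAN FAILURE {code} x{count}: {target}")
```

Detections tagged `local` are the ones worth submitting as samples; repeated failures on one target, such as the Firefox `sessionstore-1.js` file in the thread, point at a file the scanner cannot read rather than at a signature match.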