Hi everyone… I am new to avast and I am not sure if this is the right place to post my problem…
I just installed avast 5 home on my netbook… and so far I am totally loving it…
There is just one doubt I have… when I first installed it, it came up with a warning that suspicious file behaviour had been detected using heuristics… it was a false alarm, the file was a netbook file I know to be clean… so it gave me two options, “ignore” and “delete”… I selected ignore and also checked “do not show files of this type”… I need to know if I can uncheck that option? Please help :)
This appears to be the anti-rootkit scan (8 minutes after boot), see image; is this correct?
It really would have been best to have asked that question before changing the setting, as I don’t know if there is a way to reverse it, certainly not in the avastUI.
Can you remember what the file name and location of the file was ?
It might be in the avast5.ini file; there used to be something in the old avast4.ini file for something like this, but I don’t know if it would be in avast5.ini or what section of that file it might be in.
Check the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\avast5.ini (XP location) or C:\ProgramData\Alwil Software\Avast5\avast5.ini file (Vista or Win7 location)
Try these settings (see picture).
For those three under “suspicious”, set them to “ask”; let’s see if that is effective.
This is being detected by the anti-rootkit scan, so the file system settings have zero effect on that scan.
Just adding this so I can follow it. Very interesting.
Yeah, I got a similar image… I couldn’t find the settings to reset it… and as you said they probably aren’t there in the first place… so I reinstalled avast… all working fine now… I still get that message, so I keep choosing ‘ignore’ now… :-\
The file it keeps flagging is c:/windows/system32/explore.exe; this is the HCL file…
Is there any way to exclude it?
If we do not have access to the anti-rootkit scan settings, is it safe to modify this ini file, and how do we do it? (See avast.ini.)
We know that this is a typical action of a user: when the user is in the middle of his/her work and the alert keeps bothering him/her, “don’t show this message anymore” gets ticked, but what is really meant is “don’t bother me this time, I’m busy” ;D ;D ;D
If this process (modifying the ini file) is safe for a simple user, can you post the right procedure to do it?
And thanks!!!
@simran.k
You can make an exclusion by clicking Settings > Exclusions, then browse to the file(s); see image (exclusion).
But it is not advisable to exclude the rootkit, for the reason that rootkits have the ability to engineer their parts. It can gather information in your system, and if this rootkit has enough information about the system it will hijack your system. To exclude that thing means giving it a chance to evolve.
A better idea is to submit it to the virus lab for investigation and wait for an update.
Regards!!!
@bong2x… thanks… you did put it correctly when you said “don’t bother me this time, I’m busy”; that was precisely what I meant ;D
I guess I’ll do nothing for now, for fear I might do something I don’t intend to do ::)… will just submit it to the virus lab…
@ bong2x
- I generally don’t mess with the ini file, and it should really only be done for a specific purpose and when suggested. Your image only shows a very limited subset of what can be put into the avast5.ini file. These are commonly settings which are either not present in the avastUI or changes to default settings in the avastUI.
The only option in the avast5.ini in your image relating to the anti-rootkit scan is if it should run or not.
-
I don’t believe the avast settings/exclusions work in the anti-rootkit scan (technically I would say it isn’t an on-demand scan); exclusions are one of the things which can be added in the avast5.ini file for the rootkit scan. However, I never recommend exclusions, wherever they might be, unless you are 100% sure that they are clean/clear, and that certainly isn’t the case here. So suggesting exclusion in this case is wrong.
-
If the user chooses to check “don’t show this again”, then that option must be recorded somewhere, and the avast5.ini file seems a prime candidate. The intention was for simran.k to look for any such entry and report it, not to modify the avast5.ini.
@ simran.k
As strange as it may seem in this case Ignoring it is best, but always submit it to the labs, this will push for it to be analysed.
What do you mean by “this is an HCL file”, as there are many definitions for this acronym?
The file name seems to be playing on what are legitimate file names, explorer.exe (Windows Explorer) and iexplore.exe (Internet Explorer). I have no such explore.exe on my system, so I have to wonder as to its legitimacy (there are instances of this explore.exe being a virus, see below) or whether you made a typo in recording the file name?
http://www.bleepingcomputer.com/startups/Explore.exe-14978.html
explore.exe file information: The process explore.exe belongs to the software explore.exe or Windows Explorer or EXPLORE.exe or applehebi or intervalhehehe by Microsoft or applehebi Install.
Description: explore.exe is located in the folder C:\Windows\System32. Known file sizes on Windows XP are 9,728 bytes (53% of all occurrences), 110,592 bytes, 14,336 bytes, 32,768 bytes, 73,728 bytes, 111,616 bytes. http://www.file.net/process/explore.exe.html
There is no file information. explore.exe is not a Windows core file. Program starts when Windows starts (see Registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell). File explore.exe is an unknown file in the Windows folder. The program is not visible. explore.exe is able to record inputs, hide itself, monitor applications. Therefore the technical security rating is 68% dangerous; however, also read the users’ reviews.
If explore.exe is located in the folder C:\Windows then the security rating is 82% dangerous. File size is 147,456 bytes (28% of all occurrence), 9,728 bytes, 772,096 bytes, 147,968 bytes, 94,208 bytes. The process has no file description. The program is not visible. The file is an unknown file in the Windows folder. It is not a Windows system file. Program uses ports to connect to LAN or Internet. explore.exe is able to record inputs, hide itself, monitor applications, connect to Internet.
If explore.exe is located in a subfolder of C:\Windows then the security rating is 90% dangerous. File size is 1,930,240 bytes. There is no information about the maker of the file. The program is not visible. It is an unknown file in the Windows folder. The file is not a Windows system file. Program uses ports to connect to LAN or Internet. explore.exe is able to hide itself.
If explore.exe is located in a subfolder of “C:\Documents and Settings” then the security rating is 46% dangerous. File size is 61,440 bytes.
[b]External information from Paul Collins: There are different files with the same name: "explore" definitely not required. Added by any number of VIRUSES, WORMS or TROJANS! "Explore" definitely not required. Adult content dialler. "explore.exe" definitely not required. Added by the GRAYBIRD.G TROJAN! "SystemExplorer" definitely not required. Homepage hijacker - file located in the "Services" folder in Common Files. "Video Services" definitely not required. Added by the GAOBOT.GL WORM! "Window" definitely not required. Added by the GAOBOT.ADW WORM![/b]
Continued on the link, including readers’ comments: [url=http://www.file.net/process/explore.exe.html]http://www.file.net/process/explore.exe.html[/url]
How do you know that what Avast! is reporting is a false alarm? Assuming that explore.exe is not a typo, and after reading Nesivos’ post and DavidR’s post, you should download MalwareBytes Free and run a FULL scan. Make sure you update it first.
http://www.malwarebytes.org/
Please post the results here.
Thank you DavidR for the clear explanation.
That makes it clearer to our fellow user: never touch avast.ini.
HCL (Hindustan Computers Limited) is the name of the computer/netbook manufacturer… I just purchased it recently… interestingly, MalwareBytes also flagged it when I did a full scan with it, so I ignored it then as well… I think this is the HCL file because of the icon… I use the internet sparingly, and only for work, and the netbook is new (bought about 15 days back)… I really can’t see how it got infected so soon???
I’ve submitted the file to the virus lab… should I zip it and put it up here also, or is that sufficient?
This is the HCL link:
http://www.hclstore.in/hcl_me_laptop_AE1V0685
Also, this is the file stored in MalwareBytes’ logs, ‘protection-log-2010-11-16’:
19:59:32 harvinder vir singh MESSAGE Protection started successfully
19:59:38 harvinder vir singh MESSAGE IP Protection started successfully
19:59:38 harvinder vir singh MESSAGE IP Protection stopped
19:59:42 harvinder vir singh MESSAGE IP Protection started successfully
20:04:46 harvinder vir singh DETECTION C:\WINDOWS\system32\EXPLORE.EXE Backdoor.Bot ALLOW
20:04:49 harvinder vir singh DETECTION C:\WINDOWS\system32\EXPLORE.EXE Backdoor.Bot ALLOW
20:04:49 harvinder vir singh DETECTION C:\WINDOWS\system32\EXPLORE.EXE Backdoor.Bot ALLOW
21:31:04 harvinder vir singh MESSAGE Protection started successfully
21:31:14 harvinder vir singh MESSAGE IP Protection started successfully
It isn’t that it could become infected so soon, but what it actually does and why it is a hidden process. These are questions that you will have to address to HCL telling them about the avast and MBAM alerts on their file.
The name is really a bad choice, as in itself I would have been suspicious already before any alert, since it is too close to regular system file names, a common tactic of malware creators. Add to that that they placed it in the system32 folder, also a common tactic of malware creators. Then add the Google hits about explore.exe being highly associated with malware.
So you need some plain answers from HCL as to exactly what it does and why it is needed and why some anti-virus/malware applications consider it at the very least suspicious if not infected.
No need to attach it; we don’t want the forums to become a possible malware distribution centre, and you never know, we don’t want the forums alerting on an uploaded file (you can’t attach zip files anyway).
You could also check the offending/suspect file at [url=http://www.virustotal.com/][b]VirusTotal - Multi engine on-line virus scanner[/b][/url] and [b]report the findings here[/b], the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called [b]Suspect[/b] in the [b]C:\[/b] drive. Now exclude that folder in the [b]File System Shield, Expert Settings, Exclusions, Add[/b], type (or copy and paste) [b]C:\Suspect\*[/b]
That will stop the File System Shield scanning any file you put in that folder.
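The checks DavidR applies above (a look-alike of a legitimate file name, an unknown binary dropped in the system32 folder, an alert the user keeps allowing) can be run mechanically over a Malwarebytes protection log. The following is an added example written for this page, not code from the thread, from Avast or from Malwarebytes. It parses protection-log lines of the shape posted above, collapses repeated detections of the same file, and lists the reasons each file deserves a closer look. The sample log is a constructed copy of the one posted above with the account name replaced by a placeholder, and the list of legitimate names used for the look-alike check is an assumption (explorer.exe and iexplore.exe come from the thread; the others are added).

```python
"""Triage helper for Malwarebytes protection-log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List

# Legitimate names that malware likes to imitate. explorer.exe and iexplore.exe are the
# two named in the thread; the remaining entries are assumed additions.
LEGIT_NAMES = ("explorer.exe", "iexplore.exe", "svchost.exe", "lsass.exe", "csrss.exe")
# Folders where an unknown, non-core binary deserves extra suspicion.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")

# Constructed sample modelled on the log posted above; the account name is a placeholder.
SAMPLE_LOG = r"""
19:59:32 user1 MESSAGE Protection started successfully
19:59:38 user1 MESSAGE IP Protection started successfully
20:04:46 user1 DETECTION C:\WINDOWS\system32\EXPLORE.EXE Backdoor.Bot ALLOW
20:04:49 user1 DETECTION C:\WINDOWS\system32\EXPLORE.EXE Backdoor.Bot ALLOW
20:04:49 user1 DETECTION C:\WINDOWS\system32\EXPLORE.EXE Backdoor.Bot ALLOW
21:31:04 user1 MESSAGE Protection started successfully
"""

# time, account name (may contain spaces), record kind, remainder of the line
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>.+?)\s+(?P<kind>MESSAGE|DETECTION)\s+(?P<rest>.*)$"
)


@dataclass
class Detection:
    time: str
    path: str
    threat: str
    action: str


def parse_log(text: str) -> List[Detection]:
    """Return the DETECTION records; MESSAGE lines and unparseable lines are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["kind"] != "DETECTION":
            continue
        # Split from the right so that paths containing spaces survive intact.
        parts = m["rest"].rsplit(None, 2)
        if len(parts) != 3:
            continue
        path, threat, action = parts
        found.append(Detection(m["time"], path, threat, action))
    return found


def lookalikes(filename: str, threshold: float = 0.85) -> List[str]:
    """Legitimate names this file name closely resembles without matching exactly."""
    name = filename.lower()
    if name in LEGIT_NAMES:
        return []
    return sorted(
        legit for legit in LEGIT_NAMES
        if SequenceMatcher(None, name, legit).ratio() >= threshold
    )


def triage(text: str) -> List[Dict]:
    """Collapse repeated detections per file and attach the reasons it deserves a look."""
    grouped: Dict[tuple, Dict] = {}
    for d in parse_log(text):
        key = (d.path.lower(), d.threat, d.action)
        entry = grouped.setdefault(key, {"path": d.path, "threat": d.threat, "action": d.action,
                                         "first_seen": d.time, "count": 0, "reasons": []})
        entry["count"] += 1
    for entry in grouped.values():
        folder, _, fname = entry["path"].rpartition("\\")
        reasons = entry["reasons"]
        if entry["action"] == "ALLOW":
            reasons.append("user allowed the detection, so the file is still on disk")
        if folder.lower() in SYSTEM_DIRS:
            reasons.append("lives in a Windows system folder")
        for legit in lookalikes(fname):
            reasons.append(f"name imitates {legit}")
    return list(grouped.values())


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['path']} ({finding['threat']}, x{finding['count']}, {finding['action']})")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run it against a real protection log by passing the file contents to `triage()`. The look-alike test uses a plain similarity ratio, so it will also flag names such as "explorerr.exe"; the threshold is deliberately loose because a file name this close to a core binary is, as the thread says, reason enough to ask the vendor what it does.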
EDIT: Had something to add, but it was already in DavidR’s post. Sorry about this post.
@DavidR/Charyb… ok, will do that… and paste the result here… thanks
You’re welcome.