I can't see where the trojan / worm is exactly

How can I determine where the virus/worm/trojan is? I received messages of this type, but I don’t see the complete way to the suspicious file.

What can I do?

I would like to not consider some of these messages as a virus/worm/trojan and put them in exceptions.

http://img377.imageshack.us/img377/6879/greenshot20080807142730by8.jpg

http://img187.imageshack.us/img187/5215/greenshot20080807143821zq3.jpg

You shouldn’t need to know the original location to take action, e.g. Move to Chest, that being the best option.

The avast Log Viewer (right click the avast ‘a’ icon), Warning section, contains information on all avast detections.

Or you can open this file with notepad, C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log (if you installed avast in the default location). That is where the information comes from that is displayed in the avast log viewer.

Thanks DavidR

:smiley:

To be sure you’re clean, I suggest:

  1. Disable System Restore and then reenable it again.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Sorry DavidR, I have the Spanish version of Avast! free edition for personal use:

These are my archives:

http://img359.imageshack.us/img359/1431/greenshot20080807184940mu9.jpg

I don’t see the information in any of them.

Thanks Tech, but at the moment I don’t have any virus.

I'll take this information for next time.

Thanks.

It is very strange (if not an error) that there is no Warning.log after an avast alert, it should be automatically created if one doesn’t exist upon detection.

Did you try to open the avast log viewer?

Try this Web Shield Test - http://www.eicar.org/download/eicar.com, this is a harmless test file to check your AV alerts, we know yours alerts, but I’m trying to see if this will create the Warning.log.

Now access the avast log viewer, open the Warning section and see if there are any entries; if so, that should have created the Warning.log file. Unfortunately we won’t be able to use that for the earlier information.

Did you take any action when these were detected or did you select No Action?
If you took no action you can run the scan again, but just on the Folder Selection option and select the Documents and Settings folder shown in your images. This saves scanning the whole drive to find them.

I took no action: it’s a christmas.exe with no danger.

I see the visor, not the warning.log (advertencia in Spanish)

http://img389.imageshack.us/img389/8232/greenshot20080807201338lp3.jpg

When I try http://www.eicar.org/download/eicar.com I receive this message.

http://img58.imageshack.us/img58/3174/greenshot20080807203713nq0.jpg

David: discovered.

Really amazing.

I think it is because of image restoration from other units. The system runs well, but some things go to unit K: instead of unit M:, and so on.

I need to manipulate the avast! configuration in order to succeed in the creation of warning.log in this system.

Actual system with Windows XP Pro installed: in unit M:

First system I restored over M: from K:
(I have manipulated the Windows registry to do so)

Excuse my language.

http://img139.imageshack.us/img139/2787/greenshot20080807203953wf9.jpg

http://img378.imageshack.us/img378/3533/greenshot20080807204159hq5.jpg

http://img293.imageshack.us/img293/7079/greenshot20080807204209me3.jpg

What exactly are the Avast! configuration files?

I need to replace wherever it says “K:” with “M:” in the actual installation (Avast! configuration files). Oh, I think so…

The process I followed was to obtain an image of the K: partition. I restored it with Acronis to another unit, M:
Then I did multiple replacements in the Windows registry with the jv16 utility.

But, after all this work, something continues pointing to K:

Have I explained this well?

Thanks

I have had the same situation in the past with other programs: Launchy, AutoCAD 2002…

For the drive path, I think only in the registry, maybe in the avast.md file in the /Data folder.

I’m surprised this will work… there are a lot of other applications that will crash/bug in this situation… you’re cloning the HDD, a lot of applications, especially avast, will complain about possibly piracy of this method…

I’ll see the avast.md.

“about possibly piracy”. Oh no, it’s the same PC. I have a Windows XP Pro license that lets me install the operating system many times on the same PC.

I follow the activation method by phone.

Cloning an installation with SelfImage, Acronis, Clonezilla is not piracy. I think so…

I see

K:\Archivos de programa\Alwil Software\Avast4\DATA\Avast.db or the equivalent in each partition.

Avast4.ini, where I see the exceptions.

I don’t find avast.md

I’m not saying that this is piracy, just that some software could ‘think’ so as the partition is not the same.

Sorry, my fault, avast.db.
As far as I know, the avast.db is partition dependent due to the installation folder.
But I’m not sure; maybe it interprets the %programfiles% variable and makes the adjustment.

Excuse me Tech. Understood.

Do you know any freeware software to open this db?

I’ve tried with Microsoft Access 2002 and OpenOffice.org Base v2.4, but I don’t understand these programs very much.

How can I open this database avast4.db?

Thanks.

P.S. I have created five systems from one. This in Spanish is: cacharrear con el sistema operativo (a strange use of the operating system capabilities), but the result at this moment is not bad. Only a few secondary problems. I have seven systems, two of them were restored from image copies from the old hard disk - I have problems with the prior systems' hard disk.

I did these modifications in 04.2008 and my PC is functioning “normally”: some programs reorient the initial configuration from the original installation. Windows System Restore has abnormal behaviour. And, for example, the eMule P2P program has unusual behaviour, allowing me to share folders between several systems.

I have had several Windows installations for years with no problem. The special software that detects or does not permit multiple installations is only used in one partition:

  • an account program
  • Microsoft Outlook version 2002 and Vodafone SMS software installed on it. And an HP PDA that uses MO.
  • a technical program

Other programs take advantage of “my system”, like Ditto, Phrase Express, RoboForm (share users between installations with IE7), Goldmine (a CRM software), stickies, etc., sharing configurations and data.

;D

It was a database file, maybe MS Access or OpenOffice related.
But what I can’t understand is why you have to copy the partition and change the registry. Do you have this partition copy for backup purposes? Why do you use it as if it is the main partition? Why don’t you just copy it back in case of problems with the main partition?

Microsoft Access and OpenOffice.org Base would be my suggestions for avast4.db

I have so many partitions with an operating system installed because of problems years ago:
system technics
system ocium
system general
system proofs
……

Last time I lost the image copies of several partitions, so I decided to install an “image typical” and restore it in five systems.

Initially I had four systems. Now I have seven and Linux in another partition.

::slight_smile:

I have so many programs that I prefer this way.

I am a lover of freeware and opensource programs.