Latest update is crying wolf?

All settings on both PCs concerned are HIGH except on Network Shield where I set it to High and then enabled Logging which of course changed it to Custom.

On the Standard Shield, which is on High, the settings are as follows:

Scanner (Basic): All check boxes checked.
Scanner (Advanced): Scan files on open checked. Scan files with these extensions blank. Always scan WSH script files checked. Scan created/modified files checked with All Files radio button selected.
Blocker: Block operations only in files with extensions: Default extension set checked. Additional extensions blank. Blocked Operations boxes all unchecked. If an operation… Allow the operation radio button selected.
Advanced: Show detailed info and Silent mode both unchecked.
List of locations not scanned contains 11 entries which I have not modified since installation of avast!:

?:\CONFIG.SYS
?:\MSDOS.SYS
*\PAGEFILE.SYS
*\WIN386.SWP
*\SYSTEM.DA?
\USER.DA?
C:\WINDOWS\TEMP*.TMP
C:\WINDOWS\TEMP_AVAST4_\UNP
C:\WINDOWS\WINSXS*.MANIFEST
C:\WINDOWS\WINSXS*.CAT
C:\WINDOWS\WINSXS*.POLICY

If you need any more information, I can include an INI file or whatever you ask for.

Repair only works if the infected file is one that VRDB has scanned (mainly system files, .exe, dll, etc.) and the VRDB has been generated. The alert dialogue usually gives you the recommended action as the focused button.
Thank you. I didn't realise that the VRDB was so limited but now I can aim off for that.

One further piece of odd information which arose today. A virus alert came up from the resident scanner which let me know that there was a virus on the root:

C:\install.exe[Yoda][UPX] [L] Win32:Trojan-gen. {VC} (0)

I was surprised that it only did this when I opened Windows Explorer to look at the partition. I told it to move to chest which it did. But I got no further alerts. Later on, I decided to check and found that the same alert came up on EACH partition whenever I opened them in Explorer.

Once I had cleaned them all out, I discovered an INF file on the roots which apparently relates to another virus (pointing to megaspaware.com - I had to go to a rival antivirus site for information). The virus which apparently put that file there was no longer present, but avast! didn’t provide any advice to remove those files (I deleted them and checked they were not present on reboot).

When I started the avast! scanner after the reboot to do a full scan again, in the initialisation process when it checks memory/startup etc, I happened to notice [UPX] indicated in the list of files being scanned, but I cannot find any reference to UPX in the startup folder, Run branch of registry etc. I am assuming this is a normal part of Windows, but if you know different, please advise!

I am also finding something strange in the list of files not scanned by avast! when I do a full scan because they are “in use”. The files are all C:\WINDOWS\Temp\Perflib_Perfdata_???.dat (where ??? are some numbers/letters). I am “assuming” that these are files relating to WMI Performance Adapter which is a Microsoft Service starting with Windows, but I don’t like assuming! If you know that those are OK, I would be pleased.

Thanks for the help. I have now repeated the scans (in Windows and boot-time) and manually deleted anything in the reports which I am not sure of (no, I haven’t messed up my system files :stuck_out_tongue: )

The only other idea I have is to use the Virus Cleaner on the drives, but I understood that would do nothing that avast! scanner doesn’t do so I await any advice on that.

Apart from those, the only possibility I can think of is that somehow a system file which avast! cannot scan has been infected. Is that possible? If so, wouldn’t the boot-time scan identify it?

If avast! can’t detect it in normal scanning, it probably won’t be detected anyway, as the problem is in the virus database.
But, if the problem is just access, then if you boot in Safe Mode (F8), maybe you can scan and detect it.
Is there any kind of possibility of knowing the name and the path of the infected system file?

Whilst avast is primarily an anti-virus it does detect some adware and spyware, but there are specialist tools out there for adware/spyware detection and removal, these not only remove the file but go after the registry entries, etc.

If you haven’t already got this software (freeware), download, install, update and run it.

  1. Ad-Aware
  2. Spybot Search and Destroy
  3. Spywareblaster Don’t install this until you are clean.
  4. Download HijackThis.zip - HiJackThis Tutorial

Whilst I don’t believe this is the problem in your case, there are now some viruses that can hide themselves very well (not system files); these are often noticed by the fact that, despite removing a virus, it comes back time and again. This is slightly different to having poor security, browsing habits and/or visiting sites that keep reinfecting the computer.

So better forearmed and forewarned - RootKitRevealer from system internals - http://www.sysinternals.com/utilities/rootkitrevealer.html, this will check if there is in fact a rootkit type virus deeply hidden.

Well, that’s the way it is, I am afraid; you may call it a limitation of the Home Edition of avast!. In the Professional Edition, you can configure the task to perform automatic actions (or, don’t do anything).
In the Home version, you may check the “Don’t show again” checkbox in the Virus warning dialog - but only after the first virus has been found (because you won’t see the virus dialog until then).

A decompression bomb is a file that may be rather small, but decompresses to an enormous amount of data (when processed as a packed archive). Such files are not malicious per se, but they may block an antivirus program when it tries to scan them.
This kind of file is rather hard to detect (and avoid) precisely - so, it is possible that there are some false alarms. It’s not a big problem in this case, however - the “decompression bomb” announcement actually means something like “The file has a very high, maybe even suspicious, compression ratio and the AV is not going to scan the archive content”.
I’d suggest ignoring these files.

Well, this case is similar to the previous one. avast! is telling you that it wasn’t able to unpack the archive to scan its content. BUT - the archive doesn’t really have to be corrupted in some cases - it’s just not in the format avast! expects it to be. I mean - a known case of “corrupted archives” are Java .class files. They are actually ZIP files, but have an incorrectly filled checksum in the headers. While it actually is a corrupted ZIP file, it doesn’t have any effect on Java functionality - the files were always there, Java doesn’t care about the checksums. Also, there is nothing wrong with password protected files; there’s no need to perform any actions.

Honestly, I don’t know. If you had a network share open (for example) and another computer was infecting the files on your disk, I wouldn’t know how to find it out (using avast!).

There’s something strange going on here. There may be a few explanations, but they wouldn’t answer all your problems:

  1. The Created/Modified files are not scanned (but you say that you have Standard Shield set on High, so they should be)
  2. Something puts the files on your disk right after the computer is started, before avast! starts up; theoretically possible, but I think it’s rather unlikely, avast! starts quite soon
  3. The detection of the particular malware has been added to the virus database after the file was already on your disk (which is hardly the case of Tenga, but it may be the case of the Trojan-Gen).

UPX is not a file itself. UPX is an executable packer - so it is shown when a packed EXE file is unpacked and processed as an archive by avast!. So, C:\install.exe[Yoda][UPX] is actually a file install.exe, placed in the root of C: drive, packed by UPX and additionally packed by Yoda cryptor.

Yes, those files are used by Windows internally - it’s perfectly normal that they cannot be accessed.

I don’t think it can bring anything new/useful.
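The “decompression bomb” announcement above is, in effect, a compression-ratio check on the archive headers. The following is an added illustration (not avast!’s code, nor anything from this thread) of that heuristic in Python: it reads the declared sizes from a ZIP’s central directory without extracting anything, and flags archives whose ratio or total declared size exceeds thresholds that are assumed here for illustration only.

```python
import io
import zipfile

# Thresholds are illustrative assumptions, not avast!'s real limits.
MAX_RATIO = 100                      # declared bytes per compressed byte
MAX_TOTAL_BYTES = 64 * 1024 * 1024   # declared uncompressed total


def archive_report(data: bytes) -> dict:
    """Classify a ZIP from its central directory only.

    Nothing is decompressed, so a bomb cannot exhaust memory or disk while
    it is being classified; a scanner would skip the content of any
    archive reported as suspicious, which is what the avast! message means.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    declared = sum(i.file_size for i in infos)
    ratio = declared / compressed if compressed else float("inf")
    suspicious = ratio > MAX_RATIO or declared > MAX_TOTAL_BYTES
    return {"members": len(infos), "compressed": compressed,
            "declared": declared, "ratio": ratio, "suspicious": suspicious}


def build_zip(members: dict) -> bytes:
    """Build a deflated ZIP in memory from {name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: ordinary prose compresses modestly; 8 MiB of zero
# bytes deflates to a few KiB, the kind of ratio a scanner would refuse.
NORMAL_ZIP = build_zip({"readme.txt": (
    b"Settings on both PCs are High except Network Shield, where logging "
    b"was enabled and the profile therefore became Custom. Standard Shield "
    b"scans created and modified files; see the forum thread for details.")})
BOMBISH_ZIP = build_zip({"zeros.bin": b"\0" * (8 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_ZIP), ("bombish", BOMBISH_ZIP)):
        r = archive_report(blob)
        print(f"{label}: ratio={r['ratio']:.0f} suspicious={r['suspicious']}")
```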

Thanks for all the advice. I am working on trying to isolate a file which I can send in to the techies - I don’t hold out much hope as I am more interested in getting this clean and having it STAY clean (not helped by the fact that the Windows firewall, even set to ALL ON, allows an LSASS attack to get as far as the avast! network shield, and then avast! stops it). Strange though!

DavidR - I routinely scan with the latest Ad-Aware - I didn’t realise one should use more than one kind of this software.

igor - it would appear that the Trojan-Gen was the culprit in being found after the inclusion of the signature (so much for heuristics?)

DavidR - I routinely scan with the latest Ad-Aware - I didn't realise one should use more than one kind of this software.
In the case of non resident anti-adware/spyware then one backs up the other as the signature files are likely to include different adware and spyware detections, AdAware and Spybot S&D work well together as non-resident on-demand scanners. SpywareBlaster is a passive blocker and you just need to keep the detections up to date.

It is no bad thing to have a secondary non-resident AV to back-up avast, many use BitDefender or use one of the on-line scanners (Not Panda’s or expect FPs from its unencrypted signature files by avast! later).
RejZoR’s Website - Security Ops
On-line Virus Scanners and other useful Links Security-Ops.eu.tt