Log Viewer and Win32:Allaple

I got a notice that Avast! has detected Win32:Allaple and when I look in the log viewer there are two entries and under the Application column it says 600 and 596. What do those numbers mean? Does that tell me where the infection is coming from?

Also, the pop-up disappeared, where do I go to delete the suspect file?

What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

I would hazard a guess that it matches the PID (Process ID) in the Task Manager, but I doubt it is very helpful as these can change on reboot. If you check the Task Manager soon after detection it will be more meaningful, but even then it may only be the avast process that detected it. I have one entry that gives an application of 1368, and in Task Manager that PID is ashServ.exe, the main avast scanning engine, so no help at all really.

When you get an alert you should have a number of options. Which did you choose: move to chest, delete, what?
As I mentioned above the information on the detection is contained in the log viewer, you may need to expand the column width to see the complete text/path of the infected file.

Deletion isn’t really a good first option (you have none left). ‘First do no harm’: don’t delete, send the virus to the chest and investigate.

OK thanks. I had just connected to a wifi link at this hotel I checked into and thought maybe it was a port number or something. PID makes more sense.

The info in the log is:

date/time stamp SYSTEM 600 Sign of “Win32:Allaple [Wrm]” has been found in "C:\WININT\system32.exe"file.

date/time stamp SYSTEM 596 Sign of “Win32:Allaple-IC [Wrm]” has been found in "C:\WININT\system32.exe"file.

Just noticed the second one is a -IC variety… I sent them both to the chest. Deleted the first one after a little research, but then the second one came up. The second one is still in the chest.

I was just thinking if it is on the hotel wifi network, I should let them know about it. Hence the concern it came in over one of the ports.
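An added example, not from the forum or from avast, showing what can and cannot be read out of the two Log Viewer entries quoted above, following the earlier point that the Application number is a PID which usually resolves to ashServ.exe. The log lines, timestamps and the Task Manager snapshot are constructed for illustration; the avast process names other than ashServ.exe are assumptions.

```python
"""Parse avast! Log Viewer 'Warning' entries and show what the Application column
(a PID) does and does not tell you. Example code for this thread, not avast code.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the two entries quoted in the thread; the
# timestamps and the third entry are made up. Field order: date time, user,
# application (the PID), message.
SAMPLE_LOG = """\
01/01/2008 10:00:00 SYSTEM 600 Sign of "Win32:Allaple [Wrm]" has been found in "C:\\WININT\\system32.exe" file.
01/01/2008 10:00:02 SYSTEM 596 Sign of "Win32:Allaple-IC [Wrm]" has been found in "C:\\WININT\\system32.exe"file.
01/01/2008 10:05:00 SYSTEM 1368 Sign of "Win32:Allaple [Wrm]" has been found in "C:\\WININT\\system32.exe" file.
"""

# Hypothetical Task Manager snapshot taken right after the alerts. PIDs are reused
# after a reboot, so a snapshot taken later is meaningless. This one assumes the
# avast engine held PIDs 600 and 1368 and that PID 596 had already exited.
PROCESS_SNAPSHOT = {600: "ashServ.exe", 1368: "ashServ.exe", 1024: "explorer.exe"}

# avast 4 scanning components. ashServ.exe is named in the thread; the web and
# mail shield service names are assumed.
AVAST_SCANNERS = {"ashserv.exe", "ashwebsv.exe", "ashmaisv.exe"}

# An executable named after a Windows system folder (system32.exe, drivers.exe)
# is a common attempt to look legitimate, which is why "system32.exe" stood out.
SYSTEM_FOLDER_NAMES = {"system32", "system", "drivers", "temp", "winnt", "windows"}

# Accepts straight or curly quotes and the missing space before "file." seen in
# the quoted entries.
LINE_RE = re.compile(
    r'^(?P<when>\S+ \S+)\s+(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in '
    r'[“"](?P<path>[^”"]+)[”"]\s*file\.?$'
)


@dataclass
class Detection:
    when: str
    user: str
    pid: int
    signature: str
    path: str


def parse_log(text):
    """Return one Detection per parsable Warning line; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Detection(m["when"], m["user"], int(m["pid"]),
                                     m["sig"], m["path"]))
    return entries


def explain_pid(pid, snapshot):
    """Say what the Application PID identifies, given a snapshot taken at alert time."""
    name = snapshot.get(pid)
    if name is None:
        return "pid not running any more; cannot be resolved (PIDs are reused)"
    if name.lower() in AVAST_SCANNERS:
        return f"pid is {name}, the avast component that raised the alert, not the source"
    return f"pid is {name}; that process was touching the file when it was scanned"


def suspicious_name(path):
    """True when the file is an .exe whose base name is a Windows system folder name."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0] if "." in base else base
    return base.endswith(".exe") and stem in SYSTEM_FOLDER_NAMES


def summarize(text, snapshot):
    """Structured view of every detection with the PID interpretation and name check."""
    return [
        {
            "pid": e.pid,
            "signature": e.signature,
            "path": e.path,
            "pid_meaning": explain_pid(e.pid, snapshot),
            "folder_name_lookalike": suspicious_name(e.path),
        }
        for e in parse_log(text)
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, PROCESS_SNAPSHOT):
        print(row)
```

The PID column only names the process that was holding the file when the on-access scanner fired, which for an on-access hit is normally the scanner itself; it says nothing about the network the file arrived over. What the entries do give you is the variant name and the path, and the path here is worth checking regardless of where it came from.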

Strange… the file seems not to have a name, just an extension.
Which is your Windows? NT?

I suggest you run a boot time scanning with avast.
Afterwards, running anti-trojan tools won’t harm either (AVGas, SuperAntispyware, SpywareTerminator, for instance). Links here: http://forum.avast.com/index.php?topic=30654.msg253722#msg253722

I’m running Win2000 with SP4 (and the latest update for Allaple from MS)

You think there’s something still out there that Avast didn’t see? I just ran a full C: drive scan and it came up clean.

Ack! Just got another hit. The log PID is linked to ashServ.exe so it’s just logging who found the problem.

Would still like to know where it’s coming from, on my system or the hotel’s system…

Well, if it were coming from the web it should be picked up by the web shield, but if it came over a network not using http port 80 it wouldn’t be scanned by the web shield, so it must be being picked up on creation by the Standard Shield.

I don’t know if you should uncheck ‘Ignore local communication’ in the web shield (Customize, Basic tab), or whether that would make any difference; I don’t really know.

One thing I do know is that placing files in the system folders requires admin privileges, so whatever is doing it is inheriting your user account privileges. Perhaps you should consider a limited user account when using hotel networks, or check out DMR below.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better, and theoretically easier, than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP. Check Bob’s setup instructions and, importantly, the dropmyrights.msi file needed, as MS have now cleared the original link.
http://mysharedfiles.no-ip.org/dropmyrights

Proactive, a most excellent idea! Never thought about a lower level logon for when I’m on the road. I’ll do that. Thanks again.

No problem, welcome to the forums.

If you’re still detecting any strange behaviour, or even if you’re not sure you’re clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

Also, if you’re still detecting strange behaviour or you want to be sure you’re clean, making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log for on-line analysis would help to identify the problem and the solution.

Thanks for the pointers Tech. Things seem to be working as before. At least no more notices from Avast about Allaple.

The only way things would be working as before is if one of the tools suggested found something.
If so, what was found, and by what tool?