Loopholes in AVAST for Viruses,Worms-(rhccttajOe3e1.exe)

Loopholes in Avast for Trojans,Worms

(1)wJQs.exe,(2)rhccttajOe3e1,rehcttajOe3e1.exe(multiplys into different names for the first five digits,on each attempt to delete it and with another spurious name ‘AntivirusXP 2008’)(3)kdjcd and kdjcd.exe(4)Trojan.Downloader.Banload.ma.1 (5)JOKE/BSOD.B as\6.tmp in system32.

These are the Trojans,Worms and Malwares entered in my computer while running AvastPro(On-access scan) and Spywareterminator(Realtime).

I use Avast & Spyw.Terminator simultaneously which gave complete protection for the past 8 months.On 08-08-‘08,When I was seeing the search results of rapidbolt Search engine,suddenly Avastpopup came with usual siren-sound and ‘Caution a Virus is detected’ warning with options to terminate connection…I applied it but it could not block it.Again warning popup came with option to ‘delete’,‘delete all’ and ‘move to chest’, I tried these 3 times when popup came again & again.So,that means it already entered my PC.Then I disconnected internet.By the time the rogue intruders placed an icon on my desktop resembling’Windows Deffender’s’icon with a file name’AntivirusXP2008’.It already deleted my windows desktop-theme and put its own ‘light blue theme’ with middle banner showing ‘AntivirusXP has found 1195 viruses on your computer’.Windows Firewall blocked the installation of this software,but I located its folder in Programs in C:\ and moved its uninstall icon to F:\ and I erased with ‘Eraser’ the other files.
I found the ‘System Restore’to switch to previous point and Taskmanager to end processes are frozen.

Then I took each weapon from my arsenal:-Ad-Aware2008free has deleted the worm & a malware,Spyw.Terntr.on demand scan has removed the other malwares.Nothing could delete the Trojan’rhccttajOe1.exe’.( I have Quick scanned with Avast,it gave ‘Caution’ but could not delete,once it could move it toChest,but the Rogue jumped out of it) I tried to open it with Notepad & erase the content-program,but again it came as’ephcpttajOe1’.

Then I used the Brute Force"DELAny", a small 2KB program(got from softpedia.com made by seconfig.sytes.net).It killed the Trojan in seconds.The remaining nails&tails of these ‘rogues’ were removed by SuperantispywarePro.
Using regedit.group-policy modification I regained the Desktop-tab & Screensaver,Theme-tabs removed from Dislay Properties by these rogues and reinstalled WindowsXPTheme.

The story ends there…(Sorry for the lengthy narration,but may be helpful for users who face such attacks).
--------------//----------
Avast Developers are requested to plug the loopholes to make it more trustworthy.Suggestions:-
(1)Append one Brute Force Program like DELANY in Avast so that it can delete any rogues that are not rootkitted and crept-in through Avast to the user’s PC.
(2)Make the User Interface some more informative.The present one looks modern but very crude.The user requires information as to what it does when it Scans the PC on demand.Now nothing is seen except for a small lightly glowing line(and the user is made “Baby Sitting” with the scan).Avast must be able to show progress of scan,time taken& remaining,where it scans:-memory,registry,files etc.Progress of the scan is to show what it captures with their path for the users’ choice to delete,move to chest,ignore.If it does not take any action the user should be able to see the ‘paths’ to locate it.
Instead,now it gives a Notepad with the scanlog.The user can’t do anything with that.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.


Sorry, I have already destroyed it with the Brute Force program ‘DELANY’ without leaving any file-trace.I noted down each & every file name before it was deleted ,which I reproduced in my topic.I narrated my story in order to help other users who face difficulty to remove those ‘rogues’. You can get the file from other people who has this Trojan AntivirusXP2008,
see this also:- http://forum.avast.com/index.php?topic=37737.0

This little beastie is continually changing and NO AS or AV will catch them all. Don’t forget that it is the malware writers leading, all the AV and AS community can do is play catch up. Use of heuristics may catch some but, at the expense of a lot of false positives. It is a fine balance to try and achieve. All antivirus and Anti-spyware programmes suffer from this. When I conduct cleaning on my other forum ALL Av’s are affected none escape.

but could not delete,once it could move it toChest,but the Rogue jumped out of it
You probably still had the infector in the LSA Authorization part of the registry and as an innocuous file somewhere in system32
Instead,now it gives a Notepad with the scanlog.The user can't do anything with that.
No but a trained person can.

It is a never ending battle, and some cleaning programmes are now so potent that misuse can wreck your system

After deleting the ‘rogue file’ I scanned the entire Registry with Advanced Windowscare Personal(IOBIT) and found some ‘nails & hairs’ of the beast and AWP has deleted them.Again to make sure I used TweakNow Registry cleaner and got my Registry as All Clear.
Otherwise I won’t be able to use that computer nor log into Internet.This I am typing with the same computer and same Browser 'Firefox 2.0.0.16.(yes…I battled with that beast for 2 days…& can say succeeded)… :slight_smile:

The thing is a registry cleaner will not find this

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 [b]C:\WINDOWS\system32\qoMFwXQj[/b]
The bolded element is where the trojan allows itself access at windows start

I have run Rootkit Revealer(sysintrnal’s) on Windows startup and the results did not contain any suspicious
hidden trojan traces.Then I have run 3 Antirootkits,namely,AVG,Panda and Sophos;
and no-one reported any rootkits. I think this will be enough to confirm that no traces or hidden or masked trojans are left ??
I don’t know what is “qoMFwxQj”?(I think this is a new threat reported in incodesolutions.com on 6-8-'08
qomfwxqj.dll)

i think im infected by wJQs.exe but i tested many solutions (programs) and i cant confirm or remove
i dont see really a difference on my computer but i saw wjqs.exe shut down. its the reason why i think im infected
anyone have a solution ? im not interested to format and i hope i have a other solution…you are my last option before the format.sorry for my english, i know it isnt good…
anyone can help me PLZ?

i just find 2 links about wjqs:. this avast post and this link http://www.prevx.com/filenames/2129194514198174408-0/WJQS.EXE.html

Please start a new topic.

I suggest:

SuperAntiSpyware Free
Spybot - Search & Destroy
Spyware Terminator (exclude the Crawler, add on, and the ClamAV module)
MalwareByte’s Anti-Malware

quote:rabb on today:-
" i think im infected by wJQs.exe but i tested many solutions (programs) and i cant confirm or remove
i dont see really a difference on my computer but i saw wjqs.exe shut down. its the reason why i think im infected
anyone have a solution ? im not interested to format and i hope i have a other solution…you are my last option before the format.sorry for my english, i know it isnt good…
anyone can help me PLZ?

i just find 2 links about wjqs:. this avast post and this link http://www.prevx.com/filenames/2129194514198174408-0/WJQS.EXE.html "

No need to format.I removed wJQs.exe from my pc as said above.First try Ad-Aware 2008 Free or Spyware Terminator. These two are freeware, if you don’t have it ,download/install it from softpedia.com or download.com or directly from spywareterminator.com or lavasoft.com, both are capable of removing this ‘Malware/Trojan downloader’. Sometimes,this 'rogue will leave some traces in your computer.SuperantispywarePro(free vn. only scans,will not remove) will remove the remains or use Bitdefender Antivirus 2008 free.
If it comes back in the name of something like ‘rhccttajOe3e1.exe’, you may install the free tool ‘DELANY’ from softpedia.com,take that ‘roguefile’ into its window and delete.
Antimalware 1.24 will also remove it completely, from malwarebytes.org,but it is not freeware.
Please try and inform.