Malfunctioning Standard Shield

I think there seems to be some problem with the standard shield in my Avast! home edition.

I am using the latest signature as well as program updates.

A little while earlier, I double-clicked on a program setup on a CD a friend gave to me. Avast! warned that it was infected with W32.Parite.B virus and I guess it should have stopped access to the file immediately.

Unfortunately, in a little while longer, warnings began to pop up that some of the files in C:\Windows were infected by the same virus.

I had scanned my computer earlier in the day and before this incident my computer was virus free for sure.

I have the standard shield set at high.

Any comments?? Anything I didn’t do right??

Don’t panic…
Maybe avast was just unpacking the file to the temporary folder of windows and scanning it…
Did you scan the HDD after the ‘infection’?

Hmm, that’s strange… Standard Shield certainly shouldn’t allow any infected file to be started.

What’s your OS, avast! version, settings of the Standard Shield…?

Hi

I’m using Win98 SE.

My signature database is dated 08/17/04, program version is 4.1.418.

My standard shield is running at high sensitivity.

Hi

Looked up the virus chest, the infected files were not temp files.

They include clspack.exe, msnmsgr1.exe, drwatson.exe…
and a couple of others.

They are Windows system files I guess, other than msnmsgr1.exe I guess.

Even this way you can boot your computer?
Maybe the virus disabled avast protection… Like Igor said, it’s strange but let’s try to solve it. Can you follow the link ‘Virus Clean’ in my signature? Whocares gives us a lot of safe procedures to get rid of viruses… :slight_smile:

Hi

Well, I finally got rid of the virus.

Booted from my Windows rescue disk, started NOD32 for DOS and cleaned the infected Windows files.

May I suggest (correct me if I’m wrong) that avast! add a DOS-based scanner to the main program which we can run using the avast! signature in case Windows is infected. You could keep the DOS scanner on a rescue disk and ask it to locate signatures in the avast! antivirus directory.

I’m sure it could work and above all no virus could infect signature files as they are not executable.

Plus, such a thing could work with all versions of Windows, whether ME or XP or any other, as long as they use FAT for their hard disk (there is a way out even in case of NTFS).

Thanks and regards

satish

add a dos based scanner to the main program...
Avast has a boot time scan which you could have used.

Avast has also a free dos version which you could have used.

Avast also has the BART cd which you could have used.

Next time, doing a little research first? :wink:

Well, for Parite virus, I’d rather suggest the integrated avast! Virus Cleaner (that should have been offered in the avast! Virus dialog). That is the easiest way to remove the virus.

Satish, of course you can suggest, but I think the policy of Alwil is to release just the Windows version for free (home and non-commercial use). F-Prot, for instance, makes only the DOS version free, not the Windows one…

You can use avast for DOS on FAT (FAT32) partitions… (or boot time if on XP).
If you have NTFS, just use the boot time scanning (as you will be with Windows 2k/XP).

Anyway, glad that you found a solution 8)

Guys,

you have misunderstood my point here.

When the virus-infected setup got executed in spite of an active standard shield, I could not trust any Windows-based program to check for the virus; there was no certainty that it would not have been infected.

Same goes for any other executable file on my hard disk (read: the boot-up scanner).

So my suggestion was to enable the user to put a DOS-based scanner, whether you call it a boot-up scanner or whatever, onto a floppy to scan his/her computer when Windows itself got infected, as in my case.

Plus, I did some research on the Parite virus and I found it to be a fast infector, infecting a huge number of programs in a short while.

So most probably, the boot-up scanner would have also been infected in the meantime and so the story moves on further…

So my suggestion was to have a program on a floppy disk which uses the signature files on a hard disk (that way it fits onto a floppy) and you can therefore avoid running an infected scanner.

Also, running the avast! cleaner while the virus was active in memory did not seem to be a good idea to me, but still I tried it and it unfortunately failed.

It too got infected, I guess.

In essence, what I am suggesting is to use an existing piece of technology and adapt it for a new/additional use to get better protection.

That’s it!! ;D

The boot-time scanner is not an ordinary executable module - so, the virus cannot infect it such that the “infection moves on”. In the worst case, its executable may be corrupted and stop working, but it wouldn’t spread the infection.

Can you be a little more specific about the failure/output?
avast! Virus Cleaner is designed specifically to be working when the virus is active in memory (in general, it’s better to run it when the virus is in memory than trying things like booting to safe mode).

Hi

I’m sorry if I am raising a storm here and coming across as ignorant :).

I guess I mistook the “repair” option in the pop-up warning for the cleaner and in my case, the “repair” did not work and avast! gave me an error message.

Just to check everything, I ran the infected setup again (after backing up my important data). Again I got infected in spite of avast! standard shield running.

But I should say, I started avast! antivirus and during the memory check, it detected the virus in memory and gave me a “clean from system” option and it did its work and cleared the infection.

But the fact remains that I got infected…

I did a bit of analysis (if you can call it so… :)); the setup itself was certified clean by avast! but it seems some other files which were part of the package were infected and these were executed by the setup and hence the infection…

I still believe that the execution of these files should have been stopped in the first place.

But finally, no harm done…

Thanks and regards

satish

but it seems some other files which were part of the package were infected and these were executed by the setup and hence the infection....
Are these archives, perhaps even password protected?

No, these were all exe files; perhaps a whole lot of them were executed at once and avast! couldn’t cope with the whole lot of them, but this is merely speculation.

A .exe can still be a (password protected) archive.

Maybe so, but shouldn’t the process still be stopped?

Unfortunately I deleted the files in question so I wouldn’t be able to say.

Also, even if the .exe files were encrypted or archived, they would be extracted to some temporary location to be executed, so shouldn’t the process be stopped at that time at least??

In my case, warnings started to pop up everywhere showing Windows system files to be infected…

You are right, of course - the infected file should never be started. I would certainly like to know how it really happened. I know how the Win9x part of the Standard Shield works… and it’s really strange.

You’re saying that “warnings started to pop up” - it means that the virus was already active in memory and started infecting the files. The warnings came from the Standard Shield scanning “created/modified files”. This feature (scanning created/modified files) checks the files “on close” - so it cannot prevent the infection, the warning occurs when the file is already infected (and it cannot be done in a better way).

The scanning of the executed files (and scanning “on open”), however, is performed before the files are accessed (unless the file is on the list of avast! exclusions) - and if they are found infected, the access is denied, of course. So, the question is how the infected file was started the first time. If it were started before avast! was loaded during Windows startup, it would be possible - but how would the file get to your hard disk if your Standard Shield setting is on High ???
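
Added example, not part of the thread and not avast! code: a toy Python model of the two hooks described in the post above, showing why an "on execute/open" check can deny a launch while an "on close" check can only warn after the file is already modified. The `Shield` class, the file paths and the `SIGNATURE` marker are constructed for illustration.

```python
# Toy model of the two hooks described in the post above. Not avast! code.
SIGNATURE = b"CONSTRUCTED-MARKER"  # constructed stand-in for a virus signature

class Shield:
    def __init__(self, exclusions=()):
        self.exclusions = set(exclusions)
        self.log = []

    def _infected(self, fs, path):
        # Files on the exclusion list are never scanned.
        return path not in self.exclusions and SIGNATURE in fs[path]

    def on_execute(self, fs, path):
        """Runs before access: an infected file is denied and never starts."""
        if self._infected(fs, path):
            self.log.append(("denied", path))
            return False
        return True

    def on_close(self, fs, path):
        """Runs after the write: it can only report what is already on disk."""
        if self._infected(fs, path):
            self.log.append(("warning", path))

def run_scenario(shield_active_at_launch, exclusions=()):
    # Constructed file system: one infected file on the CD, one clean system file.
    cd_file, sys_file = "D:/pkg/app.exe", "C:/WINDOWS/tool.exe"
    fs = {cd_file: b"MZ" + SIGNATURE, sys_file: b"MZ clean"}
    shield = Shield(exclusions)
    # If the shield is not loaded yet, nothing checks the launch.
    started = shield.on_execute(fs, cd_file) if shield_active_at_launch else True
    if started:
        # Stand-in for the resident virus modifying a file, which is then closed.
        fs[sys_file] += SIGNATURE
        shield.on_close(fs, sys_file)
    return shield.log, SIGNATURE in fs[sys_file]

if __name__ == "__main__":
    print(run_scenario(True))    # launch denied, system file untouched
    print(run_scenario(False))   # launch unchecked, warning arrives too late
    print(run_scenario(True, exclusions=["D:/pkg/app.exe"]))  # excluded file runs
```
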

Hi

This must all seem pretty strange to you and it is… :slight_smile:

OK, so here’s what actually happened. My Office 97 CD developed a crack on the inner hole and I was afraid it would get bigger and damage the CD, so I gave it to a friend (who has a CD writer) to make a backup of it.

Unfortunately, he seems to be infected with the Parite virus and somehow ended up infecting all .exe files in the Office 97 package.

But somehow, the setup file remained uninfected (don’t know how ???). I know this for sure because later on I scanned the CD and found a lot of exe files like Word, Access etc. infected while the setup itself was clean.

So my guess is that when I executed the setup from the CD, it must have executed the infected exe files somehow and that ended up infecting Windows and that is when I saw warnings pop up all over.

I am sure the infection came from this very source since I had scanned my computer with avast! just earlier in the day and everything was OK then.

So if you want to replicate this incident, you could take a copy of the Office 97 package and infect all exe files other than the setup file, copy it onto a CD and then try running the setup on a Win98 SE machine with avast! resident shield on high sensitivity.

Pretty unusual, huh!! :wink:

Thanks and regards

satish