I must say … I was overtaken by a sense of having been coerced into downloading some awful program and destroying my system when I clicked on the thumbnail on the Avira web page and a popup got past Firefox. That popup was about an evil-looking game of some sort. It opened another Firefox tab and left it open, but I was quick to close it out of fear. I must say I was EXTREMELY reluctant to boot their CD after I saw that. Then when I booted the Avira CD, another evil-looking cartoonish character appeared in the upper left corner of the screen. Nonetheless I did boot up, and after about 10 seconds the evil little character disappeared. This is not a good way for Avira to give a very comfortable feeling about their product(s).
I have transcribed all of the information on the Avira screen below.
Below that are a couple of concerns that I have.
========================================
Items found by Avira Rescue CD:
/media/Devices/sda1/ComboFix/n.pif
ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/ComboFix/n.pif <<< The file contains an executable.
This however, is disguised by a harmless file extension (HIDDENEXT/Crypted) not removable
file renamed. (Avira did not say to what it was renamed.)
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css
WARNING: archive not completely scanned: contents exceed 191397888 bytes
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/SI058REH/CADFBH79
WARNING: archive not completely scanned: contents exceed 191397888 bytes
/media/Devices/sda1/TEMP/ComboFix.exe
ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/TEMP/ComboFix.exe → 32788R22FWJFW\n.pif <<< The file contains an executable.
This however, is disguised by a harmless file extension (HIDDENEXT/Crypted) not removable
file renamed. (Again, Avira did not say to what it was renamed.)
archive: /media/Devices/sda1/WINDOWS/system32/files.zip → loader.exe extract error (ALL files in archive are encrypted.)
/media/Devices/sda1/WINDOWS/system32/files.zip
WARNING: archive not completely scanned: contents encrypted
/media/Devices/sda1/WINDOWS/system32/wh.exe
ALERT: [TR/Crypt.XPACK.Gen] /media/Devices/sda1/WINDOWS/system32/wh.exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen
not removable
file renamed.
------ scan results ------
directories: 14339
files: 689228
alerts: 3
suspicious: 0
repaired: 0
deleted: 0
renamed: 0
quarantined: 0
warnings: 3
scan time: 00:59:12
========================================
Do I need to be concerned about the two warnings where the files were supposedly too large to completely scan?
Personally, I doubt that /…Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css is greater than 191397888 bytes.
What about the archive that was not completely scanned because it was encrypted?
After rebooting I looked for the above items to see to what they had been renamed.
For the first item, /media/Devices/sda1/ComboFix/n.pif, it appears that Avira removed the “/n.pif” and it now appears as a folder in the root of the C: drive with the same icon as “My Computer”. When I click on the “plus” (+) next to it, it opens up and appears the same as “My Computer”, with the entire hierarchy down to but not including “My Network Places”. I am afraid that if I delete it, it will wipe out my entire hard drive.
The second item:
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files/Content.IE5/OTE30PE3/horoscopes[1].css
is also damaged, in that the hierarchy goes as far as
/media/devices/sda1/Documents and Settings/Aloha/Local Settings/Temporary Internet Files
then there is no Content.IE5 or anything below that.
When I right-click on Temporary Internet Files and click Properties, it reports that it is 432 MB with 14,523 files AND 24 folders, but I cannot see the folders. When I look at the files alphabetically, Content.IE5 is not in the list as a folder or otherwise.
Needless to say, I cannot find the horoscope file or the other file/folder.
ALERT: [HIDDENEXT/Crypted] /media/Devices/sda1/TEMP/ComboFix.exe → 32788R22FWJFW\n.pif
was found in the TEMP folder of the C: drive (sda1), renamed to ComboFix.exe.XXX
archive: /media/Devices/sda1/WINDOWS/system32/files.zip
This file is dated 7/1/2009 at 1:03 AM and is only 20 KB.
I manually renamed it to files.xxx.zip.
ALERT: [TR/Crypt.XPACK.Gen] /media/Devices/sda1/WINDOWS/system32/wh.exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen
This file was renamed to wh.exe.XXX and is dated 7/1/2009 at 1:03 AM and is 34 KB.
Obviously these two are related since they are dated the same and timestamped the same.
My biggest concern is with the ComboFix file/folder/My Computer or whatever it is.
The properties say it is 6.56 MB and contains 197 files and 1 folder.
I feel somewhat that it may be the ComboFix I downloaded yesterday and it gave a “false positive” to Avira.
BUT what do I do with it now?
By the way, I still have 50 instances of ashMaiSv.exe and NO instances of ashWebSv.exe.
When I restarted, avast detected an unauthorized modification to ashDisp and I was asked if I wanted to run it anyway.
I said no, and thus ashDisp is not running, but ashMaiSv had 21 instances running in the first 5 minutes. Also, ashServ and aswUpdSv are running, but no other ash modules.
Should I uninstall and reinstall AVAST again?
One piece of good news is that I no longer get the message that I am not authorized to shutdown or restart windows.
Thanks,
Jay Gee
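The two heuristic findings in the log above (HIDDENEXT, and the "archive not completely scanned" warnings) can be reproduced with a small scanner. The block below is an added example, my own code and not Avira's, not ComboFix's and not part of Jay Gee's post. It classifies a file by its magic bytes (a DOS `MZ` header whose `e_lfanew` points at `PE\0\0`, or a ZIP local-header signature) and compares that with what the extension claims; for a ZIP it reads only the central directory, reporting entries that carry the encryption flag or a total uncompressed size above a limit. `EXECUTABLE_EXTS` and the sample files are assumptions (constructed in memory and named after the paths in the log), `MAX_ARCHIVE_BYTES` is the value quoted in the log, and signature detections such as TR/Crypt.XPACK.Gen are out of scope.

```python
"""Added example: reproduce the HIDDENEXT and archive warnings from the log.
Not Avira's code; sample files, extension list and size limit are assumptions."""
import io
import os
import struct
import zipfile

# Assumption: extensions a user expects to hold an executable. Anything else
# that carries a PE image is reported as disguised. Windows does launch .pif
# files, but it is left out here so the sample reproduces the log's finding.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx", ".drv"}
# Same limit as the "contents exceed ... bytes" warning in the log above.
MAX_ARCHIVE_BYTES = 191_397_888
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag word


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_archive(data: bytes) -> list[str]:
    """Return warnings for a ZIP archive without extracting any entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return ["archive corrupt or truncated"]
    warnings = []
    encrypted = [zi.filename for zi in infos if zi.flag_bits & ENCRYPTED_FLAG]
    if encrypted:
        warnings.append("archive not completely scanned: contents encrypted "
                        f"({', '.join(encrypted)})")
    if sum(zi.file_size for zi in infos) > MAX_ARCHIVE_BYTES:
        warnings.append("archive not completely scanned: contents exceed "
                        f"{MAX_ARCHIVE_BYTES} bytes")
    return warnings


def scan_file(path: str, data: bytes) -> list[str]:
    """Classify by magic bytes, then compare against what the extension claims."""
    ext = os.path.splitext(path)[1].lower()
    if is_pe_image(data):
        if ext in EXECUTABLE_EXTS:
            return []
        return [f"ALERT: [HIDDENEXT] {path} contains an executable disguised by "
                f"the extension {ext!r}"]
    if data[:4] == b"PK\x03\x04":
        return [f"WARNING: {path}: {w}" for w in check_archive(data)]
    return []


def scan_all(files: dict[str, bytes]) -> list[str]:
    return [line for path, data in files.items() for line in scan_file(path, data)]


def fake_pe() -> bytes:
    """Constructed stand-in for a PE file: DOS header, e_lfanew, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> just after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Write a one-entry stored ZIP; optionally set the encryption flag in both
    the local file header (offset 6) and the central directory entry (offset 8),
    which is where zipfile reads ZipInfo.flag_bits from."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= ENCRYPTED_FLAG
        raw[raw.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    return bytes(raw)


# Constructed sample "disk", named after the paths in the log above.
SAMPLE_FILES = {
    "ComboFix/n.pif": fake_pe(),
    "WINDOWS/system32/wh.exe": fake_pe(),
    "WINDOWS/system32/files.zip": build_zip("loader.exe", b"opaque", encrypted=True),
    "Temporary Internet Files/Content.IE5/horoscopes[1].css": b"body { color: red }",
}

if __name__ == "__main__":
    for line in scan_all(SAMPLE_FILES):
        print(line)
```

Run stand-alone, it reports the `.pif` as a disguised executable and `files.zip` as not completely scanned because its entry is encrypted; `wh.exe` and the `.css` file produce nothing, because an extension mismatch is the only heuristic here. The point of reading only the central directory is that an encrypted or oversized archive is reported without ever extracting a member, which is also why such a warning says nothing about whether the contents are malicious.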