I had been using Avast for almost 3 years now and had always been a great fan of the product. I had introduced the product to quite a number of friends. However, my experience recently, to be precise just yesterday and today, has been most discouraging and has shaken my faith in the product.
My Avast virus signature had just been updated on the late night of 15 Nov. On 16 Nov, I visited a normal website that was unfortunately hacked, as I was given to know later. On opening the page, Avast gave a virus warning and I shut the webpage immediately and unplugged the internet. Did a full scan immediately and moved whatever virus found to the chest. I even did a boot time scan which I thought would rid the notebook of whatever virus (I am travelling in PRC currently and the notebook is my only access to the internet). After entering Windows, Avast again gave a virus warning, in fact a few, which I sent all to the Chest and did another scan; there was no indication of virus found. Just to be sure, scheduled another boot time scan and what happened? The same thing happened when Windows opened after the boot time scan. The same viruses found. What I found out was when the notebook boots up and enters Windows, the malicious program(s) created programs in the System32 folder and Program Files folder. Repeated actions meant the whole of 16 Nov is gone trying to catch the Trojan & Worm viruses.
What frustrated me was 2 points. Firstly, when I asked my friend to access the same webpage, his virus scanner (Kaspersky) was able to break the connection to the webpage immediately and his system was not infected at all. Secondly, why Avast wasn’t able to find and “kill” the initiating program(s) but kept issuing warnings on the “created files”. “Move to Chest” on virus found…rescan to try and ensure that there aren’t any more…scheduled a boot time scan…re-boot…Windows opens with exactly the same virus infection…frustration!!! Closed my notebook and went to sleep.
Woke up on 17 Nov and the first thing is to try again, but with the same results. Had no choice but to get online to look for some online scanners. What is worse is now Avast does not give virus warnings anymore. However, the connection speed came to a crawl and I figure that something is still wrong somewhere, as I can find those “extra files” in the System32 and Program Files folders. Left with no other choices, went to a friend’s place to download the trial version of NOD32 onto a flash disk. Came back to the hotel and installed it on my notebook. A full scan (almost 4 hours) immediately revealed 23 intrusions and successfully quarantined all the files. Things seem to be back to “normal” and I don’t get those “extra files” again; internet connection time also is back to normal. Thus I have no choice but to uninstall my long beloved Avast and keep NOD32 on.
I think Avast will have to improve on this somehow: stop the connection to the website immediately when a virus is detected and not let it get into the system. A good look at the scanning logic as to why it is not able to find the initiating program but only the “created programs”.
Below are the viruses found by Avast as copied from the Chest:
Win32:Agent-MDY
Win32:Nileage-JY
Win32:AutoRun-BS
Win32:Lmir-OK
Win32:OnLineGame-ALS/BHW/AUU
Win32:Delf-DQP
I am writing this in the hope that Avast will improve and not let me down.
Getting infected by a hacked website means you have insecure software on your computer which allows ‘drive-by’ installation and download of malware. Scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.
Sorry for your problems.
However, this has obviously nothing to do with “scanning logic” or not terminating the connection when the virus is found. The problem here was that only some of the files were detected, while others were not (so they slipped through) - and they were active, downloading or dropping other (already detected) files.
In addition to what FreewheelinFrank said, if Opera was your browser & you used a real-time anti-spyware program like SuperAntiSpyware Professional (not free) or Spyware Terminator (free), you might not have become infected.
Thanks all of you for the advice. As a new guy to the forum, I don’t know how to PM Igor; can anyone help?
Also, I have a related question. I noted that the malware source seems to be hiding deep in several folders:
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\75M5RROV
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\PC3FLL53
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\SQOGBR1Q
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\TJOSCAM9
Searched through using Windows Explorer but couldn’t find these folders; even using the DOS prompt I was also unable to locate these folders. Can anyone tell me how to get to these folders?
Though I had uninstalled Avast, I found a small Avast file in the temp directory (avast/unp181534466.tmp). Don’t know whether that will be of any help. Anyway, the gist is still why Avast found those initiating malware files in those folders but failed to kill them in the normal scan and boot time scan, and finally failed to detect them at all.
The IM icon to the left of his post allows the use of the forum PM function. However, there could be a problem, as there is a restriction in the use of the PM function.
I can’t recall if users with less than 20 posts can’t use it or if they have to enter a captcha code when they use it. This is interpreting an image with 3 characters and entering the code; this was introduced after the PM function was used to spam members. So I don’t know if you would be able to use the PM function.
You could enter the URL here but make sure that the link isn’t active by putting breaks in the link to avoid accidental exposure, e.g. http :// www . demonstration.com /demo-web-page.html
Those are regular temp internet folders and you should be able to see them in explorer, I doubt that the folders are hidden, but you can check. Tools, Folder Options, View, scroll down to the hidden files and folders section and adjust as required, see image.
The avast folder is where avast unpacks (hence the unp prefix) files for scanning, usually it is cleared on successful completion of the scan, I don’t know if it will help.
There may well have been an undetected or hidden downloader that would try to download more (which may be what avast was detecting) but the source was undetected. A good firewall with outbound protection may have stopped the unauthorised outbound Internet Connections.
One of the malware names you mentioned, Win32:AutoRun-BS, may also have meant that you could also have been infected from a USB pen drive if you also used that in other systems…
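The pattern described in this thread (detected files reappearing in System32 and Program Files after every boot-time scan while the source stays undetected) is easiest to pin down by recording a baseline of those folders before the reboot and diffing it afterwards. This is an added example, not code from the thread or from Avast; the folder it scans is a constructed temporary directory standing in for System32, and the file names in it are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to (size, sha256)."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                manifest[str(p.relative_to(root))] = (p.stat().st_size, hash_file(p))
            except OSError:
                # Locked or vanished files (common while a dropper is active) are skipped, not fatal.
                continue
    return manifest


def diff_manifests(before, after):
    """Files that appeared, changed or disappeared between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: a stand-in 'system32' folder before and after a reboot."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        (sys32 / "kernel32.dll").write_bytes(b"constructed legitimate content")
        (sys32 / "config.dat").write_bytes(b"v1")
        before = build_manifest(sys32)
        # Simulate what the thread describes: a dropped file reappears and an existing file is altered.
        (sys32 / "dropped.exe").write_bytes(b"MZ constructed sample")
        (sys32 / "config.dat").write_bytes(b"v2 tampered")
        after = build_manifest(sys32)
        return diff_manifests(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real machine, save the manifest of System32 and Program Files before the boot-time scan and diff after Windows comes back up; anything under "added" is the dropper's output, and its creation time narrows down which process wrote it.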
As regards those directories, I had already done what you had indicated and the result is as I had indicated. I had used a utility to clear the Temporary Internet Files directory.
Also I used F-Secure online to scan again and the results are in a file.
I don’t know whether Igor can PM me so that I can reply and also send him the report file from F-secure for checking and infor also. What I hope is that such virus information should be shared to improve AV programs for the better of all.
This is what I see, see image; the IM is the one on the right, arrowed. If you can’t see that, it looks like it is not available at all, even with the captcha function.
You can attach .txt or .log files to your posts, click the Additional Options, Browse, navigate to the report file and select it.
That won’t ‘stop’ you getting infected but it will limit the potential damage (IMHO) if it can’t create registry entries or place files in system folders. So irrespective of whether you use a limited user account or use DropMyRights, etc. you should still keep your software up to date.
Try clicking on Igor’s name in the forum…it will then bring up his profile, and at the bottom of his profile page will be a request to send this user a message. Hope this way can work for ya, Huainian.
No need to go to those lengths; clicking the IM button/icon in any of his posts will have the same effect. However, as my earlier post and image show, there is a restriction in the use of the forum’s IM/Personal Message function, and that is 20 posts. So unfortunately Huainian won’t be able to use the forum PM/IM function.