I have a Windows 7 beta x86 system with Avast Free installed. All plugins are active including IM/Web scanning & db is up to date.

Last night my daughter (with no admin access) had issues with an MSN worm causing her id to send messages of the form
foto?? haha http://XXXmsnimages.org/gallery.php?MYEMAILADDRESS

A quick scan (full scan takes ages as I have millions of files…) didn’t show up anything, nor did I notice anything in the logs.

HOWEVER I also have microsoft live family safety scanner running and the logs report

Program Description Web address Last visited ▼ Visits
hiddenX.exe gDGTEvDF http://XXXhi5gallery.net 3/24/2009 6:54 PM 1

Edit: I’ve added XXX in that URLs above to prevent anyone accidentally going there!

SInce this isn’t web browsing per se it doesn’t block, only report. Also the above is 5 minutes after I received the first “spam” msn message but is the only remotely suspicious entry I can see

So questions include

• Should avast have protected me?
• Is there an issue with using MS FSS and avast together?
• Am I likely infected?
• What is the virus, how to clean?

Needless to say “education” is on my list too… I’m also planning to do some manual hunting with hijack this and a full scan tonight.

My hope is that whilst the .EXE was launched it would have been unable to update anything … but if this was the case why didn’t avast real time scanning pick it up??

Just because you have an Anti-Virus installed, it doesn’t mean that it knows about every virus ever made. Sometimes viruses get through, it can happen to any A/V program.

My advice would be to upload the .exe file to http://www.virustotal.com and have it analyzed.

If it is considered a virus, then it may be helpful to send it in a password protected zipped file to virus@avast.com with virus in the subject and the password to open the zip file in the body of the message.

Also, it may be beneficial to download malwarebytes from http://www.malwarebytes.org and run a quick scan.

I think that MSN’s messenger program is ran either in a secure tunnel or the connection is encrypted, so that may be the reason that Avast wasn’t able to pick it up. I’m not totally sure about that one though.

Ran a full scan with avast (and spybot) and avast found a generic Win32:Trojan-gen in temporary internet files

No sign of it elsewhere. Nothing running. No signs of bad behaviour. No reoccurance (it only happened/got run once)

So I think whilst the exe was launched it couldn’t do anything (wasn’t running as admin)

… I hope…

I did also double check by downloading the eicar test virus that the realtime scanner kicked in fine, so I’m still confused why the real time scanner may have missed this trojan

Anyway think things are ok for now.

Good to hear!