Yesterday I downloaded and installed Avast 4 Home Edition and I scanned my local drives to check for any virus. After a couple of minutes Avast sounded the alarm because there was a (worm)virus found in one of the DLL-files located in the WINDOWS\System32 map or directory (I use Win XP Home Edition on a P4 2,4 GHz Tulip notebook running 512 MB internal memory shared with 32 MB video memory).
Then Avast “asked” me what to do with the infected DLL-file: Move/Rename it, Delete it, Repair it, Move it to Chest, or do nothing and leave the file infected by going on with scanning. Of course I wanted to get rid of the virus, so I chose the option Repair to remove the virus from the infected (DLL-)file. Then Avast “said” the virus cannot be removed from the file because this DLL-file is in use by (an)other component(s) of Win XP.
Is there any solution for this? Am I doing something wrong? How can I check which component uses this DLL-file? If there is no solution for this problem and I didn’t do anything wrong, probably the only way to remove viruses from files which are normally in use by the Win OS is to exit Win and run an antivirus program under MS-DOS (I must admit, in some situations I miss the good-old DOS very, very much!).
Another question.
When I download Avast 4 Home Edition, do I have to download Avast Virus Cleaner separately, or is Avast VC a component of the Avast 4 HE package?
Many thanks to those who answer/answered my questions.
What were the DLL files affected and what virus did avast! announce inside?
avast! Virus Cleaner is not part of avast! Home/Pro (currently). However, it doesn’t mean you have to download it. Virus Cleaner is a standalone tool to remove specific viruses - the number of viruses is very limited and the list of them is given on the corresponding web page. You are not supposed to download it unless you really are infected by one of the viruses on the list.
avast! itself uses a different, generic approach to file repair - VRDB. However, in a future version (hopefully 4.1) the virus-specific cleaning procedures used in Virus Cleaner should be integrated in avast!, too - thus combining the power of VRDB and the Cleaner.
1. Name: pav.sig
In map: C:\WINDOWS\system32
Infected by: Win95:Matyas
Message after attempting to remove the virus:
The file was not repaired.
Cannot process “C:\WINDOWS\system32\pav.sig” file
2. Name: imscan.dll
In map: C:\WINDOWS\system32\ActiveScan
Infected by: Win32:Kuang2
Message: File was successfully repaired.
3. Name: pav.sig
In map: C:\WINDOWS\system32\ActiveScan
Infected by: Win95:Matyas
Message: The file was not repaired.
Cannot process “C:\WINDOWS\system32\ActiveScan\pav.sig” file
4. Name: WinStart001.exe
In map: C:\Windows\System
Infected by: Win32:Trojan-gen. {VC}
Message: The file was not repaired.
Cannot process “C:\Windows\System\WinStart001.exe” file
5. Name: A0019897.exe
In map: C:\System Volume Information\_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP229
Infected by: Win32:Trojan-gen. {VC}
Message: The file was not repaired.
Cannot process “C:\System Volume Information\_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP229\A0019897.exe” file
6. Name: A0020631.dll
In map: C:\System Volume Information\_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP238
Infected by: Win32:Kuang2
Message: The file was not repaired.
Cannot process “C:\System Volume Information\_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP238\A0020631.dll” file
7. Name: A0020646.dll
In map: C:\System Volume Information\_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239
Infected by: Win32:Kuang2
Message: The file was not repaired.
Cannot process “C:\System Volume Information\_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239\A0020646.dll” file
8. Name: A0020657.dll
In map: C:\System Volume Information\_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239
Infected by: Win32:Kuang2
Message: The file was not repaired.
Cannot process “C:\System Volume Information\_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239\A0020657.dll” file
9. Name: A0020713.dll
In map: C:\System Volume Information\_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239
Infected by: Win32:Kuang2
Message: The file was not repaired.
Cannot process “C:\System Volume Information\_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239\A0020713.dll” file
Question 1: Why can’t Avast process these infected files?
Note/Question 2: In spite of the message File Was Successfully Repaired, every time I scan my local drives again with Avast, file “number 2” - imscan.dll, located in map C:\WINDOWS\system32\ActiveScan\ - stays infected by the Win32:Kuang2 virus. How is this possible?
Note/Q. 3: So once in a while I also use, for a second opinion, some free online virus scanners like BitDefender Antivirus, Panda ActiveScan, Symantec Security Virus Detection, or TrendMicro HouseCall Antivirus. When I look at the map C:\WINDOWS\system32\ActiveScan\ (see number 2 & 3) I think that this map is used by the online Panda ActiveScan(ner) software because of the same name (“ActiveScan”). Am I right?
Note/Q. 4: Does someone know what the function is of the file WinStart001.exe which is located in map C:\Windows\System and infected by the “Win32:Trojan-gen. {VC}” virus (see no. 4)?
Note/Q. 5: Every time I use the Avast 4 Home Edition Virus Scanner to scan my local drives for viruses the number of infected files increases by one. Again, how is that possible?
Note/Q. 6: Last question. What is the function of the map with the long name “C:\System Volume Information\_Restore{6F41619F-E3DD-419C-…” (see no. 5 - 9)?
Name: WinStart001.exe
In map: C:\Windows\System
Infected by: Win32:Trojan-gen. {VC}
Message: The file was not repaired.
Cannot process “C:\Windows\System\WinStart001.exe” file
The other ones are false positives in Panda AV files because Panda doesn’t encrypt their files properly.
- Look at TrendMicro or McAfee for the winstart.Trojan and follow the removal procedure.
- You need to disable Windows System Restore to get rid of the viruses/warnings from the restore folder (the procedure should be explained on McAfee/Symantec, too).
These are not viruses. They are unencrypted Panda Virus scan files. If you have ever installed any Panda antivirus, including running an online free scan from the Panda website, these files are generated and saved on your PC. Avast detects them as a virus because they are not encrypted. They are false positives and you can ignore them. Set Avast to ignore/exclude them next time you run the complete scan. If you no longer need the files (if you installed Avast, you should no longer need them), delete them.
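One way to sort a scan report like the one posted above into the three groups the replies distinguish (System Restore copies, Panda scanner files, everything else), as an added example that is not part of the original thread or of any Avast tool. The function names, bucket labels and the shortened sample report (with a placeholder restore GUID) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the "Name / In map / Infected by" layout used in the thread.
SAMPLE_REPORT = r"""
Name: pav.sig
In map: C:\WINDOWS\system32\ActiveScan
Infected by: Win95:Matyas
Name: imscan.dll
In map: C:\WINDOWS\system32\ActiveScan
Infected by: Win32:Kuang2
Name: WinStart001.exe
In map: C:\Windows\System
Infected by: Win32:Trojan-gen. {VC}
Name: A0020631.dll
In map: C:\System Volume Information\_Restore{GUID-PLACEHOLDER}\RP238
Infected by: Win32:Kuang2
"""

RECORD = re.compile(
    r"^Name:\s*(?P<name>.+?)\s*\n"
    r"In map:\s*(?P<folder>.+?)\s*\n"
    r"Infected by:\s*(?P<detection>.+?)\s*$",
    re.MULTILINE,
)
# Restore-point copies live under ...\_restore{GUID}\RPnnn
RESTORE_DIR = re.compile(r"\\_restore\{[^}]*\}\\RP\d+", re.IGNORECASE)
# Assumption: directory and file names of the Panda scanner, as named in the thread.
PANDA_DIRS = {"activescan"}
PANDA_FILES = {"pav.sig"}

def classify(folder, name):
    """Bucket one detection by location; this follows the replies, it is not a verdict."""
    if RESTORE_DIR.search(folder):
        return "system-restore-copy"    # cleared by disabling System Restore
    parts = {p.lower() for p in folder.split("\\")}
    if parts & PANDA_DIRS or name.lower() in PANDA_FILES:
        return "panda-scanner-file"     # reported in the thread as false positives
    return "investigate"                # look up the detection and its removal steps

def triage(report):
    groups = defaultdict(list)
    for m in RECORD.finditer(report):
        path = m["folder"].rstrip("\\") + "\\" + m["name"]
        groups[classify(m["folder"], m["name"])].append((path, m["detection"]))
    return dict(groups)

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(bucket)
        for path, detection in hits:
            print(f"  {path}  [{detection}]")
```
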