Text (.txt) files aren’t scanned by default on creation or modification, that is why I suggested downloading the com (or exe version, which I see isn’t included in the samples on the site) of the test.
I think it would be worthwhile to email support on this and attack it from both directions; it is certainly weird.
Could it be that this is somehow being stealthed/protected in some way. avast usually hooks .exe files so they are scanned before they are executed. Check and ensure that standard .exe files are in fact scanned, enable the ‘Show detailed info on performed actions’ in standard shield and execute some normal exe files and see if they are scanned or watch the Last scanned: in standard shield detailed view.
You didn’t mention your standard shield settings; check the Customise button, Scanner Advanced.
Which are your Standard Shield configurations at this time?
1. Save HJTsetup.exe to your desktop.
2. Double-click on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon, then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
9. Click on “Edit > Select All”, then click on “Edit > Copy” to copy the entire contents of the log.
10. Come back here to this thread and paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
The log will be long - use multiple posts if you need to.
That is good news that you have been contacted; I had hoped for and tried to get some input from one of the Alwil team. Hopefully they will be able to get to the bottom of it, as it is beyond my limited knowledge of avast’s inner workings.
I suspect that QEHNick is aware of this 04 entry as he has intimate knowledge of the RavMonE.exe file (see Reply #17).
QEHNick’s problem is that although the file is detected by avast signatures on an on-demand scan, it isn’t detected with the on-access scan and avast allows it to execute.
The O22 entries are fine; they appear on the latest Trend Micro HijackThis v2.0.0 (BETA) version but not on HJT 1.99.1. When they first appeared on my first use of the 2.0 version I checked them out fully.
For sure that’s where ravmone.exe is loading. The problem is I was half expecting to see something stealthy here (or see no entry at all) to explain the avast! behavior, but it’s just out in the open running as a start up.
If you fix this line in HJT
O4 - HKLM..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
and delete these files
C:\WINDOWS\RavMonE.exe
C:\WINDOWS\ADOBER.EXE (if present)
you will clean the individual computer, but the scanning mystery will remain and you will still need to prevent potential reinfection through the LAN or via USB drives.
I don’t have a solution to that but the following may help clean this:
On an infected computer download SDFix and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.
In Safe Mode, double-click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically ‘C:\SDFix’). Open the SDFix folder in Safe Mode, then double-click the RunThis.bat file to start the fixtool. Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
You probably already know this, but it’s likely a copy of ravmone.exe is present in c:\windows\adober.exe. If this is the reality of your situation and avast! does not see it, then there may be a rootkit hiding the copy rather than the primary file. SDFix should clean it.
Also remember that this is very capable of stealing information so you should be taking steps to protect sensitive data.
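A small parser for the HijackThis O4 lines discussed above, added here as an illustration and not part of any poster’s reply. The sample log is constructed (the RavAV line mirrors the entry quoted in the thread) and the watchlist only carries the two filenames the thread names; it accepts both the `HKLM\..\Run` form HJT writes and the `HKLM..\Run` form as it appears in the post.

```python
import re

# Constructed sample HijackThis log (not from any real machine). The RavAV
# line mirrors the O4 entry quoted in the thread; the rest are ordinary entries.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O22 - SharedTaskScheduler: Browseui preloader - {placeholder-clsid}
"""

# Executable names the thread identifies with this infection (RavMonE and its
# copy under C:\WINDOWS\ADOBER.EXE); extend as needed.
WATCHLIST = {"ravmone.exe", "adober.exe"}

# O4 line: hive, "\..\" (the backslash after the hive is optional so the
# extracted form "HKLM..\Run" also parses), key, [value name], command.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First token ending in .exe, so quoted paths with spaces still yield the name.
EXE_RE = re.compile(r'([^\\"\s]+\.exe)', re.IGNORECASE)


def parse_o4(line):
    """Split one HJT O4 line into hive, key, value name, command and exe name.
    Returns None for any line that is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    exe = EXE_RE.search(entry["cmd"])
    entry["exe"] = exe.group(1).lower() if exe else ""
    return entry


def flag_startup_entries(log_text, watchlist=WATCHLIST):
    """Return the O4 entries whose executable name is on the watchlist."""
    return [e for e in map(parse_o4, log_text.splitlines())
            if e and e["exe"] in watchlist]


if __name__ == "__main__":
    for hit in flag_startup_entries(SAMPLE_LOG):
        print(f"{hit['hive']}\\..\\{hit['key']} [{hit['name']}] -> {hit['cmd']}")
```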
Now we’re getting somewhere. That trz##.tmp file is still sitting on a cleaned PC although with a different name.
So now I had better check some of these PCs for rootkits. Edit: it seems that it’s not a rootkit. The PC I had looked at had simply been reinfected by the user’s USB device.
I have infected a PC several times (on purpose) but it has not once been infected with the trz##.tmp part of the virus. I wonder why.
Still doesn’t answer why Avast! doesn’t detect “on access”.
Nah, the lab people don’t respond… the only way you’re sure that what you mailed them has been noticed is if they include it in the future updates… and the response is very slow… if the malware is of no serious threat…
This has downloader capability and may be responsible for the trz##.tmp files. There are several tools we could run against it but I still recommend SDFix first.
Is there any chance of keeping those USB drives away from the PCs for now? They will just continually re-infect them (if I’m not mistaken, file transfers from an infected USB drive carry some risk even with autorun turned off).
No, it doesn’t. Nor does it make sense to allow the infection to continue while a solution to the scanning dilemma is being worked on.
It looks like you’ve had this problem since at least 22 March and, while I have every confidence in the ability of the analysts to solve the scanning dilemma, a two-pronged approach seems logical.
I’m aware of RJUMP connecting to sites to download other malware. Luckily our Webfilter software (websense) blocks all attempts by any malware at connecting to these sites. So at least that avenue is closed to it.
All in all, it causes little impact on our systems; however, it is still an unwanted process.