Hi,
a few days ago I found and quarantined some viruses with SUPERAntiSpyware.
Today I tried to remove them from the quarantine, because I have not noticed any problems on my PC (I tried to erase them permanently).
Here is the problem.
After I selected the quarantined files and clicked on remove, Avast alerted me:
Trojan Horse blocked
Object: C:\Document and settings…{3CA63800-D381-41EF-AB9C-450867E12916}
Infection: Win32:Crypt-HXA [Trj]
Action: moved to the trash
Process: C:\Programmi\SUPERAntiSpyware.exe
What does this mean? Do I have a virus on my computer?
Have I successfully deleted the quarantined virus?
I looked in the avast trash and I have 4 files (the files from the alarm).
{3CA663800-D381-41EF-AB9C-450867E12916} C:\Document and Settings\pc\Data applications\SUPERAntiSpyware\Quarantine\Quarantine-10-25-2010-18-31-06
Win 32:Crypt-HXA [Rrj]
{52633578-60E6-4BB8-8DF1-BA079CB778C6} C:\Document and Settings\pc\Data applications\SUPERAntiSpyware\Quarantine\Quarantine-10-25-2010-18-31-06
Win 32:Crypt-HXA [Rrj]
{7A7E58BE-1359-4878-BC4B-CD3F02AC8DDC} C:\Document and Settings\pc\Data applications\SUPERAntiSpyware\Quarantine\Quarantine-10-25-2010-18-31-06
Win 32:Crypt-HXA [Rrj]
{A014AC5C-CFC9-4958-A686-5923046BBC14} C:\Document and Settings\pc\Data applications\SUPERAntiSpyware\Quarantine\Quarantine-10-25-2010-18-31-06
Win 32:Crypt-HXA [Rrj]
OK, panic over, this is not saying that superantispyware.exe (SAS) is infected, just that it was SAS that created the object in the docs and settings folder.
What type of scan were you doing when these were detected?
Were you doing an SAS scan at or about the time of the detection (as these are items in the SAS Quarantine)?
Also, either your signature is out of date or the version of SAS is out of date; the latest version is 4.46.1000, so it is essential that you keep all security applications up to date.
I have SAS Pro and have no such detection, though I don’t have any detections on any of my software (system clean).
What I find strange is that the SAS Quarantine isn’t encrypted, which would stop avast being able to scan the contents. Though given the malware name given by avast, Win32:Crypt-HXA [Rrj] (Crypt being encrypted), it might well be encrypted and that is why avast is alerting.
So I would add the SAS Quarantine (C:\Document and Settings\pc\Data applications\SUPERAntiSpyware\Quarantine) to the avast exclusions, avastUI, Settings, Exclusions.
I would also do some housekeeping and clear the SAS Quarantine if these are old detections by SAS, over 3 weeks and no adverse effects on your system.
I followed the suggestion “Leave them in there for a few weeks and if no adverse effect you can delete/remove them.”
I tried to remove them from the basket and I got this virus alarm.
OK it looks like what was previously detected and moved to the SAS Quarantine (mentioned in the first link you gave) is being detected by avast as something different, because of the encryption involved.
Since this is well over 3 weeks since the original SAS detections, these files in the SAS Quarantine can be deleted. Reviewing those detections from the first link you gave, I believe them to have been good detections so you should have no problem in deleting them from the SAS Quarantine. That should prevent avast detecting them in the future.
However, one crucial question I asked remains unanswered: what type of scan were you doing?
e.g. an avast Quick, Full System or Custom scan.
If a custom scan, what were the settings, as I believe that these may not have been scanned on the default settings of the Quick or Full System scans.
Sorry for my bad English, I will try to explain better:
1 - The files that I mentioned, I found with SUPERAntiSpyware a few weeks ago
2 - The files were in the Trash of SUPERAntiSpyware and yesterday I tried to permanently delete them from it
3 - I was not doing any scanning when deleting the files from SUPERAntiSpyware; Avast gave the alarm without my starting it, just from selecting them for removal in SUPERAntiSpyware.
4 - The files that were originally in the basket of SUPERAntiSpyware are no longer there; only 4 of them are in the Avast basket, after Avast detected them on its own during their removal with and by SUPERAntiSpyware.
5 - I cannot even update the SUPERAntiSpyware program. You can see the version I downloaded (00/00/0000)
6 - I did not do any scan with Avast; however, when I do scans in general with antivirus programs, I scan the full system.
Is it a problem with the SUPERAntiSpyware program, since I cannot update it properly?
P.S. I have now scanned the PC with Avast and it gave me this report:
@ gpf
It may be that the act of accessing the files to remove them from the SAS Quarantine triggered the avast real-time scanner, the File System Shield. That has meant they were moved to the avast chest, they can do no harm there and wouldn’t be scanned by avast; you can safely delete them from the avast chest.
The windows XP firewall has zero outbound checking, so it isn’t that which is blocking the update and the exceptions in the XP firewall aren’t for outbound permissions.
I feel that the SAS installation may have become corrupt if it can’t update. Since it doesn’t have a repair function (like avast) I think it easiest to uninstall it, reboot and reinstall it. Since you have tried that and find the same problem, you say it can’t update properly, are there any errors when trying to update SAS?
Since you also have MBAM installed, it may just be easier to uninstall SAS and leave it off for now. Avast has anti-spyware built in to the main scanner and having installed MBAM, you should be quite well covered.
I uninstalled SAS, restarted the PC and reinstalled the latest version, just downloaded from the internet.
The problem remains the same. I can’t update the program and the version of the archive remains 00/00/0000 00:00
I can download the version and install it, but when I open it I see this version (00…) and if I try to update manually I see the error above.
I don’t know why that is, presumably avast and MBAM update without problem, so it is unlikely to be malware trying to block security applications updating.
So it may well be best to just uninstall it and leave it at that.
I just noticed your firefox is also out of date (or your signature), the latest version is 3.6.12, and many of those will have been security updates. It is essential to keep internet facing (and security) applications, your browsers, email programs, etc. up to date.
I do not understand: why does SAS work well on another PC, while on my computer it does not work and I have to uninstall it?
I have updated firefox to the latest version, but the problem with SAS remains…
…this must be a virus.
I can’t just leave the computer as it is now because maybe the virus can act on Avast and MBAM in the same way…
Other suggestions?
If you can’t update it for whatever reason on that system, yet it is OK on other systems, keeping it is pointless if the signatures can’t be updated.
I’m not sure that you do have a virus that is acting against security applications or you would likely see it acting on all and you would be likely to see it trying to prevent access to security web sites also.
There would also likely be other unusual activity present and you aren’t reporting any of these symptoms.
The avast report from an earlier post is fine, those with the “Can not access the file. The file is being used by another process” are just files that can’t be scanned and the reason. Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
The one thing I would suggest is that you get a firewall:
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
There are many freeware firewalls such as, PCTools Firewall Plus, Online Armor and recently released, Outpost Firewall free 7.0
Many forum users are using these:
PC Tools Firewall seems to have the least user headaches as it doesn’t seem to be constantly asking the user questions about this and that.
Online Armor is for the most part fine.
Outpost Firewall free, a cut down version of the Outpost Firewall Pro version, which should still provide good protection http://free.agnitum.com/. Download, http://www.filehippo.com/download_outpost_firewall/. However there is now a free suite version from Agnitum and that comes with an AV, which you don’t want to install, so you would need to do a custom installation.
They aren’t infections as such, just changed registry values.
These would change some of the explorer options to show MyDocs and Help, MBAM doesn’t actually delete these but changes the values back to the default.