Hello, I have Avast 4.7 Pro, and every time I start up, I receive an alert from the on-access scanner that the file ‘vook.sys’ in the Windows32 folder has a virus called ‘Trojan-gen {Other}’. I tried to repair this file, and even delete it (probably not a good idea, but it comes back anyway…!?), move it to the chest, you name it… I have no performance issues as of yet with my computer, but this virus alert every time I log on gets very obnoxious… How might I go about removing or repairing this??
There are about 5 vook.sys files in my virus chest, but it keeps reappearing. I’m not sure whether to believe it’s an actual system file or a virus…??
Scanning of selected files
Action was completed successfully!
Virus has been detected!
File Name: vook.sys
FileID: 5
Virus Description: Win32:Trojan-gen. {Other}
Scanning of selected files
Program will try to scan 1 selected file(s) in the Chest
Move files to temporary folder: C:\DOCUME~1\Owner\LOCALS~1\Temp_avast4_\unp3982337.tmp
FileID: 0000000005 Original file name: C:\WINDOWS\system32\vook.sys New folder: C:\DOCUME~1\Owner\LOCALS~1\Temp_avast4_\unp3982337.tmp\5.sys
Scan files in the temporary folder: C:\DOCUME~1\Owner\LOCALS~1\Temp_avast4_\unp3982337.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp_avast4_\unp3982337.tmp\5.sys Win32:Trojan-gen. {Other}
Trojans generally can’t be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can’t do any harm and you can investigate the infected warning.
Files that keep coming back tend to have multiple components, and Ewido should be able to find the other components. It may also indicate that your firewall doesn’t prevent unauthorised internet connections. What is your firewall?
Windows in its infinite wisdom protects files in use (even malware), so it is likely that avast! can’t delete or move files in use. So schedule a boot-time scan in avast’s menu if you have XP, win2k or NT; otherwise boot into safe mode and run an avast scan. This should ensure that the file isn’t in use and avast should be able to deal with it.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode: Ewido anti-spyware (if using winXP).
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
Thanks for the advice… I downloaded Ewido and scanned… It found many high and medium-risk threats, which it got rid of… I also did the boot-time scan with Avast, but afterwards, vook.sys still set off Avast. Is there anything else I should do? If I allow this trojan to remain in my computer, what might eventually happen??
Also, I am not using any special programs for a firewall, just the firewall that comes in Windows XP… I suppose using a firewall program would be a good idea?
edit: is it possible that all components of vook.sys are secure in the virus chest, but Avast is still going off because it is in that folder? I tried searching for it in my system folder but it returned no results… but upon searching in all folders, I could only find it in the virus chest folder… what’s up with that?
For something this serious I would ask the experienced experts on the forums of your antiSPYWARE provider; if you know of none, I recommend the Ad-Aware oriented forums at www.landzdown.com .
Get a firewall. XP’s doesn’t provide a defence against unauthorised outbound internet connections; it is better than nothing, but it provides a false sense of security, as people think it provides full firewall protection when it doesn’t.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
I followed the tutorial, I downloaded autoruns, deleted the ‘squell’ registry entry and the vook file in system32 (I said windows32 before, didn’t I… sorry about that, this whole thing is beyond me). I booted back into normal mode, and off goes Avast! I’ll try again… maybe I messed up somewhere…
Also, I got ZoneAlarm free firewall and Avast came up with a message that it has issues with it… Is it ok to run ZoneAlarm anyways?
edit: I deleted a file called ‘svch0st’ in a temp folder, and I no longer receive this virus alert… I thought I had gotten rid of it, but I rechecked and squell has reappeared… but no virus alert!?
If you are using ZoneAlarm Free you should click NO; because the privacy features are not present in ZoneAlarm Free, this will not turn off the WebShield transparent mode proxy.
Use a text editor and edit the avast4.ini file, the default installation location is C:\Program Files\Alwil Software\Avast4\DATA\avast4.ini (I would advise you copy avast4.ini before editing it, just in case). Locate the line containing ZoneAlarmCompatibility= and delete that line. Save the edited avast4.ini file.
If you are using ZoneAlarm Pro and Privacy Control in ZoneAlarm is set to High, and you click YES in the avast compatibility dialog box, the transparent mode proxy in WebShield will be turned off and you will have to manually configure your browser to access the internet. To manually configure your browser, watch the instructional video.
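The avast4.ini edit from the post above, written out as an added example (not code from the thread or from the avast! product): it copies the file first, then drops every line whose key is ZoneAlarmCompatibility. Matching the key case-insensitively and ignoring surrounding whitespace goes slightly beyond the post's wording; the path is the default location the post quotes, the ANSI encoding is an assumption, and the sample INI content is constructed.

```python
# Added example: remove the ZoneAlarmCompatibility= line from avast4.ini, with a backup.
import shutil
from datetime import datetime
from pathlib import Path

# Default install location quoted in the post; adjust if avast! lives elsewhere.
AVAST_INI = Path(r"C:\Program Files\Alwil Software\Avast4\DATA\avast4.ini")
KEY = "ZoneAlarmCompatibility"


def strip_ini_key(text, key=KEY):
    """Return (new_text, removed_count) with every '<key>=' setting line removed.

    The key name is compared case-insensitively with surrounding whitespace
    ignored, so 'zonealarmcompatibility = 1' is also caught. Comment lines and
    every other key pass through unchanged, so the file layout is preserved.
    """
    kept, removed = [], 0
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith((";", "#")):       # INI comment, never a live setting
            kept.append(line)
            continue
        name, sep, _value = stripped.partition("=")
        if sep and name.strip().lower() == key.lower():
            removed += 1                          # drop this line
            continue
        kept.append(line)
    return "".join(kept), removed


def patch_ini(path=AVAST_INI, key=KEY):
    """Back up the file, then rewrite it without the key. Returns lines removed."""
    original = path.read_text(encoding="latin-1")          # assumed plain ANSI text
    stamp = f"{datetime.now():%Y%m%d%H%M%S}"
    shutil.copy2(path, path.with_name(f"{path.name}.bak-{stamp}"))  # keep a copy first
    new_text, removed = strip_ini_key(original, key)
    if removed:
        path.write_text(new_text, encoding="latin-1")
    return removed


# Constructed sample of the relevant part of an avast4.ini; not a real file.
SAMPLE_INI = (
    "[Common]\n"
    "; avast! 4 settings (constructed sample)\n"
    "ZoneAlarmCompatibility=1\n"
    "SomeOtherSetting=0\n"
)
```

Run `patch_ini()` on the real path only after closing avast!, so the rewritten file is not overwritten by the running program.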
As Tech said there is no issue with the free version of ZA as it doesn’t have the Privacy function (Pro version only) that causes the problem.
Now that you are possibly in the clear, it is time to take preventative measures to stop files being dumped into the system folders, etc.