Avast WEBforum

Topic started by: john36 on April 16, 2005, 07:06:24 PM

Title: Win32: Mugly-C Worm
Post by: john36 on April 16, 2005, 07:06:24 PM
Hey Guys,

While doing a scan today I was notified that a virus was detected.

It was the "Win32: Mugly-C" worm.  It was recommended that I move the virus to the Chest.

I have moved the virus to the Chest and I'm not sure what I should do now.  Do I just leave it in the Chest or delete or remove it from the Chest?

Also, I did a search on this worm and supposedly it comes via an e-mail attachment and the download is an old man with a scrunched up face.

Is that correct?  I know I did not download anything like that but other people use the PC so I don't know if they downloaded this or not.

The PC is a Dell 8400 desktop running Win XP MCE 05.

I'm on a home network of 4 PCs and so far just the one PC seems affected.

Thanks for any feedback,
John
Title: Re: Win32: Mugly-C Worm
Post by: Vlk on April 16, 2005, 07:30:47 PM
In which file was it detected, exactly?
Was it picked by the on-access scanner, or during a manual scan?
Title: Re: Win32: Mugly-C Worm
Post by: DavidR on April 16, 2005, 07:41:43 PM
What was the filename, where was it found
  (example: C:\windows\system32\infected-filename.xxx)?

Leave it in the chest, for there it can do no harm; here you can investigate as you have (if you want to find out more about what it does, etc.); a Google search is usually best. It is possible there may be other means of infection, or this was found in your old email folders?

After a period of a week or so, if there is no adverse effect of having moved the virus to the chest, you can delete it from there.
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 16, 2005, 09:02:07 PM
Quote
In which file was it detected, exactly?
Was it picked by the on-access scanner, or during a manual scan?

I was actually running a scan with Microsoft Antispyware and Avast came on during this scan and said this virus had been detected.

It listed the file as:  C:\i386\bszip.dll  and also listed Win32: Mugly-C  and also, C:\windows\system32

I assume this is only one infection.

I then did a manual scan with Avast and it also noted the virus detection.

Besides leaving it in the Chest for a week or so and then deleting, should I be doing anything like changing passwords or deleting personal info?

I spoke with everyone who had access to the PC and nobody remembers downloading an e-mail attachment like this.  Is that possible, considering the graphics of this file?

Thanks again for everyone's help,
John
Title: Re: Win32: Mugly-C Worm
Post by: whocares on April 16, 2005, 09:25:35 PM
Quote
In which file was it detected, exactly?
Was it picked by the on-access scanner, or during a manual scan?

It listed the file as:  C:\i386\bszip.dll


In this folder? This sounds like a false positive -> please submit the file from the chest to ALWIL

What was the FILENAME of the file detected in
C:\windows\system32
? ;)
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 16, 2005, 10:02:42 PM
Quote
In which file was it detected, exactly?
Was it picked by the on-access scanner, or during a manual scan?

It listed the file as:  C:\i386\bszip.dll


In this folder? This sounds like a false positive -> please submit the file from the chest to ALWIL

What was the FILENAME of the file detected in
C:\windows\system32
? ;)

Right now in my Virus Chest there are 2 entries because I moved one there during the Microsoft Antispyware scan and another one during the Avast manual scan.

I believe they are the same infection.

First entry is "bszip.dll" original location is "C:\windows\system32"  virus is "Win 32: Mugly-C"

Second entry is "BSZIP.DLL"  original location is "C:\I386"  virus is "Win 32: Mugly-C"

Maybe you could help me as far as sending the file to ALWIL.

During the e-mail wizard it wants to know whether the incoming mail server is pop3 - IMAP - HTTP and then there are two boxes for incoming and outgoing mail.

I know I should know how to fill these boxes out but I'm not sure.  I mainly use a Yahoo account for e-mail.

Thanks again for helping,
John
Title: Re: Win32: Mugly-C Worm
Post by: DavidR on April 17, 2005, 12:16:33 AM
1. You will need to move them out of the virus chest to a temporary folder.
2. You can then check the offending/suspect file (you can't check them whilst they are in the chest) at: Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/); if any other scanners here detect them, it is less likely to be a false positive.

3. If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

You will probably find it easier to do this outside of the avast chest, from the moved/temporary location or if you believe them to be a false positive from the original folder (having moved them back).
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 17, 2005, 01:35:20 AM
DavidR,

Thanks for the info.  I have no idea whether it's a false positive or not.

I just want to be rid of it, whatever it is.

Can someone list a step by step procedure for removal of this virus?

Other antivirus manufacturers list step by step removal instructions for this virus, involving editing the registry and other files.  Will I need to do this to get rid of this virus?

You'll have to forgive me but I'm a little challenged when it comes to trying to understand some of this virus stuff.

Please keep it simple and thanks for hanging with me,
John
Title: Re: Win32: Mugly-C Worm
Post by: DavidR on April 17, 2005, 01:53:02 PM
Quote
I just want to be rid of it, whatever it is.

If it is a false positive you DON'T WANT to get rid of it, until you are sure it is not, or you could be disabling a program or your system in the worst case.

The blue text in my post is a link to the Jotti site where you can submit the file for checking.
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 17, 2005, 04:52:26 PM
Quote
I just want to be rid of it, whatever it is.

If it is a false positive you DON'T WANT to get rid of it, until you are sure it is not, or you could be disabling a program or your system in the worst case.

The blue text in my post is a link to the Jotti site where you can submit the file for checking.

That statement I made about wanting to get rid of it whatever it was,  was very stupid and thanks for straightening me out.  I'm a little frazzled.

One last thing before I try the jotti website.

The main problem seems to be the Mugly-C virus and it is mainly located in the "C:\Windows\system32\bszip.dll" file.

When Avast detects the file and recommends moving to the Chest, it moves the file to the Chest but somehow the file keeps coming back to the same location.  If the file is in the Chest how can it return to the C:\windows\system32\bszip.dll file?

Also, I tried to run another MSAS scan after moving that file to the Chest and I got a pop up  box from Quick Books with an error message saying " error 1304.  Error writing to file "C:\Windows\system32\bszip.dll.  Verify that you have access to that directory."

One last thing,  Avast also detected another infected file with the Mugly-C virus and it was "A0007078.DLL" with a location of C:\system volume information\_restore.

I'm really confused now.  As far as checking these files at the jotti site, can I just create a new file on the desktop and name it virus and move the infected files from the Chest to this new file and check them from there at jotti's site?

I really appreciate all the help and I'm sorry for all the long posts.  Hopefully, we will figure out what's going on.

John
Title: Re: Win32: Mugly-C Worm
Post by: DavidR on April 17, 2005, 05:34:02 PM
Windows XP is clever but also dumb: when you remove/delete something from one of the system folders, Windows XP in its infinite wisdom saves a copy of it using System Restore. These are saved in the protected storage area System Volume Information, in restore points like the instance you gave (in case you deleted it by mistake; this makes life difficult when it comes to getting rid of a virus infection).

Disable System Restore; this removes all restore points, and after you reboot they are gone. When you are in the clear you can enable System Restore again.
Win XP-ME - How to disable System Restore (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)

You can create a new temporary folder on your C: drive (in explorer), the name is unimportant 'VirusCheck', etc. move the file you want to check there (if it is in the avast chest), if it is still in the same place it was found, C:\Windows\system32\bszip.dll file, then there is no need to move it. The only reason for moving it was if it is in the avast chest, Jotti can't scan it there (avast protects that area).

Once a file is outside avast's chest it can be scanned by Jotti, click on the Browse button on the page and navigate (a little like explorer's tree structure) to where the suspect file is and then you can submit it.
Title: Re: Win32: Mugly-C Worm
Post by: atmlt on April 17, 2005, 06:29:46 PM
Quote
"Win32: Mugly-C" worm.  It was recommended that I move the virus to the Chest.

The PC is a Dell 8400 desktop running Win XP MCE 05.

John

I have an almost identical problem to John's with the Mugly worm.
It arrived yesterday and was in same files also quickbooks, which I opened briefly 1st time with this new computer. (same as above)
I was surprised when worm was again detected upon booting up this morn, since I thought it contained in Chest.
John, please let me know if suggestions worked for you, since I'll have to do same with mine, being so identical.
thanks
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 17, 2005, 07:29:17 PM
Quote
Windows XP is clever but also dumb: when you remove/delete something from one of the system folders, Windows XP in its infinite wisdom saves a copy of it using System Restore. These are saved in the protected storage area System Volume Information, in restore points like the instance you gave (in case you deleted it by mistake; this makes life difficult when it comes to getting rid of a virus infection).

Disable System Restore; this removes all restore points, and after you reboot they are gone. When you are in the clear you can enable System Restore again.
Win XP-ME - How to disable System Restore (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)

You can create a new temporary folder on your C: drive (in explorer), the name is unimportant 'VirusCheck', etc. move the file you want to check there (if it is in the avast chest), if it is still in the same place it was found, C:\Windows\system32\bszip.dll file, then there is no need to move it. The only reason for moving it was if it is in the avast chest, Jotti can't scan it there (avast protects that area).

Once a file is outside avast's chest it can be scanned by Jotti, click on the Browse button on the page and navigate (a little like explorer's tree structure) to where the suspect file is and then you can submit it.

DavidR.

I did as you suggested and moved the files to a new folder in C:\virus check.

I then tried to upload them to the jotti web site and got this message "The file you uploaded is 0 bytes.  It is very likely a firewall or a piece of malware is prohibiting you from uploading the file."

I then shut down Zone Alarm and tried again to upload the files but I still get the same error message from jotti's.

Any other suggestions?  I'm lost here.

atmlt,  If I ever figure out this problem I will surely let you know.

John
Title: Re: Win32: Mugly-C Worm
Post by: DavidR on April 17, 2005, 08:04:14 PM
Quote
Any other suggestions?  I'm lost here.

What is the file size on your HDD? Check with Explorer (you may well get an avast alarm when you check the folder).

I doubt it is zero bytes, you may have pointed Jotti at the 'c:\virus check' folder and not at the file you put into the folder 'c:\virus check\suspectfile.x??'.
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 17, 2005, 08:22:18 PM
DavidR,

The Avast alarm does go off when I check these files.

I put 3 different files into this folder and each file has a size of 52kb.

When trying to upload to Jotti's I made sure the path was correct.  IE:  C:\virus check\bszip.dll and I continue to get the same error message.

The folder that these 3 files are in is 156kb.

John
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 17, 2005, 08:39:37 PM
DavidR,

I also used notepad to create a .txt file and then moved this .txt file to a new folder located in C:\testing\jotti.

I then went to Jotti's site and uploaded this file with no problems.  Of course no infections were found with any of the scanners.

So, I know that Zone Alarm is not the problem.

John
Title: Re: Win32: Mugly-C Worm
Post by: DavidR on April 17, 2005, 10:34:00 PM
Are the files still in the avast chest?
How did you get them out of the chest into c:\virus check\?

Files in the chest are I think encrypted so if you copied them to c:\virus chest\ using explorer they could be encrypted and Jotti won't scan them, perhaps this is why they are reported as 0 bytes, I don't know, I have never heard of this before.

If you have the files in the chest you can restore them using the Chest, Menu, File, Restore, that should put them back where they were originally. Then you could try Jotti again using the original location. Sorry I'm running out of ideas too.
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 17, 2005, 10:55:51 PM
Quote
Are the files still in the avast chest?
How did you get them out of the chest into c:\virus check\?

Files in the chest are I think encrypted so if you copied them to c:\virus chest\ using explorer they could be encrypted and Jotti won't scan them, perhaps this is why they are reported as 0 bytes, I don't know, I have never heard of this before.

If you have the files in the chest you can restore them using the Chest, Menu, File, Restore, that should put them back where they were originally. Then you could try Jotti again using the original location. Sorry I'm running out of ideas too.
DavidR,

I got them out of the Chest by extracting them to the "virus check" folder.

I did as you suggested and went back to the Chest and picked one of the files and restored it to its original location, "C:\Windows\system32\BSZIP.DLL", and then went back to Jotti's site and tried to upload the file from this original location and still got the same error message.

I appreciate all your help.

So, now I have these virus files in 3 places that I know of.

1.  The Chest   2.  C:\virus check  3.  C:\Windows\system32\BSZIP.DLL.

I also have system restore turned off as well as Zone Alarm.

I know you're running out of ideas as well, so do you know of anywhere else I could get some answers?
Title: Re: Win32: Mugly-C Worm
Post by: whocares on April 17, 2005, 11:57:27 PM
Hi John,
of course you need to PAUSE avast Shield(s) when you try to upload this stuff;
otherwise avast will BLOCK access to the file (as is his job)

 ;)
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 18, 2005, 02:51:36 PM
Quote
Hi John,
of course you need to PAUSE avast Shield(s) when you try to upload this stuff;
otherwise avast will BLOCK access to the file (as is his job)

 ;)

Hi whocares,

Do I pause all providers or just certain ones?

Why would I be able to upload the .txt file I created and not have to pause Avast's shields, but you're saying to upload the suspected infected files I need to pause Avast's shields?

Thanks for helping,
John
Title: Re: Win32: Mugly-C Worm
Post by: DavidR on April 18, 2005, 03:01:02 PM
Pause Web Shield and see if that is sufficient, if not you may need to pause the Standard Shield.

Because Web Shield/Standard Shield scans your .txt file and finds no infection, so it would pass through with no problem.
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 18, 2005, 03:37:26 PM
Quote
Pause Web Shield and see if that is sufficient, if not you may need to pause the Standard Shield.

Because Web Shield/Standard Shield scans your .txt file and finds no infection, so it would pass through with no problem.

DavidR,

Good Morning. 

I think we're finally getting somewhere.

I had to pause Avast's Standard shield as you suggested, tried the web shield first but still couldn't upload.

I uploaded 3 different infected files and each time they were scanned at Jotti's only Avast recognized them as infected.  All other scanners came back as "nothing found".

So I'm assuming that these are false positives?

If they are,  what do I do to stop Avast from alerting me with the alarm boxes and do I just "restore" all these files to their original location from the Chest?

Also, if I need to send these files to Avast could you please tell me how to do this in real simple terms?

Thanks a ton,
John
 
Title: Re: Win32: Mugly-C Worm
Post by: DavidR on April 18, 2005, 06:23:58 PM
Do you have a zip program such as WinZip?

If so, you can zip and password protect ('virus', will do for the password) the suspect file/s and send it to virus @ avast.com (no spaces).

Right click on the file (from the original location, not chest) and select WinZip from the context menu, then 'Zip and email Plus'. In the pop-up tick the password box (see image) and click OK, enter the password (and confirm password) and click OK; this will create the password protected file (so avast can't scan it). Open your email program and attach the zip file, then enter the To address: virus @ avast.com (no spaces).

Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 19, 2005, 08:41:26 PM
Quote
Do you have a zip program such as WinZip?

If so, you can zip and password protect ('virus', will do for the password) the suspect file/s and send it to virus @ avast.com (no spaces).

Right click on the file (from the original location, not chest) and select WinZip from the context menu, then 'Zip and email Plus'. In the pop-up tick the password box (see image) and click OK, enter the password (and confirm password) and click OK; this will create the password protected file (so avast can't scan it). Open your email program and attach the zip file, then enter the To address: virus @ avast.com (no spaces).

Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
DavidR,
I downloaded the WinZip program and when I bring up the Zip and e-mail plus box there is only a box there to tick to encrypt the file.

I checked it and was given a new box to create a password which I did (virus).

I then went to hotmail to send the e-mail and attachment but after clicking send I get an error message saying a virus was detected in this e-mail and that it could not be sent.

Any ideas on how I can send this to Avast?  I also tried using Outlook Express but apparently it's not configured correctly because I get error messages after clicking on send and no messages are sent. 

My Win 98 machine can send and receive messages fine with Outlook Express and I'm not going to try to copy this file to my Win 98 machine.

I have Outlook Express configured on the XP PC the same as the 98 PC so why can't I send this file?

This is getting ridiculous,
John
Title: Re: Win32: Mugly-C Worm
Post by: DavidR on April 19, 2005, 10:26:25 PM
What said there was a virus, avast or hotmail?
Do you not have a regular pop3 email account you can send it with rather than hotmail?

The attachment can't have been encrypted and password protected; it couldn't possibly be scanned without a password or the encryption. When you think you created the zip file, what was the extension: .exe (self-extracting encrypted zip file) or .zip (regular zip file)?

If it was an .exe file as in above it could be unencrypted automatically and possibly be detected, though not certain.

I have an earlier version of WinZip (8.1) so that may be the reason for the slight difference. You will need to check the WinZip help file about creating a password protected zip file.

You could try 7zip as another option (freeware), but first check out the WinZip help file to see if you can create a password protected zip file (not self-extracting), even if you have to create it saved on your HDD and attach it to an email that you initiated.
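
Added example, not part of the original thread or any poster's words: a Python check of the question raised in the reply above, whether an archive really is a plain .zip whose entries are flagged as encrypted before it is mailed as a suspected false positive. The sample archives are constructed in memory, and `build_sample_zip`, `mark_encrypted` and `audit_archive` are names made up for this illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry data is encrypted
EOCD_LEN = 22        # end-of-central-directory record with no archive comment


def build_sample_zip(name="bszip.dll", payload=b"constructed sample, not a real DLL"):
    """Constructed fixture: a small, unencrypted in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Fixture helper: set flag bit 0 in each central-directory header, as an
    archiver does for a password-protected entry. The data itself is NOT
    encrypted; this only imitates the header so the audit can be exercised."""
    data = bytearray(zip_bytes)
    eocd = len(data) - EOCD_LEN
    total, = struct.unpack_from("<H", data, eocd + 10)   # number of entries
    pos, = struct.unpack_from("<I", data, eocd + 16)     # central dir offset
    for _ in range(total):
        flags, = struct.unpack_from("<H", data, pos + 8)
        struct.pack_into("<H", data, pos + 8, flags | ENCRYPTED)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(data)


def audit_archive(blob):
    """Report whether an archive matches the advice in the thread:
    a regular .zip (not a self-extracting .exe) with every entry encrypted."""
    report = {
        "self_extracting": blob[:2] == b"MZ",   # Windows executable stub in front
        "unencrypted": [],
        "visible_names": [],
    }
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Entry names are stored in the clear even when the data is
            # encrypted, so they can always be listed without the password.
            report["visible_names"].append(info.filename)
            if not info.flag_bits & ENCRYPTED:
                report["unencrypted"].append(info.filename)
    report["ready_to_send"] = (
        not report["self_extracting"]
        and not report["unencrypted"]
        and bool(report["visible_names"])
    )
    return report


if __name__ == "__main__":
    plain = build_sample_zip()
    flagged = mark_encrypted(plain)
    stub = b"MZ" + b"\x00" * 62          # constructed stand-in for an SFX stub
    for label, blob in (("plain zip", plain),
                        ("password flagged zip", flagged),
                        ("self-extracting", stub + flagged)):
        print(label, audit_archive(blob))
```

Run against the file saved on disk, before attaching it, by passing its bytes to `audit_archive`; an entry listed under `unencrypted` means the password option did not take effect for that file.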
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 20, 2005, 07:26:33 PM
DavidR,

You've been a great help through all these problems and thanks for sticking with me.

Apparently Avast doesn't need this file now anyways.

Last time I scanned with Avast there was nothing detected.

Also, I went to Jotti's site and uploaded the same files as before and none of the scanners were detecting this virus.

So apparently it was a false positive and the good people at Avast have fixed this problem.

I'll be signing off now, so again DavidR and whocares and all others, thank you very much for your help,
John

Title: Re: Win32: Mugly-C Worm
Post by: DavidR on April 20, 2005, 08:29:51 PM
You too persevered and didn't give up, especially when what we were trying to do (report a false positive, once identified) would help avast and indirectly other avast users and not yourself directly.

But it has been a learning experience for you so it wasn't time wasted.
Title: Re: Win32: Mugly-C Worm
Post by: atmlt on April 21, 2005, 04:23:09 AM
Hi
Some days past, Avast! notified me of the mugly-c worm.
It seemed to have contained it, as I've since run many thorough scans with not only Avast!, but Windows anti-virus, and AVG also.  Everything seemed fine.
Until scanning tonight. (Wed. 20th)
A message came on during the scan from Windows which said:
"Files that are required to run properly have been replaced by unrecognized versions.   To maintain system stability, windows must restore the original version of these files."
Something to do with a wrong CD, and wanting an original.
Does this have anything to do with the Mugly worm? 
The message was not telling what CD I should use. And if I need to do anything else before using it.
Any ideas about this?  It is very vague.
thanks
Title: Re: Win32: Mugly-C Worm
Post by: john36 on April 22, 2005, 03:34:00 PM
Quote
Hi
Some days past, Avast! notified me of the mugly-c worm.
It seemed to have contained it, as I've since run many thorough scans with not only Avast!, but Windows anti-virus, and AVG also.  Everything seemed fine.
Until scanning tonight. (Wed. 20th)
A message came on during the scan from Windows which said:
"Files that are required to run properly have been replaced by unrecognized versions.   To maintain system stability, windows must restore the original version of these files."
Something to do with a wrong CD, and wanting an original.
Does this have anything to do with the Mugly worm? 
The message was not telling what CD I should use. And if I need to do anything else before using it.
Any ideas about this?  It is very vague.
thanks

atmlt,

As you probably know by now,  the Mugly-C worm warning on my pc was a false positive.   Apparently Avast has fixed that problem.

Not sure what type of "Windows antivirus scan" you did but I never got any of those types of messages with my problems.

You didn't delete any files while you were getting the Mugly-C warnings did you?

Hopefully one of the experts here will jump in and try to help.

Good luck,
John