Avast WEBforum

Other => Viruses and worms => Topic started by: flclempire on July 05, 2008, 02:24:26 AM

Title: Can't take actions when Avast! finds this virus.
Post by: flclempire on July 05, 2008, 02:24:26 AM
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1169006133jtun_symlceng1080.x00.full.zip\SymKBFix.msi\Binary.SymLCSVC.9E3C0E2F_0873_4AD9_995B_D9DAAF9B9E76\[Embedded#XINSTALLDLL]\[Embedded#DODGY]

  That's the "file name" listed when the infected file is scanned, and when the move/rename, delete, and move to chest options appear they all give an error saying something along the lines of "action is not available for this archive type", or something.  I've been trying to get rid of this for 2 days now and Avast! 4.8 is the only program that has been able to find it so far. Ad Aware and SUPERantispyware both don't recognize it.

  I've tried the popular multistep directions that involve turning off restore, doing an Avast boot scan, then scanning with SUPERantispyware, but the boot scan can't perform actions on the found viruses either.  There seem to be multiple instances of the listed virus, usually about 3-5, and sometimes 1 or 2 of them are able to be deleted.  I'm pretty sure it's replacing the ones that I manage to delete though.

  Oh yes, I've also tried doing an Avast scan in safe mode, but it seems to freeze up at around the same place every time so I just stopped trying that.  I'd really rather not do a reformat so please give any tips :P  I've tried to get to the "infected" file specifically in the zip, but when I try to open the zip it gives a corrupted file error.  This isn't a false report, is it? :(
Thanks.

 
Title: Re: Can't take actions when Avast! finds this virus.
Post by: DavidR on July 05, 2008, 02:55:37 AM
The [Embedded#DODGY] suffix to the path makes me think this isn't a cast iron detection.

Basically I believe it can't extract the suspect/detected file inside the SymKBFix.msi file from within the zip file. That may be what is also triggering the corrupt file message, as it can't fully extract it. Was this corrupt file message an avast one?

I wouldn't even consider a format, this is a pain in the rear rather than a really serious issue.

What Symantec applications do you have? This Symantec LiveUpdate could be removed if you don't have any. Beware, there are some sneaky ones: I have WinFax Pro, which was bought out by Symantec, so I have LiveUpdate although I don't let it do anything.

Have you (or did you have) another AV installed on this system? If so, what was it and how did you get rid of it?
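
The point made in this reply, as an added example that is not part of the original posts: the reported "file name" is one file on disk followed by layers the scanner unpacked from inside it, so move/delete can only apply to the outer file. The extension list and the optional `is_file` callback are assumptions made for this sketch.

```python
# Container types assumed for this example; extend as needed.
CONTAINER_EXTS = (".zip", ".msi", ".cab", ".rar", ".7z")

# The path reported in the first post of this thread.
REPORTED = (
    r"C:\Documents and Settings\All Users\Application Data\Symantec"
    r"\LiveUpdate\Downloads\1169006133jtun_symlceng1080.x00.full.zip"
    r"\SymKBFix.msi\Binary.SymLCSVC.9E3C0E2F_0873_4AD9_995B_D9DAAF9B9E76"
    r"\[Embedded#XINSTALLDLL]\[Embedded#DODGY]"
)


def split_scan_path(reported, is_file=None):
    """Split a scanner-reported path into (file on disk, [nested layers]).

    The first component with a container extension that still has
    components after it is taken as the real file; everything after it
    exists only inside that file. Pass is_file=os.path.isfile on a live
    system so a directory that merely ends in ".zip" is skipped.
    """
    parts = reported.split("\\")
    for i, part in enumerate(parts[:-1]):
        if not part.lower().endswith(CONTAINER_EXTS):
            continue
        candidate = "\\".join(parts[: i + 1])
        if is_file is None or is_file(candidate):
            return candidate, parts[i + 1:]
    # No container found: the whole path is an ordinary file.
    return reported, []


if __name__ == "__main__":
    on_disk, layers = split_scan_path(REPORTED)
    print("File to act on:", on_disk)
    for depth, layer in enumerate(layers, 1):
        print("  " * depth + "inside -> " + layer)
```
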
Title: Re: Can't take actions when Avast! finds this virus.
Post by: flclempire on July 05, 2008, 03:22:46 AM
I get the corruption error when I try to open the zip directly. 
As far as I know I don't have any Symantec apps, my rig is mainly for gaming.

Um, I believe Avast and Ad Aware have been the only programs on this pc, although there is a sliiiim possibility that AVG was installed like 2 years ago.  My memory is pretty hazy o.0  Oh, and SUPERantispyware was just installed today upon common recommendations.
I have moved the zip into my recycle bin for the moment but haven't perma-deleted it yet.

Thanks for responding so quickly :)  I'm quite afraid of this being a keylogger or something and I am needing to purchase something I want online for 30+ dollars less than usual and I have no idea how long the sale will last, so your help means a lot to me :)

I just finished another scan as I was typing this msg.  It found 4 instances of it (supposedly) and 2 of them were moved to the chest and the other 2 received errors when I try to perform an action.  The other embedded dodgy was in my C:\windows\install (or installer) folder, but I can't find that folder even after revealing all folder types in the folder options.

EDIT:  This is the specific error it gives- "Error occurred during *ACTION*:This operation is not supported for this type of archive."
I've uninstalled Symantec stuff and the instance in the c:\WINDOWS\Installer folder is the last one, but I can't find the folder.
Title: Re: Can't take actions when Avast! finds this virus.
Post by: DavidR on July 05, 2008, 03:44:14 PM
1. It is possible then that the file is actually corrupt; nothing you can do about that.

2. There is a folder called liveupdate, C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate. Check it for a file called Product.Catalog.LiveUpdate and open it with notepad (it is just a text file); it should say what programs are monitored by live update.

Quote from: Example contents of mine
[Product0]
DESCRIPTIVENAME=LiveReg
LANGUAGE=English
MONIKER={3FB88041-151C-11d3-ACF4-00104B1F44B6}
PRODUCT=LiveReg
PRODUCTNAME=LiveReg
VERSION=2.2.0
[Product1]
DESCRIPTIVENAME=LiveReg
LANGUAGE=English
MONIKER={EB590EBD-7D5B-47bd-9714-406908E8FB79}
PRODUCT=LRConsumer
PRODUCTNAME=LRConsumer
VERSION=1.0
[Product2]
DESCRIPTIVENAME=WinFax PRO
LANGUAGE=English
MONIKER={4E4CAD9D-50C7-4C63-B927-664171E9AD8D}
PRODUCT=WinFax
PRODUCTNAME=WinFax
VERSION=10.03

The final product name is the one that it is concerned with. So see if that folder and file exist and report any products named.

Some new systems come with all sorts of c**p installed.

3. It isn't a keylogger. An msi file is an installation file, and it is something deeply embedded within that installation file that the alert is on. So it effectively isn't a running file.

If it were a keylogger then the avast malware name would most likely have said that, but you haven't said what the malware name was for any of the detections. File names and full locations are important information (even repeat ones), otherwise I'm groping around in the dark.

4. Folders can be hidden, so you need to ensure hidden files and folders are not hidden. From Windows Explorer, Tools, Folder Options; see image of the relevant settings marked with the red line.
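
Step 2 above as a script, added here as an example and not part of the original post: it lists every product registered in a Product.Catalog.LiveUpdate file. It assumes the file follows the INI-style layout quoted in the post; the function names are made up for this sketch.

```python
import configparser

# Constructed sample, copied from the catalog contents quoted in the post.
SAMPLE = """\
[Product0]
DESCRIPTIVENAME=LiveReg
LANGUAGE=English
MONIKER={3FB88041-151C-11d3-ACF4-00104B1F44B6}
PRODUCT=LiveReg
PRODUCTNAME=LiveReg
VERSION=2.2.0
[Product1]
DESCRIPTIVENAME=LiveReg
LANGUAGE=English
MONIKER={EB590EBD-7D5B-47bd-9714-406908E8FB79}
PRODUCT=LRConsumer
PRODUCTNAME=LRConsumer
VERSION=1.0
[Product2]
DESCRIPTIVENAME=WinFax PRO
LANGUAGE=English
MONIKER={4E4CAD9D-50C7-4C63-B927-664171E9AD8D}
PRODUCT=WinFax
PRODUCTNAME=WinFax
VERSION=10.03
"""


def registered_products(catalog_text):
    """Return (section, descriptive name, product name, version) per entry."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keys in the file are upper-case; keep them as-is
    cp.read_string(catalog_text)
    rows = []
    for name in cp.sections():
        if name.lower().startswith("product"):
            s = cp[name]
            rows.append((name, s.get("DESCRIPTIVENAME", "?"),
                         s.get("PRODUCTNAME", "?"), s.get("VERSION", "?")))
    return rows


def load_catalog(path):
    # errors="replace" so a stray byte in an old file does not abort the listing
    with open(path, encoding="utf-8", errors="replace") as fh:
        return registered_products(fh.read())


if __name__ == "__main__":
    for row in registered_products(SAMPLE):
        print("%-10s %-12s %-12s %s" % row)
```
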

Title: Re: Can't take actions when Avast! finds this virus.
Post by: flclempire on July 06, 2008, 02:56:23 AM
Heh, I actually uninstalled Symantec stuff and live update yesterday as I couldn't find any programs that used it.  I built my pc so it doesn't have any preloaded stuff.  And you're right, it was labeled as a trojanGen, not a keylogger so that's a relief.

I have my folders set to show hidden and system files and such but I still can't find the c:\windows\installer folder, and neither can my friend.  It seems to be the only instance of the "trojan" left after I killed all of the Symantec stuff.
Thanks again for the replies :)

EDIT:  Just ran 2 thorough scans.  Both didn't detect it anymore o.0  So strange...what do you make of this?  It removed itself upon reboot after I uninstalled all the Symantec stuff?
Title: Re: Can't take actions when Avast! finds this virus.
Post by: DavidR on July 06, 2008, 02:54:53 PM
It certainly is strange that since you didn't install any Symantec stuff (that you are aware of) that those folders would be there.

However, having got rid of them it looks like you got rid of the contents and the detected file/s. So it looks like you are in the clear.

A belated welcome to the forums.
Title: Re: Can't take actions when Avast! finds this virus.
Post by: Lisandro on July 06, 2008, 03:27:51 PM
Quote from: flclempire
I built my pc so it doesn't have any preloaded stuff.

And even doing so you don't know what is Symantec stuff doing there? ???
Strange...
Title: Re: Can't take actions when Avast! finds this virus.
Post by: flclempire on July 07, 2008, 01:03:34 AM
That is strange now that I think about it o.0  Maybe I used a product of theirs in the past.  I have a pretty horrible memory and this pc is over 3 years old.
Title: Re: Can't take actions when Avast! finds this virus.
Post by: Lisandro on July 07, 2008, 09:10:04 PM
1) Remove NAV through Add/Remove programs from Control Panel. Boot.
2) Use Norton Removal Tool for Windows 2000/XP/Vista (http://fileforum.betanews.com/detail/Norton_Removal_Tool_for_Windows_2000XPVista/1169144666/1). Boot.
3) Install avast! (or repair the installation) and boot.
Title: Re: Can't take actions when Avast! finds this virus.
Post by: wcg1729 on July 10, 2008, 01:31:49 AM
I also cannot take action against a virus found by Avast!. I have identified the file, but I cannot gain access to the infected file. It is in my Documents and Settings file folder, but when I attempt to remove, delete or scan these files I am denied access. Any suggestions?
Title: Re: Can't take actions when Avast! finds this virus.
Post by: jonzku777 on July 10, 2008, 07:47:10 PM
I have had lots of those kinds of situations too.
Have you tried deleting those in safe mode?
You might also find some disinfectors, but be careful when searching for them.

Is it possible to move files to the avast chest manually? If it is, try that.
Title: Re: Can't take actions when Avast! finds this virus.
Post by: Lisandro on July 11, 2008, 12:54:29 AM
Try to do it in Safe Mode.
If it fails, try using Unlocker (http://ccollomb.free.fr/unlocker/) or KillBox (http://killbox.net/) or MoveOnBoot (http://www.snapfiles.com/get/moveonboot.html) or Delete FXP (http://www.jrtwine.com/) to see if you can delete that file.
Title: Re: Can't take actions when Avast! finds this virus.
Post by: psychochief on July 12, 2008, 10:54:23 AM



eeeeeeeeeeeeeeeeeeeeek symantec the anti christ !!!!!!!!  ;D