Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: patsz2 on July 22, 2008, 01:02:09 AM

Title: Viruses in chest...
Post by: patsz2 on July 22, 2008, 01:02:09 AM
Today I got a message that malware was on my computer so I ran a scan.  It said it found several Win32:trojan-gen, and several Win 32:RootKil gen.  Are these real viruses?  I never go to a site that does not get the green light from my McAfee SiteAdvisor.  Can't imagine how I would get a virus!  What do I do with them?  I have a screen shot but can't see how to post it. There are other files in there but they say there is no virus.  Do I delete them? Thanks.
Title: Re: Viruses in chest...
Post by: DavidR on July 22, 2008, 02:57:09 AM
Quote from: patsz2
Today I got a message that malware was on my computer so I ran a scan.

What notified you that you had malware on your system ?
That sounds like some scamware or rogue program.

Don't look at all the chest files; your only concern is the Infected Files, as that is a collation of all the chest sections. The files in the System Files section are back-up copies of important system files, so leave them alone; they aren't infected.

As for the files in the Infected Files section - There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

The scui.cpl is most certainly the Fake alert that you got, see http://www.google.co.uk/search?q=scui.cpl.
Title: Re: Viruses in chest...
Post by: patsz2 on July 22, 2008, 03:23:00 AM
Hello!

Thank you for your reply.  I am almost sure that it was Avast that told me that there was malware on my system.  It said not to be upset, or something like that, so I just ran a scan immediately. 

Okay, I will just leave those files there for the two week period, scan them inside the chest.  If there is no virus at that time do I return them somehow, or just leave them????

I will check that other one (scui.cpl) on Google.  Perhaps it will tell me if I should just delete it.

I have never had a virus....the last time it was a false positive.

I will also do a Trend Micro Housecall and see if they find anything.

Thank you.... again....
Title: Re: Viruses in chest...
Post by: Tarq57 on July 22, 2008, 03:23:39 AM
Those look real to me. A "google" of some of the file names indicates the presence of a rogue program: Antivirus 2009 (or possibly 2008). A comment on one of the sites I looked at indicates that this seems to most usually be installed when the user installs a codec, that is, of course, malicious.
SiteAdvisor cannot really protect you from a non-malicious site that has been exploited, nor anything you may choose to install yourself.
Disabling cross site scripting can make a difference; getting software from reliable sources can make a difference.

As stated above, only the infected files in the chest are the ones to examine, some of those others are generated by the VRDB, and shouldn't be deleted.

If I were you, right now, I'd be inclined to run another scan (Boot time scan) with Avast, and additionally with a good antispyware like Superantispyware or MBAM. Download either (or both) from the authors' site(s).

You'd probably be well advised to turn off system restore then reboot, first. And if anything else was found, afterward, too, then re-enable it.

The malwares found can do no harm in the chest. (ie: don't be paranoid that they're there.)
Title: Re: Viruses in chest...
Post by: DavidR on July 22, 2008, 02:04:16 PM
Quote from: patsz2
Thank you for your reply.  I am almost sure that it was Avast that told me that there was malware on my system.  It said not to be upset, or something like that, so I just ran a scan immediately.

Okay, I will just leave those files there for the two week period, scan them inside the chest.  If there is no virus at that time do I return them somehow, or just leave them????
<snip>

That does sound like avast! it should have been accompanied with the usual visual alert though (depending on when it was detected and by what shield, etc.), see image.

If after a few weeks you scan within the chest and they are found not to be infected (probably FP which has been corrected) you can restore it. Remember a copy will remain in the chest, confirm the file has been restored to the original location and delete the copy in the Infected Files section of the chest.
Title: Re: Viruses in chest...
Post by: patsz2 on July 22, 2008, 05:25:33 PM
Thank you, David and Tarq,

Yes, that was the visual alert that I got.  I guess I did not quite know how to explain it.

I have not gotten any software from anywhere recently, I don't visit many sites, the only thing I do is save graphics from two forums which are very secure and free of bad stuff!

I did run another scan when I booted up this morning.  However, I am unable to read the results...Status Info., Last scan results, and view scan results are all grayed out.
I ran Spybot Search and Destroy and for the first time ever it found something...Fraud.xpAntivirus, 2 entries.  It fixed them and backup is in Recovery.
SpywareBlaster is up to date
Windows Defender says, "No unwanted or harmful software detected"
AdAware....I ran a deep scan and it found 1 MRU
TrendMicro Housecall found no threats.

So, does it appear to you all that my computer is not infected now????  I do find Avast a bit hard to figure out!  It is highly recommended so I got rid of AVG, which I could understand. (I am a 78 year old self-taught computer lady)  I NEVER open anything unless I scan it, but Avast doesn't always tell me that the scan is complete, it just flashes on and off.  Sometimes, though, it seems to take a few seconds and the numbers change and it appears to be scanning.  I always wonder about the downloads from e-mails that it just seems to instantly flash on, then off.  Are they really scanned????? I can never be sure.

Thank you so very much for your time and expertise!
Title: Re: Viruses in chest...
Post by: DavidR on July 22, 2008, 07:26:04 PM
That is fine, the alert is correct.

avast dealing with the two you mention as rootkit-gen may well have enabled S&D to find something that would otherwise be hidden. The detection is connected to what avast found as it too is a type of fraud as many of the hits in the google search link I gave attest.

The avast Last Scan Results (in the Home version) are only available during the session of an on-demand scan, they aren't retained once you have closed the Simple User Interface. The learning curve might be a little steep but worthwhile and you know where to come for help ;D

I assume that you mean the right click context menu (ashQuick.exe) scan, that is by its nature a quick (but thorough) scan and the idea is if it finds nothing it just closes. If it does find anything all hell will break loose (like the initial one you experienced) and you will know something was infected.

You can, however, have these results displayed: avast Program Settings (right click the avast icon), Common section and check the 'Show results of Explorer Extension', see image.

What was the file name and location of the file S&D detected ?

I find that adaware is now very ineffective and the MRU (Most Recently Used) really is a minor issue and not one I would even consider worth worrying about.
Title: Re: Viruses in chest...
Post by: patsz2 on July 22, 2008, 08:05:15 PM
Hello,

First I want to commend you all for your quick thorough response to my inquiry.  With this help  so readily available, I should be able to figure this Avast out.  I have not had it for very long.

I am not too enthralled with AdAware.  Is there another FREE program that you suggest that is better?  I thought I was well protected, and since I am so careful about things, I was surprised to find that I had a problem.

I followed those directions but could not get the results of the last scan to show.  I will just run another one later this afternoon and watch it.

I don't know where that file was that S&D found.  I did a search and all I could find is that there are two zipped files in  S&DRecovery.  The name is "Fraud XPAntivirus".  Seems to me I should just delete them.

Thank you so very much!!!
Title: Re: Viruses in chest...
Post by: DavidR on July 22, 2008, 09:43:51 PM
Personally I don't look at any scan results as a) if there is an infected file, the scan will be paused awaiting your input, b) if there are any files that can't be scanned (not a problem) they will be displayed. So unless you have any of those there will effectively not be anything in that Last Scan Results option, so the option will be greyed out, image 1. The information is retained in the pro version so it can be checked after a scan.

Normally after a scan there will be limited scan information displayed in the Simple User Interface, image 2.

I haven't used S&D for some time but the Recovery rings a bell see if the information is retained there (try right clicking on the entry and select properties), otherwise don't worry about it.
There is no rush to delete (leave a few weeks) it is in quarantine and should be safe.

I use SUPERantispyware (http://www.superantispyware.com) as my on-demand anti-spyware, I would use that as a replacement for ad-aware it is far superior and you can retain S&D as that is still effective to a degree.
Title: Re: Viruses in chest...
Post by: Tarq57 on July 23, 2008, 12:35:53 AM
Another well regarded replacement for AdAware is Malware Bytes Antimalware http://www.malwarebytes.org/mbam.php
Free (demand) and pay versions available.
Title: Re: Viruses in chest...
Post by: patsz2 on July 23, 2008, 12:38:38 AM
Thank you again, David!  I have uninstalled AdAware and have installed SUPERAntispyware.  I ran a scan and it found nothing.  I really do like the program and it is very easy to understand.  I also find it much faster than AdAware.

Thanks for everything.  It is good to know that you all are here, but I just hope I won't need you!!

Pat
Title: Re: Viruses in chest...
Post by: DavidR on July 23, 2008, 01:02:37 AM
You're welcome.

The only thing I would suggest is open the Preferences section, Scanning Control, disable the scan for tracking cookies (a waste of processing effort IMHO), they are not a security risk but a very minor privacy issue.
Title: Re: Viruses in chest...
Post by: patsz2 on July 23, 2008, 01:57:19 AM
Thanks Tarq and David!  I really appreciate your prompt good advice.

Pat
Title: Re: Viruses in chest...
Post by: DavidR on July 23, 2008, 02:32:11 AM
No problem, that is me for the night, 1:31 a.m. here and my bed is calling.
Title: Re: Viruses in chest...
Post by: patsz2 on July 23, 2008, 01:53:13 PM
Good morning!

One more thing...is it necessary for Avast to be on the start-up?  I turned it off since, I try to keep those at a minimum, but then, I thought maybe it is necessary.

Thanks!!
Title: Re: Viruses in chest...
Post by: Tarq57 on July 23, 2008, 02:36:42 PM
Depends. What "start-up" do you mean?
In general terms, Avast should start with Windows, and will from the time it's installed. That's (one of) its default settings. I don't even know if it's possible to change that, nor think it's desirable to.
Title: Re: Viruses in chest...
Post by: DavidR on July 23, 2008, 03:11:05 PM
If you want to be protected yes avast is a resident on-access anti-virus and it needs to be running.

You don't say what you stopped ?
I suspect ashDisp.exe (which is a user startup item) the avast system tray icon.

There is much to be said for keeping things that start-up on boot to a minimum (I do the same myself), but the exception to this is security applications like your anti-virus (boot-time is a time where viruses load if on your system) and your firewall. So the rule is only absolutely essential applications to be allowed to start on boot after your security applications.
Title: Re: Viruses in chest...
Post by: patsz2 on July 23, 2008, 03:18:09 PM
Oh, dear, I am sorry. I had a "senior moment".  I really meant should SUPERAntispyware be running at start up? And I did not change Avast, nor did  I try.
I have a wireless network and a router, of course, so after much consideration I removed my Zone Alarm Firewall.  It made the computer so slow.  I hope the Windows Firewall is sufficient protection considering how we old folks use our computers.

Sorry to have caused you this trouble and thanks again for your wonderfully fast replies and your expertise!!
Title: Re: Viruses in chest...
Post by: Tarq57 on July 23, 2008, 03:25:24 PM
Superantispyware doesn't really need to run at startup, but the manufacturer's recommendation is that it does, if for no other reason than that it has a self protection that only works effectively if it is running.
I agree that it is best not to have too much starting with Windows, and tend to minimize this list myself.
In the end it's up to you. Personally I think you'd have to be a bit unlucky to encounter a situation where a particular malware targeted SAS, and was able to disable it just because it's not running, but I don't really know.
An advantage of having it start with Windows is that the context (right click) menu scan for a file is then always available, and I believe you can also set it to auto update. Might increase the start up time slightly, but probably not by much.

Senior moment? I used to dreeem of senior moments!
Title: Re: Viruses in chest...
Post by: DavidR on July 23, 2008, 03:32:47 PM
SAS is an on-demand scanner but it does have a service that runs, this is required if you choose the option to allow it to scan files on-demand via the right click context menu in explorer. If you have no intention of doing that you can disable startup in SAS Preferences.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall. The same is true of your modem/router/firewall it doesn't provide outbound protection (unless it specifically says so).

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc.
- Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated (as you found) with trial ware and is also crippled as far as outbound protection goes. In the Program Control, configuration area, the slider will only go as far as Medium protection, if you want more you have to buy the Pro version.

See a forum discussion on free firewalls: http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.
Title: Re: Viruses in chest...
Post by: Tarq57 on July 23, 2008, 03:38:20 PM
Oh, by the way, having a two way firewall like ZA is important if you do online banking, have credit card info and passwords stored anywhere on the computer etc.
The Windows firewall is very good, stealths all ports, but only works inbound. The idea with outbound protection is that you have control over what is allowed to connect. (This can take some study..figuring out what is legitimate, and what might need further research.)
I use Comodo firewall, version 2.4, and have confidence in it, but to be honest, the popups would probably put the average user off completely. It just gets too tempting to click "allow" to every frequent alert. If this is the likely situation, I reckon you're better off with the XP firewall, and scan regularly with Avast and SAS. There's two very good security softwares, there, and in my limited experience of looking at the logs of infested computers, most are infested because of out of date, vulnerable applications like Java, or a flash player, or  users downloading cracked software. Keeping all applications updated is probably one of the most important things you can do, aside from running a good AV.
If you're interested in that, pay a visit to www.secunia.org , and take the online scan, to get an idea how patched everything on your computer is.

[EDIT] Sorry, x-posted, there. I'd take David's advice.
Title: Re: Viruses in chest...
Post by: patsz2 on July 23, 2008, 06:02:24 PM
Thanks, Tarq,

I did the Secunia scan and found I needed to update Real (so I removed it and downloaded Real Alternative and don't know how it works...lol) and FlashPlayer.  Thank you for that site.

Need to think about Firewall...considering banking, etc....

Pat
Title: Re: Viruses in chest...
Post by: Tarq57 on July 24, 2008, 12:24:35 AM
Real Alternative (and Quicktime alternative) work well. They're basically a trustworthy open source codec pack.
The associated Media Player Classic (latest, and last version) has a reported vulnerability in the rendering of .AVI files.
Don't ask me what that means...I'm not a programmer. But I avoid playing files with an .AVI extension using it.
It should install just like any installable program, Info here: http://www.free-codecs.com/download/real_Alternative.htm
Info about the vulnerability here: http://secunia.com/advisories/26806
I use the player, but only use it for trusted files, which is a good enough workaround for me.
Title: Re: Viruses in chest...
Post by: patsz2 on July 24, 2008, 01:27:26 AM
Thanks, Tarq!

I already have Quicktime Alt., but when I ran that Secunia scan it found Apple Quicktime!!  I had uninstalled it quite a few weeks ago, ran Revo and got rid of all files that it showed, I did a search.... no files...can't imagine where Quicktime is!!!

I had used Real just for playing my own classical CD's which I downloaded to my computer.  I used Windows Media Player today...could not yet figure out Real Alt.

THANKS!!
Title: Re: Viruses in chest...
Post by: Tarq57 on July 24, 2008, 03:48:48 AM
Your "Apple Quicktime" is probably in the form of a plugin for the browser. This doesn't necessarily mean you have installed an Apple program, it refers to the proprietary name of the software. (So Quicktime Alternative installs plugins  by Apple. Probably a copyright thing.)
Try a computer search for anything "Apple".
IMO a player that can handle Apple formats (QT, MOV) is worthwhile, because there are a lot of these around. If you don't have the plugin, some embedded files in web pages can't be played. Real Player files abound, but seem to be a little less prolific. (Terrible player, the Real. Almost virus-like. Gets in everywhere.)
Available at Secunia is a program called PSI, which is basically the installed version of its online scanner (which I like and use). If this is installed, it can be set to monitor all your programs for patches etc. After it has completed its first scan, you can locate any file you want, by mousing over the file name, and a balloon window will appear giving you the installation path of that software. Kind of handy. It can do more besides that, including  a wizard to streamline/offer guidance for updating all sorts of software, and the range of software it examines is greater than that of the online version.
The program is technically a Beta (RC3) but I haven't had, nor heard of, any problems with it.
There are other software vendors that offer similar programs, Comodo have one, there are probably a few others.
Title: Re: Viruses in chest...
Post by: patsz2 on August 30, 2008, 10:53:22 PM
Hello...

Me again with a question about these files in the virus chest....is it safe to delete them?  I have had no problems functioning without them and they have been in there for over a month.

Thanks!
Title: Re: Viruses in chest...
Post by: Lisandro on August 30, 2008, 11:10:53 PM
Quote from: patsz2
I have had no problems functioning without them and they have been in there for over a month.

Go ahead, you can now delete them...
Just to be sure, right click, scan, certify they're infected (yet) ;)
Title: Re: Viruses in chest...
Post by: patsz2 on August 31, 2008, 03:03:17 AM
Thank you so very much.

You all surely are quick to respond!

Appreciate it!!
Title: Re: Viruses in chest...
Post by: wyrmrider on August 31, 2008, 05:01:11 AM
What tech was implying was to rt click scan them before deleting
implying that if they are now clean that they were false positives
If it turns out that after a month they are still infected I google them to see if they are usually found in context with something else bad
Title: Re: Viruses in chest...
Post by: patsz2 on August 31, 2008, 02:01:12 PM
Hi,

Yes, I knew to right click them to scan to see if they were clean...they weren't.  Too late to Google check, though, they are gone.  At least, I hope they are!!  Hope I don't need them!

Thanks!