Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Yezinki on December 09, 2008, 04:30:39 AM

Title: Boot scan?
Post by: Yezinki on December 09, 2008, 04:30:39 AM
Hi there,

I am new to the forums & this is my first post.

Installed Avast 4.8 Free Ed on a fresh install of Vista.

After installation, before any updating, it asked for a reboot to scan local drives to which I agreed.

On boot scan it detected a Trojan in a file on one of the other partitions.

Prompted me to use various options..... selected 1 to Delete the file.

After reboot & updating ran the scan again, the file was still there & it did not even detect it??

Any clues?

How can one enable a boot scan of drives?

Hoping to hear from you smart geniuses,

Regards,

Yezinki.
Title: Re: Boot scan?
Post by: Tarq57 on December 09, 2008, 09:48:00 AM
Hi Yezinki, and welcome to the forum.
I believe a possible cause is that the detection could have been a false positive, which was later corrected, so that following the update it was no longer detected. Since the file seems to have somehow re-created itself, it is either a system file with the ability to do that, or it is indeed malware. Can you post the full name and path of the file detected, and if you remember, the name of the trojan as described by Avast, please?

In general terms deletion is never a good first option, it's always better to quarantine, or even to ignore while further investigation is carried out, in case it is a false positive. The file concerned can then be examined, "Googled", uploaded to an online scanner service etc for checking.
It's always a good idea to update any database of security software before a scan.
To run a boot-scan, start Avast, (Right click the tray icon, select "start Avast...") it will take half a minute for the GUI to load, select "menu", then halfway down the list, "schedule boot time scan", and follow the prompts.
Generally a boot scan is only indicated if you have an infection that is proving difficult to remove. Otherwise a normal scan without archives is usually adequate.

In your case further investigation of the file involved is recommended.

[Edit] PS, thanks, but I'm not sure I qualify as a "smart genius".  ;D (although some parts of me have been described as "smart" before, the word "genius" has never been involved in those compliments. Other words....)
Title: Re: Boot scan?
Post by: Lisandro on December 09, 2008, 11:48:49 AM
The best approach, in all cases, is to try sending the file to the Chest for further analysis rather than deleting it directly.
Can you post the file name and path?


See how to enable boot time scanning: http://www.digitalred.com/avast-boot-time.php
Title: Re: Boot scan?
Post by: Yezinki on December 10, 2008, 06:56:48 AM
Thanks Tariq57 & Tech,

Man you guys are real smart.

I appreciate your responses.

Without your help I would not have ever found the way to do a boot scan.

Strange isn't it...it found it on a boot scan but on real time windows scanning, after updating to the latest, it failed.

Shall let you know....

It didn't even delete it...probably it was on another partition & not the Primary Active one??

Regards,

Yezinki.
Title: Re: Boot scan?
Post by: Tarq57 on December 10, 2008, 09:03:49 AM
Quote
Thanks Tariq57 & Tech
Happy to try and help  :)
Quote
Man you guys are real smart
Well, I think Tech is. I'm pretty average, truth be known.
Quote
It didn't even delete it...probably it was on another partition & not the Primary Active one??
Check this OP:
Quote
On boot scan it detected a Trojan in a file on one of the other partitions.
Can you remember which partition, and maybe the file name? (another good reason to select "quarantine", not "delete".)
If you can, try scanning that partition again. When or if you find the file, note the name and path, and upload it to http://www.virustotal.com/ where it will be scanned by a large number of online virus/malware scanners.
Be interesting to find out. 
Title: Re: Boot scan?
Post by: Yezinki on December 10, 2008, 11:27:20 AM
Hi Tarq57,

You really are smart & genius too.

It's Virus. Win32 Trojan, detected by Avast 4.8 & from the link you sent i.e. Virus Total, only by Ikarus & as a Suspicious file by eSafe.

I use a combo of Avast & Spybot on my Vista machine.

Since you seem to be pretty specialized in Windows virology, what are your views about this combo?

Lastly what are the safest settings for Avast besides High, against viri malware heuristics?

& what exactly is the usefulness of VRDB generation?

Regards,

Yezinki.
Title: Re: Boot scan?
Post by: Lisandro on December 10, 2008, 02:48:31 PM
Quote
what exactly is the usefulness of VRDB generation?
It's an old technology that will (hopefully) help restoring infected executable files.
Nowadays it is not that useful and will be dropped in the next avast version.
Title: Re: Boot scan?
Post by: Tarq57 on December 11, 2008, 01:16:06 AM
Quote
I use a combo of Avast & Spybot on my Vista machine.
 what are your views about this combo?

Lastly what are the safest settings for Avast besides High, against viri malware heuristics
Avast & Spybot OK, but I would choose an additional antimalware for demand scans. http://www.malwarebytes.org/mbam.php and http://www.superantispyware.com/download.html are both similar in function to Spybot, both have free and pay versions, both are very good.
Personally I leave Avast at pretty much the default settings (standard) and find that more than adequate. I also use Firefox as a browser, with the NoScript and Adblock extensions, which is helpful, and use the MVPS hosts file, which is a little like having the immunity in Spybot activated.
I don't think there is a need to have the sensitivity in Avast set to high, but then I don't deliberately go looking for trouble, either.
Title: Re: Boot scan?
Post by: Yezinki on December 12, 2008, 08:47:02 AM
Thanks Tarq57,

1. I use FF too but despite making it my default browser, in windows default, some applications like MSN Live use IE 7 rather than FF ......can this be fixed?

2. If it were for you what combos would you use for Vista/XP MCE...... FF with settings you mentioned Correct?.......in place of Spy bot which would you recommend out of the 2... SuperAntiSpyware OR AntiMalwarebytes or both ?

3. Ikarus is great but a hogger like Bitdefender or Symantec......what is your personal opinion as to Avira?

Hoping to hear your views like always.

Yezinki.
Title: Re: Boot scan?
Post by: Yezinki on December 12, 2008, 08:53:06 AM
Hey Tarq57,


Quote
I also use Firefox as a browser, with the NoScript and Adblock extensions, which is helpful, and use the MVPS hosts file, which is a little like having the immunity in Spybot activated.


Sorry am a noob .......could you please explain how do you do this?

Thanks again.


Title: Re: Boot scan?
Post by: Yezinki on December 12, 2008, 09:23:38 AM
Tarq57 smart man,

A few more queries if you would care to address:

1. After a fresh install of Vista or XP MCE at what step do you create a backup image  of the OS?

2. & at what step do you make a complete backup of system registry?

Sorry to be such a pain in ...........$$   ;)
Title: Re: Boot scan?
Post by: Yezinki on December 12, 2008, 09:32:14 AM
Malwarebytes' Anti-Malware 1.31
Database version: 1492
Windows 5.1.2600 Service Pack 3

12/12/2008 1:26:32 PM
mbam-log-2008-12-12 (13-26-23).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 133193
Time elapsed: 44 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Vaio\Application Data\m (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Vaio\Application Data\m\shared (Trojan.Agent) -> No action taken.

Files Infected:
C:\Documents and Settings\Vaio\Application Data\drivers\srosa2.sys (Worm.Bagel) -> No action taken.
C:\Documents and Settings\Vaio\Application Data\m\list.oct (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Vaio\Application Data\m\srvlist.oct (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Vaio\Application Data\m\shared\Chameleon (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Vaio\Application Data\m\shared\Learn Tarot (Trojan.Agent) -> No action taken.


Scan report of AntiMalwarebytes on my Sony Vaio VGC-LS1 desktop running XP MCE 2005......why didn't Spy bot pick em up??
Title: Re: Boot scan?
Post by: Yezinki on December 12, 2008, 10:06:23 AM
Quote
I use a combo of Avast & Spybot on my Vista machine.
 what are your views about this combo?

Lastly what are the safest settings for Avast besides High, against viri malware heuristics
Avast & Spybot OK, but I would choose an additional antimalware for demand scans. http://www.malwarebytes.org/mbam.php and http://www.superantispyware.com/download.html are both similar in function to Spybot, both have free and pay versions, both are very good.
Personally I leave Avast at pretty much the default settings (standard) and find that more than adequate. I also use Firefox as a browser, with the NoScript and Adblock extensions, which is helpful, and use the MVPS hosts file, which is a little like having the immunity in Spybot activated.
I don't think there is a need to have the sensitivity in Avast set to high, but then I don't deliberately go looking for trouble, either.


Tried the links you sent & testing it on my trial machine.....I'd probably use a combo of AntiMalwarebyte & Avast on my new Dell XPS note book.......plus the settings of FF that you suggested.

What do you think, genius man?
Title: Re: Boot scan?
Post by: Yezinki on December 12, 2008, 10:09:03 AM
Do 2 types of antispyware software clash with each other like 2 antiviruses on the same machine?
Title: Re: Boot scan?
Post by: CharleyO on December 12, 2008, 10:23:46 AM
***

No, they will not usually conflict if one is set as the resident (active) scanner and the other(s) are set as on demand scanners.

As an example, I use Spybot-S&D as my resident scanner with Spyware Terminator & MBAM as on demand scanners.


***
Title: Re: Boot scan?
Post by: Yezinki on December 12, 2008, 10:26:47 AM
Quote
***

No, they will not usually conflict if one is set as the resident (active) scanner and the other(s) are set as on demand scanners.

As an example, I use Spybot-S&D as my resident scanner with Spyware Terminator & MBAM as on demand scanners.


***

Thanks CharleyO,

How does one set one as active & others on demand?

Title: Re: Boot scan?
Post by: Yezinki on December 12, 2008, 02:23:07 PM
Tarq57 & Tech,

Have you ever tried this registry utility........http://www.larshederer.homepage.t-online.de/erunt/
Title: Re: Boot scan?
Post by: Lisandro on December 12, 2008, 03:11:16 PM
Quote
Have you ever tried this registry utility........http://www.larshederer.homepage.t-online.de/erunt/
I use it daily, scheduled backup of the registry done at 12AM ;)
Title: Re: Boot scan?
Post by: Yezinki on December 12, 2008, 03:18:37 PM
Smart Indeed.

1. Why is Default first back up made in C>Windows.......Can't one give it a different path?

I know the logic of being in windows folder to access if OS fails......

2. I use it too, but the back ups are made in My Documents each day, but the default first one is in C> Windows?

3. Since am doing a clean install of Vista on my laptop when should I make the first back up?

4. Should restoration, if required be done in safe mode or normal windows mode?

Thanks.
Title: Re: Boot scan?
Post by: Lisandro on December 12, 2008, 03:28:36 PM
Quote
1. Why is Default first back up made in C>Windows.......Can't one give it a different path?
Yes. Use the command-line options:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

Quote
3. Since am doing a clean install of Vista on my laptop when should I make the first back up?
Whenever you want... you can do another later...

Quote
4. Should restoration, if required be done in safe mode or normal windows mode?
Normal mode... restart of the computer will be necessary.
Be sure to back up all the users' data (and on Vista, use the application with elevated rights).
Title: Re: Boot scan?
Post by: Yezinki on December 12, 2008, 03:31:15 PM
Thanks Tech again.
Title: Re: Boot scan?
Post by: CharleyO on December 12, 2008, 08:50:41 PM
***

Quote
***

No, they will not usually conflict if one is set as the resident (active) scanner and the other(s) are set as on demand scanners.

As an example, I use Spybot-S&D as my resident scanner with Spyware Terminator & MBAM as on demand scanners.


***

Thanks CharleyO,

How does one set one as active & others on demand?




Spybot is the resident scanner because I have the TeaTimer (resident) active. MBAM is on demand because it is the free version that can only be used as on demand. I have set Spyware Terminator as on demand through its user interface.


***