Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Gillie2tat on June 04, 2004, 01:03:05 AM

Title: Avast keeps saying there's a virus
Post by: Gillie2tat on June 04, 2004, 01:03:05 AM
I'm running Windows XP Home on a Pentium IV 3.19 GB Mhz computer with Avast and Kerio firewall free edition - using the Google toolbar as a pop up stopper.  My IE 6 has all its updates and I'm using Spybot to stop spyware.  I'm not running any other antivirus programmes but see last paragraph for further information.

Anyway I ran a full system scan with Avast set to Thorough scan and to scan archive files, I'm using the Demo version.

Of course it came up with the Panda files I've seen mentioned elsewhere in the forum and also a Trojan - Win32:RPCExploit[Trj].  I deleted it during a full scan having disabled System Restore and then restarted and scanned again - and it was still there but the file path read to within the Moved folder within Avast itself.  I then double checked running an online scan with Panda and it was fine, said I was clean.

I looked in the Moved folder but there's nothing showing up in it.

Avast is still coming up with the same Trojan warning every time and this page - http://www.avast.com/i_kat_322.html describes the exact problem I'm having in the first FAQ.

I'm wondering if there is a way to stop Avast coming up with this particular virus alert if the virus isn't really there.  At least that's what I understand from the FAQ, that Avast is just showing that the file has been moved.  The first time I scanned and found virus files I told it to move all the three Panda files and the trojan to the Virus Chest whilst I investigated.

I am not running any other antivirus programme but Symantec which I uninstalled when it started crashing XP suddenly last week is still all over the registry.  Again I'm not sure whether to delete the Symantec registry entries or to leave them.  At the moment I'm not experiencing any system problems except that XP froze on me when I turned System Restore back on and I had to restart and try again - it let me turn System Restore back on the second time though and I have created a Restore Point.

Sorry if I'm waffling I'm trying to give as much information as possible.
Title: Re:Avast keeps saying there's a virus
Post by: igor on June 04, 2004, 09:41:48 AM
You can certainly put the referred folder to the list of exclusions - avast! will not scan its content.
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 04, 2004, 10:50:45 PM
OK I'm really having problems.  Avast is still coming up saying there is the Win32:RPCExploit[Trj] on my computer and it is insisting that it's in files within Avast.  The exact path is c:/Documents and Settings/Gillie2tat/Local Settings/Temp/_avast4_/ then it goes into a variety of different folders beginning with unp followed by a numerical extension.  It also says that a variety of files with the extension .dmp within the same folder could not be scanned.

Last night it was saying the virus was in the Moved folder.

I don't know how to get it to ignore this - can't figure it out, I don't know whether I SHOULD ignore this or what to do about it.  Is this a known issue?  If I tell Avast to repair all files or to move all files to a folder it gets very very slow - about one file a minute - and my whole computer slows down.

I really need help here, not sure what to do.  Incidentally some screenshots in your FAQs would be helpful to show people what you mean.  I'm at the point of giving up, I've spent two whole evenings trying to resolve this.
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 04, 2004, 11:14:15 PM
Here is a screenshot of some of the files which it said had this virus, which are currently in my Moved folder (I finally decided to try moving files to it to see if they showed up because the Avast folder in the Temp folder in Windows appears to be empty when I navigate to it).  All had the extension .dmp.
Title: Re:Avast keeps saying there's a virus
Post by: DavidR on June 04, 2004, 11:15:47 PM
1. Clear your temporary internet files.

2. This is the avast chest folder where it unpacks (unp) files to scan them. If I remember rightly avast shouldn't scan that folder _avast4_ as this is the location of avast virus chest?

3. You go to the virus chest and delete the files in it, either navigate to it or Start avast Scanner, from the menu, select Virus Chest. This will show you all the files safely secured in the chest, from here you can delete them.

4. When you say 'the moved folder,' was this within system restore, _avast4_ or are you talking about another location?

David
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 04, 2004, 11:16:32 PM
And I finally found the folder in the file path c:/Documents and Settings/Gillie2tat/Local Settings/Temp/_avast4_/.  Here is what it shows and it's saying those files are infected.  Should I move them all to the Moved folder?  It's unable to delete them and I'm not sure whether I can just remove them manually and then empty the Recycle Bin.

Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 04, 2004, 11:42:22 PM
Hi David,

Thank you for answering so quickly.

"When you say 'the moved folder,' was this within system restore, _avast4_ or are you talking about another location?"

I'm talking about the folder c:/Program Files/Alwil Software/Avast/Data/Moved.

"Clear your temporary internet files."

I've cleared my cache in both Netscape and IE to empty the Temporary Internet Files folder.  I do that regularly anyway.  However the files causing the problem are in c:/Documents and Settings/Gillie2tat/Local Settings/Temp/_avast4_/, not in my Temporary Internet Files folder.

"You go to the virus chest and delete the files in it, either navigate to it or Start avast Scanner, from the menu, select Virus Chest. This will show you all the files safely secured in the chest, from here you can delete them."

Part of the problem is that Avast can't put those files into the Virus Chest, it just comes up with an error saying it was unable to move the file though it is able to move the unp files to the Moved Files folder within Avast/Data. I tried navigating to the folder within the Virus Chest but none of the virus files are within it.  If it shouldn't scan certain folders why is it doing so and how do I stop it from doing so?
Title: Re:Avast keeps saying there's a virus
Post by: DavidR on June 04, 2004, 11:48:12 PM
We posted almost at the same time, so as you can see this is the avast chest location, how can you check that.

"Start avast Scanner, from the menu, select Virus Chest. This will show you all the files safely secured in the chest, from here you can delete them. "

David
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 04, 2004, 11:52:02 PM
As you can see from my screenshot, no files are showing up in my Virus Chest which they would if Avast had been able to move them to the Virus Chest and I did ask it to several times.  I modified my answer whilst you were posting so if you would be kind enough to double check that nothing has been missed I'd be very grateful.
Title: Re:Avast keeps saying there's a virus
Post by: DavidR on June 05, 2004, 12:16:42 AM
As a temporary measure you could add the path to _avast4_ to the list of folders that are not checked by avast.

Click on the avast icon and select Standard Shield > Customize > Advanced Tab > add the path to the _avast4_ folder, you don't need to add sub folders they are excluded by default.

This will hopefully get rid of the nagging screen (the files are in a location that they are not going to be activated) and you should be perfectly safe.

Catch up tomorrow.

David

Title: Re:Avast keeps saying there's a virus
Post by: dadkins_1 on June 05, 2004, 01:06:33 AM
Just a thought, instead of having avast move the files... when they are detected Delete them permanently? That will make sure they are truly gone (I never have the "nasties" moved, they get deleted permanently.)
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 05, 2004, 10:28:40 AM
This is the other problem it won't delete them, again says there was an error.
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 05, 2004, 05:11:05 PM
Ok I have one other thought - can I move them to the Moved folder and delete them manually from there?  Or even just delete the _avast4_ folder from the Temp folder (c:/Documents and Settings/Gillie2tat/Local Settings/Temp/_avast4_/) and empty the Recycle Bin?   Presumably if Avast puts them in the Temp folder whilst it's installing them it doesn't need them any more - it's been installed for about thirteen days now and my understanding is that it's safe to delete files from the Temp folder after they're about a week old?

It doesn't seem to be picking up that this virus is anywhere else on my system.
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 06, 2004, 01:24:16 AM
I am STILL trying to get rid of this trojan that Avast says I have on my computer.  Nothing works, it can't delete the files, it can't repair them, it moves them but when I restart there are more of these .unp files in the Temp/_avast4_ folder mentioned above, it's also coming up that it's in two of my system files.  I checked the Avast virus database, it's on the ITW list and it's an EXE virus but other than that there's no information at all.

Can somebody please help I don't want to lose my computer!
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 06, 2004, 11:52:47 AM
The system files it says have the virus are c:/WINDOWS/system32/crashlog.tar.gz/crashlog.tar/Memory.dmp and c:/WINDOWS/system32/crashlog.tar.gz/crashlog.tar

Is this anything to do with System Restore by any chance?  The only symptom I have at the moment is that when I turn off System Restore having run Avast and restart, the computer freezes when I try to turn it on again.  I have to switch off the power (not the best way to restart your puter) and restart and then it lets me switch System Restore back on.  As it's in the crashlog memory file I'm wondering if it's something to do with XP's and Avast's caching system.
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 06, 2004, 03:29:21 PM
Just checked msconfig startup, nothing nasty running in there and when I used Control-Alt-Delete for something last night there were no unexpected programs running.  So I don't THINK this is active on my system, I think it's a cache problem somewhere.
Title: Re:Avast keeps saying there's a virus
Post by: DavidR on June 06, 2004, 03:58:31 PM
I'm about out of ideas, but you seem to keep getting infected/reinfected and it is probably down to not having your OS fully up to date. The very name RPCexploit indicates exploiting the Remote Procedure Call, a Windows patch for this came out ages ago.

I did a search simply on Win32:RPCexploit and it returned 91 hits, this is just one. http://www.sophos.com/virusinfo/analyses/w32rpcspybota.html This may be of help, it also gives a link to the MS patch.

Quote
Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available from http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.


If you haven't got that patch installed you are going to keep getting infected.

Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 06, 2004, 09:28:00 PM
I think you've got it, I don't have the relevant patches although I run Windows Update regularly.  Microsoft must have removed it from the list of Critical Updates because that particular patch never showed up.  Darn them.  Just run Windows Update again and those updates still didn't show up.

I wasn't able to get the scanner tool to work - I don't know enough about DOS and I don't understand how the different commands Microsoft list work - but I looked in Control Panel and those particular patches are not listed.  Should I install them first, then turn off System Restore and run Avast and tell it to delete forcibly on restart? or try running Avast again and then install the patches?

Sorry to be a nuisance but I've never had this particular situation before, I've always had all patches in place.  I don't know why those patches haven't come up in Windows Update which I run regularly.

Thank you so much for helping me with this and for taking the time to look for me.  I did look on the Symantec web site and this particular virus didn't seem to be listed, wish they'd install a search facility!
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 06, 2004, 09:40:14 PM
Also what the Sophos article seems to say is remove the worm and then install the patches but my understanding of what you are saying is it's necessary to install the patches first and then get rid of the virus - I won't get rid of the virus unless I'm patched?  Is that correct?
Title: Re:Avast keeps saying there's a virus
Post by: DavidR on June 06, 2004, 10:06:59 PM
From your previous post, I use google.com for all searches and they generally turn up the various antivirus companies' pages relating to that search term. This is particularly useful because in many cases it will have a different name from one company to another, but it will also find it if it is an alias.

Quote
Also what the Sophos article seems to say is remove the worm and then install the patches but my understanding of what you are saying is it's necessary to install the patches first and then get rid of the virus

Personally I don't think the order is important. You can try the suggested remove virus, install patch, reboot, scan again.

Having downloaded the patch from the link I gave you, make sure that you are offline. Installing the patch doesn't get rid of the virus, it patches the vulnerability so you don't get reinfected when you go online.

You may need to disable system restore prior to removing virus (as per the instructions).

Quote
I won't get rid of the virus unless I'm patched?  Is that correct?

No - the patch has nothing to do with getting rid of the virus - but if you haven't got it installed, you will probably be reinfected on your very next venture online.

Take the next step.
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 06, 2004, 10:08:46 PM
Well Avast isn't able to remove the virus from the look of things so I'll try installing the patches first.  Thank you!
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 06, 2004, 10:33:11 PM
New development - managed to work out how to run the kb824146scan tool, this is the result it gave - looks like I'm patched after all.  The command I used was kb824146scan.exe localhost.  So what's the next step?

I too did a search on Google.com and it looked as though there might be more than one virus using this as a name:-( but the main one I agree looked like the Spybot one.

I'm beginning to think if I'm patched and Avast can't deal with it, Sophos site says there's an IDE to deal with it, maybe I should switch to that one to fix this and then come back to Avast later.
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 07, 2004, 08:26:10 AM
OK I booted the computer in Safe Mode, turned off System Restore using msconfig and not the right click on My Computer method.  I then ran a full system scan using Avast (was up until 2.00 am).

I had to restart a couple of times to get System Restore back on using msconfig and stop the puter coming up with msconfig has been modified - all fixed now.

(1) as of now since I last ran Avast there are no more unp files in the C:\Documents and Settings\Gillie2tat\Local Files\Temp\_Avast4_ folder.  For the moment I propose to leave things as they are and not do any more scans for a few days to see if they reappear.  If they don't and then reappear when I run Avast next time it's something that's happening through Avast.  Otherwise it's spotting infected mail and so on just fine.

(2) There is a very odd file in my Windows System folder which is the one that was spotted by Avast as being infected.  Should I just navigate to the Windows folder, delete it and empty recycle bin and see what happens?  Avast is unable to delete it as such and although it can move it it reappears in that folder.

There are no other warnings coming up from Avast at all about any other folders other than the two I've mentioned (except that it put the unp files in the Administrator/Temp/_Avast4_ folder whilst I was logged into the Administrator section in Safe Mode) and I'm wondering if it's safe to back up My Documents.  Fortunately I back up onto CD-Rs and not CD-RWs so I'm not relying on just the one disk set!

Another screenshot coming up!

Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 07, 2004, 09:14:13 AM
Also should I e-mail this crashlog.tar.gz to Avast for analysis?  I did a search on Google for crashlog.tar.gz and for crashlog.tar, it didn't come up with anything at all.  Is the file slass.exe anything to do with all this because it's running on my system (used control-alt-delete to check that).

Off to work now, be back later.
Title: Re:Avast keeps saying there's a virus
Post by: DavidR on June 07, 2004, 03:09:39 PM
Strange that there is a crashlog.tar.gz in the windows\system folder, .tar and .gz are forms of zipped file, it certainly is not a windows zip style that I am aware of.

Could it possibly be that it originates from some third party system tool or even an online scanner that compresses virus definitions in a .tar.gz format in the hope not to confuse anti-virus programs? The name however would point to the first guess.

I would tend to rename the file first, rather than delete (especially if avast is not reporting it), you can always delete it if after some time there is no ill effect.

The Lsass.exe is a system file - Local Security Authority Service. I don't think that it is connected with the file.

http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

Hopefully you are coming to the end of your journey.
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 07, 2004, 06:25:20 PM
Quote
I would tend to rename the file first, rather than delete (especially if avast is not reporting it), you can always delete it if after some time there is no ill effect.

But that's just it, this is exactly the file in the System32 folder that I mentioned earlier which Avast IS reporting as infected.  It's reporting c:/WINDOWS/System32/crashlog.tar.gz/crashlog.tar/crashlog.tar/Memory.dmp and c:\WINDOWS/System32/crashlog.tar.gz/crashlog.tar as the two infected system files - each and every time.  Double file extensions like that always ring warning bells for me.

The crashlog.tar.gz and unp files are the ONLY ones which are coming up labelled as infected now.  I just checked again on rebooting and again there are at present no unp files in my C:\Documents and Settings\Gillie2tat\Local Host\Temp\_avast4_ folder at all, infected or otherwise.

I can't tell you where it came from though I do have quite a lot of third party software on my system so it is possible that it came from a third party tool.

I will await your further advice :) I hope I'm coming to the end of my journey too.

I did a search on Google for crashlog.tar.gz and crashlog.tar and it didn't come up with anything which suggests to me it's not a system file. If it were it would probably be listed at least on Microsoft.com.

If you still think I should rename the file should I move it to a folder in My Documents or should I leave it in my system folder and just change the file extension - and if so what should I change the file extension to?
Title: Re:Avast keeps saying there's a virus
Post by: DavidR on June 07, 2004, 06:40:30 PM
I did a search on crashlog and that turns up 829 hits and some of those are programs, that obviously create some form of crashlog, perhaps you might find one that's familiar.

Quote
Double file extensions like that always ring warning bells for me.

They do normally for me, but I have seen this one as a legitimate compression format on some download sites.

As I said rename would have been my first option, since that wouldn't work, it doesn't leave much else other than deletion. It is not a windows system file.

David
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 07, 2004, 06:49:45 PM
I think I see why you say renaming the file wouldn't work, but I'm a bit concerned that although Avast has successfully moved that file and changed the extension to .vir it just came back.  That suggests to me something going on in the Registry.

The fact also that the infected unp files only appear when Avast is run suggests to me that something is going on with Avast itself.

OK we'll see what happens.  But I'm backing up first.
Title: Re:Avast keeps saying there's a virus
Post by: DavidR on June 07, 2004, 07:28:17 PM
The .tar.gz is a compressed file, in order for any anti-virus program to check it, it has to Unpack (unp) it and as far as I am aware it does this in _avast4_ which I believe I mentioned before.

If it keeps coming back, don't just temp disable System Restore using msconfig (don't see how you did that) anything that you delete from the system folders will I believe be regenerated at re-boot.

Any changes you make in msconfig, don't take effect until after a re-boot and I don't believe that system restore was properly disabled.

Go the distance and do it properly and then re-boot. Scan, resolve the problem, re-boot, check for infection and enable system restore once you are clear and re-boot.

Any backup that you do prior to cleaning could be leaving yourself vulnerable to reinfection if you use the backup.
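
The nested path reported in this thread (crashlog.tar.gz/crashlog.tar/Memory.dmp) is what a scanner produces when it unpacks each container layer in turn. The following is an added example, not part of the original posts and not avast!'s own code: it walks a gzip-wrapped tar in memory with depth and size limits and lists every layer with its SHA-256; the sample archive, its contents and all function names are constructed for illustration.

```python
import gzip
import hashlib
import io
import tarfile
import zlib

MAX_DEPTH = 5                   # stop at deeply nested containers
MAX_BYTES = 64 * 1024 * 1024    # skip layers that expand beyond this size

# Constructed stand-in for the dump file; not real crash data.
SAMPLE_DUMP = b"constructed placeholder bytes standing in for Memory.dmp"


def build_sample() -> bytes:
    """Build a constructed crashlog.tar.gz in memory: gzip(tar(Memory.dmp))."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo("Memory.dmp")
        info.size = len(SAMPLE_DUMP)
        tar.addfile(info, io.BytesIO(SAMPLE_DUMP))
    return gzip.compress(tar_buf.getvalue())


def walk(path: str, data: bytes, depth: int = 0):
    """Yield (scanner-style path, SHA-256) for a blob and every layer inside it."""
    yield path, hashlib.sha256(data).hexdigest()
    if depth >= MAX_DEPTH:
        return

    if data[:2] == b"\x1f\x8b":                      # gzip magic bytes
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                inner = gz.read(MAX_BYTES + 1)
        except (OSError, EOFError, zlib.error):
            return                                   # corrupt stream: report outer layer only
        if len(inner) > MAX_BYTES:
            return                                   # refuse oversized expansion
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        inner_name = base[:-3] if base.lower().endswith(".gz") else base + ".unpacked"
        yield from walk(f"{path}/{inner_name}", inner, depth + 1)
        return

    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:")
    except tarfile.TarError:
        return                                       # not a tar: a plain file, nothing to unpack
    with tar:
        for member in tar:
            if member.isfile() and member.size <= MAX_BYTES:
                body = tar.extractfile(member).read()
                yield from walk(f"{path}/{member.name}", body, depth + 1)


def scan_paths(name: str, data: bytes) -> list:
    """Return every (path, sha256) pair a layer-by-layer unpacker would visit."""
    return list(walk(name, data))


if __name__ == "__main__":
    for p, digest in scan_paths("crashlog.tar.gz", build_sample()):
        print(digest[:16], p)
```

Each reported path names a layer of the same single file on disk, so one archive can appear as several detections.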
Title: Re:Avast keeps saying there's a virus
Post by: Gillie2tat on June 07, 2004, 11:07:56 PM
We have liftoff!  I am clean at last!

What I did was:-

1. Delete crashlog.tar.gz from my System32 folder but leave it in the Recycle Bin just in case.

2. I then disabled System Restore correctly - Start-Control Panel-click on System and check the Disable System Restore box.  Restart computer and check that crashlog.tar.gz was not in my System folder - no it wasn't.

3. Disable my screensaver.

4. I started a scan and it didn't pick up any infected unp files but it picked up the crashlog.tar.gz file in the Recycle Bin.  I stopped the scan, emptied out the Recycle Bin (it was the only file in it anyway, I emptied it yesterday!)

5. Avast picked up more infected unp files on the next scan, so I stopped the scan and deleted them from the Temp/_Avast4_ folder and emptied the Recycle Bin.  I double checked System32 again but the file crashlog.tar.gz was not in it thank goodness.

6. I ran a full clean scan.

7. I restarted the computer and ran another full clean scan (I did go online again and double checked your posting above, and Avast downloaded some updates whilst I was doing it - so the scans were absolutely up to date).

Tomorrow I plan to redo that backup - it's needed urgently now - and I will destroy those disks I burned today.

I am pretty certain now that the virus is gone and would like to thank you very much indeed for all your kindness and help over the last few days.  I don't know where I'd have been without all your patience, advice and help.

I do a lot of computer graphics and have my own web site so if I can do anything for you in that line please contact me and I'll be glad to help.

Avast were recommended to me by the principal of the web school where I study, Richard Dean of http://vu.org.  I have yet to find him wrong on software of any kind!
Title: Re:Avast keeps saying there's a virus
Post by: DavidR on June 08, 2004, 12:45:57 AM
I'm glad that you stuck with it, many would have given up.

Fingers crossed your problem is finally resolved, with a clean system and avast it should be easier to keep that way.