Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Bellzemos on May 12, 2010, 02:31:51 PM

Title: What is this?
Post by: Bellzemos on May 12, 2010, 02:31:51 PM
(http://www.shrani.si/f/35/ER/23u420aX/false.jpg)

Are these Avast's legit files? It doesn't seem like a FP.  :-\

http://www.virustotal.com/sl/analisis/8fccc57ac017de22278793f7a6b6314c451a232e7e1dd9744fea89fe2bda25cf-1273667216

http://www.virustotal.com/sl/analisis/8fccc57ac017de22278793f7a6b6314c451a232e7e1dd9744fea89fe2bda25cf-1273667219

http://www.virustotal.com/sl/analisis/8fccc57ac017de22278793f7a6b6314c451a232e7e1dd9744fea89fe2bda25cf-1273667223

http://www.virustotal.com/sl/analisis/8fccc57ac017de22278793f7a6b6314c451a232e7e1dd9744fea89fe2bda25cf-1273667227

Please help!
Title: Re: What is this?
Post by: doktornotor on May 12, 2010, 02:42:48 PM
Those are NOT avast files. Those are files that avast scanned, using that directory as temporary placeholder. The fact that they are lingering there still would suggest that you have some conflicting antivirus/antimalware installed which prevented avast from deleting those *.tmp files.

You shouldn't run two AVs in realtime first; in case you run something like Immunet Protect or whatnot (claimed to be compatible w/ other AVs), to prevent this from occurring again, you should exclude that directory from scanning in whatever other security SW you have installed.
Title: Re: What is this?
Post by: Lisandro on May 12, 2010, 02:46:16 PM
False positives of avast temporary files.
I don't think MBAM has an exclusion list (to add them previously).
Title: Re: What is this?
Post by: Bellzemos on May 12, 2010, 02:47:49 PM
Look at the VirusTotal links I posted, they are not FP's. How do I get rid of those nasties for good? And no, I don't have two AV's or any conflicting software (see my signature). Thank you!
Title: Re: What is this?
Post by: doktornotor on May 12, 2010, 02:49:12 PM
False positives of avast temporary files.
I don't think MBAM has an exclusion list (to add them previously).

MBAM won't cause them to stay there. Normally this stuff gets deleted once avast is done doing its job. If something else locks the files meanwhile, fighting w/ avast for control over them, then they may be left there and the clutter will accumulate in that directory. So, what I mean is NOT to exclude the directory in MBAM, but to prevent those from staying there in the first place.  ;)

P.S. Just delete them to get rid of them.  ;D
Title: Re: What is this?
Post by: logos on May 12, 2010, 02:49:19 PM
those files could be avast crash dump temp files I think, generated while the actual dump files are saved in the alwill folder in program data...they shouldn't be flagged by MBAM >>> FPs

ps: my guess is that the dump files must contain traces referring to an actual infection, explaining the detection.
Title: Re: What is this?
Post by: Bellzemos on May 12, 2010, 02:52:00 PM
Please look at the VirusTotal links in my first post.

I think that these are the files that were created by Avast when I scanned an infected rar or zip file and Avast didn't detect them. So:

1. Are these files able to harm my computer?

2. How do I get rid of them and why didn't Avast delete them?

Thank you!
Title: Re: What is this?
Post by: logos on May 12, 2010, 02:52:33 PM
I edited my last post, see ps. Whatever, these are genuine Avast temp files, maybe just referring to avast detections. I made a mistake though ::) : I referred to dump files because they got the same unp naming.
Title: Re: What is this?
Post by: Bellzemos on May 12, 2010, 02:57:52 PM
OK, I deleted them (all four), but left the Webshlock.txt file there, is that OK?

Can someone tell me if the infected files that are NOT detected by Avast can "escape" from that Temp folder and do harm?

I had to copy those 4 files out of the Temp folder to be able to upload them to VirusTotal (because it said that the folder has access denied). But I deleted them with no problem in Windows Explorer. Why weren't they deleted by Avast already? I'll reboot my PC now, to see if they will be really gone then...

Thank you.
Title: Re: What is this?
Post by: logos on May 12, 2010, 02:59:53 PM
OK, I deleted them (all four), but left the Webshlock.txt file there, is that OK?

Can someone tell me if the infected files that are NOT detected by Avast can "escape" from that Temp folder and do harm?

I had to copy those 4 files out of the Temp folder to be able to upload them to VirusTotal (because it said that the folder has access denied). But I deleted them with no problem in Windows Explorer. Why weren't they deleted by Avast already? I'll reboot my PC now, to see if they will be really gone then...

Thank you.

these are not infected files, they're just avast temp files from Avast with references to detections, or updates, I'm not sure at all >>> your system may be really infected, I don't know. You should have attempted to open them with a word processor to read the content.
Title: Re: What is this?
Post by: doktornotor on May 12, 2010, 03:01:50 PM
But I deleted them with no problem in Windows Explorer. Why weren't they deleted by Avast already? I'll reboot my PC now, to see if they will be really gone then...

See... I already tried to explain. I can reproduce the issue very easily once I install e.g. ClamWin or Immunet Protect and forget to exclude that folder. Yeah, you can delete them perfectly fine after that - but, avast cannot delete them at the time it tries since something else is holding a lock on those files when it tries. Naturally, avast stops caring after that and won't try indefinitely to wipe them.

Are you running the SAS/MBAM stuff in realtime? (I.e., are those the paid versions you use?)

Another thing that'd come to mind is the windows indexing service causing this. Try to disable indexing for that directory.
Title: Re: What is this?
Post by: Lisandro on May 12, 2010, 03:03:24 PM
MBAM won't cause them to stay there.
Who's saying that? ???

So, what I mean is NOT to exclude the directory in MBAM, but to prevent those from staying there in the first place.  ;)
It's a matter of conflict, not to prevent staying there... There will be always a moment when avast is scanning and MBAM also...
Title: Re: What is this?
Post by: logos on May 12, 2010, 03:05:55 PM
there's another thread here about these unp files found in win temp folder
http://forum.avast.com/index.php?topic=56153
Title: Re: What is this?
Post by: Bellzemos on May 12, 2010, 03:09:02 PM
I use SAS and MBAM free versions (on demand only), so there's no conflict with Avast. Those files were created when I scanned an infected package (but not detected by Avast). I would like to know if the files created when Avast scans a package can infect my PC. And I don't know why Avast couldn't delete them.
Title: Re: What is this?
Post by: doktornotor on May 12, 2010, 03:10:32 PM
And I don't know why Avast couldn't delete them.

Are you actually reading my replies? If something holds a lock on them, it can't delete them... Whether the lock is released later on is irrelevant, they'll stay there. Once again, disable the indexing for that directory and see whether the issue is gone.
Title: Re: What is this?
Post by: logos on May 12, 2010, 03:10:51 PM
files created by avast infecting your PCs ??? you're kidding ;D >>> no :) again there must have been references to infections in these temp files, explaining the detection by mbam.
Title: Re: What is this?
Post by: logos on May 12, 2010, 03:12:35 PM
And I don't know why Avast couldn't delete them.

Are you actually reading my replies? If something holds a lock on them, it can't delete them... Whether the lock is released later on is irrelevant, they'll stay there. Once again, disable the indexing for that directory and see whether the issue is gone.


well I doubt the OP has ever been playing with the index, and system folders (temp in Win in this case) are not indexed by default. If there's a lock on these files, it's from Avast.
Title: Re: What is this?
Post by: doktornotor on May 12, 2010, 03:15:31 PM
well I doubt the OP has ever been playing with the index, and system folders (temp in Win in this case) are not indexed by default.

Well, they definitely are indexed by default on XP SP3. I just checked on a completely fresh XP install now. Fact being, the entire drive is indexed by default on XP installed on NTFS.
Title: Re: What is this?
Post by: logos on May 12, 2010, 03:19:37 PM
well I doubt the OP has ever been playing with the index, and system folders (temp in Win in this case) are not indexed by default.

Well, they definitely are indexed by default on XP SP3. I just checked on a completely fresh XP install now. Fact being, the entire drive is indexed by default on XP installed on NTFS.

yeah I was referring to Vista or Seven. But even on XP, must just be "allowed to be indexed", and not indexed at all. There was an old and completely outdated indexing system on XP that had to be purposely activated to index anything, made obsolete and replaced by Windows Desktop Search that would never have indexed system files/folders either by default.

edit: could you show a screen shot of what tells that windows folders are indexed on XP/SP3? don't know what interface you're referring to...

edit again: indexing wouldn't lock any file anyway
Title: Re: What is this?
Post by: doktornotor on May 12, 2010, 03:55:49 PM
edit again: indexing wouldn't lock any file anyway

Yes, it does lock... Actually had this issue a couple of times with normal folder. Using the Unlocker utility, I found that I can't delete the file because it's locked by Windows indexer.
Title: Re: What is this?
Post by: DavidR on May 12, 2010, 05:19:23 PM
Look at the VirusTotal links I posted, they are not FP's. How do I get rid of those nasties for good? And no, I don't have two AV's or any conflicting software (see my signature). Thank you!

avast unpacks or sends temporary files it is going to scan there, this _avast5_ folder should be cleared after a successful scan by avast. Why some files were left there after a scan is unknown.

You could have MBAM exclude the _avast5_ folder from scans, just in case there are any remnants of temporary unpacked files (periodically run a temp file cleaner or check to see if any files are regularly left behind). These files since they are in a different location and have a different file name to the original are effectively inert, but under normal circumstances they are removed after a successful completion of a scan.
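
Added example, not part of the original thread and not Avast or MBAM code: one way to do the periodic "check to see if any files are regularly left behind" suggested above. It lists files in a scanner's temporary folder that are older than a threshold and records their SHA-256, the same digest VirusTotal uses to identify a sample. The folder path, the `unp*.tmp` file names and the one-hour threshold are assumptions built for the demo.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def find_leftovers(scan_dir, min_age_seconds=3600, now=None):
    """Return files in scan_dir older than min_age_seconds, with SHA-256 digests."""
    now = time.time() if now is None else now
    report = []
    for path in sorted(Path(scan_dir).iterdir()):
        if not path.is_file():
            continue
        age = now - path.stat().st_mtime
        if age < min_age_seconds:
            continue  # recent file: may belong to a scan still in progress
        try:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
        except OSError as exc:  # e.g. another process still holds the file
            digest = f"unreadable: {exc.__class__.__name__}"
        report.append({"name": path.name, "age_s": int(age), "sha256": digest})
    return report


def group_by_hash(report):
    """Map each digest to the file names sharing it (identical leftovers)."""
    groups = {}
    for entry in report:
        groups.setdefault(entry["sha256"], []).append(entry["name"])
    return groups


def demo():
    # Constructed sample directory standing in for the scanner's temp folder.
    with tempfile.TemporaryDirectory() as d:
        now = time.time()
        samples = {"unp0001.tmp": b"sample A", "unp0002.tmp": b"sample A",
                   "unp0003.tmp": b"sample B"}
        for name, data in samples.items():
            p = Path(d, name)
            p.write_bytes(data)
            os.utime(p, (now - 7200, now - 7200))  # backdate by two hours
        Path(d, "fresh.tmp").write_bytes(b"in use")  # just created, skipped
        report = find_leftovers(d, min_age_seconds=3600, now=now)
        return report, group_by_hash(report)


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

Files that keep reappearing in the report across runs point to something preventing cleanup, and the digests let you tell repeated copies of one sample apart from distinct files.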
Title: Re: What is this?
Post by: Bellzemos on May 12, 2010, 05:59:32 PM
I deleted the files myself, rebooted and did a MBAM scan again - the infected files from Temp folder are gone and everything seems OK. Thank you all for your help! :)
Title: Re: What is this?
Post by: DavidR on May 12, 2010, 06:16:37 PM
You're welcome.

I think it worthwhile to exclude that folder in MBAM and save yourself any heartache in the future.