Topic: Avast have problems with win32:cod-bas-12[trj] and win32:startpage-006[trj]

Offline Tonanet

  • Sr. Member
  • ****
  • Posts: 353
  • I'm a llama!
Hello guys! :)

1- I was testing some viruses that I have with Avast.

2- One of the files detected (online[1].chm) was detected as win32:codbas-12[Trj] and inside of it Avast found another virus called win32:startpage-006[trj] (it's a random name dll).

3- Avast fails to put it in quarantine and to delete it... It always returns a message when Avast tries to do something with this virus.

4- The other viruses (not related with this chm file) found were removed without a problem.

5- This chm file is not in use, and can be deleted by hand without a problem. I did it a lot of times while testing Avast against this virus... So I don't know why Avast can't do anything with it. (I tried with AVG... And AVG detects only the chm file and removes it, the entire chm file, so the dll that is inside is removed too)

6- Boot scan does no good... Nothing happens with this file...

It seems that Avast can't remove the dll inside of the chm and can't remove the chm itself either...
Is this behavior normal? Should the users of Avast delete these viruses by hand? Or does Avast have some kind of problem with it?

There's no chance of getting infected with this virus because Avast blocks it, so don't worry. It's just a matter of removing it (delete or quarantine) :)

Should I send this file to Alwil to check if it's normal? And maybe see if it can remove this virus using Avast only, without having to delete by hand?

Thanks for your time,

Elminster

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89687
  • No support PMs thanks
If it is an avast detected virus, I doubt there is any reason to send it to avast.
2. Which provider detected the online[1].chm file?
    Where was/is the file located?

3. Why does avast fail to put it in the chest? - what error/message is displayed?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Tonanet

Hello, :)

Here are the answers:

1- I tested with on demand scan and with on access scan (not webshield because the file is on my computer)

2- The file is located at "c:\teste"; it's a dir that I created for these tests...

3- It doesn't seem to be a normal error. When the result form appears after the scan, beside the name of the virus there is a note saying that it was not possible to move the file to the chest or to delete it, depending on the action that I asked for...

Thanks for your time,

Elminster

Online DavidR

1. Have you tried a right click scan of that file?

2. I was just wondering if it was in a system folder that windows might be protecting.

3. When the virus was detected, did the on-demand scan stop and wait for your action/input?
    Do you have the Pro version and have you set options for the actions, etc?
    Or do you have the Home version and use silent mode general answer=no and send to chest?

Offline Tonanet

Hello,

1- Yes, I tried making a scan on the folder and using right click on the file... Same results...

2- No, the folder isn't protected... It's not like the restore folder; it's a simple folder.

3- I have the Home version, and it's not set to silent mode... Here's what happens: first I ask for a scan of the file, Avast finds the codbas virus in the chm file and asks me what to do.... I ask to delete or quarantine, then the alert appears again, but this time for the startpage-006 that is inside of the chm file... I also ask to delete or quarantine. The scan is over and a result screen appears telling me that 1 codbas virus file in c:\teste\online[1].chm could not be quarantined/deleted and that c:\teste\online[1].chm\randoname.dll could not be deleted/quarantined...

The weird thing is that you can delete the file without problem...

Thanks for your time,

Elminster

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11873
    • AVAST Software
Elminster, what are the exact error messages you get?

In any case, the support for archives is somehow limited:
- all supported archives can unpack (i.e. scan) the content, but
- only some formats allow removing the files from archives
- even fewer formats allow repacking of archives (needed when a file is "repaired" and should be stored back to the archive, or when a file was removed from a nested archive and the modified archive should be put into the parent archive).

So, removing files from archives may not always work. CHM, as far as I know, can only be "unpacked", no actions are supported.

Offline Tonanet

Hello Igor,

2 infections are found in the chm file: (1.htm) and (randoname.dll).
For both I ask to quarantine/delete.
After I ask that for each one, 2 message boxes from Avast appear telling me the following for each infection:

-->Sharing violation (Red title)
-->Its not possible to proccess the following file: c:\teste\online[1].chm\1.htm

And the next one with the same title say:

-->Its not possible to proccess the following file: c:\teste\online[1].chm\randoname.dll

Other AVs that I tested, like AVG and McAfee, just delete the chm file without a problem... Why can't Avast just delete the chm file itself, like the others?

Thanks for your time,

Elminster



Offline igor

OK, the "Sharing violation" is a mistake, the correct message should have been "The action is not supported for this archive type". The reason is that avast! was trying to delete the file from inside of the CHM archive, not the whole CHM file, and this action is not implemented.

Actually, it would be quite easy to implement deleting of files from CHM archives; however, we discussed it with Vlk today and decided that deleting the whole CHM archive would probably make more sense in this case (since it's not very likely that you'd meet a "legal" CHM file having only one internal file infected by mistake). So, the behavior will be changed in the next version (regarding CHM files only).
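
An added example, not part of igor's post and not Avast's code: a Python sketch of the container-level fallback discussed in this thread. Detections reported as paths inside an archive are resolved to the on-disk file, and when the format has no member-removal support the whole container is moved aside once. The `REMOVERS` table, the function names and the quarantine directory are assumptions made for illustration.

```python
import os
import shutil
import zipfile

def remove_zip_members(path, members):
    """Repack a ZIP without the listed members (the 'repacking' case)."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename not in members:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, path)

# Assumed capability table for illustration (not Avast's real list):
# extension -> function that removes members in place, or None if unsupported.
REMOVERS = {".zip": remove_zip_members, ".chm": None}

def split_container(detection_path):
    """Split '<dir>/online[1].chm/randoname.dll' into (on-disk file, member)."""
    path, inner = detection_path, []
    while path and not os.path.isfile(path):
        parent, leaf = os.path.split(path)
        if parent == path:              # reached the root: nothing on disk
            return None, detection_path
        inner.insert(0, leaf)
        path = parent
    return (path or None), "/".join(inner)

def remediate_all(detections, quarantine_dir):
    """Resolve every detection first, then act once per on-disk container."""
    by_container = {}
    for det in detections:
        container, member = split_container(det)
        by_container.setdefault(container, []).append(member)
    report = {}
    for container, members in by_container.items():
        remover = REMOVERS.get(os.path.splitext(container or "")[1].lower())
        if container is None:
            report[None] = ("not-found", members)
        elif remover and all(members):
            remover(container, members)
            report[container] = ("remove-members", members)
        else:
            # No member removal for this format: move the whole file aside.
            os.makedirs(quarantine_dir, exist_ok=True)
            shutil.move(container, os.path.join(quarantine_dir, os.path.basename(container)))
            report[container] = ("quarantine-container", members)
    return report
```

Grouping before acting matters here: both detections in `online[1].chm` map to one container, so the second one does not fail on a file that has already been moved.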

Offline Tonanet

Hello!

Really? You guys will change the behavior of Avast against chm files because of the problem that I brought up? :)

I feel useful! :)

Thanks for your time,

Elminster