Author Topic: Newbie requires help with viruses in chest  (Read 3774 times)

melbguy1

  • Guest
Newbie requires help with viruses in chest
« on: January 27, 2008, 12:08:05 PM »
Hi, I have some viruses which Avast picked up and moved to chest.

FYI, I run Windows XP with the following programs;

- Main AV - Avast Home edition
- On demand AV - AVG free edition
- Resident protection - (Other than Avast); - Spyware Terminator, Advanced Windows Care (free ed)
- Spyware programs - Super Antispyware, AVG Antispyware, Spyware Terminator, Zone Alarm spyware scan (enabled)
*Nb: Zone Alarm's Kaspersky av disabled in favour of Avast

The viruses are as follows: -

1. ilteex2i.exe (Win32:Small-IKO [trj]) - Location: C:\DOCUME~1\David\LOCALS~1\Temp
2. pdm2rt.ppl (Win32:Agent-RGO [trj]) - Location: C:\WINDOWS\System32\ZoneLabs\avsys
3. rw62syza.exe (Win32:Small-IKO [trj]) - Location: C:\DOCUME~1\David\LOCALS~1\Temp

What I want to do is decide the best option - Delete the infected files, or try to restore them safely if appropriate ??? 

The one infected file which seems a worry seems to be one of ZoneAlarm's Antivirus files. Any advice would be a great help! Thanks.
« Last Edit: January 27, 2008, 12:28:34 PM by melbguy1 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89362
  • No support PMs thanks
Re: Newbie requires help with viruses in chest
« Reply #1 on: January 27, 2008, 03:03:22 PM »
First, AVG AV isn't an on-demand scanner but a resident scanner, and that can cause conflict issues. BitDefender free is an on-demand AV, if you wanted a second opinion, or use one of the on-line scanners.

On-line Virus Scanners and other useful Links Security-Ops.eu.tt

You have done the right thing: 'first do no harm'. Don't delete; send the virus to the chest and investigate, as you are.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

What version of Zone Alarm do you have (I think avsys would indicate it also has some AV element that could also clash), as one of the detections appears to belong to that?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

melbguy1

  • Guest
Re: Newbie requires help with viruses in chest
« Reply #2 on: January 27, 2008, 03:35:24 PM »
Hi David, thanks for your info. Yes, you're right, as an 'out of the box' product, AVG free ed antivirus does have a resident scanner; however, I disabled the resident scanner when I installed it so as to avoid conflicts.

I did run a Trend House Call scan tonight and picked up 2 greyware items. A repeat scan picked nothing up (obviously it wouldn't pick up the viruses in the chest..)

I am using ZA's full Security Suite version - 7.0.462.000. I ran an update & it is showing the program is up to date. I have, however, allowed ZA's AV program to get out of date, and maybe that's why a file from it has become infected? Not sure about that. As above, I have disabled ZA's av so that Avast is the primary av and resident scanner.

Thanks again, I will leave the items in there & re-scan within the chest to check the status of the infected files in a month's time.

 

Offline DavidR

Re: Newbie requires help with viruses in chest
« Reply #3 on: January 27, 2008, 06:52:51 PM »
No problem, glad I could help.

A lot depends on how you say you have disabled the resident scanner; the other issue is that virtual device drivers (registry Legacy keys) are created and these may also cause a conflict.

My personal feeling is that if you want a back-up on-demand scanner, start with one that is on-demand only. I think BitDefender free would be better than AVG in this respect, or use on-line scanners as a back-up: no need to install it nor keep the signatures up to date.

melbguy1

  • Guest
Re: Newbie requires help with viruses in chest
« Reply #4 on: January 28, 2008, 05:02:59 AM »
Thanks for the tip,

I'll uninstall AVG antivirus and install Bit Defender free ed as my on demand scanner. I'd still occasionally use House Call regardless as it's rock solid. [Edit: Did some research, BD is resource heavy & leaves behind files when you try to uninstall it. My research indicates a 2nd 'on demand' scanner is a waste of time. Just use KAV & Trend Microsystems online scans instead].

It is possible an av conflict weakened the antivirus (referring back to your comment about resident scanner registry keys)...hmmm

In any case, so far there have been no performance problems I can detect. But since one of the infected files was a ZoneLabs av file, as a precaution I reinstalled the latest version of ZA Security Suite from ZA's website and did a 'clean install' (to be on the safe side). That way, the corrupted file should be replaced. The other 2 files had not infected a Windows file, so I'm not so concerned about them.

I still rate Avast Home Ed as the best free av around, and better than many commercial products (Kaspersky being one).

Cheers.  :)
« Last Edit: January 28, 2008, 10:08:19 AM by melbguy1 »

Offline DavidR

Re: Newbie requires help with viruses in chest
« Reply #5 on: January 28, 2008, 04:21:23 PM »
I don't have an on-demand AV for a back-up scanner, but an on-demand scanner shouldn't be using resources when you aren't doing a scan with it. If I need a check scan I would use an on-line scanner.

The conflict in itself shouldn't leave you weaker but the problem is it could cause a lock up as both residents fight for control if both can detect the same infected file. One scanner would intercept attempts to run an executable whilst it scans it, the other scanner may also get in on the act trying to intercept calls to execute/run a file. This is where you could get a conflict which may lock your system and allow a virus to get established.

melbguy1

  • Guest
Re: Newbie requires help with viruses in chest
« Reply #6 on: January 29, 2008, 08:52:48 AM »
Yes, agreed. Currently after some changes I have ZA Security Suite with AV disabled. I believe disabled, with ZA there are no conflicts with other AV programs since in the installation, it actually asks you if you want to run another av or not, and hence disable ZA's AV. Secondly, I have uninstalled AVG Antivirus as you recommended, and now just run Avast Home Ed as my primary AV & Resident Scanner.

I should mention I use Spyware Terminator which uses a spyware resident scanner, but have found no apparent conflicts with Avast's Resident scanners.

So now I have ZA as my firewall/anti-adware/privacy protector/junk email filter/anti-spyware on demand scanner etc, AVAST as primary AV/Resident Scanner, SuperAntispyware/AVG Antispyware as my ad scanners, Spyware Terminator as my adware resident scanner & AWC as my tune up program + adware immunisation. There shouldn't be any conflicts. There is no duplication in the resident scanners based on my settings.

Re: the three viruses, they are still in quarantine. I will send the two different types to Avast and see what they say. In the meantime I will wait a few weeks as you suggest, then rescan them from within the chest and see what comes up. Depending on what Avast say (if they reply), I may just delete the files anyway. I have re-installed ZA, thus replacing any previously infected ZA file, whilst the other two trojans are attached to temp files.

Offline DavidR

Re: Newbie requires help with viruses in chest
« Reply #7 on: January 29, 2008, 03:58:50 PM »
Spyware Terminator is fine with avast; I used it for a while myself. Resident anti-spyware applications don't normally cause any problems with a resident anti-virus application. It is just advised to have only one resident scanner in each category, 1 AV and 1 AS.

None of the three files in the chest should need to be sent to avast unless you doubt the detection (in which case you need to confirm that, see below) or a file wasn't detected and you think it is infected (not the case here).

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.