avast isn't deleting infected files

[currag]

some virus installed in my pc, so i programmed avast to run before windows starts, it founds the virus so i choose delete all. ok, now, in windows, i run a scan on c:\windows and it keeps finding infected files!

before this i've already scan the system using spybot search & destroy and ad-aware, in safe mode. the 3 programs are up to date. once windows started again after the avast scan, i use regseeker to clean the registry.

thanks!

in the win log i found:

Sign of "Win32:Agent-AFHL [Trj]" has been found in "c:\windows\system32\msenv32.dll\[Morphine]\[UPX]" file.  
Sign of "BV:AutoRun-W" has been found in "c:\windows\system32\autorun.i" file.  
Sign of "Win32:Puvbed [Trj]" has been found in "c:\wllbpi.exe" file.  
Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\sndintd.sys" file.  
Sign of "Win32:Walivun [Trj]" has been found in "c:\windows\system32\servises.exe" file.  
Sign of "Win32:Cutwail-J" has been found in "c:\windows\system32\drivers\ndis.sys" file.  
Sign of "Win32:Trojan-gen {Other}" has been found in "c:\windows\system32\csrcs.exe" file.  
Sign of "Win32:Trojan-gen {Other}" has been found in "c:\documents and settings\gabriel\menú inicio\programas\inicio\fmnupd32.exe" file.  

[DavidR]

First deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

You don't say why avast can't delete ?
I would suggest it is possibly airing on the side of safety with files in the system folders.

However based on the file names and their locations it would appear that the detections are good. Some are using file names (misspelt or very close) to look like system files or have the same name but are in a different location to the genuine file.

Google some of the file names to get some idea on the files, e.g.:
http://www.bleepingcomputer.com/startups/CSRCS.EXE-13520.html
http://www.prevx.com/filenames/2290640277889144661-X1/MSENV32.DLL.html
http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=sndintd.sys


What is your firewall ?

AdAware is IMHO a waste of hard disk space, whilst S&D is better I fee there are better out there:
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should product a log file).

• 1.  MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
• 2. SUPERantispyware On-Demand only in free version.

[currag]

i don't know why it doesn't delete them, i assume that since the files are still in the computer after the scan..

for firewall i only use the windows one

downloading those 2 freewares! thanks from argentina!

EDIT: another thing, the avast icon in the tray, and many other programs ( actually all of them) have been desactivated from the start up :S

[DavidR]

You're welcome.

It would normally give a reason at the time when you try to delete, possibly that relies on windows which isn't fully running at that time you could check the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt file which is created and the C:\Program Files\Alwil Software\Avast4\DATA\log\aswBoot.log file, which may list any errors.

[currag]

this are the files created in the avast scan. in the report file look for the last scan i forgot to delete the rest jeje

i run both Malwarebytes' Anti-Malware and SUPERAntiSpyware, the first one found 22 objects, removed, the second couldn't find anything else

[DavidR]

You seem to have copied the same log twice but under two different names as they are identical, you haven't posted the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt, see image example of one I ran some time ago. From that image you will see it is a summary of files scanned and files detected and it doesn't match either of yours.

This is the only strange thing I see in the aswboot.log (log.log & your report.log)
Going to disable files:
*RAW:C:\WINDOWS\system32\drivers\fab0f6f8.sys
I don't see any indication of errors anything in that aswboot.log.

A google search on that file returns no hits, so I don't know if this is a file name randomly created by avast's boot time scam and it is just cleaning up ready for the restart.

[currag]

  sorryyyy, here's the report file

[Tarq57]

And here is a web-based translation of it. 

[DavidR]

Well that shows that the files were deleted as I believe the log is generated after the fact and if problems were encountered, I can only assume that that would have been included in the log. However, none of these are those you mentioned before, so those must have been detected during other scans and not the boot-time scan.

The file I considered strange was in fact a rootkit and avast was stopping that in the other file so that it could be deleted.

Hopefully having removed that C:\WINDOWS\system32\drivers\fab0f6f8.sys rootkit, which can a) hide other malware and b) protect other malware, that my have been what prevented the deletion. But I suggest you get out of the delete habit (send to the chest and investigate) or you are likely to end up deleting in haste repent/regret at leisure.

Now run another avast normal on-demand scan and see if anything else is detected, run both the MBAM and SAS scans and post the logs.

[currag]

finally, nothing found!

can you recommend me any free firewall?

[DavidR]

Me being slightly biased, would suggest the free version of what I'm using, Outpost Firewall Pro, the free version has all the same firewall protection elements.

See http://www.matousec.com/projects/firewall-challenge/results.php.

Many forum users are using all of the above:
- PC Tools Firewall seems to have the least user headaches as it doesn't seem to be constantly asking the user questions about this and that.
- Online Armor for the most parts fine but it has caused some users grief after avast program updates and that is something you have to watch out for.
- Comodo is now a suite and you have to do a custom install so as not to install the antivirus element (or use the add remove programs to remove the AV element if already installed), of all the firewalls listed this seems to be the noisiest in asking questions, depending on settings and elements used, so it could be daunting for those not to familiar with firewalls or their systems.
- Outpost Firewall 2009 free, a cut down version of the Outpost Firewall Pro version, which should still provide good protection, http://free.agnitum.com/. Download, http://www.filehippo.com/download_outpost_firewall/