I've been using Avast! for nearly a couple of years now, and it has proven itself to be a fantastic AV. I've been especially appreciative of the way it goes about protecting email systems, since part of my duties for my job include having the network's email routed here (which is also my home personal computer). The only problem I ran into was when the last Sober variant came out, and it absolutely flooded my inbox. Because I knew pretty much all of the subject lines, I began turning off Avast! when I'd open up the inbox (having it individually scan hundreds of mails first thing in the morning was rather time-consuming). Unfortunately, it was still off when I was hit with this exploit. Mind you, it wouldn't have helped a great deal, because my machine was infected in the early morning hours of Dec. 27 (starting at about 1:38 AM EST). I had the red X appear in my system tray with the whole "Spyware has been detected!" warning, and thought, "That's odd... I have the MS Security Center disabled"... immediately after, it dawned on me that something was wrong.
So... I clicked to restart the AV, and was immediately met with:
Sign of "Win32:Hoaxalarm-K [Trj]" has been found in "C:\WINDOWS\tool2.exe" file.
Sign of "Win32:Trojano-3110 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\OD6Z8L2V\child[1].exe" file.
Sign of "Win32:Trojano-3110 [Trj]" has been found in "C:\DOCUME~1\PROTEU~1\LOCALS~1\Temp\6BC.tmp" file.
Sign of "Win32:Trojano-3144 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\SDAZ05U7\adtech2006a[1].exe" file.
Sign of "Win32:Trojano-3144 [Trj]" has been found in "C:\windows\adtech2006a.exe" file.
Sign of "Win32:Qoologic-AB [Trj]" has been found in "C:\WINDOWS\system32\wuauclt.dll" file.
Sign of "Win32:Qoologic-AB [Trj]" has been found in "C:\WINDOWS\system32\wuauclt.dll" file.
Sign of "Win32:Qoologic-Z [Trj]" has been found in "C:\WINDOWS\system32\vgactl.cpl" file.
Sign of "Win32:Qoologic-Z [Trj]" has been found in "C:\WINDOWS\system32\vgactl.cpl" file.
Sign of "Win32:Qoologic-AA [Trj]" has been found in "C:\DOCUME~1\PROTEU~1\LOCALS~1\Temp\f629807835.exe" file.
Sign of "Win32:Tsupdate-J [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\OD6Z8L2V\stub_113_4_0_4_0[1].exe" file.
Sign of "Win32:Trojano-2873 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\4TUNG96F\MTE3NDI6ODoxNg[1].exe" file.
Sign of "Win32:Trojano-2873 [Trj]" has been found in "C:\MTE3NDI6ODoxNg.exe" file.
Sign of "Win32:Trojano-3173 [Trj]" has been found in "C:\program files\common files\microsoft shared\web folders\ibm00001.dll" file.
Sign of "Win32:Runner [Trj]" has been found in "C:\WINDOWS\system32\pgws.exe" file.
Sign of "Win32:Trojano-3173 [Trj]" has been found in "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll" file.
Sign of "Win32:Trojano-1152 [Trj]" has been found in "C:\Program Files\Common Files\VCClient\SS1001.exe" file.
All of this seemed to be a result of the exploit, during which time I was also starting to get a popup of WebSheriff installing and so forth... some Sudoku thing was appearing as well, among other things. Too little, too late. Netstat started showing signs of multiple connections via SMTP, and I was getting a load of connections attempting through port 8558. Then Avast! started up with that "Connection timed out" message... over and over and over. Hundreds of these things were showing up, heavily enough that they were effectively DDoSing my machine. Through netstat -b, I was told that svchost was responsible for all of the traffic and no specific programs were making the connections, making it impossible for me to track down a simple offending process and destroy it.
All in all, I ended up spending the entire day of the 27th fighting with the machine, disconnected from the web, and having to use another machine to browse for troubleshooting... of course, since it was a 0-day, I was finding squat. By the end of the day, I had used a combination of anti-spyware programs and some digging through my machine to get it all out (I think I got it all, at least). Anyway, congrats on having excellent coverage on the problem now. I've gone back to just letting it scan through all of the email so I don't forget to turn it back on again. That leads me to the question, though: is there any possibility of a feature to have Avast! simply delete viruses and worms it finds in email, instead of the big popup each time that requires me to hit delete and then select delete again in the second window about scanning at start-up if necessary? Not a default feature that just does it, but rather a setting in the program that allows me to tell it to do so and to always perform the same action each time? That would be fabulous.
Apologies on the long, rambling post... and cheers.
P93
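A small triage helper for the alert list in the post above, added here as an example (it is not the poster's code and not part of Avast): it parses the quoted "Sign of ... has been found in ..." lines, collapses the repeated alerts, and pairs each Temporary Internet Files download with the copy of the same file dropped under the Windows or Common Files directories, which is the download-then-drop pattern those paths show. The alert text is a subset of the lines quoted in the post; the regexes and directory list are my assumptions.

```python
import re
from collections import defaultdict

# Avast alert lines as quoted in the post above (a subset, verbatim).
ALERTS = r'''
Sign of "Win32:Hoaxalarm-K [Trj]" has been found in "C:\WINDOWS\tool2.exe" file.
Sign of "Win32:Trojano-3144 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\SDAZ05U7\adtech2006a[1].exe" file.
Sign of "Win32:Trojano-3144 [Trj]" has been found in "C:\windows\adtech2006a.exe" file.
Sign of "Win32:Qoologic-AB [Trj]" has been found in "C:\WINDOWS\system32\wuauclt.dll" file.
Sign of "Win32:Qoologic-AB [Trj]" has been found in "C:\WINDOWS\system32\wuauclt.dll" file.
Sign of "Win32:Trojano-2873 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\4TUNG96F\MTE3NDI6ODoxNg[1].exe" file.
Sign of "Win32:Trojano-2873 [Trj]" has been found in "C:\MTE3NDI6ODoxNg.exe" file.
Sign of "Win32:Trojano-3173 [Trj]" has been found in "C:\program files\common files\microsoft shared\web folders\ibm00001.dll" file.
'''

ALERT_RE = re.compile(r'Sign of "([^"]+)" has been found in "([^"]+)" file\.')
CACHE_RE = re.compile(r'\\Temporary Internet Files\\', re.IGNORECASE)
# Assumed "sensitive" drop locations: the Windows tree and Program Files\Common Files.
SYSTEM_RE = re.compile(r'^C:\\(WINDOWS|Program Files\\Common Files)\\', re.IGNORECASE)

def parse_alerts(text):
    """Return unique (signature, path) pairs in first-seen order; repeated alerts collapse."""
    seen, out = set(), []
    for sig, path in ALERT_RE.findall(text):
        key = (sig, path.lower())          # Windows paths are case-insensitive
        if key not in seen:
            seen.add(key)
            out.append((sig, path))
    return out

def group_by_signature(alerts):
    """Map each detection name to the list of files it fired on."""
    groups = defaultdict(list)
    for sig, path in alerts:
        groups[sig].append(path)
    return dict(groups)

def staged_drops(alerts):
    """Pair an IE-cache download 'name[1].exe' with a copy 'name.exe' written elsewhere."""
    by_stem = {}
    for _, path in alerts:
        if not CACHE_RE.search(path):
            by_stem.setdefault(path.rsplit('\\', 1)[-1].lower(), path)
    pairs = []
    for _, path in alerts:
        if CACHE_RE.search(path):
            stem = re.sub(r'\[\d+\]', '', path.rsplit('\\', 1)[-1]).lower()
            if stem in by_stem:
                pairs.append((path, by_stem[stem]))
    return pairs

def system_dir_drops(alerts):
    """Files the scanner flagged inside system or shared program directories."""
    return [path for _, path in alerts if SYSTEM_RE.match(path)]
```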