Avast and ClamWin VBS LoveLetter

[Toaster]

I have 3 antivirus programs loaded on a secretary's system at work. Avast Free Ver., ClamWin and AVG Free Ver.. This morning Avast popped up a window stating that it has found a worm LOVELETTER, and naming the file location. The log states the following:

13/06/2006 08:50:29 AM SYSTEM Sign of "VBS:LoveLetter" has been found in "C:\docume~1\secret~1\locals~1\temp\clamav-c7397cbe8fd8e3c8\script.html" file.

14/06/2006 09:13:38 AM Seretary Sign of "VBS:LoveLetter" has been found in "C:\docume~1\secret~1\locals~1\temp\clamav-71123026b98965e4\script.html" file.
Can someone explain why a virus/worm would be in a ClamWin file? Should I worry? Should I allow Avast to transfer file to its vault? Should I delete the file?

[DavidR]

Clamwin I believe is fine as it is an on-demand scanner, but AVG and avast are resident on-access scanners and shouldn't be on the same system they may conflict.

Unless it is in clamwin virus signature file (I don't know which they are), then it needs to be checked.

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
Also see (Mini Sticky) False Positives

[mauserme]

Hi Toaster,

I'm not so sure those actually are ClamWin files.

I also have ClamWin and the paths you specify are not on my computer.  Nor can I find any html files in any of the ClamWin directories I do have.  The update files are

C:\Documents and Settings\All Users\.clamwin\db\daily.cvd
C:\Documents and Settings\All Users\.clamwin\db\main.cvd

This is a default installation so unless you've changed the file locations I would be suspicious.

It seems best to me to put them in quarantine for now, scan them again in a couple weeks and, if still detected as Loveletter at that point you can delete them. 

Also, as David said, ClamWin does work just fine alongside avast! but AVG did give me some problems when I had the two installed several months ago (even with AVG resident protection off).  If you want a third, on-demand scanner you could try BitDefender Free as it seems to be conflict free.

M

[Toaster]

Thanks for all the help/support. I had posted in the CalmWin forum as well and received this response from and admin:

"The infected file found in the TEMP dir was most likely a result of an error in the .chm file (compressed html help) unpacking in the clamwin where a /html file was left behind. Nothing to worry really. We will do better TEMP dir cleanup in V1."


Wheeeew!!

With reference to me having two other AV running, I really haven't noticed too much of a problem, but I'm no techie. The most I have seen is the system hang up one in a green moon, and I concluded that it must have been the two AVs. I my non technical mind I thought that running at least two AVs would be better and the occassional glitch was worth the added protection. Am I wrong? Is it that risky to the system to run two AVs? What should I do? Uninstall one? Please respond in layman's terms.

Thanks again for the support.

Toaster

[mauserme]

Thanks for the update.  I will keep this in mind in case I ever find the same with my ClamWin installation .  It might save me a lot of worry some day.

In regard to having 2 resident scanners running, the potential problem is if they both identify malware at about the same time.  This could lead to a fight between them where they both try to quarantine, or one tries to quarantine and the other delete, etc leaving the AVs locked up and the malware to continue on its merry way.

EDIT

btw - the conflict I had when trying to use avast! resident and AVG on -demand was that the combination killed my avast! tray icons.  More an annoyance than anything else, but I took this to be a sign of other possible problems and decided to remove AVG just in case.

[DavidR]

Am I wrong? Is it that risky to the system to run two AVs? What should I do? Uninstall one?

avast looks for other AV being installed and if it find them, there is a strong likelihood that it will disable elements of avast to avoid conflict. So you may not be aware that you aren't fully protected until it is too late.

So you should make your choice and based on the many happy avast users (formerly AVG users), I would suggest you get rid of AVG and here is where it gets interesting, it has a habit of leaving stuff behind, on occasion it is harder to get rid of AVG than a virus.

There are other tools that can be run with avast to further enhance your protection, Ewido Security Suite If using winXP. or a-Squared free if using win98/ME.

[DaveD]

Am I wrong? Is it that risky to the system to run two AVs? What should I do? Uninstall one?

So you should make your choice and based on the many happy avast users (formerly NAV users), I would suggest you get rid of NAV and here is where it gets interesting, it has a habit of leaving stuff behind, on occasion it is harder to get rid of NAV than a virus.

I believe it is AVG Free that Toaster has, not NAV.
Either way, I also say stick with avast!.

[DavidR]

Thanks Dave, original edited, c-nile virus strikes again