Author Topic: Avast removed propsys.dll  (Read 3566 times)

REDACTED

  • Guest
Avast removed propsys.dll
« on: September 08, 2018, 11:13:54 PM »
Hello to the Avast experts on this forum!

My PC is set up with dual boot, to Windows 7 and also to Windows XP (which I keep around for playing old games, so please don't yell at me for XP  :) ).

I purchased Avast for both sides in 2016. When I run Avast, it scans both sides (though it lacks access to the Users and Program data on the 'other' side).  The current version on the XP side is 18.6.2349 (build 18.6.3983.0), definitions version 180908-6. 

When I ran Avast last night from the XP side, it reported that it had removed propsys.dll from two folders on the Windows 7 side (the H drive on my PC):

* Scan name: Full Virus Scan
* Started on: Friday, September 07, 2018 8:04:02 PM
* VPS: 180907-0, 09/07/2018
*
H:\Windows\System32\propsys.dll [L] Win64:Malware-gen (0)
File was successfully moved to chest...
H:\Windows\winsxs\amd64_microsoft-windows-propsys_31bf3856ad364e35_7.0.7601.17514_none_89c51b2d31299255\propsys.dll [L] Win64:Malware-gen (0)
File was successfully moved to chest...

Based on my limited internet research today, I am very concerned that I will be unable to boot to Windows 7, or worse, that I might even cause damage in the attempt, so I have not done so. I have not found any reference to this specific issue on the internet or in this forum, so I am posting it here.

My previous scan was on August 28, so something seems to have happened in the past 10 days ... either that those files became infected somehow, or I suppose there's a possibility of a false positive resulting from a recent definition update. So here are my questions for you good folks out there:

-   Have you seen this propsys.dll issue before?
-   Could this be a false positive?
-   Should I use the "Send for analysis" function, or is there anything else I should do first?
-   If propsys.dll really was infected somehow, can I simply paste a copy of propsys.dll from the H:\Windows\SysWOW64 folder (which thankfully was NOT removed) into those two folders?

Thank you in advance for your time and your support!    - Bill -
« Last Edit: September 08, 2018, 11:17:14 PM by Bill777 »
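
Added example, not part of the original thread and not Avast tooling: a triage script that parses scan-report lines like the ones quoted in the post above and lists quarantined files that sit in Windows system locations, so they can be checked for a false positive before that OS is booted. The report line shape is inferred from the two quoted lines, and the function names are hypothetical; a matching directory name only prioritises the check and says nothing about the file's content.

```python
import re

# Constructed sample: the two detections quoted in the first post.
REPORT = r"""H:\Windows\System32\propsys.dll [L] Win64:Malware-gen (0)
File was successfully moved to chest...
H:\Windows\winsxs\amd64_microsoft-windows-propsys_31bf3856ad364e35_7.0.7601.17514_none_89c51b2d31299255\propsys.dll [L] Win64:Malware-gen (0)
File was successfully moved to chest...
"""

# Assumed line shape, inferred from the two lines above: <path> [L] <detection> (<n>)
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \[\w\] (?P<name>\S+) \(\d+\)$")
# WinSxS component directory: arch_name_publicKeyToken_version_culture_hash
COMPONENT = re.compile(
    r"^(?P<arch>[^_]+)_(?P<name>.+)_(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){3})_(?P<culture>[^_]+)_(?P<hash>[0-9a-f]{16})$")
MS_TOKEN = "31bf3856ad364e35"  # publicKeyToken carried by Windows component names


def parse_report(text):
    """Return one dict per detection, paired with the action line that follows it."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = DETECTION.match(line.strip())
        if not m:
            continue
        parts = m["path"].lower().split("\\")
        item = {"path": m["path"], "detection": m["name"],
                "action": lines[i + 1].strip() if i + 1 < len(lines) else "",
                "component": None,
                "os_file": parts[1:3] == ["windows", "system32"]}
        if parts[1:3] == ["windows", "winsxs"] and len(parts) > 4:
            c = COMPONENT.match(parts[3])
            if c:
                item["component"] = c.groupdict()
                item["os_file"] = c["token"] == MS_TOKEN
        findings.append(item)
    return findings


def needs_verification(findings):
    """Quarantined OS files: confirm or rule out a false positive before booting that OS."""
    return [f["path"] for f in findings
            if f["os_file"] and "moved to chest" in f["action"]]


if __name__ == "__main__":
    for path in needs_verification(parse_report(REPORT)):
        print("verify before reboot:", path)
```
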

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Avast removed propsys.dll
« Reply #1 on: September 09, 2018, 09:03:50 AM »
Test the file at VT (https://www.virustotal.com) and post the link to the result here.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

REDACTED

  • Guest
Re: Avast removed propsys.dll
« Reply #2 on: September 11, 2018, 01:24:01 AM »
Hi Asyn,

I restored the file from the Virus Chest, uploaded to VirusTotal, and here is the link to the result:

https://www.virustotal.com/#/file/be43ec62548e9ff89a9495a1722e22dbb76eec3764f86e64057b636f27d15765/detection

It seems to look good, so maybe this was a false positive after all. Please share your thoughts. Thanks!  - Bill -

Offline Asyn

Re: Avast removed propsys.dll
« Reply #3 on: September 11, 2018, 05:13:58 AM »
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Avast removed propsys.dll
« Reply #4 on: September 11, 2018, 09:12:09 AM »
Hello,
it should be fixed now.

Milos

REDACTED

  • Guest
Re: Avast removed propsys.dll
« Reply #5 on: September 12, 2018, 09:01:09 PM »
Hi Milos,

I will restore the 2 files from the Virus Chest to their original locations, and will let you know if it happens again.

Thanks very much!  - Bill -

EDIT: 

Seems I spoke too soon! Avast successfully restored the file to the H:\Windows\System32 folder. 

However, it returned a message "Whoops, error occurred. This file can't be restored" when it attempted to restore to
H:\Windows\winsxs\amd64_microsoft-windows-propsys_31bf3856ad364e35_7.0.7601.17514_none_89c51b2d31299255

AvastSvc.exe is running as SYSTEM according to Task Manager, so I hope this isn't some kind of security issue?

What might trigger that "Whoops" error message?

Please advise, and thanks!  - Bill -
« Last Edit: September 12, 2018, 09:15:10 PM by Bill777 »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Avast removed propsys.dll
« Reply #6 on: September 12, 2018, 09:23:44 PM »
Did you ensure that you had the latest virus signatures before restoring from the virus chest (that would be how this issue would have been corrected)?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

REDACTED

  • Guest
Re: Avast removed propsys.dll
« Reply #7 on: September 13, 2018, 12:02:52 AM »
Hi DavidR,

Avast updates the definitions when I connect to the internet, so the latest version (after note from Milos) should have been in place.

Current Version: 180912-6
Release Date: 9/12/2018 11:17:02 AM

(I'm in the USA Eastern GMT -5, and it looks like this forum is hosted in GMT +1, so the time may not look right for you.)

I just tried again and got the same "Whoops" message when trying to restore to
H:\Windows\winsxs\amd64_microsoft-windows-propsys_31bf3856ad364e35_7.0.7601.17514_none_89c51b2d31299255

Would the virus signatures affect whether or not Avast could restore the file?

Would Avast somehow be lacking Write privilege to a folder it can Delete from?
« Last Edit: September 13, 2018, 12:23:29 AM by Bill777 »

Online DavidR

Re: Avast removed propsys.dll
« Reply #8 on: September 13, 2018, 01:14:44 AM »
Personally I would have done a manual virus definitions update to be 100% sure you have the latest version.

That said, I have the same virus definitions update; the difference in time zones is about right for me in the UK.  That said 2, Milos's post was on 11 September 2018, 08:12:09 (probably Central European Time), so it should have filtered through by now.

It could well affect restoring a file, as when it hits the new/original location it is probably going to be scanned by the Avast on-access scan. If you don't have the corrected virus definition then it could well block it.

You could try pausing the shields before trying it again.

REDACTED

  • Guest
Re: Avast removed propsys.dll
« Reply #9 on: September 19, 2018, 12:29:08 AM »
Hi DavidR,

I disabled the Avast shields (while offline) and tried the Restore again, but unfortunately, got the error message again. 

Some online research about the Windows/winsxs folder indicated that it holds all the components of the Windows 7 operating system, and also implied that it is (intentionally) difficult for the ordinary user (like me) to gain access to it.

So I must ask again: Would Avast be lacking Write privilege to Windows\winsxs even though it can Delete from that folder ?

Approaching it another way: Can I somehow give Avast the Write privilege needed to Restore that file to Windows\winsxs ?

Thanks!   ~ Bill ~

Online DavidR

Re: Avast removed propsys.dll
« Reply #10 on: September 19, 2018, 12:41:26 AM »
As an Avast User, I don't know if avast would lack write privilege to Windows\winsxs. 

Though I wouldn't have thought so, as Avast would be operating at a low level and not a user level.  I would have thought it would be more difficult (permissions-wise) to delete files from the Windows\winsxs folder.

I guess we will need to get an answer from an Avast Team member.

REDACTED

  • Guest
Re: Avast removed propsys.dll
« Reply #11 on: September 22, 2018, 03:35:26 PM »
Hi DavidR,

Thanks again for all your help! How do we obtain the advice of an Avast Team member?

i.e. Do you flag this post for their attention, or do I open a ticket with technical support, etc?

(Sorry to be such a newbie here, and not familiar with the procedures.  :)  )    ~ Bill ~

Offline Asyn

Re: Avast removed propsys.dll
« Reply #12 on: September 22, 2018, 04:39:53 PM »
> How do we obtain the advice of an Avast Team member?

Contact support: https://support.avast.com/contact

Online DavidR

Re: Avast removed propsys.dll
« Reply #13 on: September 22, 2018, 05:30:25 PM »
> Hi DavidR,
> Thanks again for all your help! How do we obtain the advice of an Avast Team member?
>
> i.e. Do you flag this post for their attention, or do I open a ticket with technical support, etc?
>
> (Sorry to be such a newbie here, and not familiar with the procedures.  :)  )    ~ Bill ~

Since one of the Avast Team, Milos (Virus Labs), was involved in this topic, he should get notifications of new replies in the topic.  Short of that happening, use the support ticket link given by Asyn above my post.


REDACTED

  • Guest
Re: Avast removed propsys.dll
« Reply #14 on: October 01, 2018, 12:46:39 AM »
I have opened request number 07257217. Thanks again !   ~ Bill ~