Odd files that Avast seems to see that don't seem visible to the OS

[sgolux]

Hello.

I am experiencing some odd behavior.  Avast seems to be scanning some "phantom" files on my system, files that are not visible to me through windows explorer or even with the DIR command of the command prompt.


These phantom files all seem to be in phantom directories that have the verbiage "PartNo_0#xxxxxxxxxx" in them.

One of these files is caught by the Avast scanner and listed in the "Results of Last Scan" dialog after a scan.  The result is "Unable to scan:  This file is a decompression bomb".

The file is

        c:\users\sgolux\realestate\PartNo_0#3063058665\PartNo_0#1214222702\on the 7th.#169843410



Now, I do have a directory c:\users\sgolux\realestate, and that directory has a number of files in it, there are no subdirectories or files below it that have this kind of weird naming convention.  And as I said, I can't find this file in windows explorer, or with the command line prompt.... it seems to be completely invisible except to Avast.

If I try to "Move" it from the Results dialog, I get an error that says it doesn't exist, but if I scan again, it shows up again.

And if I watch the progress of the scans, it does show a number of files that are named similarly to this file being scanned (but they don't generate errors).

Any clue as to what might be going on here?

Many thanks.

[Will91]

Could they be hidden files?  Under Windows Explorer, when you click Tools/Folder Options/View do you have "show hidden files" checked?

[sgolux]

Thanks, already checked.  They are NOT hidden files.  All hidden and system files are visible to me.  Also, can't find then with "Search" even when "look for hidden and system files" is checked.

[alanrf]

These files are the names assigned during the unpacking of large files by avast during the scanning process.  They are temporary files that exist only during the unpacking process and are deleted once the scanning process is completed. 

[sgolux]

Thanks -- but why would AVAST then say that there is a problem in one of these files?  Do I need to be concerned that there is an underlying problem in the file that AVAST is unpacking?  And shouldn't these files really go into a temp directory rather than in my own documents directory?

I guess the third question is just speculative, but the first two are substantive... this error message makes me a bit nervous.  Perhaps because I don't know what a "decompression bomb" is, but it sure doesn't sound good...

Thanks again for any additional insight.

    -s

[alanrf]

avast would say that there is a problem in one of these files because it found suspicious information in it.  So it would suggest that the file avast is unpacking is infected.  As to the location of the unpacked files - well all mine seem to stay in the directory of the parent file.  Why would the placement bother you? (I can make up my own answers - but I would like to hear yours).

If it was a decompression bomb you would get a different avast warning. 

I find that the only files that seem to be treated by avast in this way (probably because they are my largest files) are all files belonging to email systems (Outlook and Thunderbird in my case).    Again, to be honest, I have found that avast's handling of any errors in this circumstance are, to my view, not entirely satisfactory. 

Are you comfortable letting us know what kind of files these are in your case? 

[sgolux]

This directory has several very large files in it.  How can I determine which one is infected?  It seems odd that Avast tells me that its own temp file is infected -- or more precisely, a "decompression bomb" -- but doesn't tell me which of my files is the one that that was being unpacked that led to this problem.  So I don't know how to find the problem.

The large files in that directory are large PDF files, and some autoCAD files.

In answer to the question of putting temp files in my directory... I guess it is a question of good programming practice.  This comes from my own prejudices and bias as a software engineer.  My feeling is:

- you should never call a user's attention to a temp file  you create -- and certainly not if it has a virus or some other problem in it.

- placing a temp file in a user's directory is tricky and usually a bad idea.  There is always a remote possibility of overwriting a file the user placed there.  As a matter of good housecleaning, using a directory designed for temporary files is better practice.

But thanks for the insights.  This does seem like odd handling though.

[alanrf]

I would suspect that the "on the 7th" part of the filename is most unlikely to be an avast imaginative creation.

I too am a (very old) software engineer, manager, senior manager etc ... and avast and I have not always seen eye to eye on their views of the placement of temporary files.  However, they are professionals too and I cannot imagine that they have not taken care of the overwriting issue and I have to doubt that the naming is likely to be an issue in this case.

If they have determined a problem then you should find it is reported in the log at the end of your scan ... if this is an on demand scan of your system.  Is that not the case?     

[Vlk]

The PartNo_xxx notion is used by the MIME unpacker (used to "unpack" MIME-encoded files and emails).
Is "c:\users\sgolux\realestate" file or directory? If the former, what does it contain? Is it a text file?

Thanks
Vlk

[igor]

Please, go to program settings and enable the creation of the report file; let everything, even "OK files", be included there.
Then, scan the c:\users\sgolux folder and post the result here (or sent it to me by IM, whatever you prefer).
Thanks.

[sgolux]

In answer Vlk:  c:\users\sgolux\realestate is a directory.  That directory has many files in it, and many are large.  There are some text files in that directory that are backup copies of Thunderbird email files that could easily have MIME-encoded files in them.  Perhaps I am learning that it is one of those files which is the problem?  But from the naming convention of the temp file, I am unable to learn which of those files is the case.

In answer to igor:  To do what you suggested, I right clicked on the AVAST icon in my status bar which gave me a context menu.  In that menu, I selected "Program Settings..." and then "Logging" in the list box on the left side of the window.  Then I moved the slider with "Logging Level" all the way to the bottom, to the setting marked "Debug".  Then I did the scan you requested.  At the end of the scan, there was a beep and a "Results of Scan" window popped up.  This has the following verbiage in it:

Name of File:  c:\users\sgolux\realestate\PartNo_0#3063058665\PartNo_0#1214222702\on the 7th.#169843410

Result:  Unable to scan.  The file is a decompression bomb.

Then I went to the Log Viewer, by right clicking on the Avast icon, and in the context menu selecting "avast! Log Viewer".  I looked at the log entries in every category, Emergency, Alert, Critical, Error, Warning, Notice, and Info.  There were no entries in Emergency, Alert, or Critical.  In Error, there were some entries, but the time/date stamps are at least one day old, and I can find nothing which relates to this issue.  Most of the entries are about "GetQueuedCompletionStatusFailed, which I have learned in other threads of this forum is something that should not cause concern (even though it ends up in the Error log!)

The Warning Log also has no new entries from this last scan (a day old at least) and they are all about something I have also investigated elsewhere on this forum and told not to worry about, a protection violation on attempts to scan a file that is on another computer on my network.

The Notice Log just has entries of last updates to the Virus encyclopedia.

It appears that the only entries generated by this last scan were generated in the Info Log.  I exported that log, and have included the entries here.  I am in the U.S. Eastern Time Zone.:

4/13/2007 7:35:56 AM   Sgolux   2144   aswSplash - program run information: CaswAvastDlg::OnInitDialog() - timer is active. 
4/13/2007 7:35:56 AM   Sgolux   2144   aswSplash - program run information: CaswAvastDlg::OnTimer() - Test memory started.. 
4/13/2007 7:36:11 AM   Sgolux
4/13/2007 7:36:12 AM   Sgolux   2144   aswSplash - program run information: CaswAvastDlg::OnCancel(). 
4/13/2007 7:36:12 AM   Sgolux   2144   aswSplash - program run information: CaswAvastDlg::RunMainApplication(). 
4/13/2007 7:36:12 AM   Sgolux   1124   ASWSIMPLE program run information: Initialization of libraries is correct. 
4/13/2007 7:36:13 AM   Sgolux   1124   ASWSIMPLE program run information: CaswSimpleStandardDlg::SetResidentLevel() is called. 
4/13/2007 7:36:13 AM   Sgolux   1124   ASWSIMPLE program run information: CaswSimpleStandardDlg::SetResidentLevel() !ResidentSettingsDlg. 
4/13/2007 7:36:13 AM   Sgolux   1124   ASWSIMPLE program run information: Standard. 

[igor]

In answer to igor:  To do what you suggested, I right clicked on the AVAST icon in my status bar which gave me a context menu.  In that menu, I selected "Program Settings..." and then "Logging" in the list box on the left side of the window.  Then I moved the slider with "Logging Level" all the way to the bottom, to the setting marked "Debug".  Then I did the scan you requested.  At the end of the scan, there was a beep and a "Results of Scan" window popped up.

I'm afraid that's not what I meant...
Not the "Logging" page, but rather "Report file". It will create a text file with all files that have been scanned...
Thanks.

[sgolux]

*
* avast! Report
* This file is generated automatically
*
* Task 'Simple user interface' used
* Started on Saturday, April 14, 2007 8:21:33 PM
* VPS: 000733-2, 04/14/2007
*

C:\Users\sgolux\realestate\Brel\PartNo_0#2201854813 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Brel\contract.doc#1353778413\WordDocument [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Brel\contract.doc#1353778413\_1_CompObj [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Brel\contract.doc#1353778413\1Table [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Brel\contract.doc#1353778413\Data [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Brel\contract.doc#1353778413\_5_DocumentSummaryInformation [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Brel\contract.doc#1353778413\_5_SummaryInformation [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Brel\contract.doc#1353778413

• is OK

C:\Users\sgolux\realestate\Brel [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Complete History\PartNo_0#3063058665\PartNo_0#1214222702\on the 7th.#169843410 [E] The file is a decompression bomb. (42110)
C:\Users\sgolux\realestate\Complete History\PartNo_0#3063058665\PartNo_0#1214222702 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Complete History\PartNo_0#3063058665 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Complete History\Mozy.RDADS:$DATA [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Complete History [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Copenhagen\PartNo_0#966425580 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Copenhagen\Mozy.RDADS:$DATA [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Copenhagen [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Funding\PartNo_0#1009169858 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Funding\PartNo_1#100984300 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Funding [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Old Stuff

• is OK

C:\Users\sgolux\realestate\True West\PartNo_0#3143296240\PartNo_0#1200873431 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\True West\PartNo_0#3143296240 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\True West [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Virginia Wolf\PartNo_0#4234298933 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\Virginia Wolf [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\VYP\PartNo_0#3486526080 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\VYP\PartNo_1#3090691051 [E] File was skipped because of scanner settings. (42016)
C:\Users\sgolux\realestate\VYP [E] File was skipped because of scanner settings. (42016)
Infected files: 0
Total files: 29
Total folders: 2
Total size: 210.4 MB

*
* Task stopped: Saturday, April 14, 2007 8:21:37 PM
* Run-time was 4 second(s)
*

[Lisandro]

Sgolux, somewhere in forum is was reported that these are not 'files' but 'links' created by Vista.
There were something about don't care about them. Sorry I don't use Vista right now.

[sgolux]

Thanks for the suggestion.  I don't care so much about the weird files, although earlier in this thread, it seems to suggest that these files are created by AVAST to deal with encoding.  But I can live with ignoring the file.  It is dealing with ignoring the "decompression bomb" that is a bit harder to swallow.  This can't have anything to do with Vista, or am I missing something?