avast! detected unauthorized modification

[Dirigo]

Howdie!

This morning when I powered up my system I received the following avast: warning:

"avast! detected unauthorized modification of this file:

D:\Program Files\ALWIL Software\AVAST$\ASHMAISV.EXE

Continuing can be dangerous.  Run Anyway?

Y/N"

Now I have all the so-called proper software, i.e., trojan scanners, virus-protection, etc. to help detect from the varmints, but evidently one may have slipped through as it appears avast! itself has detected something that may have been caused by one of those unwanted varmints.

OK, I selected the "No" option ... obviously I have been wringing out myself trying to locate any such problem, but in the meantime, what is the best way to go about replacing the indicated corrupted ASHMAISV.exe?  Should I simply uninstall avast! or is there a way to simply replace it (maybe that can't even be done)?

Thanks in advance.

[igor]

You can go to Control Panel / Add/Remove Software, select avast! Antivirus, "Change" and select "Repair".

Anyway, it's strange... the file should not get modified. If you run avast! on it, do you get any warning? (You may also try some other online virus scanners...)

[techie101]

Dirigo,

An "unauthorized change" can also be the result of a file corruption.
All Avast is trying to tell you is that Avast did not make the change as part of its' normal functioning.

Review the Avast Log Viewer under WARNING section to determine if there is more detail that can help us.

A "Repair" might do the trick, but since we do not know what caused the change, and how extensive it is, you might need to do a clean install. ( I am not afavorite of uninstalls unless I know why I am doing it in the first place but sometimes it is easier and in the long run....better)

Once installed, reset the defaults of the On Access Protection Modules/Standard and Internet to High.
Run a full Avast AV scan of all drives with the settings to Thorough and include Archives.  See if you can get a full scan completed.  If not, then slower readjust the sensitivity of the scanner until it completes but let me know if you go below the NORMAL setting.  This would mean we might miss something vital.

Ok.  After running Avast full scan, I would do a second scan using one of the more reliable online scanners.  I use Kaspersky and Symantec.  TrendMicro also has been used by Forum users with great reliablility.

If the warning occurs again, we will need to do an indepth evaluation to determine where the culprit lies.

PS: If you were thinking "Well, maybe a false positive?"....
Not likely.  I have not seen this warning before.  Since it is directly related to the Avast ashmaisv file, then I tend to believe it is only an "inadvertant" file corruption that we need to fix.

If the REPAIR utility works, then this would be more support for that theory.

Good luck
techie

[Dirigo]

Howdie igor and tech101,

Thanks for your responses.

I did as you both suggested.  I ran Repair and it seemed to do the trick, thus, perhaps confirming tech101's (and igor's) suspicion of a corrupted file.  In addition, I did the full scan using, at that time yesterday, the latest and greatest virus database.  Nothing was found.  I then commensed to do additional scans using both Symantec's and MicroTrend's free scan capabilities.  Again, both scans came up clean.  On boot-up this morning, no problems ... except the occassional trying to connect to avast! servers for updating the virus database.  After polling two of the servers, it connected and updated to 401-16 virus database.

I also did check the logs at the time of the Warning notice and I found nothing recorded there in regards to the actual Warning notice.  I thought this a bit strange in the sense I would think such a notice would at least get logged for later reference.  Perhaps, it did, after the fact as I have not gone back to double check.

But what I can say IMHO, you folks have done a nice job of developing this product.  I liked some of the logs I perused.  Some good detail that could help you resolve problems in the future.

techie101 and/or igor - would you please re-read my post regarding "steps for manual updating" if no internet connection.  I tried to explain it in a different light ... Scenario:  Given the situation for whatever reason, the avast! client software cannot connect to the various avast! servers to update the virus database, but where I have internet connection and access to the avast! web site.  I found the web page where one can download the vpsupd.exe (or vpsupd40.exe) database file to be used to manually update the virus database.  The question I have is "If I download the appropriate virus database file, where do I need to download it to, i.e., which avast! folder or temp folder and how do I initiate the update process on my computer manually?"

Also, I have a question or two re: C:\Windows\Temp and how avast! actually uses it.  My interest in this is I would like to move that avast! activity to my D: hard disk drive (HDD) by creating say, D:\Temp or D:Windows\Temp, and change the appropriate lines of code within the autoexec.bat file.  But I don't want to do that until I understand the interaction of avast! and Windows portion.

Thanks again to both of you.  Have a great day and I'm sure I'll be back with more questions in time.

[igor]

The vpsupd.exe file is just an executable; start it from wherever you want - it will detect where avast! is installed and extract the virus database into the appropriate folder.

I believe that the TEMP folder is determined by the system TMP/TEMP environment variable. So, try to put the following line into autoexec.bat (you are using Win9x, right?), it may help:
SET TEMP=D:\Temp