Author Topic: What happens to viruses in the chest after uninstall?  (Read 3984 times)

JohnM

  • Guest
What happens to viruses in the chest after uninstall?
« on: March 24, 2004, 06:17:53 AM »
I did a search for "uninstall" but didn't find any information on this topic.

I had a version of the Oplaserv worm in the virus chest, since Avast couldn't delete the file. One of the problems this worm caused (ZA kept it from accessing the internet) was eating up my swap file (WIN385.SWP) space until it crashed the computer.

I had to do an uninstall/reinstall on Avast and when I did, there was no trace of the worm, except now my swap file is filling up again, only at a slower pace.

I tried running a thorough scan of my system including archives and Avast did not find the worm. Is it still hiding in my system or is some new problem to blame?

I'm using Windows 98, and Avast 4.0

Thanks

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re:What happens to viruses in the chest after uninstall?
« Reply #1 on: March 24, 2004, 10:32:32 AM »
The swap file is a kind of "memory extension". During the runtime of the operating system, Windows writes there the data not needed at the moment (to free the physical memory for other data that are needed at the moment). When you shut down your computer, the swap file content is discarded (it's never used anymore, even though the file may stay as big as it was at the end).
If something fills your swap file - it may mean that there is a memory leak in one of your applications. You may try to run some task manager tool to find out if any of your running processes is eating an extraordinary amount of memory. However, I wouldn't blame a virus for it (especially if avast! didn't find it; and no, the viruses cannot "escape" from the Chest).

One more thing: Windows 9x has a strange (politely said!) default memory management behavior. To make the system usable, you should tune the settings in system.ini. In particular, you should limit the maximum size of the Windows cache ([vcache] section) and put the ConservativeSwapFileUsage=1 value into the [386Enh] section. I'm sure Google has a number of references for this.

JohnM

  • Guest
Re:What happens to viruses in the chest after uninstall?
« Reply #2 on: March 24, 2004, 04:15:17 PM »
Thanks, I've tried limiting the swap file memory but this doesn't help the problem.

My primary question still remains: The Oplaserv worm was in the Virus Chest, I had uninstalled and reinstalled the program, and the worm was "gone." Since Avast said it couldn't delete this particular worm, where did it go after the uninstall?

Thanks,
John

PS The swap file was stable up until the infection, and returned to stability once the worm was put in the chest. Since I haven't installed any new software since then, I'm guessing the worm may have gotten loose again.

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re:What happens to viruses in the chest after uninstall?
« Reply #3 on: March 24, 2004, 04:37:36 PM »
If avast! said it cannot delete the file, it stayed where it was. The uninstall process has nothing to do with it.

When a file is put into the Chest, it is deleted from the original location and stored in an encrypted form in the avast! folder. There is no way it could "get out" of the Chest - unless you extract it manually.

JohnM

  • Guest
Re:What happens to viruses in the chest after uninstall?
« Reply #4 on: March 26, 2004, 04:59:26 AM »
Thanks Igor.

Your post inspired me to find the file marked "chest" (ok, that was a little embarrassing that I didn't think of it myself). There was a file in there marked 000001, which was the right size to be the virus.

I deleted the file manually, figuring that the worst that would happen was that the original file would return and Avast could catch it.

The file never came back, but my swap file did return to its normal behavior. Apparently, the worm was somehow still active. I will pass this information on to support@avast so they can research it if they desire.