Author Topic: Boot scan deleted several false positive files  (Read 5454 times)


Offline Acco

  • Jr. Member
  • **
  • Posts: 28
  • Where's my flask?!
Boot scan deleted several false positive files
« on: November 29, 2008, 04:31:08 PM »
I updated my Avast Home to 4.8.1296 (VPS 081128-0) on my XP-Home SP3 laptop and ran a scheduled boot scan. Not sure if this affects boot scans, but I had the Avast GUI control panel set to "Thorough" scan, with "Scan Archives" checked. Also, I noticed that whenever the Avast Control Panel opens, it shows the Resident Scanner setting to be "Custom" (??), rather than Normal or High. (I presume this is normal, considering the varied settings in the On-Access modules' settings, correct??)

Now to the main point: while in the boot scan, Avast detected several older files as infected with Win32:Trojan-gen {Other}, for which I selected "Move to chest" on each occurrence. Then the scan resumed and Avast listed several files as "Installer archive is corrupted", and then detected a few other files with Win32:Trojan-gen {Other}, which Avast, without user input, "Moved" (not to chest, though??).
Avast then began showing it was detecting many more files (mostly in an older downloaded anti-Trojan program, TDS-3, in my downloads folder, not installed), as well as several other various files, all scanned many times previously with Avast and found "clean". The big problem is, Avast began repeatedly listing Error 0xC0000034 {Object Name not found.} and began automatically deleting each file without my choice or input. Before the boot scan, I had the boot scan advanced settings set to "Ask for action", and at no time during the scan did I ever input "Delete", "Delete All", "Move All to chest", etc.

I believe all of these deleted files were false positives, and in ANY case, Avast should not have begun deleting them without my input. Upon noticing this ongoing self-deletion process, I hit the Escape key to abort the scan and prevent further deletions. I have attached the boot scan log for help in figuring out what went wrong.
Your troubleshooting will be appreciated!

~Acco~
« Last Edit: December 02, 2008, 12:21:57 AM by Acco »
Whadayamean it's broke,,,   let me make sure!

XP-Pro SP3 - P4 3.2 Ghz - 2 GB ram - Avast Free Home 2015.10.2.2218 - Firefox 38.0.1 - Thunderbird 31.6.0 - Imap Gmail - SpywareBlaster 5 - SuperAntiSpyware - Malwarebytes Anti-Malware Premium

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Boot scan deleted several false positive files
« Reply #1 on: November 29, 2008, 07:43:35 PM »
Sorry, but avast! doesn't remove anything by itself, unless you tell it to do so.
So, either you configured an automated action in the boot-time scanner scheduler (which you didn't, because there are different actions logged in the report), or you selected "Delete all" instead of "Delete" during the scan (quite likely, I'd say, possibly by mistake).

Regarding the "Object name not found" error... it's a bit confusing, but unrelated. The viruses (whether they were real or false alarms) were found in an archive (multiple files in one archive), but the whole archive was removed during the processing of the first detection, and the subsequent removals (of the other detected files from the same archive) returned this error because the archive was already gone.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Boot scan deleted several false positive files
« Reply #2 on: November 29, 2008, 09:07:54 PM »
Delete (and even less so Delete all) is not the best option.
At least, send files to Chest and allow further analysis and even restoration (in case of false positives).
The best things in life are free.

Offline Acco

  • Jr. Member
  • **
  • Posts: 28
  • Where's my flask?!
Re: Boot scan deleted several false positive files
« Reply #3 on: November 29, 2008, 10:06:49 PM »
Quote
Sorry, but avast! doesn't remove anything by itself, unless you tell it to do so.
I'm definitely going to have to disagree in this instance, igor. Referring back to the log (attached in my first post), I monitored the boot scan and sent the first 2 files to the chest (clicking option #5 in the boot scan, which is "Move to chest"), and not "Move all to chest", nor "Delete", nor "Delete all".
These 2 files that I successfully sent to the chest were the 2 MSGBOX.exe files (in different folders, as shown in the log); then I walked away to the other side of the room, but still within sight of my monitor.

While I was across the room, it was scanning through the "Installer archive is corrupted" files for the Jasc PSP\psp901enp.exe files, which it has always listed in previous scans; however, when it got to the point shown in the following lines from my log:

File C:\Documents and Settings\Hank Jr\My Documents\DwnLoads-LT\JiWire Hotspot Helper Trial\JiWireInstaller.exe\$INSTDIR\JiWireIE.exe\$INSTDIR\JiWireIE.dll is infected by Win32:Adware-gen [Adw], Moved
File C:\Documents and Settings\Hank Jr\My Documents\DwnLoads-LT\JiWire Hotspot Helper Trial\JiWireInstaller.exe is infected by Win32:Adware-gen [Adw], Move: Error 0xC0000034 {Object Name not found.}, Deleted
File C:\Documents and Settings\Hank Jr\My Documents\DwnLoads-LT\TDS-3 Trojan Detection\tds3setup.exe\{app}\tds3smtp.exe is infected by Win32:Trojan-gen {Other}, Deleted


...it shows a "Moved" (???) execution (I was still across the room, but in sight of my desktop), and then it follows with "Deleted" executions on its own, without my input, as I was still about 4 to 5 meters away. I then noticed the different pattern of text on my monitor from all the "Object Name not found" errors (which I agree 100% is a separate non-issue, due to the previous file's deletion).

The exact problem seemed to occur at the JiWireInstaller.exe file's "Move: Error 0xC0000034 {Object Name not found.}, Deleted" instance (as shown above, copied/pasted from my log). I had not touched the computer since sending the first two MSGBOX.exe files to the chest. I am VERY careful to never use the "xxxx ALL" action and always handle each file's action individually.

Why would the action go from "Move to chest" (with my user input, all ok), to "Moved" for the next detection occurrence while I was 5 meters away, and then to "Deleted" for the subsequent files, also occurring definitely before I got within arms reach of the keyboard?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Boot scan deleted several false positive files
« Reply #4 on: November 29, 2008, 10:26:53 PM »
From what I can see in the log, somebody pressed Delete all on this line:
File C:\Documents and Settings\Hank Jr\My Documents\DwnLoads-LT\JiWire Hotspot Helper Trial\JiWireInstaller.exe is infected by Win32:Adware-gen [Adw]
- that explains all the rest.

Anyway, you can post this file: <avast4>\DATA\log\aswBoot.log
It contains more detailed information about the scan (e.g. the keypresses read from the keyboard).
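
To make the report lines quoted above machine-checkable, here is an added example (my own code written for this thread, not avast's): it parses avast 4 boot-scan report lines of the form Acco pasted, works out which on-disk archive each nested detection lives in, finds the point where the final action stops matching the operator's per-file choice, and ties each 0xC0000034 failure (NTSTATUS STATUS_OBJECT_NAME_NOT_FOUND, matching the "{Object Name not found.}" text) to the earlier detection that already removed the same container, which is igor's explanation of those errors. The sample report is constructed: the JiWire and TDS-3 lines are the three quoted in the thread, while the two MSGBOX.exe lines, their folder paths, the exact "Moved to chest" wording and the format of the "Installer archive is corrupted" line are assumptions. The parser handles any number of lines, not just these five.

```python
"""Parse avast 4 boot-scan report lines and explain the action sequence.

Added example for this thread, not avast code. The report format is taken
from the three lines quoted in the thread; the MSGBOX.exe lines and the
"Installer archive is corrupted" line below are constructed (their paths,
the exact "Moved to chest" wording and that line's format are assumptions).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample report. The JiWire and TDS-3 lines are the quoted ones.
SAMPLE_REPORT = r"""
File C:\Documents and Settings\Hank Jr\My Documents\DwnLoads-LT\Tools\MSGBOX.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\Documents and Settings\Hank Jr\My Documents\DwnLoads-LT\Tools\Old\MSGBOX.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\Documents and Settings\Hank Jr\My Documents\DwnLoads-LT\Jasc PSP\psp901enp.exe: Installer archive is corrupted
File C:\Documents and Settings\Hank Jr\My Documents\DwnLoads-LT\JiWire Hotspot Helper Trial\JiWireInstaller.exe\$INSTDIR\JiWireIE.exe\$INSTDIR\JiWireIE.dll is infected by Win32:Adware-gen [Adw], Moved
File C:\Documents and Settings\Hank Jr\My Documents\DwnLoads-LT\JiWire Hotspot Helper Trial\JiWireInstaller.exe is infected by Win32:Adware-gen [Adw], Move: Error 0xC0000034 {Object Name not found.}, Deleted
File C:\Documents and Settings\Hank Jr\My Documents\DwnLoads-LT\TDS-3 Trojan Detection\tds3setup.exe\{app}\tds3smtp.exe is infected by Win32:Trojan-gen {Other}, Deleted
"""

ARCHIVE_EXT = re.compile(r"\.(exe|msi|zip|cab|rar|7z)$", re.IGNORECASE)
LINE_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<sig>.+?), (?P<rest>.+)$")
ERROR_RE = re.compile(r"Error (?P<code>0x[0-9A-Fa-f]{8}) \{(?P<msg>[^}]*)\}")
REMOVING = {"Moved", "Moved to chest", "Deleted"}  # final actions that take the file away
NOT_FOUND = "0xC0000034"                           # NTSTATUS STATUS_OBJECT_NAME_NOT_FOUND


@dataclass
class Detection:
    path: str                 # as logged; members inside an archive are joined with '\' too
    signature: str
    actions: List[str]        # e.g. ["Move: Error 0xC0000034 {...}", "Deleted"]
    error: Optional[str]      # error code of a failed action, if any

    @property
    def container(self) -> str:
        """On-disk file holding this object: the path up to the first
        archive-like component that is followed by more components.
        Assumption: folder names do not end in an archive extension."""
        parts = self.path.split("\\")
        for i, part in enumerate(parts[:-1]):
            if ARCHIVE_EXT.search(part):
                return "\\".join(parts[: i + 1])
        return self.path

    @property
    def final_action(self) -> str:
        return self.actions[-1]

    @property
    def removed(self) -> bool:
        return self.final_action in REMOVING


def parse_report(text: str) -> List[Detection]:
    """Keep only 'is infected by' lines; status lines such as
    'Installer archive is corrupted' are not detections and are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        err = ERROR_RE.search(rest)
        # The error text "{Object Name not found.}" contains no ", ", so a plain
        # split on ", " separates the attempted action from the fallback action.
        found.append(Detection(m.group("path"), m.group("sig"), rest.split(", "),
                               err.group("code") if err else None))
    return found


def find_action_switch(dets: List[Detection]) -> Optional[Tuple[int, Detection]]:
    """First detection whose final action differs from the previous one: the
    point where the per-file result stopped being what the operator picked."""
    for i in range(1, len(dets)):
        if dets[i].final_action != dets[i - 1].final_action:
            return i, dets[i]
    return None


def explain_not_found(dets: List[Detection]) -> Dict[str, Optional[Detection]]:
    """Map each 0xC0000034 failure to the earlier detection whose removal had
    already taken the same on-disk container away (None if unexplained)."""
    gone_by: Dict[str, Detection] = {}
    causes: Dict[str, Optional[Detection]] = {}
    for d in dets:
        if d.error == NOT_FOUND:
            causes[d.path] = gone_by.get(d.container)
        if d.removed and d.container not in gone_by:
            gone_by[d.container] = d
    return causes


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    switch = find_action_switch(dets)
    if switch:
        i, d = switch
        print(f"action changed at detection #{i + 1}: "
              f"{dets[i - 1].final_action!r} -> {d.final_action!r}")
        print(f"  {d.path}")
    for path, cause in explain_not_found(dets).items():
        why = f"container already removed by: {cause.path}" if cause else "no earlier removal found"
        print(f"{NOT_FOUND} on {path}\n  {why}")
```

On the sample, the action switch lands on the nested JiWireIE.dll detection ("Moved to chest" to "Moved"), and the 0xC0000034 on JiWireInstaller.exe is attributed to that same nested detection, because moving a member of an installer archive takes the whole archive file with it. The container heuristic is deliberately simple: a folder whose name ends in ".exe" or ".zip" would be mis-read as an archive, so treat the mapping as a hint to check against the fuller aswBoot.log rather than as proof.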

Offline Acco

  • Jr. Member
  • **
  • Posts: 28
  • Where's my flask?!
Re: Boot scan deleted several false positive files
« Reply #5 on: November 29, 2008, 11:12:57 PM »
OK,,
My aswBoot.log is in the attachment below.  (I forgot about this boot log, and had only sent the boot report from Avast's Program report folder, sorry).
Hope this can clear it up.

~Acco
« Last Edit: December 01, 2008, 04:03:56 PM by Acco »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Boot scan deleted several false positive files
« Reply #6 on: December 01, 2008, 02:11:33 PM »
I'm not sure if the log really clears things up...
The log is rather huge (compared to the usual logs) - and most of it consists of logged keypresses. The "Space" key seems to have been pressed (continuously without letting go, i.e. not pressed repeatedly) during the "first half of the report".
Then, there are some other keypresses ("4", "2", "/" - pressed simultaneously in this order, let go in the opposite order), "8", "2" repeatedly, "8" repeatedly, "5", "2", "1", "3" held for quite a while, "7", "5", "9", "5"...

I'm not saying that there isn't something suspicious about the communication with the keyboard in this case, but I believe the keypress "2" (the one after "8") means "Delete all". When the subsequent delete operation failed, avast! may have shown other messages and asked for alternatives - but it probably remembered the "Delete all" choice and applied it where possible.

Offline Acco

  • Jr. Member
  • **
  • Posts: 28
  • Where's my flask?!
Re: Boot scan deleted several false positive files
« Reply #7 on: December 01, 2008, 05:15:44 PM »
Greatly appreciate your time & help igor, in this puzzling occurrence, as well as Tech's recommendation (which I already fully agreed with). thx ;)

Although not quite "tech savvy" enough to fully understand the contents of my aswBoot.log, it did seem VERY lengthy to me, considering my actual keypresses, or input of any kind, were minimal (fewer than 3 or 4 keypresses) in this short, aborted boot scan. I definitely never held down the space key at any point, or the other listed key combinations, for that matter.
This problem occurred on my laptop (I'm using my desktop now), which has had the keyboard replaced twice before, due to sticking and/or non-functioning keys. Your info surely makes me believe there is a problem with my keyboard, or with its communication with my system, and not with Avast.

Other than hitting key "5" for "Send To Chest" (twice, each individually), on the first 2 avast detections, I did hit the ↑ and ↓ arrow keys briefly (to try to see more of the scan data on my monitor), just before hitting the "Esc" key to abort the scan to avoid further file deletions. But I assure you, NO other keypresses took place.

Luckily, most of the file deletions were older, outdated programs (i.e. TDS-3 Trojan Detection, J-Wire, etc.), which were uninstalled from my systems or never installed. These files were simply in a "downloaded files folder". I really don't care that these particular ones were deleted, but my MAIN concern is that anything was deleted without my input or desire.

I plan to try to recover all these deleted files, with a recovery program, only to submit them to Avast, as I believe most, if not all, of these deletions were false positives. Since they were detected, I would like to have Avast take a closer look at them.

« Last Edit: December 01, 2008, 05:17:26 PM by Acco »