Avast get viruses, but don't stop them.... why??

[eluis]

Hi,

I have a 49 license pack for Avast Professional.
I bought it a few months ago but I'm getting disappointed.

It allready happened 3 times. Avast detects the virus but don't stop him from spreading to the disk and infect the computer.

Today happened again with a virus. Avast detect him but didn't stop him and the computer is now a mess.
Why did I payed a lot for this 49 licenses ?? Just to know that a virus entered on a computer?

[Lisandro]

Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)
Which is the virus name detected?

[eluis]

Ok, tomorrow I'll give all details.
Avast is the latest version. Allways updated.
There were many random dll files on windows\system32.

I'll give you all details in about 12 hours.
Thanks.

[Lisandro]

There were many random dll files on windows\system32.

A symptom of infection for sure...
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.

[eluis]

I just have this for now:

Arquivo C:\Programas\Microsoft Studio Files\lsass.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\Programas\Microsoft Studio Files\vcdg.bat está infectado por IRC:Malware-gen, Excluído
Arquivo C:\Programas\skmw\barclays.exe está infectado por Win32:Spyware-gen [trj], Excluído
Arquivo C:\Programas\skmw\bb.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\Programas\skmw\bradesco.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\Programas\skmw\caixa.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\Programas\skmw\gf.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\Programas\skmw\iek.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\Programas\skmw\live.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\Programas\skmw\mlst.exe está infectado por Win32:VB-KDO [trj], Excluído
Arquivo C:\Programas\skmw\mon.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\Programas\skmw\msgex.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\Programas\skmw\rds.exe está infectado por Win32:Bancos-BEF [trj], Excluído
Arquivo C:\Programas\skmw\Readme.exe está infectado por Win32:VB-KOZ [Wrm], Excluído
Arquivo C:\Programas\skmw\replay.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\Programas\skmw\santander.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\Programas\skmw\scrypt.exe está infectado por Win32:Spyware-gen [trj], Excluído
Arquivo C:\Programas\skmw\upfile.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\Programas\skmw\varios.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033347.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033348.bat está infectado por IRC:Malware-gen, Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033349.exe está infectado por Win32:Spyware-gen [trj], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033350.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033351.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033352.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033353.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033354.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033355.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033356.exe está infectado por Win32:VB-KDO [trj], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033357.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033358.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033359.exe está infectado por Win32:Bancos-BEF [trj], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033360.exe está infectado por Win32:VB-KOZ [Wrm], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033361.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033362.exe está infectado por Win32:Bancos-BBK [trj], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033363.exe está infectado por Win32:Spyware-gen [trj], Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033364.exe está infectado por Win32:Trojan-gen {Other}, Excluído
Arquivo C:\System Volume Information\_restore{5FF46723-159A-43D8-A7EE-A72E3B9F85E6}\RP290\A0033365.exe está infectado por Win32:Bancos-BBK [trj], Excluído

[Lisandro]

Don't skip step 3...

[Dwarden]

if i understand "Excluído" means exclusion ...

so btw. do you have any special exclusions set ? maybe that's reason it get execute even if it's detected ...

usually incorrect exclusion with too strong regular expressions sets lead to such fails ...

{but ofc this not exclude other issue}

[eluis]

Excluído means excluded... or better... means DELETED.

I configure Avast to delete files infected and not quarentine. Nowadays, there are no good files infected. The virus came on a single file to infect, so, I delete them.

[alanrf]

Then forgive me but I believe your configuration to be foolish.

avast (along with any other antivirus product) is not infallible.  It does, from time to time, detect perfectly good files as false positives.

Quarantining files which which prevents any harm from them while allowing the chance for recovery in the event of a false positive is always a better path to take.

 

[DavidR]

I echo Alan's comments.

Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

[Lisandro]

Don't skip step 3...

I do suggest...