Author Topic: Are These Legitimate Avast Files  (Read 2846 times)


Jerry Cassem

  • Guest
Are These Legitimate Avast Files
« on: May 05, 2009, 02:48:04 AM »
   I just had a problem with my XP machine: it was taken over by a virus. I have scanned with a reinstall of Avast, and it finds nothing in safe mode. In real mode it wants to delete all the Windows files like Notepad, and system files. I have found 2 files that I think might be the culprit. I did a search for Avast*.* and I came up with these 2 files that weren't in Avast directories. They are:

Avast.setup-295443AF.PF
Avastss.scr-00276811.PF

  I did a properties on the second one, and under Summary here were my permission settings that have had Admin locked out. I couldn't get updates or go to any websites like Avast or Superantispyware or Microsoft. I deleted the Avastss.scr-00276811 after giving my permissions back. Then I went right out to Avast and downloaded a new version... Now I'm trying to track down what's going on... I use Avast Free Home.

   Thanks.
             Jerry

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Are These Legitimate Avast Files
« Reply #1 on: May 05, 2009, 03:01:07 AM »
I couldn't get updates or go to any websites Like Avast Or Superantispyware. or Microsoft.

Did you try Malwarebytes' Anti-Malware?

You might be able to break the virus's redirecting by using the website's IP instead of its real address.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Are These Legitimate Avast Files
« Reply #2 on: May 05, 2009, 03:07:57 AM »
These will have been in the windows pre-fetch folder and they aren't actually files, but details of their location on the Hard Disk, supposedly to speed their loading.

The actual files are legitimate avast file names:
- avast.setup in the C:\Program Files\Alwil Software\Avast4\Setup folder
- avastss.scr in the C:\Program Files\Alwil Software\Avast4 folder.

See image of my prefetch folder and the avast file references in it.

-- HOSTS file redirect: a common malware tactic to block AV sites, making it difficult to remove malware - 127.0.0.1. Check your HOSTS file using notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if not there.

Once open, you are looking for entries with avast.com on the line; you may well see other AV sites. Post the contents of the hosts file. http://en.wikipedia.org/wiki/Hosts_file
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
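
The HOSTS file check described in the reply above, as an added example that is not part of the original thread: it parses hosts-file text and reports entries that pin a watched security or update domain to another address, plus lines whose address does not parse. The watch list, the function names and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch list: avast.com is named in the thread; the other two are the
# assumed domains of vendors the poster could not reach. Extend as needed.
WATCHED = ("avast.com", "superantispyware.com", "microsoft.com")
BENIGN = {"localhost"}  # name a stock hosts file maps to loopback

# Constructed sample, not the poster's file (line 6 mirrors the entry he quoted).
SAMPLE = """\
# constructed hosts file for the example
127.0.0.1  localhost
127.0.0.1  www.avast.com avast.com
0.0.0.0    download.microsoft.com   # trailing comment
# 127.0.0.1 www.superantispyware.com
127.0.01 Local Host
10.0.0.5   fileserver
"""

def parse_hosts(text):
    """Yield (line_no, ip, name) per active mapping; ip is None if the address is invalid."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield no, None, line              # report the whole line for review
            continue
        for name in fields[1:]:               # one address may carry several names
            yield no, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return (line_no, verdict, detail) for every entry worth a second look."""
    findings = []
    for no, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((no, "malformed", name))
        elif name in BENIGN and ip.is_loopback:
            continue
        elif any(name == d or name.endswith("." + d) for d in WATCHED):
            verdict = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((no, verdict, f"{name} -> {ip}"))
        else:
            findings.append((no, "other-override", f"{name} -> {ip}"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(*finding)
```

To audit a real machine, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to `audit_hosts` instead of `SAMPLE`.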

Jerry Cassem

  • Guest
Re: Are These Legitimate Avast Files
« Reply #3 on: May 05, 2009, 03:10:31 AM »
  
   I can get to the websites after setting the permissions on the summary tab of the avastss.scr-00276811.pf file, but I don't think these are legitimate Avast files. If you could do a search on your computer for those 2 files and don't come up with them, then I will know they are hacked files. I also found under my Windows Firewall an exception to @shell32.dll,-1 and I turned this off also.

     Thanks For The Reply!
             Jerry

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Are These Legitimate Avast Files
« Reply #4 on: May 05, 2009, 03:23:51 AM »
The .pf files are not the actual files, but, as I said, they contain data to help load the file quickly; that is the purpose of the prefetch folder in Windows. You can see from my prefetch folder image the sizes are much smaller than the actual file: avast.setup is 2469KB and avastss.scr is 96KB.

So I have no idea how setting permissions would make a difference other than a happy coincidence, as that isn't the real file. Neither of those files controls internet connection, avast.setup connects to do avast updates, but like all avast processes they don't block.

Jerry Cassem

  • Guest
Re: Are These Legitimate Avast Files
« Reply #5 on: May 05, 2009, 03:42:22 AM »

   My host file has only 1 line active.

    127.0.01 Local Host

   Only thing I can think happened is a virus attached to that Avast file. Does Avast have a screen saver scan in the Free Home edition? This is when all the problems started; it was saying all my Windows system files were infected. So I deleted a couple, and then rebooted to safe mode and clicked on Notepad and it started right up... I never had this screensaver before!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Are These Legitimate Avast Files
« Reply #6 on: May 05, 2009, 04:27:59 PM »
Then it is a more complex form of DNS blocking, possibly your DNS server is one that

I'm sorry but that is totally incorrect (apart from that file 'isn't' an avast file but a windows pre-fetch one), delete it and see, windows will recreate it on the next boot and in the meantime nothing will have changed.  avast also has a self-defence module to prevent files being modified or deleted and whilst that isn't 100% it is pretty effective.

I don't use the screen saver on my system, but those entries are in my pre-fetch folder and I'm not experiencing this problem.

Try connecting to OpenDNS.org and check out how to use that as your DNS server; this isn't vulnerable to DNS hijacking.