Author Topic: Avast creates ghost-folders!  (Read 7947 times)

ProloSozz

  • Guest
Avast creates ghost-folders!
« on: May 10, 2009, 06:03:58 PM »
Configuration: PC with Windows XP, avast 4.8.1335

I have the following problem: I had connected two external USB-Disks, one on G: and one on H: and copied contents of G: to H:. While copying, a single file was reported as malicious. I decided to copy that file to the specially created folder "Malware" on H: and not to its former place in the directory-structure of h. As I had some other problems with the drive H:, I had to do the same copy several more times. But the next times, I did not anymore copy the reported file to that "Malware"-folder, but left it in its directory structure.

Just before, I had connected the same external USB drive on H:, emptied and formatted it, but copied totally different stuff (from a CD as source) on that drive. And what am I discovering at the end of the copy-process: an empty folder called "Malware" on drive H:.

What the hell has this folder to do there? Where does it come from? How can I get rid of it again? And what do I have to do that it never will reappear again?

My only explanation is, that it has something to do with avast - but what?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Avast creates ghost-folders!
« Reply #1 on: May 10, 2009, 06:53:15 PM »
It has nothing to do with avast, the only folder avast creates outside of the Alwil Software folder is the _avast4_ sub-folder of whatever you have assigned as your Temp/TMP folders in your system variables.

Was this malicious file actually reported/detected by avast, see image (is that what you saw), avast alert ?

What other security software do you have installed ?
Have (or did) you another AV installed in this system, if so what was it and how did you get rid of it ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast creates ghost-folders!
« Reply #2 on: May 10, 2009, 09:11:08 PM »
Let your USB drive plugged and run Autorun Eater or Flash Disinfector, allowing them to clean up all drives. They would create hidden folders named autorun.inf in each partition and every USB drive plugged in when you ran it. These folders protect your drives from future infection. After that, reboot your computer.
The best things in life are free.

ProloSozz

  • Guest
Re: Avast creates ghost-folders!
« Reply #3 on: May 11, 2009, 02:36:50 AM »
The one and only context that a folder called "Malware" was created was when moving the suspicious file that avast reported to that folder (once and never again since then) and nothing else - neither before nor after that.

As soon as I reboot the pc with any usb-drive connected that will appear on the drive-letter h:, it has an empty folder called "Malware" on it, even if I deleted it just before rebooting.

I can stop avast on-access protection by system-tray-icon. As soon as I restart avast on-access protection, I can watch the folder "Malware" being created again on drive H:!

So it is absolutely obvious that avast on-access protection is again and again creating that folder on drive H: (if H: present) each time avast on-access protection starts.

No, there is and was no other AV-Software on that PC, and no other "Security-Software".

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Avast creates ghost-folders!
« Reply #4 on: May 11, 2009, 02:54:10 AM »
I'm sorry but it isn't absolutely obvious to me, the behaviour that you are explaining I have never seen before in the forums in a little over 5 years - avast moves infected files to the Chest (assuming that is the option that you selected) it 'doesn't' send them to a folder called 'malware'

You can also do a move/rename option and that sends the file to the Moved folder and appends .vir to the file moved, but it most certainly doesn't send them to a folder named 'malware.'

The avast 4 Home/Pro version (the forum your post is in) doesn't create folders in a usb drive, all infected files if you sent it to the chest would be in the C:\Program Files\Alwil Software\Avast4\DATA\chest folder.

So I have no idea what is going on in your system, but avast Home/Pro version 'doesn't' create folders in usb drives.

ProloSozz

  • Guest
Re: Avast creates ghost-folders!
« Reply #5 on: May 11, 2009, 03:05:42 AM »
something more: (I always delete the malware-folder)

as soon as I begin to scan any file on any volume with avast, immediately a folder called "Malware" is created on H:

I don't remember what that suspicious file was - it was considered as possibly trojan and was in the system32 directory of a NT4 that was installed in 1998 and not used for several years. That file itself only has the connection to the "Malware"-folder that I manually told avast to put it in that folder that I specially created to put that file temporarily in.


ProloSozz

  • Guest
Re: Avast creates ghost-folders!
« Reply #6 on: May 11, 2009, 03:12:05 AM »
I have a suspicion: as I declared avast to put the suspicious file to the "Malware-folder on H:", avast is now considering that folder as the standard folder where the files would be parked - and if the folder does not exist, it creates it to be prepared to put the things there.

But where in the configuration or options is that parameter to declare in what folder the things will be put in?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Avast creates ghost-folders!
« Reply #7 on: May 11, 2009, 03:20:21 AM »
I'm sorry but this is totally alien to me as it doesn't sound like anything I have ever heard of with avast.

avast has one location for infected files and that is the C:\Program Files\Alwil Software\Avast4\DATA\chest folder and that 'doesn't change' as it is a protected folder all files sent to the chest are encrypted and the name is changed. So when looking from the outside of the chest you see a different name so you can't identify it.
The only difference to that would be if you installed avast in a different partition (say D) on a fixed internal Hard Disk, but the chest would remain in the same structure D:\Program Files\Alwil Software\Avast4\DATA\chest folder so it doesn't change that.

Exactly what version of avast have you got ?
Where was it downloaded from ?

~~~~
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?  
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

####
That's me for the night, 2:20am here.

ProloSozz

  • Guest
Re: Avast creates ghost-folders!
« Reply #8 on: May 11, 2009, 03:44:15 AM »
WINNT\system32\TPCHRSRV.EXE was told to be infected with RootKit-gen (Rtk).

I made a backup of the original HD (WinNT4 from 1998) on 07.05.2009 at 04:00 - before the Rtk-report.

I have Rtk-reports from avast on 07.05 at 13h/14h/15h/17h and on 08.05. at 02h/13h

I made an entire restore today and did not have any Rtk-report again since the mentioned six times - even not today after the restore. I assume it was a false positive or a generic suspicion.

One of these six times, I did not tell avast to do "no action", but to put the file into the specially created "Malware"-folder on H: and giving the suffix .vir - resulting in the mentioned problem with that ghost-folder that always reappears when having some activities of avast.

I have Avast Build Feb2009 (4.8.1335), Xtreme Toolkit 1.9.4.0, ActiveSkin 4.2.7.3

First Log-entry is from 19.11.08, last update today/yesterday

I downloaded it directly from the avast-website.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Avast creates ghost-folders!
« Reply #9 on: May 11, 2009, 03:30:04 PM »
I'm sorry it is difficult to know what else to suggest as this is nothing that I have ever heard of happening with avast and can only speak from my own experiences and those that I have seen within the forums and none match this.

You keep calling it the 'specially created Malware folder' the only two folders used by avast are the ones in the same partition as the Alwil Software\avast4 structure are the Chest and Moved (the one where the renamed .vir files are sent) folders not named 'Malware' and as far as I'm aware you can't actually change that.

You also say this is on H:\ did you install avast on H:\ ?
I don't know if as you say this is a usb drive, if avast can be installed other than to an internal fixed hard drive (I don't believe so).

You could try a clean reinstall using the default install location, C:\Program Files\Alwil Software\Avast4:
Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall.

Download the avast! Uninstall Utility, find it here and save it to your HDD.
  • 1. Now uninstall (using add remove programs, if you can't do that start from the next step), reboot.
  • 2. run the avast! Uninstall Utility, reboot.  If step 1 failed it may be necessary to run this from safe mode, once complete reboot into normal mode.
  • 3. install the latest version, reboot.

ProloSozz

  • Guest
Re: Avast creates ghost-folders!
« Reply #10 on: May 11, 2009, 03:53:52 PM »
No necessity to panic! Errors and unexpected things can happen - finding them is just the first step.

Just to clarify: when the warning-window appeared, I chose manually the option "Move/Rename..." to move that file in a special folder that I created on H - and I gave it the name "Malware". So it was me to give that name as the intention was to temporarily put that file aside until I got some information what it is and what danger I have to be aware of.

I did not install avast on H - avast is only installed on the boot-drive C. H was just one of two USB-drives - I copied very old WinNT4 from G to H.

The bad thing is that I don't remember if I created the folder that I gave the name "Malware" from inside the avast-move-location-window or if I went out into the finder (sorry, windows explorer) and created that folder there.

I'll keep the current installation for the moment - maybe it could be useful to track down something - as the problem does not bother very much for the moment. I just know that I have to be aware of it.

I suggest your specialists to track down the option "Move/Rename..." if the directory used there gets saved somewhere else as parameter where avast is looking at later on - even if it should not - and what happens in the moment that a) any file is scanned (using the context-menu) and b) avast is started.

But I won't exclude that my WindowsXP-installation itself could be corrupted either.

Thank you so far.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Avast creates ghost-folders!
« Reply #11 on: May 11, 2009, 04:17:15 PM »
You would have had to create the Malware folder name and location, see Image, as by default the file is sent to the avast Moved folder.

So, it does look like it retains that information for the future if you choose Move/Rename as the option (Move to the Chest is by far the best option). I have no idea where avast retains that information as there is no way other than on your next detection to set it back to the default location C:\Program Files\Alwil Software\Avast4\DATA\moved.

Now when avast starts, I believe it does an integrity check and perhaps at that point would recreate that folder if it has been deleted. This is however speculation on my part, but based on what you said previously appears to be what is happening. So I would say it would be advisable to reset the location back to the default C:\Program Files\Alwil Software\Avast4\DATA\moved folder (whilst very long winded the clean reinstall would have set everything back to default settings).

So rather than wait for your next detection, you could use the eicar test file that I did to generate the alert.

ProloSozz

  • Guest
Re: Avast creates ghost-folders!
« Reply #12 on: May 11, 2009, 05:18:00 PM »
Oh, yeah - that's the thing ... I just downloaded eicar - and clicked into "Move/Rename..." - and what's proposed there in the field "Folder to move the file(s) to"? Guess what? "H:\Malware" - what else ... ;)

So you (resp. your specialists) have got some homework! ... ;) ... To keep that path there is one thing (why not? as a suggestion) - but to recreate that path and folder as soon as avast makes some activities (start up, scan etc.) even before really needing that folder yet another - and the latter one is IMHO not acceptable ...

Something else in that bigger context: I do not consider it as really appropriate to put data in a subfolder of "program files" - I'd rather suggest to put them either in a subfolder inside the documents-folder - or in a specially provided subfolder located in the root-directory - just to keep the program-files-directory-contents untouched. Please discuss with your specialists!

Thank you so far.

ProloSozz

  • Guest
Re: Avast creates ghost-folders!
« Reply #13 on: May 11, 2009, 05:23:30 PM »
Forgot something: ... what happens after having set back the folder in the Move/Rename-Dialog-box to the default folder with a drive H connected and scanning a file? or better what does not happen? Guess what: The folder with the name "Malware" on H: is no longer created!
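
The behaviour reported in replies #12 and #13, modelled as an added example (not avast's code and not part of the original posts): a remembered move folder that is recreated at start-up, next to a variant that creates it only when a file is actually moved. The settings file, its `move_folder` key, the function names and the temporary directory standing in for drive H: are all assumptions made for illustration.

```python
import json
import os
import shutil
import tempfile

DEFAULT_MOVED = "moved"  # assumed stand-in for the product's default Moved folder

def load_target(settings_file, base):
    """Return the remembered move folder, or the default if none was saved."""
    if os.path.exists(settings_file):
        with open(settings_file) as fh:
            return json.load(fh)["move_folder"]
    return os.path.join(base, DEFAULT_MOVED)

def start_eager(settings_file, base):
    """Modelled reported behaviour: the remembered folder is created at start-up."""
    target = load_target(settings_file, base)
    os.makedirs(target, exist_ok=True)  # writes to whatever volume is mounted there
    return target

def start_lazy(settings_file, base):
    """Start-up only reads the setting and writes nothing."""
    return load_target(settings_file, base)

def move_file(src, target):
    """Create the folder only when a file is really moved; append .vir."""
    os.makedirs(target, exist_ok=True)
    dst = os.path.join(target, os.path.basename(src) + ".vir")
    shutil.move(src, dst)
    return dst

def demo():
    base = tempfile.mkdtemp()
    usb = os.path.join(base, "H")            # constructed stand-in for drive H:
    malware = os.path.join(usb, "Malware")
    os.mkdir(usb)
    settings = os.path.join(base, "settings.json")
    with open(settings, "w") as fh:          # the user once chose H:\Malware
        json.dump({"move_folder": malware}, fh)
    start_lazy(settings, base)
    lazy_created = os.path.isdir(malware)    # lazy start leaves the drive untouched
    start_eager(settings, base)
    eager_created = os.path.isdir(malware)   # eager start produces the ghost folder
    sample = os.path.join(base, "sample.bin")
    open(sample, "wb").close()               # constructed empty sample file
    moved = move_file(sample, malware)
    return lazy_created, eager_created, os.path.basename(moved)

if __name__ == "__main__":
    print(demo())
```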

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Avast creates ghost-folders!
« Reply #14 on: May 11, 2009, 06:32:26 PM »
Well I can't have any input over how it works as I'm just an avast user like yourself.

I'm not surprised that the 'missing' H:\malware folder isn't created as it would no longer be a part of any integrity check as I presumed in my earlier post.

Quote from: DavidR
Now when avast starts, I believe it does an integrity check and perhaps at that point would recreate that folder if it has been deleted.

This is however speculation on my part, but based on what you said previously appears to be what is happening.

So I would say it would be advisable to reset the location back to the default C:\Program Files\Alwil Software\Avast4\DATA\moved folder

I would also repeat what I said about not using the Move/Rename option but to Send to Chest, as the Moved folder is not protected in the same way as files in the chest: they aren't encrypted; they are available to outside access; as such they would be 'detected' again by subsequent avast scans which include the Moved folder.

My guess on the location of data is that the avast self-defence module protects all avast files within the Alwil Software and sub folders, running processes and its registry entries. If these detected files were placed elsewhere that location too would have to be protected and that could have other repercussions.