Author Topic: Avast keeps saying there's a virus  (Read 15489 times)


Offline Gillie2tat

  • Full Member
  • ***
  • Posts: 171
  • In a hole in the ground there lived a hobbit.
    • Tatting at Bella Online
Re:Avast keeps saying there's a virus
« Reply #15 on: June 06, 2004, 03:29:21 PM »
Just checked msconfig startup, nothing nasty running in there and when I used Control-Alt-Delete for something last night there were no unexpected programs running.  So I don't THINK this is active on my system, I think it's a cache problem somewhere.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83749
  • No support PMs thanks
Re:Avast keeps saying there's a virus
« Reply #16 on: June 06, 2004, 03:58:31 PM »
I'm about out of ideas, but you seem to keep getting infected/reinfected and it is probably down to not having your OS fully up to date. The very name RPCexploit indicates exploiting the Remote Procedure Call; a Windows patch for this came out ages ago.

I did a search simply on Win32:RPCexploit and it returned 91 hits, this is just one. http://www.sophos.com/virusinfo/analyses/w32rpcspybota.html This may be of help, it also gives a link to the MS patch.

Quote
Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available from www.microsoft.com/technet/security/bulletin/MS03-026.asp.


If you haven't got that patch installed you are going to keep getting infected.

WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Gillie2tat

Re:Avast keeps saying there's a virus
« Reply #17 on: June 06, 2004, 09:28:00 PM »
I think you've got it, I don't have the relevant patches although I run Windows Update regularly.  Microsoft must have removed it from the list of Critical Updates because that particular patch never showed up.  Darn them.  Just ran Windows Update again and those updates still didn't show up.

I wasn't able to get the scanner tool to work - I don't know enough about DOS and I don't understand how the different commands Microsoft list work - but I looked in Control Panel and those particular patches are not listed.  Should I install them first, then turn off System Restore and run Avast and tell it to delete forcibly on restart? or try running Avast again and then install the patches?

Sorry to be a nuisance but I've never had this particular situation before, I've always had all patches in place.  I don't know why those patches haven't come up in Windows Update which I run regularly.

Thank you so much for helping me with this and for taking the time to look for me.  I did look on the Symantec web site and this particular virus didn't seem to be listed, wish they'd install a search facility!

Offline Gillie2tat

Re:Avast keeps saying there's a virus
« Reply #18 on: June 06, 2004, 09:40:14 PM »
Also what the Sophos article seems to say is remove the worm and then install the patches but my understanding of what you are saying is it's necessary to install the patches first and then get rid of the virus - I won't get rid of the virus unless I'm patched?  Is that correct?

Offline DavidR

Re:Avast keeps saying there's a virus
« Reply #19 on: June 06, 2004, 10:06:59 PM »
From your previous post, I use google.com for all searches and they generally turn up the various antivirus companies' pages relating to that search term. This is particularly useful because in many cases it will have a different name from one company to another, but it will also find it if it is an alias.

Quote
Also what the Sophos article seems to say is remove the worm and then install the patches but my understanding of what you are saying is it's necessary to install the patches first and then get rid of the virus

Personally I don't think the order is important. You can try their suggested remove virus, install patch, reboot, scan again.

Having downloaded the patch from the link I gave you, make sure that you are offline. Installing the patch doesn't get rid of the virus, it patches the vulnerability so you don't get reinfected when you go online.

You may need to disable system restore prior to removing virus (as per the instructions).

Quote
I won't get rid of the virus unless I'm patched?  Is that correct?

No - the patch has nothing to do with getting rid of the virus - but if you haven't got it installed, you will probably be reinfected on your very next venture online.

Take the next step.
« Last Edit: June 06, 2004, 10:11:14 PM by DavidR »

Offline Gillie2tat

Re:Avast keeps saying there's a virus
« Reply #20 on: June 06, 2004, 10:08:46 PM »
Well Avast isn't able to remove the virus from the look of things so I'll try installing the patches first.  Thank you!

Offline Gillie2tat

Re:Avast keeps saying there's a virus
« Reply #21 on: June 06, 2004, 10:33:11 PM »
New development - managed to work out how to run the kb824146scan tool, this is the result it gave - looks like I'm patched after all.  The command I used was kb824146scan.exe localhost.  So what's the next step?

I too did a search on Google.com and it looked as though there might be more than one virus using this as a name:-( but the main one I agree looked like the Spybot one.

I'm beginning to think if I'm patched and Avast can't deal with it, Sophos site says there's an IDE to deal with it, maybe I should switch to that one to fix this and then come back to Avast later.
« Last Edit: June 06, 2004, 10:49:25 PM by Gillie2tat »

Offline Gillie2tat

Re:Avast keeps saying there's a virus
« Reply #22 on: June 07, 2004, 08:26:10 AM »
OK I booted the computer in Safe Mode, turned off System Restore using msconfig and not the right click on My Computer method.  I then ran a full system scan using Avast (was up until 2.00 am).

I had to restart a couple of times to get System Restore back on using msconfig and stop the puter coming up with msconfig has been modified - all fixed now.

(1) as of now since I last ran Avast there are no more unp files in the C:\Documents and Settings\Gillie2tat\Local Files\Temp\_Avast4_ folder.  For the moment I propose to leave things as they are and not do any more scans for a few days to see if they reappear.  If they don't and then reappear when I run Avast next time it's something that's happening through Avast.  Otherwise it's spotting infected mail and so on just fine.

(2) There is a very odd file in my Windows System folder which is the one that was spotted by Avast as being infected.  Should I just navigate to the Windows folder, delete it and empty recycle bin and see what happens?  Avast is unable to delete it as such and although it can move it it reappears in that folder.

There are no other warnings coming up from Avast at all about any other folders other than the two I've mentioned (except that it put the unp files in the Administrator/Temp/_Avast4_ folder whilst I was logged into the Administrator section in Safe Mode) and I'm wondering if it's safe to back up My Documents.  Fortunately I back up onto CD-Rs and not CD-RWs so I'm not relying on just the one disk set!

Another screenshot coming up!


Offline Gillie2tat

Re:Avast keeps saying there's a virus
« Reply #23 on: June 07, 2004, 09:14:13 AM »
Also should I e-mail this crashlog.tar.gz to Avast for analysis?  I did a search on Google for crashlog.tar.gz and for crashlog.tar, it didn't come up with anything at all.  Is the file slass.exe anything to do with all this because it's running on my system (used control-alt-delete to check that).

Off to work now, be back later.
« Last Edit: June 07, 2004, 09:17:21 AM by Gillie2tat »

Offline DavidR

Re:Avast keeps saying there's a virus
« Reply #24 on: June 07, 2004, 03:09:39 PM »
Strange that there is a crashlog.tar.gz in the windows\system folder. .tar and .gz are forms of zipped file; it certainly is not a Windows zip style that I am aware of.

Could it possibly be that it originates from some third party system tool or even an online scanner that compresses virus definitions in a .tar.gz format in the hope not to confuse anti-virus programs? The name however would point to the first guess.

I would tend to rename the file first, rather than delete (especially if avast is not reporting it), you can always delete it if after some time there is no ill effect.

The Lsass.exe is a system file - Local Security Authority Service. I don't think that it is connected with the file.

http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

Hopefully you are coming to the end of your journey.
« Last Edit: June 07, 2004, 03:12:35 PM by DavidR »

Offline Gillie2tat

Re:Avast keeps saying there's a virus
« Reply #25 on: June 07, 2004, 06:25:20 PM »
Quote
I would tend to rename the file first, rather than delete (especially if avast is not reporting it), you can always delete it if after some time there is no ill effect.

But that's just it, this is exactly the file in the System32 folder that I mentioned earlier which Avast IS reporting as infected.  It's reporting c:/WINDOWS/System32/crashlog.tar.gz/crashlog.tar/crashlog.tar/Memory.dmp and c:\WINDOWS/System32/crashlog.tar.gz/crashlog.tar as the two infected system files - each and every time.  Double file extensions like that always ring warning bells for me.

The crashlog.tar.gz and unp files are the ONLY ones which are coming up labelled as infected now.  I just checked again on rebooting and again there are at present no unp files in my C:\Documents and Settings\Gillie2tat\Local Host\Temp\_avast4_ folder at all, infected or otherwise.

I can't tell you where it came from though I do have quite a lot of third party software on my system so it is possible that it came from a third party tool.

I will await your further advice :) I hope I'm coming to the end of my journey too.

I did a search on Google for crashlog.tar.gz and crashlog.tar and it didn't come up with anything which suggests to me it's not a system file. If it were it would probably be listed at least on Microsoft.com.

If you still think I should rename the file should I move it to a folder in My Documents or should I leave it in my system folder and just change the file extension - and if so what should I change the file extension to?
« Last Edit: June 07, 2004, 06:29:40 PM by Gillie2tat »

Offline DavidR

Re:Avast keeps saying there's a virus
« Reply #26 on: June 07, 2004, 06:40:30 PM »
I did a search on crashlog and that turns up 829 hits and some of those are programs that obviously create some form of crashlog, perhaps you might find one that's familiar.

Quote
Double file extensions like that always ring warning bells for me.

They do normally for me, but I have seen this one as a legitimate compression format on some download sites.

As I said rename would have been my first option, since that wouldn't work, it doesn't leave much else other than deletion. It is not a windows system file.

David

Offline Gillie2tat

Re:Avast keeps saying there's a virus
« Reply #27 on: June 07, 2004, 06:49:45 PM »
I think I see why you say renaming the file wouldn't work, but I'm a bit concerned that although Avast has successfully moved that file and changed the extension to .vir it just came back.  That suggests to me something going on in the Registry.

The fact also that the infected unp files only appear when Avast is run suggests to me that something is going on with Avast itself.

OK we'll see what happens.  But I'm backing up first.

Offline DavidR

Re:Avast keeps saying there's a virus
« Reply #28 on: June 07, 2004, 07:28:17 PM »
The .tar.gz is a compressed file; in order for any anti-virus program to check it, it has to unpack (unp) it, and as far as I am aware it does this in _avast4_, which I believe I mentioned before.

If it keeps coming back, don't just temp disable System Restore using msconfig (don't see how you did that); anything that you delete from the system folders will, I believe, be regenerated at re-boot.

Any changes you make in msconfig, don't take effect until after a re-boot and I don't believe that system restore was properly disabled.

Go the distance and do it properly and then re-boot. Scan, resolve the problem, re-boot, check for infection and enable system restore once you are clear and re-boot.

Any backup that you do prior to cleaning could be leaving yourself vulnerable to reinfection if you use the backup.
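The unpacking described in the reply above, as an added example that is not part of the thread and is not Avast's implementation: a scanner has to peel the gzip layer and then the tar layer before it can inspect `Memory.dmp`, which is why the detection is reported as a nested path and why unpacked copies appear in a temp folder. The archive contents, the `MARKER` pattern and all function names are constructed for illustration.

```python
import gzip
import io
import tarfile

MARKER = b"CONSTRUCTED-TEST-MARKER"  # stand-in pattern, not a real AV signature
MAX_DEPTH = 8                        # stop runaway nesting

def walk(name, data, prefix="", depth=0):
    """Yield (nested_path, bytes) for each leaf inside gzip/tar layers."""
    path = f"{prefix}/{name}" if prefix else name
    if depth < MAX_DEPTH and data[:2] == b"\x1f\x8b":      # gzip magic
        inner = name[:-3] if name.endswith(".gz") else name + ".unpacked"
        yield from walk(inner, gzip.decompress(data), path, depth + 1)
        return
    try:
        if depth >= MAX_DEPTH:
            raise tarfile.ReadError("depth limit")
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:")
    except tarfile.TarError:
        yield path, data                                   # not a container: a leaf
        return
    with tf:
        for member in tf:
            if member.isfile():
                body = tf.extractfile(member).read()
                yield from walk(member.name, body, path, depth + 1)

def scan(name, data):
    """Return nested paths of leaves that contain MARKER."""
    return [p for p, leaf in walk(name, data) if MARKER in leaf]

def build_sample():
    """Constructed crashlog.tar.gz: a tar holding Memory.dmp and a clean file."""
    files = {"Memory.dmp": b"MDMP" + b"\x00" * 64 + MARKER,
             "readme.txt": b"nothing to see"}
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tf:
        for fname, body in files.items():
            info = tarfile.TarInfo(fname)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return gzip.compress(raw.getvalue())

if __name__ == "__main__":
    for hit in scan("crashlog.tar.gz", build_sample()):
        print("flagged:", hit)
```

The flagged leaf lives only inside the container, so cleaning up the unpacked temp copies changes nothing until the container file itself is removed.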

Offline Gillie2tat

Re:Avast keeps saying there's a virus
« Reply #29 on: June 07, 2004, 11:07:56 PM »
We have liftoff!  I am clean at last!

What I did was:-

1. Delete crashlog.tar.gz from my System32 folder but leave it in the Recycle Bin just in case.

2. I then disabled System Restore correctly - Start-Control Panel-click on System and check the Disable System Restore box.  Restart computer and check that crashlog.tar.gz was not in my System folder - no it wasn't.

3. Disable my screensaver.

4. I started a scan and it didn't pick up any infected unp files but it picked up the crashlog.tar.gz file in the Recycle Bin.  I stopped the scan, emptied out the Recycle Bin (it was the only file in it anyway, I emptied it yesterday!)

5. Avast picked up more infected unp files on the next scan, so I stopped the scan and deleted them from the Temp/_Avast4_ folder and emptied the Recycle Bin.  I double checked System32 again but the file crashlog.tar.gz was not in it thank goodness.

6. I ran a full clean scan.

7. I restarted the computer and ran another full clean scan (I did go online again and double checked your posting above, and Avast downloaded some updates whilst I was doing it - so the scans were absolutely up to date).

Tomorrow I plan to redo that backup - it's needed urgently now - and I will destroy those disks I burned today.

I am pretty certain now that the virus is gone and would like to thank you very much indeed for all your kindness and help over the last few days.  I don't know where I'd have been without all your patience, advice and help.

I do a lot of computer graphics and have my own web site so if I can do anything for you in that line please contact me and I'll be glad to help.

Avast were recommended to me by the principal of the web school where I study, Richard Dean of http://vu.org.  I have yet to find him wrong on software of any kind!