Antivirus Pro 2010 not detected by Avast Home

[avastuser1000]

About a week ago, while running the current and fully up to date Avast Home on my fully updated Windows XP Pro machine, I visited a computer parts web site and contracted malware that Avast neither detected or could repair.  The culprit was something called Antivirus Pro 2010 as well as another similar sounding product.  The Task manager was disabled and system policies were applied that kept Avast from running.  Starting in safe mode I was able to uninstall, reboot, and reinstall avast which schedualed a boot scan that did not detect anything.  I followed the instructions on bleeping computer to the letter, multiple times, and thought those instruction seemed like they were promising (allowing me to gain access to the task manager again) it ultimately was a complete waste of time.  On top of the hours wasted trying to repair the problem hours were spent reloading the system from scratch.  What the heck Avast?  I used to think you had a good product!  I have never seen a virus/malware/whatever as aggressive as this and despite it supposedly being a well known one why didn't Avast catch it?

[Jtaylor83]

Download and run MBAM.

[Mr.Agent]

Any undetected malware ? Use suggestion of taylor. And if you wanna improve our data base please send the virus to the chest and email it to ALWIL or simply email the virus to them by sending to virus@avast.com i think.

ALWIL Software is a bit busy for now with version 5 that is comming soon so please forgive them.

Thank.

Mr.Agent

[avastuser1000]

thanks for the reply, but as i said i followed the instructions on bleeping computer (and others) to no avail.
i was able to apply the registry patch to gain access to the task manager and stop the Antivirus Pro 2010 process, and also stop the svhaste (not svhost) process.  was then able to apply the registry patch that corrected the policy which kept me from being able to run any application, and so was then able to install mwb, but mwb would be shut down after 3 seconds of scanning.  a google search showed me others with this same problem and no solutions.  i tried all the above in diagnostic startup, selective startup with everything off, in safe mode, etc.  also tried manual removal of the the antivirus pro 2010 by removing registry keys, unregistering dlls, and deleting files all to no avail.  the machine has been reloaded so the suggestions though appreciated are pointless.  the only question that i have is why avast choked?  why didn't it stop it in the first place.  if this malware has been in the wild for over a year it is shocking that avast could not detect it.  i am in the process of removing avast from all of my machines and going with something else.

[polonus]

Where you probably will have a similar issue in the future, because of the everchanging malware landscape out there. There is no resident solution that gets them all and sometimes one's luck is in and one gets a zero-day version. Combine avast with other free anti malware programs like MBAM and SAS, and then when a rootkit is involved the anti-malware may cleanse it only with a result that the malware restarts after a reboot. Best policy is avoid malware installs by using a Windows account with normal user rights in stead of full admin rights even Antivirus Pro 2013 cannot beat that policy.
For manual removal instructions"
Antivirus Pro 2010 manual removal:
Kill processes:
AntivirusPro_2010.exe yxine.exe Uninstall.exe mifiryvele.exe

Delete registry values:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM\PIDs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\[ORIGINAL FILE NAME]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pro


Unregister DLLs:
AVEngn.dll htmlayout.dll pthreadVC2.dll msvcm80.dll msvcp80.dll msvcr80.dll


Delete files:
AntivirusPro_2010.lnk bojag.dl aqepe.dat nyxuj.com Uninstall.lnk ebapepyno.db emuziwe.pif ugozuf._sy uxitavo.dl carugy.com yquxihet.exe ojupegos.pif qanof.bin yrihoka.lib zecorykyp.lib AntivirusPro_2010.cfg AntivirusPro_2010.exe AVEngn.dll daily.cvd htmlayout.dll Microsoft.VC80.CRT.manifest msvcm80.dll msvcp80.dll msvcr80.dll pthreadVC2.dll Uninstall.exe wscui.cpl medoqokeqo.exe ycevykazu.vbs yhabozix.vbs _scui.cpl azasal.bin dinubem.dl exifoton.dll mifiryvele.exe ralun.sys

Delete directories:
c:\Program Files\AntivirusPro_2010

• Super Anti Spyware
• Malwarebytes Anti Malware -
• Windows Defender -

Information updated: 08/10/09

polonus

[avastuser1000]

that is not very helpful. 
and for a third time i followed the directions on bleeping computer that you felt compelled to state again.
so far this forum is teaching me that there are a lot of well intentioned people here that don't seem to bother actually reading a posting before they reply. 
as for your safe computer methods, you know what would be an even better way to avoid not contracting malware - not to use your computer at all.
i am not unfamiliar with computers, and support a couple of hundred of them for 5 small companies and a small nonprofit.
the business all have trendmicro worry free security suite (which by the way stopped this infection when tested by visting the same site), but the nonprofit uses avast because of their seemingly generous pricing.  i say seemingly because if the darn thing can't stop a virus then all they have sold us is false sense of protection.  this happened on my personal laptop and i use a different free antivirus program on my other personal computers because of potential flaws in an antivirus program like avast apparently has.  i am looking for an explanation as to why this happened, if it is a known problem with avast home, if it is only a problem with the free avast home or if the paid versions are also subject to this flaw.  suggestions on how to remove it are mute at this point, the real question is if avast is subject to vulnerabilities like this and if so is it a product for the bit bucket or does it actually work (sometimes).  but this forum appears to only be wasting more of my time.

[Mr.Agent]

*edit*

Changed my mind.

Mr.Agent

[essexboy]

Hi could you run these two programmes so that I can see what you have

Please save this file to your desktop. 
Double-click on it to run a scan. 
When it's finished, there will be a log called Win32kDiag.txt on your desktop.  Please open it with notepad and post the contents here.

We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop.
• Zip Mirrors (Recommended)
   
  • Primary Mirror
       
  • Secondary Mirror
       
  • Secondary Mirror
     
• Rar Mirrors - Only if you know what a RAR is and can extract it.
   
  • Primary Mirror
       
  • Secondary Mirror
       
  • Secondary Mirror
     
• Extract RootRepeal.exe from the archive.
• Open on your desktop.
  
• Click the tab.
  
• Click the button.
  
• Check all seven boxes:
  
• Push Ok
• Check the box for your main system drive (Usually C:), and press Ok.
• Allow RootRepeal to run a scan of your system. This may take some time.
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
  

[Mr.Agent]

*edit*

Changed my mind.

Mr.Agent

[Pondus]

the machine has been reloaded so the suggestions though appreciated are pointless.

and for a third time i followed the directions on bleeping computer that you felt compelled to state again.
so far this forum is teaching me that there are a lot of well intentioned people here that don't seem to bother actually reading a posting before they reply.

[Tarq57]

I believe just about anybody who has had a computer infection probably has similar questions regarding their own installed AV.
I've seen several users (and been one) who have had a particular AV fail to detect (or more commonly, detect but fail to remove) some nasty. The range of products used (and failed, in the instance concerned)  is extensive, and includes the "big names".

So I'm not about to defend Avast on this one, except to say that with the number of new variants of rogue software (and malware generally) increasing at such a huge rate (this year alone, so far by 585% (according to that study) it is not surprising that any AV will occasionally miss one.

(Myself, I changed Av's a number of times before settling with Avast, and have been "settled" happily for over three years. It ain't perfect, but it's helped keep me malware free. For those three years.)

One thing you could look at for the future is tying down the browser exposure a bit. These sorts of things can almost have a free reign if undetected by an AV, with a lot of standard browser configurations. Specifically, prompt for all scripting, in any of the internet zones. Many legit sites get hacked and a hidden frame (an "i-frame", whatever that is, you probably know) is inserted. The site is entered, the script run (unless blocked) and Bang. Malware installed.

All that is required is the appropriate vulnerability in the computer visiting the site, and a compromised site.
I guess you already know to keep all installed software up to date/patched.

[avastuser1000]

Thanks Pondus both for actually reading my posts and for saving me from having to repeat myself for the nth time.
I just figured out why Avast Home screwed me...  the Home version lacks the Script Blocker which the Professional version has.  And it was a visit to an infected site that triggered a script that reeked havoc on my laptop.  So I can only conclude that Avast Home sucks and can not in good conscious recommend this product to anyone again.  The Home product is promoted as essentially the same as the Professional product but only for use by individuals... but in reality the lack of the script blocker alone makes it a highly vulnerable product and worth considerably less than it's $0 price.

[Pondus]

Not sure, but i think Malware Bytes PRO would have blocked it from installing

[Tarq57]

As I said above, (and have a sneaky felling I might have been mistaken for someone else)
Blocking or prompting for scripts to run in the browser would have prevented it loading.
Firefox with noscript works for me.

And as an aside, layered protection is highly recommended, no matter what the AV.

[YoKenny]

As I said above, (and have a sneaky felling I might have been mistaken for someone else)
Blocking or prompting for scripts to run in the browser would have prevented it loading.
Firefox with noscript works for me.

And as an aside, layered protection is highly recommended, no matter what the AV.

+1 for Layered Protection

WinPatrol the Security Monitor that's free would have detected it and Malwarebytes Pro would have prevented it and its small lifetime charge is well worth having an additional layer of protection.

Relying on one application has unfortunatly come to an end to protect our systems from today's prolific malware purveyors.