Topic: One Nasty Virus/Trojan - Kills all virus scanners


DavidR
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #105 on: November 01, 2009, 09:40:41 PM »
Quote:
Is it possible to access the Avast vault from Puppy Linux

Quote:
Yes, it is, sort of. The files can be accessed from the sda2 icon or from /mnt/sda2. They live in Program Files/Alwil Software/Avast4/DATA/chest but the files are not named anything but random names. What was found and which is which is tracked in index.xml which lives there with them.
<snip>

You're right in the 'sort of' comment. Even if it is possible to access the files in the chest folder, assuming you are able to work out what the random file names are (if that data is in the index.xml, and I would doubt that, seems too easy), those files are also encrypted.

So if you did manage to find what files are what, you would have to decrypt them and that isn't going to be easy.

Lynn210
« Reply #106 on: November 01, 2009, 09:43:31 PM »
When I click on the renamed file I get this window

No run action specified for files of this type (application/x-shellscript) - you can set a run action by choosing `Set Run Action' from the File menu, or you can just drag the file to an application.

Note: If this is a computer program which you want to run, you need to set the execute bit by choosing Permissions from the File menu.

edifyguy
« Reply #107 on: November 01, 2009, 09:43:54 PM »
Quote from: DavidR on November 01, 2009, 09:40:41 PM
You're right in the 'sort of' comment. Even if it is possible to access the files in the chest folder, assuming you are able to work out what the random file names are (if that data is in the index.xml, and I would doubt that, seems too easy), those files are also encrypted.

So if you did manage to find what files are what, you would have to decrypt them and that isn't going to be easy.

That data does seem to be present in the index.xml file, but not in an easily-human-perceivable format. I think the greater information to be gained is the names of the threats found, which are in human-perceivable format. I'd like to see Lynn's, if she has a chance to upload it, but it's more a matter of curiosity.

edifyguy
« Reply #108 on: November 01, 2009, 09:48:56 PM »
Quote from: Lynn210 on November 01, 2009, 09:43:31 PM
When I click on the renamed file I get this window

No run action specified for files of this type (application/x-shellscript) - you can set a run action by choosing `Set Run Action' from the File menu, or you can just drag the file to an application.

Note: If this is a computer program which you want to run, you need to set the execute bit by choosing Permissions from the File menu.

Ugh, yes, that can happen. Do this: right-click it, select "Window > Terminal Here" then type in "sh remove1.sh" in the resulting window. That'll run it and it should remove the previously discovered evilware.

How are we coming with the second-phase scan? Still not going? It should just go..........did you close the "xterm simulate hold.sh" window from before? You should have.
« Last Edit: November 01, 2009, 09:53:17 PM by edifyguy »

Lynn210
« Reply #109 on: November 01, 2009, 09:53:02 PM »
Every time I try to type what it says at the top of the scanning window I get knocked out of the forum, so let's try one more time.

I got it to run by letting it put the report in its default location. The first few lines say:

Error: Can not open devicefile /dev/ram10 no such file or directory

There are 6 lines all the same except ram10 through ram15.

Nothing else is showing, but one of the lines next to scanning spins around every now and then...

edifyguy
« Reply #110 on: November 01, 2009, 09:56:11 PM »
OK, fine, fine. That'll do........

I wonder why it's complaining now about putting the report right on the hard drive.....it shouldn't mind.

The main reason that I wanted to put the report file somewhere else was simply that it goes, by default, in a hidden folder that doesn't get saved to the hard drive (isn't permanent) but we'll work around it. Not a big problem.

Let us know when it gets done with the second scan.

EDIT: If I wasn't clear, it's working now. It's actually scanning.

Lynn210
« Reply #111 on: November 01, 2009, 10:00:24 PM »
Quote from: edifyguy on November 01, 2009, 09:48:56 PM
Ugh, yes, that can happen. Do this: right-click it, select "Window > Terminal Here" then type in "sh remove1.sh" in the resulting window. That'll run it and it should remove the previously discovered evilware.

How are we coming with the second-phase scan? Still not going? It should just go..........did you close the "xterm simulate hold.sh" window from before? You should have.

Still says the same thing... cannot remove, that the files are read-only.

Lynn210
« Reply #112 on: November 01, 2009, 10:03:30 PM »
I suppose the file can be copied to the hard drive.

Tell me something... what do I have to do so that I don't end up on the home page of the forum every time I reply?

Isn't there some way to stay in the thread?

Lynn210
« Reply #113 on: November 01, 2009, 10:04:47 PM »
Do you think it is ok to mess around with the hard drive
to find that file you wanted while it is scanning?

edifyguy
« Reply #114 on: November 01, 2009, 10:08:06 PM »
OK, then here's what's going on:

Your hard drive apparently got mounted read-only because of an improper shutdown in Windows last time. The read-write NTFS driver will not go by default if the drive is flagged dirty by Windows, and then the default mounter takes over and mounts it read-only.

Once the scan is done and ONLY once the scan is done, type these two lines in a console box (no quotes):

    umount /dev/sda2
    ntfs-3g /dev/sda2 /mnt/sda2 -o force

This will force it to give us read-write access to the hard drive, which will be essential to fixing this. But if you do that while it's scanning, it flat out won't work, or it'll interrupt the scan.
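Added example, not code from the thread and not part of Puppy Linux, Avast or ntfs-3g: a POSIX shell snippet that checks whether a mount point is currently read-only by parsing /proc/mounts, and prints (without running) the umount / ntfs-3g -o force sequence edifyguy gives above. The device and mount point follow the thread (/dev/sda2, /mnt/sda2) and are assumptions for any other machine; the mount-table text used to exercise it is constructed. It deliberately does not perform the remount itself, for the reason given in the post: forcing the mount while the scan is still reading the volume can break the scan.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether a mount point is
# read-only and prints the forced read-write remount sequence described above.
# Device/mount point defaults follow the thread (/dev/sda2, /mnt/sda2) and are
# assumptions for any other machine.

# mount_is_ro MOUNTPOINT MOUNTS_TEXT
# Exit 0 if MOUNTPOINT appears in MOUNTS_TEXT (the format of /proc/mounts:
# "device mountpoint fstype options dump pass") with "ro" among its options,
# exit 1 otherwise. The table is passed as text so the function can be run on
# a captured copy as well as on the live file.
mount_is_ro() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# remount_rw_cmds DEVICE MOUNTPOINT
# Print (do not run) the two commands from the post: unmount, then let
# ntfs-3g mount the volume read-write even though Windows left it flagged
# dirty. "force" is a documented ntfs-3g mount option for exactly that case.
remount_rw_cmds() {
    printf 'umount %s\nntfs-3g %s %s -o force\n' "$1" "$1" "$2"
}

# Stand-alone use: inspect the live mount table, if there is one.
if [ -r /proc/mounts ]; then
    if mount_is_ro /mnt/sda2 "$(cat /proc/mounts)"; then
        echo "/mnt/sda2 is mounted read-only. After the scan finishes, run:"
        remount_rw_cmds /dev/sda2 /mnt/sda2
    else
        echo "/mnt/sda2 is not mounted read-only (or not mounted at all)."
    fi
fi
```

The options field is split on commas so that an option such as errors=remount-ro is not mistaken for ro. On a system that has util-linux, `findmnt -no OPTIONS /mnt/sda2` gives the same options field directly.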

Tarq57
« Reply #115 on: November 01, 2009, 10:12:17 PM »
There is a copy of the chest contents (not screenshot - transposed/typed)  here.

Lynn210
« Reply #116 on: November 01, 2009, 10:13:13 PM »
OK.

I thought I had closed the old scan window but it was still open. I closed it now; the scan seems to be going OK, slow but sure.

Should I let it go or restart it?

Since it is set to a different location, wouldn't it be OK, or is it running in a temp area???


edifyguy
« Reply #117 on: November 01, 2009, 10:14:42 PM »
Quote from: Lynn210 on November 01, 2009, 10:03:30 PM
I suppose the file can be copied to the hard drive.

Tell me something... what do I have to do so that I don't end up on the home page of the forum every time I reply?

Isn't there some way to stay in the thread?

Yes. Click "Additional Options..." and check the box that says "Return to this topic" and it'll do that.

As for rifling around on the hard drive while it's scanning, yes it's possible, yes it's safe, but there's a bug in the explorer that will crash the desktop if you dig too deep into the Windows folder with it, just due to the sheer droves of files present. I'd suggest you wait to dig too much.

One thing you could do while you're waiting is to go into the Avast! chest and upload the index.xml file so we can see what Avast! had found. Copy it to my-documents first, though, otherwise it won't rename since the hard drive is read-only right now. That file lives in sda2 > Program Files > Alwil Software > Avast4 > DATA > chest. You can get to my-documents in 2 clicks by clicking the "File" icon in the upper-left corner, then my-documents in there. Then just drag the file over, rename it, and upload it.

Lynn210
« Reply #118 on: November 01, 2009, 10:15:14 PM »
I meant to mention that to you edifyguy

I thought it would be of interest then forgot with all else going on

I had to type it all because I could not get anything to work.. not even
notepad..

 :o

edifyguy
« Reply #119 on: November 01, 2009, 10:16:12 PM »
Quote from: Lynn210 on November 01, 2009, 10:13:13 PM
OK.

I thought I had closed the old scan window but it was still open. I closed it now; the scan seems to be going OK, slow but sure.

Should I let it go or restart it?

Since it is set to a different location, wouldn't it be OK, or is it running in a temp area???


It's scanning the real thing, it's just putting the report in a temporary area that will go away once the puter is turned off. Once it's done, we'll copy it back to the hard drive, once we get it out of read-only mode. Not a big deal. I'd let it go. Otherwise it will redo the part it has scanned already. Not necessary.
« Last Edit: November 01, 2009, 10:18:13 PM by edifyguy »