Eicar standard virus test

[niko]

Hi all !
I've just made an Eicar standard virus test, avast! detects immediately the "virus", but now I can't delete it usin the avast! warning windows.
If someone can help me I'll be very happy

[softwareguy]

Is the "test file" already gone?  

[RejZoR]

How do you mean you cannot delete it? Do you click Delete button on that warning pop-up window? And is then EICAR file still there or not?

[softwareguy]

Maybe some other programs are using the file?
Explorer.exe is one which likes doing that.  
Try using ForceDel to close any handles and delete the file.
Good Luck!

[softwareguy]

explorer.exe = Windows Explorer
iexplore.exe = Internet Explorer
Although IE is integrated into Windows Explorer

Try ForceDel if you are having trouble deleting the file.
http://www.codeguru.com/Cpp/W-P/files/fileio/article.php/c1287

[bassbag]

What is the path to the eicar test file?.It may be that (if you use XP) that a restore point has been created and a copy of the eicar file is now in the protected system restore folder.Can you confirm this?
me

[softwareguy]

Yes, if that's the case, you would have to disable System Restore before deleting that file.

System Restore could be disabled via System Properties.

[softwareguy]

niko, bassbag reply asks for the path of the eicar.com test file that has been detected by Avast. It is not necessary to perform an system restore on that date. (System Restore does not modify your existing files. It only overwrites system file changes and the registry.) Since the path you provided isn't the system restore folder, you could either try deleting eicar in Safe Mode or try using the ForceDel utility I mentioned above.

Good Luck!

[bassbag]

Actually i can reproduce nikos error to.If i download eicar.com file (to temp internet files)avast intercepts and pops up with the delete move etc , but cannot do any of the functions.The only way to let it do its work is to download the file completley and then do the scan.Is this a bug?
see attachment..
me

[softwareguy]

Ummm... I don't have this problem.
I tried it on my XP and it deleted okay...
Maybe just a 9x problem?  

P.S. I see from your screenshot that BitDefender is installed on your computer. Is it possible that BitDefender is locking down access for the test file?

[bassbag]

I m not sure whtehr its a 98 thing because niko uses XP pro.The bit defender i use is the free version which is only an on demand scanner....not resident or running.On further investigating , the eicar.com file is now completly locking my system and only a reboot works.The avast detection bar springs up and the machine locks, although control alt delete is accessible and it shows asherve.exe not responding.Then all other programmes encounter errors and shut down.There is also an entry in the avast warning logs when this happens...
10/06/04 22:17:28   Default   4294966701   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\WXMN0PER\EICAR[1].COM" file.  
10/06/04 22:19:21   Default   4293065153   AAVM - initialization warning: Recovering from last crash, .  
10/06/04 22:19:50   Default   4293065153   Function setifaceUpdatePackages() has failed. Return code is 0xC0000005, dwRes is C0000005.  
10/06/04 22:19:51   Default   4293065153   An error has occured while attempting to update. Please check the logs.  
10/06/04 22:20:07   Default   4293065153   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\AR4DCXIT\EICAR[1].COM" file.  
10/06/04 22:21:26   Default   4293065153   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\WXMN0PER\EICAR[1].COM" file.  
10/06/04 22:21:49   Default   4293065153   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\DESKTOP\EICAR.COM" file.  
10/06/04 22:22:46   Default   4293212861   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\Desktop\EICAR.COM" file.  
10/06/04 22:23:12   Default   4293065153   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\WXMN0PER\EICAR[1].COM" file.  
10/06/04 22:23:46   Default   4293065153   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\Temporary Internet Files\Content.IE5\WXMN0PER\eicar[1].com" file.  
10/06/04 22:25:35   Default   4293065153   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\AR4DCXIT\EICAR[1].COM" file.  
10/06/04 22:26:18   Default   4293065153   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\8TQJGTE7\EICAR[1].COM" file.  

I need to investigate further but would appreciate any comments too.
me

[bassbag]

Happened again with similar log...
10/06/04 22:17:28   Default   4294966701   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\WXMN0PER\EICAR[1].COM" file.  
10/06/04 22:19:21   Default   4293065153   AAVM - initialization warning: Recovering from last crash, .  
10/06/04 22:19:50   Default   4293065153   Function setifaceUpdatePackages() has failed. Return code is 0xC0000005, dwRes is C0000005.  
10/06/04 22:19:51   Default   4293065153   An error has occured while attempting to update. Please check the logs.  
10/06/04 22:20:07   Default   4293065153   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\AR4DCXIT\EICAR[1].COM" file.  
10/06/04 22:21:26   Default   4293065153   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\WXMN0PER\EICAR[1].COM" file.  
10/06/04 22:21:49   Default   4293065153   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\DESKTOP\EICAR.COM" file.  
10/06/04 22:22:46   Default   4293212861   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\Desktop\EICAR.COM" file.  
10/06/04 23:03:05   Default   4294963835   Sign of "EICAR Test-NOT virus!!" has been found in "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\AR4DCXIT\EICAR[1].COM" file.  
10/06/04 23:04:44   Default   4293672295   AAVM - initialization warning: Recovering from last crash, .  
10/06/04 23:05:19   Default   4293672295   Function setifaceUpdatePackages() has failed. Return code is 0xC0000005, dwRes is C0000005.  

Does Avast attempt to update everytime i clcik on the eicar.com virus? , as i notice AAVM warnings.
me

[Vlk]

Hmm, bassbag that log doesn't look very nice, really. Particularly the lines "Recovering from last crash" indicate something very mean happened to avast. Did you see the program "crash", really?

[niko]

Is it a foggy day ?
 

[bassbag]

Hi vik...
I cant see avast crash..it just freezes along with my computer,only on the eicar.com file.As soon as i click it , the blue yellow bar pops up by taskbar showing theres a virus (no audible sound though) and my system hangs.The only thing i have acess to is control +alt +delete which says ashserve.exe not responding.Then all my othe programmes like naviscope ,remind me (calendar ) etc throws up an error message and says they have to close until i just have to do a hard reboot.The logs are directly after thes occurrences.When i have some more time ill shut down different progs and see if theres a conflict.However avast detects many test viruses and trojans that i ve thrown at it with nio problem.It just doesnt seem to like the eicar.com test for some reason.
me