Author Topic: Avast Malware Removal Behavior  (Read 2830 times)

MossyRock

  • Guest
Avast Malware Removal Behavior
« on: December 04, 2009, 04:39:34 PM »
Hello,

A machine that I support was hit by the recent FP problem, and the user deleted several FP hits interactively and then ran a boot scan.  The result is now the system is complaining of a DLL that is missing.  This DLL is in the chest, and I will be connecting remotely soon to restore it using the published Avast restore procedures.

I'm not that familiar with the way Avast behaves during boot scans.  I've read that there is a log file in c:\program files\alwill software\avast4\data\report\aswboot that contains all files Avast finds a problem with during a boot scan.  Is this correct?

Are these files moved to the chest or are they deleted?  Is there any way to control which happens?

When DLL files are moved to chest or are deleted, are they unregistered from the registry?

If so, when restoring from the chest does Avast register them again?

Thank you.
« Last Edit: December 04, 2009, 04:42:13 PM by MossyRock »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Avast Malware Removal Behavior
« Reply #1 on: December 04, 2009, 06:11:23 PM »
Yes, the file is aswBoot.txt, but it doesn't record the action selected by the user, only information on the alert, e.g. malware name, file name and location, etc.

If the user selects Delete as the option upon detection then that is exactly what avast will do, so recovery would require some form of file recovery application.

- Recuva Deleted File Recovery application - http://www.recuva.com/, also see Builds, http://www.recuva.com/download/builds as the Portable version would help as it doesn't have to be installed and the slim version if you don't like toolbars.

Only if the user selects Move to Chest will they be sent to the chest.

I believe avast would look for associated registry entries if the detection was spyware related, so you may be right; the dll could effectively have been unregistered.

I don't know if, on Restoration from the chest, the dll would subsequently be registered, as I have never had to do this myself.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

MossyRock

  • Guest
Re: Avast Malware Removal Behavior
« Reply #2 on: December 04, 2009, 06:20:04 PM »
Thank you David, for your reply.