Author Topic: _Avast4_ virus (Read 5965 times)

Jzzkc · « **on:** April 22, 2010, 06:10:34 AM »

This virus has been plaguing me for some time now.

Now, I've searched the interwebs (and this site) and I know you have already confirmed that the Avast4 folder in C:\Windows\Temp is used by Avast for decompression, however there's one issue: I uninstalled Avast, a week ago actually. I recently upgraded to GDATA. The folder, no matter how many times I deleted it, reappeared. I went into safe made, opened registry editor, and used my common sense to determine which Avast! registry keys were unneccessary. I deleted them. All of them. Back on the full system, it has made an effect. All components of my computer are now working, however the _Avast4_ folder shows random pop up messages telling me that I, "Have insufficient rights to delete this folder". I hit OK, and then the folder gets deleted.

If that isn't enough proof, both Avast! and G-DATA denied registry changes, as well as port attacks, yet were unable to find the source of the problem.

Malware-Bytes' Anti Malware was clean
Spybot Search and Destroy was clean
Ad-Aware was clean
GData was clean
Avast! was clean

After I uninstalled Avast though, I kept getting these, "Access to registry denied" messages from my AV.

Also, I did a scan with Avast! that lasted 4 hours, and it came up with a few results, most of which were false positives. One interesting thing that did pop up, however, was Win32.WinSpy (Trj). I don't know if it could have falsely misidentified a file. However, Avast was "conveniently" bugging and the "Send to chest!" button was not working. Now, I don't know if I'm crazy, but that seems like intentional tampering to me.

"When closing file "C:\Windows\Temp\_avast5_\unp197631899.tmp" the virus "Gen:Trojan.Heur.GM.0004808D18 (Engine A)" has been detected. Access denied."

I attached a HJT log, so anything you guys can provide would be great.

Jzzkc · « **Reply #1 on:** April 22, 2010, 07:22:19 AM »

Also, because many people are probably thinking I'm crazy for various reasons...

A: My system is configured to create system restore points daily. What else are you supposed to fill up 500 gigs worth of memory with?
B: G-Data and Avast have given multiple reports (Avast while I used it) of blocking registry changes. Here is a complete list of blocks made by G-Data

When closing file "C:\Windows\Temp\_avast5_\unp64459658.tmp" the virus "Gen:Trojan.Heur.GM.0004808D18 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp99399384.tmp" the virus "Gen:Trojan.Heur.GM.0004808D18 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp153871179.tmp" the virus "Gen:Trojan.Heur.GM.0400C48518 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp236276533.tmp" the virus "Gen:Trojan.Heur.GM.0004008C08 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp46848915.tmp" the virus "Gen:Trojan.Heur.GM.0004008C08 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp205908810.tmp" the virus "Gen:Trojan.Heur.GM.0004008C08 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp37844276.tmp" the virus "Gen:Trojan.Heur.GM.0004008C08 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp23354296.tmp" the virus "Gen:Trojan.Heur.GM.0004008C08 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp256899775.tmp" the virus "Gen:Trojan.Heur.GM.0004008C08 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp75505370.tmp" the virus "Gen:Trojan.Heur.GM.0004808D18 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp42214506.tmp" the virus "Gen:Trojan.Heur.GM.0004008C08 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp34709578.tmp" the virus "Gen:Trojan.Heur.GM.0004008C08 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp79346070.tmp" the virus "Gen:Trojan.Heur.GM.0004008C08 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp221444246.tmp" the virus "Gen:Trojan.Heur.GM.0004808D18 (Engine A)" has been detected. Access denied.
When closing file "C:\Windows\Temp\_avast5_\unp197631899.tmp" the virus "Gen:Trojan.Heur.GM.0004808D18 (Engine A)" has been detected. Access denied.

I'm just spitballin' to get the ball rolling, because I'm convinced that there's something on my system (I was running without a decent AV for a good while). MBAM removed tons of stuff, but I'm fairly certain it didn't get everything.

Is is also possible that G-Data is using the _Avast4_ folder in the same manner that Avast does? Or can that be ruled out.

mikaelrask · « **Reply #2 on:** April 22, 2010, 08:14:08 AM »

welcome to the forum.

i suggest you give SAS a give and see if that could find the problem.

http://filehippo.com/download_superantispyware/

if it does not find anything try a boot scan with avast.

http://www.techiecorner.com/166/avast-how-to-schedule-boot-time-scan-before-window-start/ for v 4.8

http://www.schmahl.net/avastbootscan.php for v 5.
lets hope someone checks that hjt log for you i'm not that good on them i'm afraid.

good luck.

Jzzkc · « **Reply #3 on:** April 22, 2010, 03:02:48 PM »

I ran a SAS scan last night, aside from a few tracking cookies, everything came up clean.

Is it possible that there's something set up in Heuristics that's causing it to give a false positive.

I'm at school right now, so the boot scan doesn't seem like an option. I'm just afraid that a trojan has rooted itself so deeply within my system that AV technology may not be able to find it or reach it.

If you guys think I'm clean, I'll take your word for it ... but I just want to be absolutely sure nothing is stealing mah personal informations.

Pondus · « **Reply #4 on:** April 22, 2010, 03:11:46 PM »

follow Essexboy`s guide here and post the logs here so he can have a look
http://forum.avast.com/index.php?topic=53253.0

if the log`s are big: see down left corner > Additional Options > Attach

DavidR · « **Reply #5 on:** April 22, 2010, 05:17:27 PM »

@ Jzzkc
Your problem is that you have two detection engines in GData (avast and bitdefender)and the C:\Windows\Temp\_avast5_\ folder is where avast unpacks and scans files, so if avast unpacks a file into that folder the other scanners is going to first lock the file, scan it and alert if it is a sample that it detects.

This is a classic conflict between two scanners and gdata has two scanners. This also causes avast a problem as the files in that folder are locked by the other scanner, so it can't scan or remove them if they are still locked.

You have to exclude the C:\Windows\Temp\_avast5_\ folder from scanning by gdata (bitdefender engine) to avoid this conflict/locking/duplicate scanning of files in this folder.

Author Topic: _Avast4_ virus (Read 5965 times)

Jzzkc

_Avast4_ virus

Jzzkc

Re: _Avast4_ virus

mikaelrask

Re: _Avast4_ virus

Jzzkc

Re: _Avast4_ virus

Pondus

Re: _Avast4_ virus

DavidR

Re: _Avast4_ virus