Author Topic: Avast update brings virus ???  (Read 10631 times)

Offline JEZ

  • Newbie
  • *
  • Posts: 3
Avast update brings virus ???
« on: August 03, 2004, 11:31:20 AM »
I apologize in advance if I'm wrong, but I suspect that the latest update of Avast is infected.

I have 3 computers in my home LAN, and they are set up for automatic Avast updates. I have rebooted 2 of them today and both loaded Windows (2000) but the desktop remained blank (no taskbar, no icons).

Of course I searched the Microsoft knowledge base and removed some files they say may cause this, but nothing helped. Then I decided to run Avast (I can still run programs by pressing Ctrl-Shift-Esc to bring up the task manager, and then choosing File/Run from the menu).

When Avast loaded it discovered that there's an infected process (explorer.exe). So I scheduled a boot scan and restarted. Avast found that \WINNT\explorer.exe is infected with Win32:Trojan (other), and deleted it. However Windows again booted to a blank desktop. I checked and discovered that the virus re-creates the false explorer.exe again and again.

After hours of trying to understand what is happening, I realized that there are more infected files in \WINNT and \WINNT\SYSTEM32. I performed a binary compare (FC /b) over the LAN, and discovered differences even in some control panel applets (*.cpl files).

It seems that the virus infects some system files that load with Windows, so there's no way to boot to a clean windows (even in safe mode Avast finds the virus in memory).

Of the 2 infected computers, one had nothing installed recently, and the only new programs are the automatic updates of Avast. I am sure about it because my wife uses it and she doesn't even know how to download and install programs.

The third (uninfected) computer seems to be totally clean. However I'm afraid to reboot it because I think it downloaded the same Avast update and maybe after reboot it will also be infected. This one also had nothing new installed recently.

Can anyone confirm this? Any advice what I can do other than re-format and re-install everything?

Thanks,

J.
« Last Edit: August 03, 2004, 11:45:53 AM by JEZ »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11791
    • AVAST Software
Re:Avast update brings virus ???
« Reply #1 on: August 03, 2004, 12:50:16 PM »
Can you send some of the "infected" files to virus@avast.com (with a brief description), please?
« Last Edit: August 03, 2004, 01:07:01 PM by igor »

Offline JEZ

  • Newbie
  • *
  • Posts: 3
Re:Avast update brings virus ???
« Reply #2 on: August 03, 2004, 01:51:36 PM »
> Can you send some of the "infected" files to virus@avast.com (with a brief description), please?

I have sent you an email with detailed description of what I see and attached RAR file that contains:

1. explorer.exe from apparently clean computer.
2. explorer.exe from apparently infected computer.

I hope it helps!

J.


Offline levinut

  • Newbie
  • *
  • Posts: 3
Re:Avast update brings virus ???
« Reply #3 on: August 03, 2004, 02:57:03 PM »
I have this same issue!
same virus and same explorer.exe.

Unfortunately I deleted explorer.exe and now have no desktop icons or taskbar.
I have to use task mgr to do anything.

The avast scan seems to keep finding the virus even though I delete it.
Is this a new virus?  What does {Other} in "win32:trojan-gen. {Other}" mean?
I can't seem to find info on it.

Do I have to re-install???

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11791
    • AVAST Software
Re:Avast update brings virus ???
« Reply #4 on: August 03, 2004, 03:10:18 PM »
I'd suggest waiting a while for the file analysis before taking any "hard" actions.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11791
    • AVAST Software
Re:Avast update brings virus ???
« Reply #5 on: August 03, 2004, 04:01:02 PM »
OK, it seems it's a false alarm - it will be fixed as soon as possible.
Sorry for the troubles.

Offline JEZ

  • Newbie
  • *
  • Posts: 3
Re:Avast update brings virus ???
« Reply #6 on: August 03, 2004, 05:31:38 PM »
levinut -

Don't worry, Windows keeps copies of explorer.exe and re-creates the file automatically (in fact that's what made me think that a virus is running wild on my system - I just couldn't get rid of explorer.exe no matter how hard I tried).

If for some reason Windows doesn't re-create explorer.exe for you, you can still copy the file yourself from (windir)\system32\dllcache or EXPAND the original file from the Windows installation CD.

If all else fails I can email you my explorer.exe ...


To Avast team -

I'm glad that it turns out to be just a false alarm. I apologize for blaming Avast for bringing in the virus, but I hope you understand that when two different computers stop working after an update...

Anyway you deserve a big Thank You for a great free product!

J.
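
The checks described in this thread (FC /b between machines, the dllcache copy), sketched as an added example that is not part of the original posts: a SHA-256 comparison of a flagged file against several reference copies. The file names are constructed stand-ins for the Windows paths, and `triage` and `demo` are hypothetical names.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(flagged, references):
    """Compare a flagged file with named reference copies.

    Returns (verdict, details). The verdict is 'matches-reference' if any
    reference is byte-identical, 'differs-from-all' if readable references
    exist but none match, and 'no-reference' if none could be read.
    """
    flagged_hash = sha256_of(flagged)
    details = {}
    for name, ref in references.items():
        try:
            same = sha256_of(ref) == flagged_hash
            details[name] = "match" if same else "differ"
        except OSError:
            details[name] = "missing"  # e.g. the cached copy was deleted
    if "match" in details.values():
        return "matches-reference", details
    if "differ" in details.values():
        return "differs-from-all", details
    return "no-reference", details

def demo():
    """Constructed sample: temp files stand in for the real Windows paths."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "explorer.exe").write_bytes(b"MZ constructed sample A")
        (root / "dllcache_explorer.exe").write_bytes(b"MZ constructed sample A")
        (root / "other_pc_explorer.exe").write_bytes(b"MZ constructed sample B")
        return triage(root / "explorer.exe", {
            "dllcache": root / "dllcache_explorer.exe",
            "other machine": root / "other_pc_explorer.exe",
            "ServicePackFiles": root / "absent.exe",  # deliberately absent
        })

if __name__ == "__main__":
    print(demo())
```

A match with a copy expanded from the installation CD is the strongest evidence that the flagged file is the stock binary, since a cache copy on the same disk could have been altered along with it. A mismatch against another machine's copy is weaker evidence of tampering, because the two machines may simply be at different service pack levels.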

Offline Pavel

  • Massive Poster
  • ****
  • Posts: 4305
  • Nostalgia isn't what it used to be...
    • ALWIL Software
Re:Avast update brings virus ???
« Reply #7 on: August 03, 2004, 05:37:50 PM »
The update solving the false alarm is available now. Again, sorry for any troubles...

Pavel
All of us could take a lesson from the weather. It pays no attention to criticism.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31311
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Avast update brings virus ???
« Reply #8 on: August 03, 2004, 05:47:33 PM »
Where people work, people make mistakes Pavel ;D
The good thing is that Alwil (Avast) is one of those companies that really listen to their customers and has a very fast response time !
Very much appreciated ! :D :D :D

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:Avast update brings virus ???
« Reply #9 on: August 03, 2004, 05:55:58 PM »
Well well well,

I'll look forward to booting up my Win2000 with avast at home..  ;D ;D

How come this false positive ?
Not tested on Win2000 ? or not on older/new versions patch-level-wise ??

? ;)

Offline jembow

  • Newbie
  • *
  • Posts: 4
Re:Avast update brings virus ???
« Reply #10 on: August 03, 2004, 06:00:27 PM »
Hello,

Same thing happened to me on two different computers. On one, I expanded and it worked fine....

On the other, problems:

I deleted the "explorer.exe" in "c:\winnt\" & "...\dllcache\"  - upon reboot the file is NOT recreated.

I copied "explorer.exe" from another machine and also expanded from the Win2K install CD.

Each time I try to run it via the Task Mgr / command line I get the following error:

"Program too big to fit in memory"

Help is much appreciated.

Thanks,
-John

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:Avast update brings virus ???
« Reply #11 on: August 03, 2004, 06:07:39 PM »
Hi John,

- a reboot doesn't help ?

- try running
SFC /scannow
from Start -> RUN (logged in as ADMINISTRATOR)
(But I'm not sure if this works after you've deleted the copy in "dllcache" ?)


-  there should also be the right version of explorer.exe in
C:\WINNT\ServicePackFiles\i386\
--> try copying it from there (maybe after booting from Win2k-CD and going to the console ?)

*

But maybe you should wait until someone from ALWIL team comes up with a suggestion..

 ;)

Offline jembow

  • Newbie
  • *
  • Posts: 4
Re:Avast update brings virus ???
« Reply #12 on: August 03, 2004, 06:23:04 PM »
1) Reboot does not help...

2) 'SFC /scannow' ran successfully? (no response or errors) with same results

3)There is no 'explorer.exe' file in my 'C:\WINNT\ServicePackFiles\i386\' directory....

Any ideas?

Thanks!

Offline levinut

  • Newbie
  • *
  • Posts: 3
Re:Avast update brings virus ???
« Reply #13 on: August 03, 2004, 06:26:19 PM »
I am going to save all docs and re-install windows 2000 to the same directory.
I will let you know tomorrow if it works...

Offline harkx

  • Full Member
  • ***
  • Posts: 101
    • Cats & Dogs
Re:Avast update brings virus ???
« Reply #14 on: August 03, 2004, 07:35:55 PM »
I have seen that on Win2k with SP3 , SOME computers do have the problem. No matter what, updating avast (it's available now!) does the trick.

Other solution (we've tried it in between updates) is updating the windows 2000 to SP 4...

The "problem" virus definitions do not seem to influence the win2k with SP4..
« Last Edit: August 03, 2004, 07:39:40 PM by stoffell »