Malfunctioning Standard Shield

[satishincbs]

I think there seems to be some problem with the standard shield in my Avast! home edition.

I am using the latest signature as well as program updates.

A little while earlier, i double clicked on a program setup on a CD a friend gave to me. Avast! warned that it was infected with W32.Parite.B virus and i guess it should have stopped access to the file immediately.

Unfortunately, in a little while longer, warnings began to pop up that some of the files in C;\Windows were infected by the same virus.

I had scanned my computer earlier in the day and before this incident my computer was virus free for sure.

I have the standard shield set at high.

Any comments?? Anything i didnt do right??

[Lisandro]

Don't panic...
Maybe avast was just unpacking the file to the temporary folder of windows and scanning it...
Did you scan the HDD after the 'infection'?

[igor]

Hmm, that's strange... Standard Shield certainly shouldn't allow any infected file to be started.

What's your OS, avast! version, settings of the Standard Shield...?

[satishincbs]

hi

im using win98 se.

my signature database is dated 08/17/04, program version is 4.1.418.

my standard shield is running at high sensitivity.

[satishincbs]

hi

looked up the virus chest, the infected files were not temp files.

they include clspack.exe,msnmsgr1.exe, drwatson.exe...
and a couple of others.

they are windows system files i guess, other than msnmsgr1.exe i guess.

[Lisandro]

Even this way you can boot your computer?
Maybe the virus disable avast protection... Like Igor said it's strange but let's try to solve it. Can you follow the link 'Virus Clean' in my signature. Whocares gives us a lot of save procedures to get rid from virus...  

[satishincbs]

hi

well i finally got rid of the virus.

booted from my windows rescue disk, started nod32 for dos and cleaned the infected windows files.

may i suggest (correct me if im wrong) that avast! add a dos based scanner to the main program which we can run using the avast! signature in case windows is infected. you could keep the dos scanner in a rescue disk and ask it to locate signatures in the avast! antivirus directory.

im sure it could work and above all no virus could infect signature files as they are not executable.

plus, such a thing could work with all versions of windows whether ME or XP or anyother as long as they use FAT for their hard disk (there is a way out even in case of NTFS).

thnx and regards

satish

[Eddy]

add a dos based scanner to the main program...

Avast has a boot time scan which you could have used.

Avast has also a free dos version which you could have used.

Avast also has the BART cd which you could have used.

Next time a doing a little research first?

[igor]

Well, for Parite virus, I'd rather suggest the integrated avast! Virus Cleaner (that should have been offered in the avast! Virus dialog). That is the easiest way to remove the virus.

[Lisandro]

May i suggest (correct me if im wrong) that avast! add a dos based scanner to the main program which we can run using the avast! signature in case windows is infected. you could keep the dos scanner in a rescue disk and ask it to locate signatures in the avast! antivirus directory.

im sure it could work and above all no virus could infect signature files as they are not executable.

plus, such a thing could work with all versions of windows whether ME or XP or anyother as long as they use FAT for their hard disk (there is a way out even in case of NTFS).

Satish, of course you can suggest but I think the policy of Alwil is just release the Windows version for free (home and non-commercial use). F-Prot, for instance, make for free only the DOS version, not the Windows one...

You can use avast for DOS in FAT (FAT32) partitions... (or boot time if on XP).
If you have NTFS, just use the boot time scanning (as you will be with Windows 2k/XP).

Anyway, glad that you find a solution  

[satishincbs]

guys

you have misunderstood my point here.

when the virus infected setup got executed inspite of an active standard shield, i could not  trust in any windows based program to check for the virus, there was no certainty that it would not have been infected.

same goes for any other executable file in my hard disk (read the boot up scanner).

so my suggestion was to enable the user to put  a dos based scanner , whether you call it boot up scanner or whatever, onto a floppy to scan his/her computer when windows itself got infected as in my case.

plus, i did some research on the parite virus and i found it to be a fast infector, infecting a huge number of programs in a short while.

so most probably, the boot up scanner would have also been infected in the mean time and so the story moves on further.....

so my suggestion was to have a program onto a floppy disk which uses the signature files on a hard disk (that way it fits onto a floppy) and you can therefore avoid running a n infected scanner.

also, running the avast! cleaner while the virus was active in the memory did not seem to be a good idea to me, but still i tried it and it unfortunately failed.

it too got infected i guess.

in essence, what i am suggesting for is to use an existing piece of technology and adapting it for a new/additional use to get better protection.

thats it !!

[igor]

so most probably, the boot up scanner would have also been infected in the mean time and so the story moves on further.....

The boot-time scanner is not an ordinary executable module - so, the virus cannot infect it such that the "infection moves on". In the worst case, its executable may be corrupted and stop working, but it wouldn't spread the infection.

also, running the avast! cleaner while the virus was active in the memory did not seem to be a good idea to me, but still i tried it and it unfortunately failed.

Can you be a little more specific about the failure/output?
avast! Virus Cleaner is designed specifically to be working when the virus is active in memory (in general, it's better to run it when the virus is in memory than trying things like booting to safe mode).

[satishincbs]

hi

im sorry if i am raising a storm here and coming across as ignorant .

i guess i mistook the "repair" option in the pop up warning for the cleaner and in my case, the "repair" did not work and avast! gave me an error message.

just to check everything i ran the infected setup again (after backing up my inportant data). again i got infected inspite of avast! standard shield running.

but i should say, i started avast! antivirus and during the memory check, it detected the virus in memory and gave me a "clean from system" option and it did its work and cleared the infection.

but the fact remains that i got infected.....

i did a bit of analysis (if u can call it so .. , the setup itself was certified clean by avast! but it seems some other files which were part of the package were infected and these were executed by the setup and hence the infection....

i still believe that the execution of these files should have been stopped in the first place.

but finally, no harm done....

thnx and regards

satish

[Eddy]

but it seems some other files which were part of the package were infected and these were executed by the setup and hence the infection....

Are these archives, perhaps even pasword protected?

[satishincbs]

no, these were all exe files, perhaps a whole lot of them were executed at once and avast! couldnt cope with the whole lot of them, but this i merely speculation.