Author Topic: Virus Chest Destroys Files When Restored  (Read 12123 times)


Duran

  • Guest
Virus Chest Destroys Files When Restored
« on: April 24, 2011, 03:55:53 PM »
Hello,

While away from the computer, suddenly I started hearing Avast call out warnings one after another. I brought the computer out of monitor power down mode, only to find file after file being sent to the Virus Chest. In all, a total of 15 files. Files that include WinAMP, DirectX, Epson printer and mouse driver archives. These files have been residing in the same place for months, some for years. All are reported to have a Win32:Tenga virus. No, they don't have a Tenga virus or any other kind of virus.

Virus definitions were last updated on 2011-04-23 @2:49 pm. Why it took Avast 14 hours later, when the computer was doing virtually nothing during this time, to suddenly find all of these false positives makes no sense. It's as if Avast had some sort of computer seizure. But, that is not even the worst part. The worst part happened when I went to restore all the files. Turns out every single one of them is now destroyed.

What do I mean by destroyed?

I mean that Avast restored files from the Virus Chest that are not equivalent to the original files that went into the Virus Chest. These files have been altered to the point of being destroyed. They are now worthless. The files might as well have been deleted and not restored. What is the point of restoring files if they are not completely and fully restored?

Because the Virus Chest can not be trusted to restore files, I have disabled it as much as possible.

Speaking of disabling something as much as possible: why is it that when you disable the Community pop-up thing, Avast continues to litter the temp directory with "cmc*.tmp" files? Shouldn't Avast also stop downloading those files, which are nearly always the same file, once the option is disabled?

Don't misunderstand, I like Avast. I just hate these two issues with a passion.

Can someone please explain to me why Avast doesn't completely and fully restore files from the Virus Chest?

Also, can someone please explain why Avast deems it necessary to continue to download CMC files when the option is disabled?

Thanks.

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #1 on: April 24, 2011, 11:56:02 PM »
The Avast-destroyed files continue to trigger false positives in their destroyed state. This after all updates are current. All Avast-destroyed files have been re-downloaded from their respective owners. Copying these re-downloaded files back to their respective original directories results in more false positives, only this time Avast wasn't allowed to automatically move them to the Virus Chest, so they are, for the moment, safe from Avast.

An interesting side note. Avast is so confident in its findings that it doesn't offer an option to ignore false positives through the alert user interface. Rather unfortunate when you have to go through so many false positive files in a row.

Dch48

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #2 on: April 25, 2011, 12:20:50 AM »
Since nobody else is reporting any false positives by Avast, I would suspect that you have been infected by something new that slipped by Avast. Try scanning with Malwarebytes and see if it finds anything.
« Last Edit: April 25, 2011, 12:27:49 AM by Dch48 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Virus Chest Destroys Files When Restored
« Reply #3 on: April 25, 2011, 12:26:23 AM »
could you post the avast log ?

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #4 on: April 25, 2011, 10:56:59 AM »
Since nobody else is reporting any false positives by Avast,
Someone has to be the first and with my luck it had to be me. ;)


I would suspect that you have been infected by something new that slipped by Avast. Try scanning with Malwarebytes and see if it finds anything.
Well, to be honest I had my doubts it was something new. I ran a full Malwarebytes scan. Below is the Malwarebytes log with additional comment supplied by me on its findings.


Quote from: Malwarebytes Log
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6435

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2011-04-24 11:39:28 PM
mbam-log-2011-04-24 (23-38-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 311655
Time elapsed: 2 hour(s), 40 minute(s), 22 second(s)
I believe the elapsed time to be inaccurate as it took longer than what's shown here.


Quote from: Malwarebytes Log
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Videosoft (Trojan.DNSChanger) -> No action taken.
I'm not entirely sure about this one. I looked at this specific registry entry and all that is there are color space format values (eg: YV12, YUY2, RGB24, RGB32, etc). I'm not familiar with "Videosoft", so I did a Google search and found a reference to something called zCODEC, which I think is an H.264 decoder. I've not heard of zCODEC before and I do NOT install CODEC packs, although it could have been slipped in with some other software.

Doing a search through the entire registry for "Videosoft" turned up something called, "VideoSoft VSPrinter 7.0" and that branch mentions "VSPRINT7.ocx". The properties for "VSPRINT7.ocx" says that the file dates back to the year 2000. Other hits for "VideoSoft" in the registry include "Vsflex7.ocx" and "vsflex7L.ocx", both also from the year 2000. It looks to be from something called, "VideoSoft FlexGrid 7.0 (Light)" which also doesn't sound familiar.


Quote from: Malwarebytes Log
Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
I take this to mean nothing more than a general warning that Windows security is disabled. I have no use for the Windows versions with a hardware and software firewall, Avast and doing manual Windows updates.


Quote from: Malwarebytes Log
Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\WinDump.exe (Trojan.FraudLoad) -> No action taken.
This is a false positive and demonstrates what I believe to be a bug within Malwarebytes. Both quick and full Malwarebytes scans repeatedly show WinDump.exe to be malware. However, if I do a single scan through the right-click context menu with Malwarebytes on the file itself, it passes and no malware is found. Avast also green-lights WinDump.exe. Also, the current downloadable version of WinDump.exe is byte for byte identical to the same version that I have, which Malwarebytes deems as malware.

So, in the end, the only questionable thing that Malwarebytes found is an old "Videosoft" registry entry.

Lastly, I'd like to take a moment to describe the situation better. I have a single directory that contains multiple sub-directories. Each sub-directory contains one piece of software that is necessary to do a complete re-install on a Laptop. Files like Avast, drivers, Firefox, WinAMP, etc are each contained in their own separate sub-directory. In addition to this Laptop archive directory, I also store duplicates, including the PAR2 files, on a separate hard drive that is disconnected from the system.

Take for example WinAMP. When I downloaded (at the time) the latest version of WinAMP in January 2011, I immediately created an associated PAR2 verification file. Each sub-directory contains one matching PAR2 file so I can test the archive's integrity at a later time.

When the WinAMP installer was destroyed and after changing the way Avast automatically sends things to the Virus Chest, I went to the duplicate archive and tested the WinAMP installer with the PAR2 file and it passed. When the WinAMP installer was copied back to the Laptop directory, Avast displayed a warning dialog that it was infected with the Win32:Tenga virus. I closed the Avast warning, since there was no option to "Do Nothing", and the file was copied. I then checked the copied file with the existing PAR2 file and it passed. I then checked with a binary compare program and the files were identical. Using the right-click context menu, I did a single scan on the WinAMP installer and it was supposedly infected. To me this has false positive written all over it.

Although some of the destroyed files were obvious, such as only being 180KB when it should have been 11 MB, it was through the use of these PAR2 files, created at the time, that I verified the less obvious destroyed files and their eventual replacements.

Since my original post and subsequent reply, Avast's brain file has been updated to the latest 110425-0 version. A scan of the entire laptop archive directory now shows that there is no Win32:Tenga virus. It would seem that the false positive, for the moment anyways, has been corrected.

Thanks for the reply.

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #5 on: April 25, 2011, 11:13:06 AM »
could you post the avast log ?
I don't know how to export the scan log and I see nothing in the help file that pertains to saving out the scan log. However, over the course of this entire issue, oddly enough there is only one entry listed in the scan log that says "Virus Found". That entry is for WinAMP and reads as follows:

Code: [Select]
File name                                                   Severity  Status
C:\Laptop\WinAMP\WinAMP v5.601_full_emusic-7plus_en-us.exe  High      Threat:Win32:Tenga

Due to the amount of action that Avast took yesterday on its own, I would think there would be more than one entry listed. Unless I'm looking in the wrong place for a log, the scan log is the only one I see in the Avast interface.

Thanks for the reply.

YoKenny

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #6 on: April 25, 2011, 02:56:58 PM »
Your main problem is that you are running Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180 as seen in your MBAM log.

See:
Support for Windows XP Service Pack 2 ends on July 13, 2010
http://support.microsoft.com/gp/lifean31

Plus IE6 is very old and needs to be updated to IE8.

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3739
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: Virus Chest Destroys Files When Restored
« Reply #7 on: April 25, 2011, 06:02:54 PM »
When you google Win32:Tenga you will easily find out it's a file infector. A file infector infects executable files by adding itself to them, which explains that Avast! is detecting what for the user seems to be legitimate files, but they are indeed infected. What I don't understand is that Avast! doesn't detect Win32:Tenga itself in the first place. Maybe a new variant?

As I am definitely no malware expert, I will ask our specialist Essexboy for his thoughts about this :)

Greetz, Red.
« Last Edit: April 25, 2011, 06:08:51 PM by Rednose »
OS: Win 10 / iOS 17 / Debian 12 / Tails 5
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #8 on: April 25, 2011, 06:17:56 PM »
Your main problem is that you are running Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180 as seen in your MBAM log.

I've known about Microsoft's Lifecycle policy for a long time. It could be argued that it's not a concern until and most likely well past, 2014-04-08. It's not as if the OS is suddenly going to stop working on 2010-07-13. Besides, this in no way has any bearing on the issue at hand.

The issue is that Avast's Virus Chest destroyed the restored files. This is of course not an OS issue; it is an Avast default setting issue. I've since learned that due to the low default values for the Virus Chest, the files were most likely destroyed going into the Virus Chest. It would seem that Avast never took into account what would happen if suddenly a large number of files, or their size, would be deemed bad and moved repeatedly into the Virus Chest. With no contingency plan for this happening, such as a warning that the Virus Chest was about to become full and/or an option to immediately increase the Virus Chest size, or allow some other user interaction, the files were instead destroyed.

Plus IE6 is very old and needs to be updated to IE8.
Why? So I can not use IE8?  ;D

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus Chest Destroys Files When Restored
« Reply #9 on: April 25, 2011, 06:22:11 PM »
The main thing that would give us a clue as to whether or not you are infected is, are there any unusual behaviours or symptoms on your system at the moment?

Although for a false positive I would have expected a flood of people on the forums. I take it Avast is quiet now?

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #10 on: April 25, 2011, 07:19:51 PM »
When you google Win32:Tenga you will easily find out it's a file infector. A file infector infects executable files by adding itself to them, what explains that Avast! is detecting what for the user seems to be legitimate files, but they are indeed infected. What I don't understand is that Avast! doesn't detect Win32:Tenga itself in the first place. Maybe a new variant ?
At this time, I very much doubt that it's a new variant. As I mentioned, when the WinAMP installer was downloaded in January 2001 from the Nullsoft website, as I usually do, a PAR2 file was immediately created. Leaving the original in the Laptop directory, a copy of the installer and PAR2 file was placed on a temporarily mounted drive. Yesterday Avast suddenly and on its own found the WinAMP installer, as well as other executable files, to be infected with a Win32:Tenga virus.

Before doing anything, I tested the copy of WinAMP with the PAR2 file on the temporarily mounted drive and it passed. I then copied WinAMP back to the Laptop directory and Avast stopped the transfer, saying that the transferring WinAMP file was infected. Without an option to "Do Nothing", I closed off the warning and the file continued to be copied. Using the existing PAR2 file in the Laptop directory, the newly copied WinAMP file passed.

In review, WinAMP passed on the temporarily mounted drive using that PAR2 file. When copied back to the laptop directory, Avast said there was a threat and stopped the transfer. I allowed the transfer and, using the PAR2 file located there, WinAMP passed. WinAMP was not added, modified or changed in any way.

This morning a new virus brain file was downloaded from Avast. Since this recent update the same WinAMP file that Avast claimed to contain a Tenga when it was copied back to the Laptop directory, is now reported as clean.

The only explanation that I can think of that explains what happened above is that this started with a false positive. To me the worst part in all of this was finding out that the Virus Chest destroyed the original files. At this point, that's the bigger issue.

I'm not sure why Avast would attempt to sterilize a Virus Chest file before restoring, since "restore" doesn't equal the same thing as "repair", but let's say that's what Avast attempted to do. A typical Tenga virus signature is about 4K in size. In one example, the original file was 11MB and after restoring it was severely smaller at 180K in size. And, according to Avast at that time, it still contained the Win32:Tenga virus. Other restored/repaired files were not restored to the point where the PAR2 file recognized it as the original file. So, the "repair" basically failed in that respect.

IMO, the Virus Chest default settings are too small. It doesn't take into account a situation like this where the number of files, and their size, can easily exceed the default values. As a result, with no monitoring of the current state of the Virus Chest and no option to adjust these values in real-time during the process, the files become severely damaged.

As I am definitely no malware expert, I will ask our specialist Essexboy for his thoughts about this :)
That's very much appreciated.

Thank you.
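The check described in Reply #4 and Reply #10 (record a verification file for each archived installer at download time, then confirm that a copy restored from quarantine is byte-for-byte the original) can be done with a plain size-plus-SHA-256 manifest instead of PAR2. The script below is an added example, not Avast's, Malwarebytes' or the poster's own tooling; the archive layout, file names and contents it creates in a temporary directory are constructed. It checks size first, which catches the truncated-restore case (an 11 MB installer coming back as 180 KB) before hashing, and then hashes to catch a same-size file whose content changed.

```python
"""Integrity manifest for a software archive: record size + SHA-256 of every
file, then verify later copies (e.g. files restored from AV quarantine)
byte-for-byte against the record. Added example, not Avast's or Malwarebytes'
code; the directory layout and file names below are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large installers need not fit in memory


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk `root` and record {relative_path: {"size": n, "sha256": hex}} for every file."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_of(path)}
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(Path(src).read_text())


def verify(root: Path, manifest: dict) -> dict:
    """Compare the files under `root` against the manifest; return {relative_path: status}.

    Size is checked first because a truncated restore is the cheapest defect to
    catch; a hash mismatch at equal size means the content itself changed."""
    root = Path(root)
    results = {}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            results[rel] = "missing"
            continue
        actual_size = path.stat().st_size
        if actual_size != expected["size"]:
            results[rel] = f"size mismatch: expected {expected['size']} bytes, got {actual_size}"
            continue
        if sha256_of(path) != expected["sha256"]:
            results[rel] = "content mismatch: same size, different SHA-256"
            continue
        results[rel] = "ok"
    return results


def run_demo() -> dict:
    """Build a constructed archive, record it, then damage two files the way a
    bad quarantine restore might, and return {"before": ..., "after": ...}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WinAMP").mkdir()
        (root / "Drivers").mkdir()
        installer = root / "WinAMP" / "installer.exe"   # constructed stand-in for an installer
        driver = root / "Drivers" / "printer.zip"       # constructed stand-in for a driver archive
        readme = root / "readme.txt"
        installer.write_bytes(bytes(range(256)) * 4096)      # 1 MiB of deterministic filler
        driver.write_bytes(b"PK\x03\x04" + b"\x00" * 2044)   # 2 KiB with a zip-like header
        readme.write_text("constructed archive\n")

        manifest_path = root / "manifest.json"
        save_manifest(build_manifest(root), manifest_path)   # manifest built before the file exists
        manifest = load_manifest(manifest_path)
        before = verify(root, manifest)

        # Simulate a truncated restore (only the first 4 KiB survive) and a
        # same-size restore with one byte altered.
        installer.write_bytes(installer.read_bytes()[:4096])
        data = bytearray(driver.read_bytes())
        data[100] ^= 0xFF
        driver.write_bytes(bytes(data))
        after = verify(root, manifest)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in run_demo().items():
        print(phase)
        for rel, status in results.items():
            print(f"  {rel}: {status}")
```

Run `build_manifest` and `save_manifest` on the archive directory when the files are first downloaded and keep the manifest with the offline duplicate; after any quarantine restore, `verify` against that manifest tells you which files came back intact and which did not, independently of what the scanner currently reports.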

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #11 on: April 25, 2011, 07:29:58 PM »
The main thing that would give us a clue as to whether or not you are infected is, are there any unusal behaviours or symptoms on your system at the moment ?
None. It's now just as quiet as it was three days ago.
 
Although for a false positive I would have expected a flood of people on the forums.  I take it Avast is quiet now ?
Yes. While the computer is left on 24/7 and therefore it's not possible for me to monitor it continuously, when I return to the computer there are no Avast threat warning dialogs on the screen and the Virus Chest remains empty.

Thanks for the reply.

YoKenny

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #12 on: April 25, 2011, 07:55:21 PM »
Plus IE6 is very old and needs to be updated to IE8.
Why? So I can not use IE8?  ;D
You can use IE8 but your system should be at XP SP3.
Why do you not want to update to XP SP3. ???

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Virus Chest Destroys Files When Restored
« Reply #13 on: April 25, 2011, 08:24:32 PM »
Why do you not want to update to XP SP3. ???

Non legit XP..!!?? ;)
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Duran

  • Guest
Re: Virus Chest Destroys Files When Restored
« Reply #14 on: April 25, 2011, 09:02:59 PM »
Why do you not want to update to XP SP3. ???
Non legit XP..!!?? ;)

Actually it is legitimate. Originally purchased at Frys Electronics as a non-upgrade WinXP Pro (includes SP1) disc. I probably still have the receipt someplace and if necessary, I'll take the bronze looking disc and post a picture with your user name taped to the face of the disc to prove it. ;)

The reason for not updating to SP3 is because I'm very selective about updates and all critical updates (these include what would be contained in SP3) have already been applied. It's SP2 mostly in name only.
« Last Edit: April 25, 2011, 09:10:27 PM by Duran »