Author Topic: Questions!  (Read 7942 times)

0 Members and 1 Guest are viewing this topic.

jd665

  • Guest
Questions!
« on: August 10, 2003, 05:44:50 PM »
Hi,

Yesterday I downloaded and installed Avast 4 Home Edition and I scanned my local drives to check for any virus. After a couple of minutes Avast sounded the alarm because there was a (worm)virus found in one of the DLL-files located in the WINDOWS\System32 map or directory (I use Win XP Home Edition on a P4 2,4 GHz Tulip notebook running 512 MB internal memory shared with 32 MB video memory). Then Avast "asked" me what to do with the infected DLL-file: Move/Rename it, Delete it, Repair it, Move it to Chest, or do nothing and leave the file infected by going on with scanning. Of course I wanted to get rid of the virus, so I chose the option Repair to remove the virus from the infected (DLL-)file. Then Avast "said" the virus cannot be removed from the file because this DLL-file is in use by (an)other component(s) of Win XP. Is there any solution for this? Am I doing something wrong? How can I check which component uses this DLL-file? If there is no solution for this problem and I didn't anything wrong, probably the only way to remove viruses from files which are normally in use by the Win OS is to exit Win and run an antivirus program under MS-DOS (I must admit, in some situations I miss the good-old DOS very, very much!).

Another question.
When I download Avast 4 Home Edition, do I have to download Avast Virus Cleaner seperately, or is Avast VC a component of the Avast 4 HE package?

Many thanks to those who answers/answered my questions.

John Doe, NL.
« Last Edit: August 10, 2003, 07:51:34 PM by jd665 »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Questions!
« Reply #1 on: August 10, 2003, 07:27:51 PM »
What were the DLL files affected and what virus did avast! announce inside?

avast! Virus Cleaner is not part of avast! Home/Pro (currently). However, it doesn't mean you have to download it. Virus Cleaner is a standalone tool to remove specific viruses - the number of viruses is very limited and the list of them is given on the corresponding web page. You are not supposed to download it unless you really are infected by one of the viruses on the list.

avast! itself uses a different, generic approach to file repair - VRDB. However, in a future version (hopefully 4.1) the virus-specific cleaning procedures used in Virus Cleaner should be integrated in avast!, too - thus combining the power of VRDB and the Cleaner.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Questions!
« Reply #2 on: August 10, 2003, 07:34:40 PM »
Then  Avast "said" the virus cannot be removed from the file because this DLL-file is in use by (an)other component(s) of Win XP.

You can start your windows in safe mode and delete it than.  And you should clean any reference to that dll in the Registry.

FMI: What is the exact name Avast give that malware?
MfG Ralf

jd665

  • Guest
Re:Questions!
« Reply #3 on: August 12, 2003, 07:47:37 PM »
In reply to the above answers:

The following 9 files are infected;

1) Name: pav.sig
    In map: C:\WINDOWS\system32\
    Infected by: Win95:Matyas
    Message after attempting to remove the virus:
                        The file was not repaired.
                        Cannot process "C:\WINDOWS\system32\pav.sig" file

2) Name: imscan.dll
    In map: C:\WINDOWS\system32\ActiveScan\
    Infected by: Win32:Kuang2
    Message: File was successfully repaired.

3) Name: pav.sig
    In map: C:\WINDOWS\system32\ActiveScan\
    Infected by: Win95:Matyas
    Message: The file was not repaired.
                     Cannot process "C:\WINDOWS\system32\ActiveScan\pav.sig"
                     file

4) Name: WinStart001.exe
    In map: C:\Windows\System\
    Infected by: Win32:Trojan-gen. {VC}
    Message: The file was not repaired.
                     Cannot process "C:\Windows\System\WinStart001.exe" file

5) Name: A0019897.exe
    In map: C:\System Volume Information
                  \_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP229\
    Infected by: Win32:Trojan-gen. {VC}
    Message: The file was not repaired.
                     Cannot process "C:\System Volume Information
                     \_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP229
                     \A0019897.exe" file

6) Name: A0020631.dll
    In map: C:\System Volume Information
                  \_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP238\
    Infected by: Win32:Kuang2
    Message: The file was not repaired.
                     Cannot process "C:\System Volume Information
                     \_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP238
                     \A0020631.dll" file

7) Name: A0020646.dll
    In map: C:\System Volume Information
                  \_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239\
    Infected by: Win32:Kuang2
    Message: The file was not repaired.
                     Cannot process "C:\System Volume Information
                     \_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239
                     \A0020646.dll" file

8. Name: A0020657.dll
    In map: C:\System Volume Information
                  \_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239\
    Infected by: Win32:Kuang2
    Message: The file was not repaired.
                     Cannot process "C:\System Volume Information
                     \_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239
                     \A0020657.dll" file

9) Name: A0020713.dll
    In map: C:\System Volume Information
                  \_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239\
    Infected by: Win32:Kuang2
    Message: The file was not repaired.
                     Cannot process "C:\System Volume Information
                     \_Restore{6F41619F-E3DD-419C-B8D4-ABC18B018CE1}\RP239
                     \A0020713.dll" file

Question 1: Why can't process Avast these infected files?

Note/Question 2: In spite of the message File Was Successfully Repaired,
                             every time I scan again my local drives with Avast, file
                             "number 2" - imscan.dll, located in map
                             C:\WINDOWS\system32\ActiveScan\ - stays infected by
                             the Win32:Kuang2 virus. How is this possible?

Note/Q. 3: So once a while I also use for a second opinion some free online
                   virus scanners like BitDefender Antivirus, Panda ActiveScan,
                   Symantec Security Virus Detection, or TrendMicro HouseCall
                   Antivirus. When I look to the map
                   C:\WINDOWS\system32\ActiveScan\ (see number 2 & 3) I think
                   that this map is used by the online Panda ActiveScan(ner)
                   software because of the same name ("ActiveScan"). Am I right?

Note/Q. 4: Does someone know what the function is of the file
                   WinStart001.exe which is located in map C:\Windows\System\
                   and infected by the "Win32:Trojan-gen. {VC}" virus (see no. 4)?

Note/Q. 5: Every time I use the Avast 4 Home Edition Virus Scanner to scan
                   my local drives for viruses the number of infected files increases
                   by one. Again, how is that possible?

Note/Q. 6: Last question. What is the function of the map with the long
                   name "C:\System Volume Information
                   \_Restore{6F41619F-E3DD-419C-..." (see no. 5 - 9)?
« Last Edit: August 12, 2003, 08:02:37 PM by jd665 »

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Questions!
« Reply #4 on: August 12, 2003, 07:57:15 PM »
The files belong to Panda(PAV.SIG,. IMscan.DLL) are false alarms(delete it)
, for the winstart001 take a look here: http://www.avast.com/forum/index.php?board=4;action=display;threadid=698;start=0

For the files which are located here: C:\System Volume Information
look here: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Doing this and than ask the Questions which are left over.:)

Edit: If you want to know more about the Panda files, make a boardsearch or Panda
« Last Edit: August 12, 2003, 07:58:24 PM by raman »
MfG Ralf

whocares

  • Guest
Re:Questions!
« Reply #5 on: August 12, 2003, 07:58:58 PM »
Hi, only
4)  & 5) need to concern you

Name: WinStart001.exe
    In map: C:\Windows\System\
    Infected by: Win32:Trojan-gen. {VC}
    Message: The file was not repaired.
                  Cannot process "C:\Windows\System\WinStart001.exe" file

the other ones are false positives in PANDA-AV-Files because Panda don't encrypt there Files properly.

-look at TrendMicro or mcafee for the winstart.Trojan
follow the removal procedure

-you need to disable Win-SystemRestore to get rid of the viruses/warnings from the restore-folder (procedure should be explained on Mcafee/symantec, too)

whocares

  • Guest
Re:Questions!
« Reply #6 on: August 12, 2003, 07:59:18 PM »
Mennoo... ;D

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Questions!
« Reply #7 on: August 12, 2003, 08:03:32 PM »
Mennoo... ;D

Irgendwann muss ich ja mal schneller sein!:)

BTW: Nutzt du Avast und Antivir regelmaessig?
MfG Ralf

whocares

  • Guest
Re:Questions!
« Reply #8 on: August 12, 2003, 08:09:09 PM »
Auf einem PC Avast wegen der autoupdates..
auf nem anderen AVPE




jd665

  • Guest
Re:Questions!
« Reply #9 on: August 14, 2003, 03:54:07 AM »
Sorry but I cannot speak and read German. Could you please try it in English or Dutch (Dutch is my homelanguage)? Thanks! JD, NL.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Questions!
« Reply #10 on: August 14, 2003, 06:13:30 AM »
Just smalltalk!:) I am only able to read and understand a bit dutch.
The realy important is written in english.
Sorry...
MfG Ralf

littlepr

  • Guest
Re:Questions!
« Reply #11 on: May 31, 2004, 03:55:53 AM »
Once again to all who are getting a virus as

"Win95:Matyas"
or

"PAV.sig"
or

"imscan.dll"


These are not viruses. They are unencrypted Panda Virus scan files. If you have ever installed any Panda antivirus including running an online free scan from Panda website, these files are generated and saved on your PC. Avast detects them as a virus because they are not encrypted. They are false-positive and you can ignore them. Set Avast to ignore/exclude them next time you run the complete scan. If you no longer needs the files (if you installed Avast, you should no longer need them) dlete them.

CharleyO

  • Guest
Re:Questions!
« Reply #12 on: May 31, 2004, 04:05:08 AM »

Even better, since Panda does not encryt their files correctly, stay away from Panda services.    :)  



Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re:Questions!
« Reply #13 on: May 31, 2004, 04:24:13 PM »
Even better, since Panda does not encryt their files correctly, stay away from Panda services.    :)  

Yeah!  ;D
The best things in life are free.