Average Joe

CLOSED Two (inactive?) malwares and odd Avast/EEK conflict

Recommended Posts

Hi everybody,

I am not English native so I apologize for possible errors.
Software running on my PC:
- OS: Windows 7 Pro 64 (regularly updated)
- AV: Avast Free Antivirus
- AM: Emsisoft Emergency Kit (2017.4.0.7437)
- FW: Comodo Firewall 10

I have been using this machine for a couple of years, more or less.
The antivirus and firewall are always running in background and I use both Avast and Emsisoft Emergency Kit (which is placed on one of the internal drives) every now and then for virus and malware scanning.
I didn't notice anything strange, everything was smooth and fine, Avast all green (Protected), no viruses found (both by quick and full system scan) and EEK always tells me "0 detected" (malware scan).
Yesterday, influenced by the "Wanna Cry Crisis" I ran another malware scan with EEK, 0 detected as usual.
Then I decided to do a Custom Scan (which I have never done before, apparently), I left all the default settings and gave it a go. The scan took much more time than usual (that's normal) but this time two objects were detected (see attached log).
Both files were located on F:, which is a data partition on a HDD I moved into this machine from a previous computer running Windows XP, for what I know they could have been there for years, doing what? I don't know, as I said I have never experienced anything strange.
I quarantined the two files then I rescanned with EEK (Custom Scan) to confirm the system was clean.
I got a "0 detected" from EEK but Avast showed me an alert about an infection (Win32:Malware-gen) coming from a2emergencykit.exe (which is inside the EEK folder). According to Avast the process was blocked before any damage was done.
I ran a full system scan and a boot time scan with Avast, both negative.
I then ran EEK Custom Scan twice, "0 detected" but both times Avast showed the same alert about a2emergencykit.exe.
Again Avast full system scan, negative.
In short, it seems I get an Avast alert each time I do a EEK Custom Scan (the standard Malware Scan doesn't trigger the alert).

Anybody can help me to understand what is happening?

scan_170517-202303.txt

Share this post


Link to post
Share on other sites

It's worth uploading the file that Avast thinks is suspicious  -  a2emergencykit.exe   - to the virustotal  website where it will be examined by lots of different anti-virus/malware programs to see whether they all think it's a problem or just a few programs do.  If you do that, you could then include the virustotal website URL for the report about that file, here.

Does the free version of Avast update its signatures often? 

Share this post


Link to post
Share on other sites

The detection in Drive F are system restore points and are inactive. It would not hurt to delete those detections.

Avast may be alerting against one of the signatures as EEK is loading the signatures into memory.

Otherwise, your logs look fine.

Share this post


Link to post
Share on other sites

Thanks for the replies.

@JeremyNicoll
I will do that, thank you. I think Avast updates its signatures several times a day.

@Kevin Zoll
I've got some questions:
- Can you explain to me what exactly is an inactive malware? I would think a malware has to do something to be... malicious.
- I would like to know if these two files were there since the drive was in the old computer. I was thinking of de-quarantine them to look into their properties for the date of creation (and then re-quarantine them). Do you think it is a wise idea to do so?
- I am particularly concerned about some Live Linux USB (especially one I use for online banking), they were created on this W7 machine using a piece of software called Rufus. Do you think the Linux OS on these USB flash drives could be somehow not safe? (Maybe the question doesn't make sense, not enough knowledge to answer that myself).

Thank you.

14 hours ago, Kevin Zoll said:

Avast may be alerting against one of the signatures as EEK is loading the signatures into memory.

As far as I can remember, the first time I ran a custom scan (i.e. when the two files were detected) Avast didn't show any alert (same signatures). Wouldn't this be strange?

Share this post


Link to post
Share on other sites

The two files in question are located in the System Volume Information store (System Restore).  Unless something accesses the files directly they cannot perform any malicious actions.  Since they are on Drive F: and that drive is the OS partition from an old install, they unless the system is booted from Drive F: into the old Operating System.

Linux is not vulnerable to Windows malware.

Avast has a habit of alerting against some of our process when they either load signatures into memory or read signatures from memory.

The Virus Total report shows nothing is wrong with a2emergencykit.exe.

Share this post


Link to post
Share on other sites

Thank you Kevin.

F: has never been an OS partition, it is a data partition. It is the second partition on this particular hard disk, XP was installed on the first partition (which doens't exist anymore since I replaced it with two new partitions when I moved the hard disk into this new machine). So I must assume that XP or Seven (or both) create one System Volume Information folder for each partiton (system and non-system).

Again, I wonder what is the purpose of a malware than manages to sneak into a computer, passes untouched through antivirus/antimalware scans (many scans if these files are there since XP) and then... just sits there (apparently) doing nothing.

What do you think of temporarily de-quarantine the two files to look for the date of creation?

I know Linux isn't vulnerable to Windows malware.
Let me rephrase my question:
generally speaking, is a Linux USB flash drive to be considered safe even if created on an infected (even heavily infected) Windows machine?

About Avast, if that's the case I don't understand why no alert was shown when I ran the first EEK custom scan with the same signatures. 

Share this post


Link to post
Share on other sites

We do not check every area of a system unless a custom scan is performed.  A quick scan only checks the memory for active malware and a couple of additional areas for active malware.  A Malware scan checks memory, the registry, and the file system where malware is commonly found.  So unless the malware attempts to modify something on the system or what is deemed malicious behavior it will never be detected if it is in some obscure area of the file system unless a custom scan is performed.

You would need to look at the Restore Point creation date to get an idea of when the infection occurred.

A Linux USB created on an infected Windows system and becomes infected with Windows Malware will trigger an Infection Alert if and when an infected/malicious Windows file is executed on any Windows system protected by our software.

Without debug logs, there is no way to determine what went on between Avast and EEK.

Share this post


Link to post
Share on other sites

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore

  • Click the Run button.


When the tool is finished, a log will open in notepad. I do not need the log.  You can close Notepad.

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable

  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner


Run CCleaner

  • Open the CCleaner Folder on your Desktop and double-click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • Click "Options" and choose "Advanced"
  • Uncheck "Only delete files in Windows Temp folders older than 24 hours"
  • Then go back to "Cleaner" and click the "RunCleaner" button.
  • Exit CCleaner.


You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To Remove EEK simple delete the EEK for in the of your System Drive, normally C:\EEK

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!

Share this post


Link to post
Share on other sites

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only.  Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair.  Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.