Strange alert from Avast

One of my friends is getting this alert while using internet since few days( on dial up). I could not understand what is this. A full system scan by Avast did find nothing except for a trojan( Pirate) in a Temp folder.

Any help? Thanks

 

Is he getting that message while surfing the web or when using his email client? I have personnaly only seen that message from Avast when sending or receiving an email containing an executable file attachment (even with a clean file). Apparently Avast considers any emails containing an executable to be suspiscious.

 

Avast's mail heuristics at work

 

The strange thing is that it warns about the Subject, but on the screenshot, it seems there's no Subject at all. Or isn't the Subject line to long so that it wraps outside of the visible area?

Anyway, if the alert only happened once, I wouldn't worry too much about it...

This is taking place only if you manually set the sensitivity to high level. With default settings, it only warns about such phenomena as double extensions etc. (i.e. it lets "standard" files, even executable, go thru without any warnings).

 

He does not use outlook and has no e-mil account for outlook even( none provided by ISP). Only uses web based mail.

The alert come only while on internet and it comes so often that he can,t do his work.

Is there a bot on his PC sending messages? But is it possibel even if ur outlook not yest configured for use at all.

 

I would have thought it was a bot... and I always thought it was possible for bots to send e-mails regardless of whether Outlook is installed or not.

 

Very interesting to catch such a bot.

What i sholud run? I will try to run a few scabnners like SAS, AVG AS and use an outbound FW to see what comes out.

 

UPdate:

This message was no more appearing. Anyway I ran multiple scans on the PC.

AVG AS( not updated)- clean
SAS( fast scan)- clean
CFP intergrated scanner- clean( I actually installed CFP to see if something suspicious tries for outbound but none- malware probabaly did not tried that)
CSI- clean

Antivir - It caught these malware:

1- 6 copies of a trojan in Application data and Temp Internet Files( differnet copies)- TR/Delphi.Downloader.Gen
2- a suspicious crack application.

I uploaded all to VT. Some copies of first one are detected by KAV, AVG( Generic9.AVIV) , MS n Dr.Web plus many others- seems surely a true detection by Antivir.

Second one is probably unrelated to this issue. It,s a suspicious heuristic detection. I deleted all of them after saving copies of them.

Scanned them with Dr.Web cure it, it caught all copies of TR/Delphi.Downloader.Gen as DLOADER.Trojan I have uninstalled Avast and installed AVG on that machine. Let,s see how it goes. I do think AVG is getting better in detection than Avast, just my feeling since many months, can,t be sure though.

 

Wow aigle you truly have patience .

 

It,s interesting to do this. My main problem with that PC was that it slow- low specifications nad 256 MB ram and has a slow inetnet( dial up).

BTW, I am still not sure if it is clean. I can,t keep an outbound FW on it as the user will not know how to reply it. Also not enough resources so I just kept one AV. I would have isntalled Antivir but its updates are not good with dial up.

 

I did the exact same thing on my sister's 192MB RAM computer about 2 months ago. Avira was the only one to find anything that wasn't a FP. I assume they were FP's because I submitted them to VT and the scans were mostly clean except for the programs that alert to almost everything. I also submitted the files Avira found to CastleCops unknown files and one of them was a FP.

It is interesting to do this, but it just drives home the point of blacklisting is far from perfect. I'm like you, I don't know if I got everything cleaned or not. I've since installed another 512MB of RAM, but I haven't scanned anything in two months. They have 3 kids and one is a newborn, too much noise for me to concentrate .

 

I tried one of the files detected by Antivir as TR/Delphi.Downloader.Gen.
It sure is malicious, it creates many executables and launches a hidden IE window.

 

It would be smart to send all undetected files to avast! developers so they can add them to virus database.

 

I will send. Any link for that?

 

Also please note that having the files present in the Internet Temporary folder doesn't mean they ever got executed... this is where IE places all temp (cached) files it encounteres...

 

vlk! no point of this argument as malware made many of its copies and none was/ is detected by Avast. It will not be detected even if u execute it.

Actually the file in Temp Internet Folder was a spoofed jpg file( an executable), which made many of its copies in Application data\ Real and Application data\ ICQ folders. It,s my analysis of this malware, I am not an expert and I may be wrong but sure it seems that malware was executed.

One sample missed is no problem we all know .

 

I'm in no way saying that it should not be detected by avast. It sure should.

However, I'm just trying to calm you a bit, saying that the malware maybe hasn't really activated on that machine (if it's only found in the Temporary Internet Files folder).

Vlk

 

No, it sure is executed. I told u that spoofed jpg file was there and it made copies in application data and if I remember well even some start up enteries.

I understand well, any AV can miss a sample. It was my Friend,s chance to get it. But I am a bit dissappointed as it,s second tiome. Before I installed Avast for one of my friends, according to him, they got some alert from Avast while online, I am not well aware, wat they answred but it was shrtly after that the PC became unbootable and they had to go for a format and reinstall. Though I am not sure but I still suspct it was a failure.

Also every time I upload malware on jotti, VT- I see AVG catching more than Avast.

 

Run also MC Afee,NOD 32,KAV ,BitDefender online scanners.

 

Online scanners on dial up? Not possible.

 

I've used several online scanners with a dialup connection. Panda, Kaspersky, McAfee, Trend Micro. I've never had any problems. I don't have any of those fast connections like DSL, cable, satellite, Fiber optics, or T-1 lines at home.

 

PC is slow and we have to pay 0.75$ per hour.

 

My idea of a strange alert:

Your computer has been taken over by aliens. Prepare for transfer to the mother ship. Resistance is futile. You will be assimilated.