AVG issues

Posted at 2:59:23 PM in Recovery (46) | Read count: 2074

One of my issues with anti-virus software is their brute force removal of infected files regardless of that file's importance. In this situation, the cure is far worse than the illness.  The computer I worked on today wouldn't start.  It halted with a BSOD (Blue Screen of Death) saying that Windows shut down in order to prevent more damage to the system.  AVG 9.0 found a virus in Explorer.exe and winlogon.exe and quarantined them without asking the user.  I'll be the first to admit that most users just press the go button anyway, but in this case, the user said that the computer just shut down on its own and then wouldn't restart.

I didn't know what files had been removed because the quarantine renames the files and gives them a .fil extension.  I used Windows PE to access the hard drive and look around.  I knew that Explorer was one of them, as that file is commonly attacked, it was missing, and the file size of the last quarantined file matched that of a working explorer.exe.  I couldn't tell what the second file name was and was forced to do a repair install of WinXP SP3.
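The identification problem above, worked as an added example that is not the author's tooling: fingerprint critical files on a known-good install of the same Windows version (size and SHA-256), then match each renamed .fil in the vault against that manifest. A hash match is conclusive; a size-only match (the heuristic used in the post) is reported as weak evidence because several system files can share a size. It assumes the vault stores file bytes unchanged, which the matching size suggests; all paths and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(good_system_dir: Path, names) -> dict:
    """Record size and SHA-256 of each critical file from a known-good system."""
    manifest = {}
    for name in names:
        p = good_system_dir / name
        manifest[name] = (p.stat().st_size, sha256_of(p))
    return manifest


def identify_quarantined(vault_dir: Path, manifest: dict) -> dict:
    """Map each renamed .fil in the vault to the critical file(s) it may be.
    Exact hash match is conclusive; otherwise fall back to size-only matches,
    which are ambiguous and must be confirmed before restoring anything."""
    results = {}
    for fil in sorted(vault_dir.glob("*.fil")):
        size, digest = fil.stat().st_size, sha256_of(fil)
        match = [(n, "hash") for n, (_, h) in manifest.items() if h == digest]
        if not match:
            match = [(n, "size-only") for n, (s, _) in manifest.items() if s == size]
        results[fil.name] = match
    return results


def demo() -> dict:
    """Constructed good-system tree and vault in a temp dir; contents are fake."""
    with tempfile.TemporaryDirectory() as tmp:
        good, vault = Path(tmp, "good"), Path(tmp, "vault")
        good.mkdir()
        vault.mkdir()
        (good / "explorer.exe").write_bytes(b"E" * 1000)
        (good / "winlogon.exe").write_bytes(b"W" * 500)
        (good / "userinit.exe").write_bytes(b"U" * 500)  # same size as winlogon.exe
        manifest = build_manifest(good, ["explorer.exe", "winlogon.exe", "userinit.exe"])
        (vault / "file01.fil").write_bytes(b"E" * 1000)  # intact copy: hash matches
        (vault / "file02.fil").write_bytes(b"X" * 500)   # altered copy: size only
        return identify_quarantined(vault, manifest)
```

In practice the manifest is built from a clean machine or install media and the vault is read from the mounted drive under Windows PE.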

After the reinstall, I was able to open the virus vault and see what files had been infected and removed.  A common tool I use from this web site, www.bleepingcomputer.com, is MalwareBytes Anti-malware.  On this site, you'll find most of the virus infection removal procedures involve Malwarebytes software, which you can download here.  Another one I use regularly is combofix.exe from the same site.  (Combofix won't work on 64-bit systems or on systems after WinXP as of this writing.)

Both of these applications take the time to determine the threat and extract the problem without damaging the system.  I'm not sure why antivirus writers can't make .fil files of critical files and save them for later restoring in case a critical file is infected.  Certainly they must know what files are needed and critical to the PC's health.

Written by Leonard Rogers on Thursday, December 30, 2010 | Comments (0)
