The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Question about Avira Antivirus - I think it let some viruses through! :(

    Discussion in 'Security and Anti-Virus Software' started by The Fire Snake, Aug 11, 2009.

  1. The Fire Snake

    The Fire Snake Notebook Virtuoso

    Well, here is the deal. I am using Avira free edition on all my machines and other machines I "support" (as in my friend's machines ;)). Avira has been pretty good and has worked great with all my personally owned machines. As far as I know I don't have any viruses or any problem with my machines. But recently, as in the last 2 days, my friend has been having problems. I had installed Avira 8.x (I am thinking it was 8.x. It was whatever version was before this last major update to 9.x) on his machine and it has been active and running continuously. Avira, as you know, has major updates once in a while, where they go from 7 to 8 or in this case 8 to 9. Therefore, Avira was popping up a dialog box saying for him to download the new version. He ignored this message and kept using his current Avira install.

    Well the last time I came over I saw this message and downloaded the newest free Avira, uninstalled his old one and installed the new one. Well after a couple of minutes a pop up came up from Avira saying that a virus or suspicious file was found called ALotToolbar.1. I was surprised that this came up, since according to my friend, he never got any "you have a virus" messages. In any event I was mad since now I would probably have to restore/format his machine and reinstall the OS. I didn't do this however, since I didn't have the time (was planning on doing it later), but instead read up on this virus and found out it was low risk and was some kind of toolbar that is spyware/adware that installs itself in IE. I read a how-to on uninstalling it and did. Then I did a full virus scan and it looks like a piece of it was still active and did a repair. At this point I thought all was ok. A few days later my friend says that he is getting weird behavior from his Yahoo free web mail account. He couldn't replicate the problem for me, but says he gets this "enter the letters and numbers you see (the common security method that many web sites use)" page that would not let him send his email till it was filled out. In any event he calls me today and tells me that he received some kind of message from Yahoo saying that his account has strange activity going on and that he can't send any more emails. I don't know what the heck is going on for sure, but I will get the specifics tonight when I check the machine out personally. Sorry for the long post, but I wanted to list all the details. So my questions are..

    1.) When Avira is prompting you to download their new version, does this mean the currently running version on the machine is inactive and not receiving any updates?

    2.) My friend only uses Firefox to go on the web. How could something like this get through?

    3.) Did Avira get penetrated by some kind of virus that Avira's DAT file doesn't know about?

    4.) How can a virus/spyware/whatever affect the behavior of a free web mail account? Does that make any sense?

    THANKS! :(
     
  2. sublime313

    sublime313 Notebook Evangelist

    1) as far as i can tell, all of these updates get done through the auto-updater. i just checked my versions of avira, and the dates it shows are very recent. i certainly never performed any manual updates of the software, so it must have been auto with the definitions.

    4) i have not had this particular issue, but i did have a problem where my yahoo messenger account was hacked and was spamming acai berry diet pill messages through the messenger to my contacts. i also know other people with the exact same problem. i've also had fake emails sent to one of my yahoo accounts telling me i needed to provide verification of personal info to keep my account active. these emails were NOT from yahoo, but some phisher... my guess is this yahoo incident has nothing to do with Avira.
     
  3. Baserk

    Baserk Notebook user

    1. No
    2. Yes
    3. ?
    4. Maybe his account password has been stolen, one way or the other.

    Avira is an excellent product but it doesn't protect against all malware and certainly not against all points of entry for malware as in drive-by-downloads.

    This means that when visiting a website (unaware of) hosting malicious content like an infected adbanner, obfuscated script within the adbanner 'instructs' your browser to download (and install) a file without you/the user having any knowledge about it.
    You can protect yourself against this stuff, for example by using Firefox with the extensions AdBlockPlus and NoScript (again, not 100% protection).

    Please remember that nowadays, because of the success of AV products, malware writers look for other ways to 'get' your computer/money like with drive-by downloads or scamware.
    Some links about this; link, link, link.

    If you really want to do yourself (and your friends) a favour, look into how to make an image of a hard drive like with Acronis TrueImage, Paragon or DriveImage XML.
    With an image available, a 'reinstall' (actually more a copy/paste operation) takes about 10/15 minutes.
    It really can save you hours and hours.
    Cheers.
     
  4. The Fire Snake

    The Fire Snake Notebook Virtuoso

    My DAT definitions files happen automatically by downloading and installing, but when there is a major upgrade of Avira itself, like going from 8 to 9, then I just get a popup saying there is a new version of Avira and to click on the download button in the popup. When I do then I am taken to the Avira site and to the page where I can download the new version. Nothing is automated where it downloads automatically and installs. I have to download it and install it myself.

    You make a good point. Perhaps the 2 problems I have witnessed so far are unrelated. The 2 problems being the issue with Yahoo mail and the other with the virus on the machine. As I said I don't have all the specifics just yet, but I will. With the Yahoo problem there might be multiple things going on I guess. One could be that the account has in fact been broken into and someone is sending out spam messages from it and the email warning received is in fact from Yahoo or the account has been broken into and this warning message is not from Yahoo. But the strange thing is, what could be causing that image verification thing to be displayed before an email can be sent? He tried to show me but it seems intermittent, as it did not appear when I was looking.
     
  5. The Fire Snake

    The Fire Snake Notebook Virtuoso

    Thanks for the response.

    - First thing I am going to have him do is change his password for the account.
    If he can get in anymore that is.

    - I thought that Avira was somehow inactive since he had not upgraded to the new version as the popup said. I thought that the cause of these problems might have been an inactive Avira for several days (when he thought it was running since its icon was in the system tray), allowing this virus to sneak by. You are saying that is not possible.

    - So let me confirm something. There are certain websites now, where just going to them (not clicking on any links on the page) can cause you to get a virus? I thought I saw IE have a new feature where sites are marked if they are dangerous. Any plans for Firefox to have this?

    - Noscript also prevents Javascript from running too, right? Quite a few sites use Javascript and become nonfunctional if it cannot execute. This add on seems impractical. Am I right?

    - I don't have drive imaging software but I might purchase one when on sale.

    - Formatting a drive by running the restore disk is enough to kill a virus guaranteed, correct?
     
  6. Baserk

    Baserk Notebook user

    One vulnerability that's in dire need of a patch in let's say an Adobe program, Flash player or Windows part can cause a trojan drive-by download.
    (Emphasis on can, not necessarily will)
    So keep at least all your programs up-to-date (check my sig for Secunia OSI)
    Check Mozilla for FF features.

    Yep, but you can allow scripts, I-frames etc on those pages where you need it.
    I somewhat agree, a lot of folks find it bothersome but it offers excellent protection.

    There are free alternatives like DriveImageXML.

    An OEM restore/recovery disk will usually simply put the notebook back in factory condition and wipe the malware indeed.
    Some companies like HP offer a 'non-destructive' recovery option where data is saved before restoring and then later on, put back.
    So don't use such an option ;)
    Cheers.
     
  7. DarkSilver

    DarkSilver MSI Afterburner

    Baserk, your replies clear up the mystery.
    So, that Adobe stuff can cause virus infection!? How much of a possibility is it?
    If it is low, then I would just let it be. If it is very high, then I should take precautions.
    Lastly, +Rep for Baserk!
     
  8. TevashSzat

    TevashSzat Notebook Deity

    IIRC, over 40% of all virus infections and such have happened through attack vectors based on Adobe products like Acrobat and Flash.

    Adobe is targeted so frequently because everyone has Acrobat and Flash installed. Heck, even Linux people use Flash (correct me if I'm wrong) and it's really hard to surf the web without using Flash at all given the number of websites out there that would become broken if you don't have it.
     
  9. Baserk

    Baserk Notebook user

    True, and even Linux Flash Player suffered from a vulnerability, deemed critical by Adobe, last year.
     
  10. DarkSilver

    DarkSilver MSI Afterburner

    OOOOOO. Finally, I understand.
    But Adobe stuff is very important to me. T.T
    I need it to browse the Internet and for assignments too.

    Does Avira support 64-bit Windows Vista?
     
  11. TevashSzat

    TevashSzat Notebook Deity

    Yep, it does
     
  12. The Fire Snake

    The Fire Snake Notebook Virtuoso

    Just an update. I am not sure what happened with Avira but I will assume that it was working just fine. It looks like there were 2 different issues. One issue was some kind of virus/trojan etc. has infected the machine and the other issue was it looks like someone might have been using the Yahoo mail account to send spam or other garbage. I have remedied both problems by reformatting my friend's hard drive and installing Linux on it. It fits his needs perfectly. Secondly I had him change his password on his Yahoo account and that seems to have helped. The message from Yahoo that the account had suspicious activity seems legit as it wasn't sent to him in an email but was displayed on the screen before he went to send emails to people. In any event, after the password change this problem seems to be gone. Thanks for the help everybody.