On a new HP running Vista (one week old), after uninstalling Norton AV/Internet Security and installing Avast, the memory test indicated that the C:\autorun.inf was infected by WinREG:Autorun [trj]. Moved it to Avast’s chest. Avast advised rebooting and running a boot scan. Boot scan then indicated that D & E autorun.inf files were also infected by WinREG:Autorun [trj] – moved them to the chest as well. Avast also showed three ctfmon.exe files (on C:\recycled, D:\recycled and E:\recycled) were infected with Win32:VB-EAA [trj]. All put into the chest. Finally, after rebooting I noticed that the chest also contained three dll’s from C:\Windows\system32: kernel32.dll, winsock.dll and wsock32.dll. I tried to restore them to their folder but got this error:
FileID: 0000000003 Program cannot copy the following file: C:\Windows\system32\wsock32.dll (Original filename: wsock32.dll )
—>Description: Access is denied
I did go to the C:\Windows\System32 folder later and confirmed that the files are in fact there after all(!).
Only Windows, HP, Nvidia and D-link updates have run on this computer, so I don’t know if I’m getting false virus warnings or if they’re legit. I’m strongly considering restoring Windows to an earlier time. Would appreciate someone knowledgeable advising on this matter.
The three system files are backup files rather than infected files - you should see that they are in a separate section of the chest - so you don’t have to worry about them.
To check the files detected, go to the chest and restore the files to a new location: the desktop, for example. Then right click the avast! ball and temporarily disable avast! You will then be able to submit the files to VirusTotal. Please post the results here.
If only avast! detects the files as malicious, submit them to virus[at]avast.com in a password-protected Zip file mentioning they are suspected false-positives, or you could also submit the files from the chest, again mentioning they are a suspected false positive.
If, on the other hand, avast! is not alone in detecting the files, you should leave them in the chest and look for the source of the infection: a thumb drive, maybe?
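For the last step above, looking for the source of the infection, one check is whether an autorun.inf at a drive root launches a program from a recycle-bin folder. This is an added example, not part of the original posts and not avast! code; the thread does not show the contents of the flagged files, so the link between autorun.inf and the executable in \recycled is an assumption and the sample text is constructed.

```python
import re

# Keys in an [autorun] section that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Recycle-bin folder names used at a drive root (Recycled, RECYCLER, $Recycle.Bin),
# followed by a path separator, i.e. a file inside that folder.
BIN_DIR = re.compile(r"(^|[^\w$])(recycled|recycler|\$recycle\.bin)[\\/]", re.I)


def launch_entries(text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf text."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                entries.append((key.strip().lower(), value.strip()))
    return entries


def suspicious_entries(text):
    """Launch entries whose command points into a recycle-bin folder."""
    return [(k, v) for k, v in launch_entries(text) if BIN_DIR.search(v)]


# Constructed samples, not the files from this thread.
SAMPLE_SUSPECT = """[AutoRun]
open=recycled\\ctfmon.exe
shell\\open\\command=recycled\\ctfmon.exe
icon=folder.ico
"""
SAMPLE_INSTALLER = """[autorun]
open=setup.exe
icon=setup.ico
label=Router Setup
"""

if __name__ == "__main__":
    for name, text in (("suspect", SAMPLE_SUSPECT), ("installer", SAMPLE_INSTALLER)):
        print(name, suspicious_entries(text))
```

Run it against the text of an autorun.inf restored from the chest to a new location; an ordinary installer autorun.inf returns an empty list.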
Thanks for the reply. I’ll give your advice a try later today.
Not sure what you meant by the dll’s being in a separate section of the chest – they show up in the Infected files section, although under the virus heading it is noted they are virus free. They’re off my worry list (just thought it odd they showed up there to begin with).
I, too, wondered if the source of infection wasn’t a thumb drive that I used to transfer the D-link set up file to the new machine, but a scan of it on two Avast enabled machines didn’t indicate any problems.
So tonight I’ll do as you advised and post the results here. Thanks again for the sage advice.
Not sure what you meant by the dll's being in a separate section of the chest -- they show up in the Infected files section, although under the virus heading it is noted they are virus free. They're off my worry list (just thought it odd they showed up there to begin with).
They may show up in the ‘All Chest Files’ section but they shouldn’t be in ‘Infected Files’.
I really do wish Alwil would get rid of this All Chest Files collation of the three sections.
The only area you should be interested in is the Infected Files section; this is where the files detected by avast and selected by you to move to the chest are placed.
The User Files section is where the user can add files they suspect of being malware but not detected by avast.
The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).
DavidR,
You were correct, I was looking at ‘All Chest Files.’ (Long day and finding out your new machine has viruses didn’t help my mood!) So, good catch.
Spent some time with HP chat support, who couldn’t explain how I got these infected files on a Norton “protected” machine. HP support agreed the files weren’t critical, so I’m going to leave them in the chest and press on.
Thanks again to both of you for offering insight and advice to my problem.
I’ve actually used it on all of our home computers for several years now with good results. I converted about 5 years ago when a virus knocked out NAV on my daughter’s laptop. I’ve been convinced ever since that avast is the right AV app for me. Didn’t have much of a choice with this new HP machine, as Norton IS/AV came preloaded. Glad I ditched it!
TMS, Revo Uninstaller is not specialized and it’s not aggressive on removing registry keys. For sure, the specialized tool is recommended, especially in Norton’s case.
I must disagree with you on Revo not being aggressive. It has varying levels of aggressiveness when one uninstalls something. Besides, I’ve already uninstalled Norton, so what’s done is done.
Downloaded and ran Norton’s clean up tool, took about 10 seconds for it to complete. From the reviews of others (slow to work, etc.) I doubt there was anything left to clean up – not sure if it gives a log of what it removed after running, but there was no results page like some folks spoke about. But, better safe than sorry…especially when it comes to getting Norton/Symantec programs off one’s machine.