Avast and test virus

Dear Avast Forum,

Is the following Avast bootscan result nothing to worry about?

  • Some time late last year I created a text file on my desktop with the EICAR test virus signature
  • I had read some article on the Avast forum about how to test how thorough your virus scanner was
  • Hence it suggested to create a text file on the desktop with the EICAR test virus signature
  • It was only a text file and upon opening it with Avast (in notepad) it detected the EICAR virus
  • I deleted the text file and thought nothing more of it
  • Until today’s bootscan turned up this

File C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP569\A0176817.com is infected by EICAR Test-NOT virus!!

If you could please answer the following four questions I would be very grateful:

  1. Is this a system recovery file?
  2. Has the windows recovery somehow saved that text file I created (please read above)?
  3. How can I (should I?) upload the file to jotti and virustotal? (tried but couldn’t locate them)
  4. Should I be worried? :open_mouth:

Thanks for your help!

Avastfan1

That file is in your system restore. Turn off system restore (XP): Start > right-click My Computer > Properties > System Restore > Turn off System Restore > Apply > OK. Reboot, then turn system restore back on. You can then create a fresh restore point. ALL previous restore points will have been erased.

  1. It is a restore point created by system restore.

  2. I don’t know the exact rules for the creation of restore points, my belief was that it was for only files in the system folders, etc. Now I don’t know if the desktop, being somewhat different to a conventional folder is also included.

Personally I wouldn’t have thought that system restore would have looked after text files, though you talk text file, you don’t say what the file name you gave it was. But probably eicar.com and a .com file isn’t considered a text file, but a command file.

So from the file name given by system restore (is how I guessed what you called it), it retains the file type but changed the name.

  3. Why would you want to upload it to VT? It would only find the same thing, especially if the creation date/time of the restore point coincides with the deletion/detection by avast.

You say you couldn’t locate them; where did you look? Surely they would be in the avast chest.

  4. No

  1. Yes
  2. Possibly yes.
  3. No, don’t do that. (let them handle the dangerous things :slight_smile: )
  4. No, not because of this anyway. :slight_smile:

If you are dependent on Sys Res, don’t turn it off/on. All will be gone.

I have it turned off because I don’t trust it, but that’s another story.
Using Norton Ghost on a regular basis instead.

HL

EDIT: Sorry David, didn’t see your post.
Looking at the postcount you have more writing experience than me. :slight_smile:

Hello Avast Forum,

Thank you for the responses. After reading these wise words I do indeed remember calling it eicar.com now. Hence that is probably why it was saved in the system recovery file.

Could I just simply delete the specific file (see below) using Avast in the boot time scan?

C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP569\A0176817.com

Would that ruin the system restore function within Window$? Is it a wise idea to turn off system restore, reboot and then turn it back on again?

Sorry for the additional questions. Just that I’m not great with computers and need to cover all bases before I do something.

Thanks and I look forward to your reply!

Avastfan1

@hlecter: You’re Norwegian? Great! Are you from Oslo, or do you live somewhere else? Norway is such a wonderfully lovely country! I think so anyway. And thanks for the help with damn Window$ :slight_smile:

Yes, you can remove it and probably on a normal scan once it is detected, otherwise yes use the boot-time scan.

Yes.

No, it will destroy only that particular recovery point.

If you don’t need the old restore points, yes.
If you want the avast scan to return clean, yes.