Avast Scan Detected Win32:Trojan-gen

I’m a relatively new user of Avast. In doing a thorough scan today, a Virus Warning box kept popping up. The recommended action was to move it to the chest. However, no matter how often I chose that option, it wouldn’t move. The last statement seems to have not been the case. When the scan finally finished, the “virus” must have appeared in over 70 places. The ones where I selected move to chest were moved. A few still remained because I thought the move to chest wasn’t working. At the end, I moved those into the chest also.

Here is a Screen shot of what I kept getting when doing the scan –

http://i34.tinypic.com/5evp60.jpg

I had to finally click Don’t Show This Dialogue Next time in order to be able to continue with the scan.

Is this truly a virus/worm? If so, how do I handle it?

TIA

It appears from my (limited) knowledge on these matters that it was found in your system restore folder. When this happens you must deactivate system restore to clear your restore points and then reactivate it, but be warned this will clear all restore points so you can't return to an earlier time. If it is a real virus in there it must have been due to a virus being saved along with the restore point; as it hasn't shown elsewhere on your drive it must have been a past infection that was saved to a restore point before it was removed. I would wait to see what others say first as they may advise you better.

good luck either way

ps this MAY explain why you can't move to chest as windows protects these restore points

I experienced the same ‘trojan’ which nominated my admunch.exe ! This would seem to be a clear false positive as admunch.exe could not possibly be a trojan as it is a legitimate ad blocking program that I run.

Alwil has already acknowledged this false positive… there are a lot of other posts about it… will be corrected in next virus database update.

You can’t relate the two detections as the same as the trojan-gen is a generic signature which tries to detect multiple variants of the same type of malware. So it is entirely possible to have totally different files being detected with the same signature.

There is also no way you could know if it was admuncher in the restore point.

@ alaura
Can you give some examples of the ‘over 70’ locations, e.g. (C:\windows\system32\infected-file-name.xxx) ?

Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

If it keeps getting detected in the _Restore points, you can do as suggested and disable system restore and reboot; this will clear all restore points (sledgehammer). Or schedule a boot-time scan.
If you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

David, when I went to the Log Viewer this is a portion of what I saw (I removed my name.)

http://i33.tinypic.com/2efkvwg.jpg

That’s kind of small. Each entry says:
Sign of "Win32:Trojan-gen {other}" has been found in "C…

Is there more info after the C…? I don’t know how to view that info if it’s there! (I’m not very computer savvy!)

Okay, I found more info and they are all _restore{various numbers}1Rp 250682

Can I just leave them in the chest or must I follow the directions you gave me (They scare me!)

alaura

Go to the vertical bar after the column name and expand the column with the mouse to right.

Like this, see image.

You may find it easier to copy some of the data from the actual warning.log text file (that’s where the data comes from to be displayed in the log viewer; it is here C:\Program Files\Alwil Software\Avast4\DATA\log assuming you installed it in the default location), and copy and paste from that.

Ah, that was easier, David, thank you. Actually, I did reply that they’re all _restore (It’s in bolded red in one of my posts.)

Okay, here’s a copy and paste from the warning log text file. There are many more of them.

10:07:54 AM 1215871674 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(3).dll” file.
7/12/2008 10:08:12 AM 1215871692 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(4)(2).dll” file.
7/12/2008 10:08:44 AM 1215871724 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(5)(2).dll” file.
7/12/2008 10:08:55 AM 1215871735 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlctnk.dll” file.
7/12/2008 10:17:13 AM 1215872233 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\symlcsv1.exe” file.
7/12/2008 10:17:37 AM 1215872257 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP891\A0152464.dll” file.
7/12/2008 10:17:48 AM 1215872268 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP891\A0152480.dll” file.
7/12/2008 10:18:19 AM 1215872299 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP895\A0152601.dll” file.
7/12/2008 10:18:38 AM 1215872318 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP896\A0152655.dll” file.
7/12/2008 10:18:51 AM 1215872331 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP897\A0152741.dll” file.
7/12/2008 10:19:48 AM 1215872388 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP898\A0152813.dll” file.
7/12/2008 10:20:06 AM 1215872406 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP899\A0152876.dll” file.
7/12/2008 10:20:24 AM 1215872424 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP900\A0152930.dll” file.
7/12/2008 10:20:39 AM 1215872439 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP901\A0153019.dll” file.
7/12/2008 10:21:11 AM 1215872471 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP902\A0153089.dll” file.
7/12/2008 10:22:34 AM 1215872554 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP903\A0153164.dll” file.

The Symantec ones ‘may’ be false positives as I believe there was something on that file name without the (n) bracketed numbers previously, which was corrected. This would make me ask if you have the latest version of the VPS updates, current version 080712-1?

The others in the restore points are harder to confirm as the file names get changed when they are sent to the system volume information folder by system restore. If you were able to send any of them to the chest you could possibly upload one or two to virustotal to see if the detection was good.

However, assuming one or more weren’t good I don’t know how system restore would react to avast trying to place them back in the system volume information folder when avast tries to restore them.

What would probably be best would be to clear the system volume information folder completely by disabling system restore (on all drives) and rebooting. That would clear ‘all’ restore points, but I have an aversion to suspect files in the system volume information folder waiting to be restored at some point in the future and reinfecting your system.

Windows ME, XP, Vista - How to disable System Restore
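An added example, not from any poster in this thread and not Alwil's code: the triage David describes by hand (read warning.log, separate hits inside the System Volume Information restore points from hits on live files, and list the live paths worth checking on VirusTotal) done with a small Python parser. The sample lines are constructed from the log excerpt quoted above, not the poster's real file; the avast4 line layout (date, time, Unix epoch, optional SYSTEM tag, process id, then the "Sign of ... has been found in ... file." message) is assumed from those quoted lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the warning.log lines quoted in this thread;
# it is not the poster's actual file. avast4 writes curly quotes around the
# signature name and the path; the regex below also accepts straight quotes.
SAMPLE_WARNING_LOG = [
    r'7/12/2008 10:07:54 AM 1215871674 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(3).dll” file.',
    r'7/12/2008 10:17:13 AM 1215872233 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\symlcsv1.exe” file.',
    r'7/12/2008 10:17:37 AM 1215872257 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP891\A0152464.dll” file.',
    r'7/12/2008 10:17:48 AM 1215872268 3460 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP891\A0152480.dll” file.',
    r'7/13/2008 9:43:24 AM 1215956604 SYSTEM 1764 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.',
    r'7/13/2008 1:26:18 PM 1215969978 2508 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP987\A0163675.dll” file.',
]

# Layout assumed from the quoted lines: date, time, Unix epoch, optional
# "SYSTEM", process id, then the detection message.
DETECTION_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<epoch>\d+) (?:SYSTEM )?(?P<pid>\d+) '
    r'Sign of [“"](?P<signature>[^”"]+)[”"] has been found in '
    r'[“"](?P<path>[^”"]+)[”"] file\.$'
)

# System Restore stores renamed copies under
# <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<digits>.<ext>
RESTORE_POINT_RE = re.compile(
    r'^[A-Za-z]:\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]+)\}'
    r'\\RP(?P<rp>\d+)\\',
    re.IGNORECASE,
)


@dataclass
class Detection:
    date: str
    time: str
    epoch: int                      # Unix time of the event
    pid: int                        # scanning process id
    signature: str                  # e.g. "Win32:Trojan-gen {Other}"
    path: str
    restore_point: Optional[int]    # RP number if inside System Restore, else None


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for a 'Sign of ... has been found' line, else None."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    rp = RESTORE_POINT_RE.match(m['path'])
    return Detection(
        date=m['date'], time=m['time'], epoch=int(m['epoch']), pid=int(m['pid']),
        signature=m['signature'], path=m['path'],
        restore_point=int(rp['rp']) if rp else None,
    )


def parse_log(lines):
    """Split log lines into detections and everything else (update failures
    and so on), so that no line is silently dropped."""
    detections, other = [], []
    for line in lines:
        if not line.strip():
            continue
        det = parse_line(line)
        if det is None:
            other.append(line)
        else:
            detections.append(det)
    return detections, other


def triage(detections):
    """Separate restore-point hits (renamed copies that only matter if a
    restore is done) from live-file hits (the ones to submit to VirusTotal)."""
    in_restore = [d for d in detections if d.restore_point is not None]
    live = [d for d in detections if d.restore_point is None]
    return {
        "signatures": sorted({d.signature for d in detections}),
        "restore_point_hits": len(in_restore),
        "restore_points": dict(Counter(d.restore_point for d in in_restore)),
        "live_hits": len(live),
        "live_paths": [d.path for d in live],
    }


if __name__ == "__main__":
    dets, other = parse_log(SAMPLE_WARNING_LOG)
    print(f"{len(dets)} detections, {len(other)} non-detection line(s)")
    for key, value in triage(dets).items():
        print(f"{key}: {value}")
```

To run it on a real file, pass the opened warning.log to parse_log in place of SAMPLE_WARNING_LOG (the file's text encoding is not stated in the thread, so try cp1252 or utf-8 as needed). The point of keeping the two buckets apart is the one David makes: a hit on a live file such as C:\symlcsv1.exe can be copied from the chest and checked independently, while the A0xxxxxx.dll names inside RP folders are System Restore's renamed copies and say nothing about what the original file was.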

Thanks, David… all this scares me! Can I just leave them in the chest for awhile and see what happens? My puter seems to be running fine.

You’re welcome.

There is nothing to be scared about, if they are in the chest where they can do no harm. It would only be an issue if they were still in the system volume information folder.

David, I just ran another scan. Once again, I got the Virus/Trojan warning 4 times… moved them to the chest. I don’t understand where they’re coming from.

I only get these warnings when I do a scan. Nothing pops up while I’m online to warn me. Would that be significant?

Also what does the entry I have in red mean?

BTW, I do have the latest version of the VPS updates, current version 080713-0

Thanks again for sticking with me through this.

alaura

Below is a copy and paste from today’s scan result:

7/13/2008 9:43:24 AM 1215956604 SYSTEM 1764 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
7/13/2008 1:26:18 PM 1215969978 2508 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP987\A0163675.dll” file.
7/13/2008 1:28:10 PM 1215970090 2508 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP987\A0163695.dll” file.
7/13/2008 1:28:26 PM 1215970106 2508 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP987\A0163733.dll” file.
7/13/2008 1:28:38 PM 1215970118 2508 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP987\A0163914.dll” file.

With these particular detections, I suggest disabling System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore.