Can't upload from Suspect file without warnings

I finally found David’s instructions from some time ago and my SUSPECT file is still in C. I extracted the two culprits showing I have Win 32.Trojan gen into the file but could not upload to Virus Total because of warnings going mad.

Since I wrote the first post I have done a lot of reading. They still could be false but maybe not. They are now in my SUSPECT file which is entered in Standard Shield as a non-scan BUT they are also no longer in the chest.

I really need to know what to do next.
Donna in AR

Enter into avast Chest, go to User folder and right click the blank area. Choose in the context menu the entry called “add” and make a copy of the file into Chest. You can send to Alwil from there (right clicking the file).

Thanks. I think I got that done. I had one of these files in line to be sent to VirusTotal for 1:15. I had to give that up and I have a cable connection. For now I’ve moved the two files back to the chest.
Donna

Submit the files to Alwil analysis…
Be a little patient with virus total :wink:

Late in the afternoon I ran another Avast scan and it found two more files in the same areas but with different numbers. After completing the scan Avast listed a bunch of files that it could not scan (which I’ve not seen before) and then showed the two additional that I also sent to chest.

Maybe I should try a different time of day for VirusTotal and see if I can get one file and if it is for real then I suppose the rest will be too.
Donna

That is because you haven’t excluded the suspect folder and its contents from a standard shield scan.
Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect*

That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Let’s not forget what we did before: malware names, file names and locations, etc.?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

Typical malware behavior…

I do have it excluded in standard shield on my XP machine. I finally did get it to begin sending one file through VT but with little experience I gave up at an hour and 20 minutes.

I have an XP box and an Acer Vista box networked on a wired router and a KVM switch. They do not share files; I simply flip back and forth as needed to do different tasks. The XP is the one I’ve been working with all day, the one I updated Avast on, and it is the one that shows four infected files. I just now flipped to Vista and ran Avast which is still running 4.8.1229; it turned up one infected file which I sent to chest and also e-mailed to Alwil. I use each box’s firewall and a router firewall as well.

Location: C:\Program files\Acer Game Zone\Backspin Billiards\Launch.exe

Never used this as I’m not a gamer. It says it has Win32. Trojan-gen also. I may try to send it to VT very early a.m. Will have to create a Suspect file for the Vista machine first.
I just really don’t quite know what I’m dealing with and guess I won’t until I get a confirmation. Then if it is real I guess a major clean-up (how?) is in order.

If you did then it wouldn’t alert (your ‘the warnings going mad’ comment) and once avast alerts it won’t allow you to do anything to that file. So exactly what did you put in the standard shield exclusions?

Though the normal issue when avast alerts when you try to upload to VT is that the file loads relatively quickly as it ends up there as a 0-byte sized file, e.g. empty. So why exactly it took that long before you eventually gave up I don’t really know.

In Standard Shield I have Resident Task Settings>Advanced>C:\Suspects

Maybe Avast simply would not let it load; the file appeared in VT from my Suspects file finally and frankly I don’t remember how I made it do it. VT darkened the foreground and a box appeared that said it was sending file and said not to close the screen. It stayed like that for over an hour and 20 minutes.
Donna

It needs to be C:\Suspects* as in my example in Reply #5 of this topic. That is why avast was alerting on your exclusion.

The * is important as this is what excludes the contents of the folder.

Hopefully I have attached a PNG file of VT’s reading of one of the trojan files

Here is the C:\Program Files\Acer Game Zone\Backspin Billiards\Launch.exe after submission to VT. It looks deadly!

See what happens when you get the exclusion right ;D

Most of these are generic detections, which are more prone to false positive detection though they all follow the same theme, a password stealer. It would have been easier to copy and paste the URL from the VT Results page into the post, saves you having to create an image and we get to see the full information.

So I would suggest that you don’t use on-line banking until this is resolved and then change your passwords.

You’re still very shy of name (only found by the name of the image attachment) and its original location. This could help us to try and work out what program it might be from or how it got in.
See http://www.google.co.uk/search?q=NSsetup.exe for hits on the file name.

Contrary to David, I think the file could be indeed infected.

Again the majority of the detections are Generic or Suspicious (Heuristic), which are more prone to false positive detection.

So the jury is still out.
If you haven’t already done so send these to avast for further analysis as possible false positives.

Thanks to both of you. I want to clean out the Suspect files and return them to the Chest; how do I do that? I thought I could right click and do it but not so.

Since I’ve played with these so much I’m going to run another Avast scan on both machines and if I get more files I’ll VT them too. I guess just file in chest and keep scanning to see if still infected?

Where did I say it ‘is’ a false positive.

Most of these are generic detections, which are more prone to false positive detection though they all follow the same theme, a password stealer. So I would suggest that you don't use on-line banking until this is resolved and then change your passwords.

So where in here am I suggesting it isn’t infected? I’m urging caution whilst at the same time giving information to be checked about the NSsetup.exe file. Many setup files are detected by generic signatures because of what they do and we haven’t got the full information on where it was located.

Games are notorious for this kind of checking to ensure no hacking but that is speculation as we don’t have the full information. So I will let you obtain that and continue with this one.

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1324\A0171333.exe

I included this path of one of them in an earlier post. Is this the name you are talking about? I guess I get too nervous to do copying and pasting when I’m into a mess like this.
Donna

Well that file name doesn’t match any of the files you uploaded to virustotal.

But as I have said before in another topic, there really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

Worst case scenario it isn’t infected and you delete it, you can’t use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.

So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.