Deleted from Chest by mistake

I’m new here and deleted some viruses from the chest. Is that going to be a problem? When the virus pops up Avast recommends that it be sent to the chest but should I instead try to repair it first?

Hi Donlee, welcome to the forum :slight_smile:

Please could you stick to one topic as it makes it harder for those here to help you. Since this one is in the right place I will post here.

Normally, the recommended action is to put the files in the chest, a secure encrypted location that cannot be accessed other than by avast! itself. If after some time (say, a couple of weeks) you have not noticed any adverse effects (for example, problems with using the PC or programs not working), then it should be reasonable to delete.

To be sure, we would need the filenames and locations of the files that you deleted.

Right click avast icon–>click ‘Avast log viewer’–>click ‘warning’ section–>look at the bottom of the log (or click the date time header to bring the most recent to the top)

Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the last few entries.

-Scott-

just something to read

Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

Okay Scott here you go
1/16/2010 6:54:57 PM 1263686097 SYSTEM 1588 Sign of “Win32:Trojan-gen” has been found in “C:\WINDOWS\default32.dll” file.
1/16/2010 7:13:49 PM 1263687229 Administrator 2424 Sign of “Win32:Trojan-gen” has been found in “C:\System Volume Information\_restore{E2FD6C42-B93A-4152-A6E5-324F632CD4D3}\RP82\A0008821.dll” file.
1/16/2010 7:18:26 PM 1263687506 Administrator 2424 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\FontReg.exe” file.
1/16/2010 7:20:32 PM 1263687632 Administrator 2424 Sign of “Win32:Trojan-gen” has been found in “C:\WINDOWS\trz96.tmp” file.

Thanks Pondus

1/16/2010 6:54:57 PM 1263686097 SYSTEM 1588 Sign of "Win32:Trojan-gen" has been found in "C:\WINDOWS\default32.dll" file.
Not sure about this one, I can't seem to find any info on it. (I presume that this would mean a genuine detection...)
1/16/2010 7:13:49 PM 1263687229 Administrator 2424 Sign of "Win32:Trojan-gen" has been found in "C:\System Volume Information\_restore{E2FD6C42-B93A-4152-A6E5-324F632CD4D3}\RP82\A0008821.dll" file.
This should be okay to delete, as it is a restore point:
1/16/2010 7:20:32 PM 1263687632 Administrator 2424 Sign of "Win32:Trojan-gen" has been found in "C:\WINDOWS\trz96.tmp" file.

A temp file, again, this should be okay to delete.

1/16/2010 7:18:26 PM 1263687506 Administrator 2424 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\FontReg.exe" file.

This one I am not too sure about. It looks like a genuine detection, as the real version, if there is one, should be at C:\WINDOWS\SYSTEM\, not in the system32 folder.
http://www.bleepingcomputer.com/filedb/fontreg.exe-32022.html

If you are having no adverse effects, I would think that you are ok, maybe someone else here could confirm…

-Scott-
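
The by-hand triage in the post above can be scripted; the following is an added example, not code from the thread or from avast!. It parses the posted Warning.log lines, derives the logging machine's UTC offset from the epoch field, and buckets each path the way the reply does (restore point, temp file, everything else). The field names and bucket labels are this example's own, and the meaning of the number after the user name is not stated in the thread.

```python
import ntpath
import re
from datetime import datetime, timezone

# Warning.log lines as posted in the thread (quotes normalised to ASCII).
SAMPLE = r'''1/16/2010 6:54:57 PM 1263686097 SYSTEM 1588 Sign of "Win32:Trojan-gen" has been found in "C:\WINDOWS\default32.dll" file.
1/16/2010 7:13:49 PM 1263687229 Administrator 2424 Sign of "Win32:Trojan-gen" has been found in "C:\System Volume Information\_restore{E2FD6C42-B93A-4152-A6E5-324F632CD4D3}\RP82\A0008821.dll" file.
1/16/2010 7:18:26 PM 1263687506 Administrator 2424 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\FontReg.exe" file.
1/16/2010 7:20:32 PM 1263687632 Administrator 2424 Sign of "Win32:Trojan-gen" has been found in "C:\WINDOWS\trz96.tmp" file.'''

# 'ident' is the number after the user name; its meaning is an assumption here.
LINE_RE = re.compile(
    r'^(?P<local>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(?P<epoch>\d+)\s+'
    r'(?P<user>\S+)\s+(?P<ident>\d+)\s+Sign of ["“](?P<sig>[^"”]+)["”] '
    r'has been found in ["“](?P<path>[^"”]+)["”] file\.')

def classify(path):
    """Bucket a path by location, following the reasoning in the reply."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"   # stale copy kept by System Restore
    if ntpath.splitext(p)[1] == ".tmp":
        return "temp file"
    return "investigate"              # live file: look it up before deleting

def parse(text):
    """Return one dict per detection line; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        local = datetime.strptime(m["local"], "%m/%d/%Y %I:%M:%S %p")
        utc = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc).replace(tzinfo=None)
        rows.append({
            "utc": utc,
            "utc_offset_h": (local - utc).total_seconds() / 3600,
            "user": m["user"], "signature": m["sig"],
            "file": ntpath.basename(m["path"]), "path": m["path"],
            "bucket": classify(m["path"]),
        })
    return rows

if __name__ == "__main__":
    for r in parse(SAMPLE):
        print(f'{r["utc"]}Z  {r["bucket"]:<18}  {r["signature"]:<24}  {r["path"]}')
```
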

thank you so much

Trojans generally can’t be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can’t do any harm and you can investigate the infected warning.

The VRDB only protects certain files, mainly .exe files, it doesn’t protect data files or all files, it is not a back-up program, so there are going to be many occasions where repair won’t be an option.

Only a true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it, provided that file is one that avast’s VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.

However, for the most part so-called viruses, trojans (adware/spyware/malware, etc.) can’t be repaired because the complete content of the file is malicious.


Information on … default32.dll … can be found at the link below :

http://www.prevx.com/filenames/X2065179817566393827-X1/DEFAULT32.DLL.html ( Malware Downloader )


I am also new to this. If a virus is detected and is in the chest, does that mean it will not harm my computer? On the screen it says that there are 5 infected files? How can I get this off?

Deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, so it is best to send virus to the chest (quarantine) and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

I believe the FontReg that Donlee has is the one that comes with the RyanVM post-SP3 hotfix pack http://www.ryanvm.net/forum/viewtopic.php?t=6729. Basically it’s for slipstreaming hotfixes beyond SP3 into a Windows XP CD. I’m pretty sure it is a false positive, a lot of people have tested these packs and I’m sure it would have been caught. I have the exact same detection as Donlee from Avast but I can’t get any other antivirus program to complain. I’ve tried both Kaspersky and MSE with clean results.

The issue could be that the FontReg program uses part of the Microsoft source code from the old 1995 file installation utility. Microsoft released this code to the public so it is legit. I wonder if Avast is detecting FontReg as a compromised Microsoft system file because of this.

Long story short, it’s safe to delete FontReg, you will probably never use it since it’s for installing fonts via the command prompt.