destroying from chest

I run avast home 4.6.763 on Win XP/SP2. Recently, after a Panda online scan, I found:
C:\WINDOWS\system32\ActiveScan\pskavs.dll is infected by Win32:CTX - Repair: Error 42060 {The file was not repaired.}

Then I believe I put it into the avast chest and deleted it. I also scoured the hard drive for anything Panda-related and deleted it, and there was MUCH stuff.
Next day bootscan:
C:\System Volume Information_restore{E630283C-5E74-4BB3-AAF5-8195E155E5A7}\RP632\A0089061.dll is infected by Win32:CTX - Repair: Error 42060 {The file was not repaired.}

Put in chest/deleted, then
C:\Program Files\Alwil Software\Avast4\A0089061.dll is infected by Win32:CTX - Repair: Error 42060 {The file was not repaired.}

Chest/delete
C:\System Volume Information_restore{E630283C-5E74-4BB3-AAF5-8195E155E5A7}\RP635\A0089221.dll is infected by Win32:CTX - Repair: Error 42060 {The file was not repaired.}

Then I kept it in the chest and subsequent scans are clear. But cannot an AV program destroy viruses? Does this have to stay in the chest forever? When I delete it, it hides somewhere else. That is my first of two questions. How can it be destroyed?
The other question is: since I deleted two system restore files, is system restore now damaged?

Any help is much appreciated.

This is down to Panda not encrypting its virus signature files. There are many other on-line scanners you can use as a back-up scan.
On-line Virus Scanners and other useful Links Security-Ops.eu.tt

Being in a system folder, it is highly unlikely that it can be repaired, as Windows is protecting it. Not to mention it isn’t a true virus but a collection of virus signatures, and this is just the first one.

No, you don’t have to leave them there forever, but it is never good to delete as a first option; sending an infected file there gives time to investigate (as you are doing now). There is no rush to delete anything from the chest; they can’t do any harm there. Anything that you send to the chest you should leave there for a week or two. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and, if they are still detected as viruses, delete them.

You haven’t damaged system restore; if, however, you did a system restore that included this, you would again get a false positive detection on this Panda signature file.
Your best action is to disable system restore, reboot and scan again. If clear you can re-enable system restore.

General information:
Trojans generally can’t be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, moving to the chest being the best option (first do no harm). When a file is in the chest it can’t do any harm and you can investigate the infected warning.

The VRDB only protects certain files (.exe, .dll and other system files); it doesn’t protect data files or all files, and it is not a back-up program, so there are going to be many occasions where repair won’t be an option.
Only a true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it; provided that file is one that avast’s VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.
However, for the most part so-called viruses, trojans (adware/spyware/malware, etc.) can’t be repaired because the complete content of the file is malicious.

I have a “Q” regarding Avast!'s virus chest. Is there any way to open malware with notepad.exe to look at its properties while it’s in the chest? I looked for an option of “right clicking” but didn’t see any. Thank you in advance to those that reply.

-SIG-

Avast! 4 Home 4.7

The whole idea of the virus chest is to protect the contents against activation, and that would include outside programs; you don’t want a virus to be executed, edited, opened, etc. That is the point of putting it into the chest. So no, you can’t examine it with notepad, etc. whilst it is in the chest; the only way to do that is to extract it to a temp location.

Thanks for your reply DavidR. I have one more “Q” about infected objects… if you open an object that is malware with notepad, it can’t run within it, correct? I was told that you can use notepad to look at a malware object’s properties to see if it’s in fact malware. I could have misunderstood though.

-SIG-

Generally you are not executing the malware, as you aren’t using the running file associated with that malware, so it should (note: should, not is) be safe to examine.

However, for the most part you will be examining a file that won’t be in text format but rather unrecognisable character code (compiled code), so you are unlikely to be able to identify anything without some experience or other tools to de-compile/interpret it.

Looking at a file’s properties is different to examining the contents of a file to identify a malware by its characteristics/content.
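The distinction DavidR draws above (a file's properties versus its contents, and why a compiled file shows as gibberish in Notepad) can be shown with a small static triage script. This is an added example, not code from the thread or from Avast; it reads raw bytes only and never executes anything, and the two sample inputs are constructed inline.

```python
"""Static triage of a suspicious file without running it (added example)."""
import hashlib
import re
import struct

def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS 'MZ' header and a 'PE\\0\\0' signature,
    i.e. a Windows executable/DLL: compiled code, not text."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew field
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace; low values
    are what Notepad renders as 'unrecognisable character code'."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)

def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs of at least min_len bytes, like the 'strings' tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    """Properties (size, hash) plus content indicators; nothing is executed."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": looks_like_pe(data),
        "printable_ratio": round(printable_ratio(data), 2),
        "strings": extract_strings(data),
    }

# Constructed samples: a minimal fake PE header plus one string and binary
# junk, and a plain text file. Neither is real malware.
SAMPLE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
             + b"Hello world\x00" + bytes(range(128, 200)))
SAMPLE_TEXT = b"This is just a text file\r\n"

if __name__ == "__main__":
    for name, blob in (("sample_pe", SAMPLE_PE), ("sample_text", SAMPLE_TEXT)):
        print(name, triage(blob))
```

Point it at a file extracted from the chest to a temporary folder (as DavidR describes) by reading it with `open(path, "rb").read()`; the script only inspects bytes, so the file is never launched.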

Okay, thank you for the info, DavidR. When you mentioned “other tools” that can decompile/interpret the code, are they tools that are accessible to home users, or are they the type that are for professionals only? If they are, are there any tools that are freeware?

-SIG-

Whilst I haven’t needed to use any of these tools, if you know what you need to decompile I’m sure that Google will be your best bet in finding one. A Google search for decompilers returns many hits.

This one, coming from a link within one of the hits, would seem a good starting point: http://www.thefreecountry.com/programming/disassemblers.shtml. Google is a good tool that you should have in your toolbox ;D