emailshield infected

I am running the free version of avast and normally run a quick virus check every other day and a full scan every 2 to 3 weeks

I recently noticed that my pc was running very slowly so ran a full scan, this showed 1 infection, path as follows:

C:\Docs and Settings\All Users\Application Data\Avast Software\Avast\Report\EmailShield.txt

I was prevented from repairing or moving the infection to the chest because it was already in use, so I deleted it and was advised that the operation was postponed until reboot.

I rebooted and ran a full scan again and was informed of the same infection. I repeated delete/reboot again, same result.

I’ve tried searching my pc but am unable to find this file, I’ve also run my Avast installation through jotti and got a clear bill of health

My pc is still running slow, any advice would be appreciated

Thanks

Strange… have you run a quick scan with Malwarebytes for a second opinion? Be sure it is updated before you do.

@ gordons
What was the malware name, as I find it hard to see how the text file could be detected as infected (more so a log of the Mail Shield)?

Since a text file is essentially inert, I can’t see how this even if it were infected would be responsible for any slowdown.

Can you give some information on when you first noticed this apparent slowdown, e.g. had you recently updated anything, etc.?

Hi Pondus and DavidR

Thank you both for your replies

  1. re Malwarebytes. Because I download quite a bit I tend to run this on a daily basis but always in Quick Mode. I’m now checking with a Full Scan, been running now for 40 minutes and no infections but I’ll let it go to the end and will report back with results.

  2. Incidentally everything I download I check with both Avast and Malwarebytes before installing but it has just occurred to me that these scans may not be deep enough to detect everything.

  3. I can’t give a file name because I can’t find anywhere where this is stated other than as emailshield.txt but what I can tell you is that the Severity Rating is HIGH and the Status is HTML:Script -info

  4. A little bit of history which may or may not help:

I first noticed this infection on 4th Sept when I last ran a Full Scan. I deleted and rebooted and assumed it had gone away as daily quick scans didn’t show any problems. It has only shown itself yesterday and today when I did Full Scans.

My reason for doing a Full Scan yesterday was because I noticed an icon on my desktop for an exe file named csc.exe. I had no idea what this was for and was sure I hadn’t intentionally downloaded it so I scanned it with Malwarebytes and Avast (both clear) but was still uneasy so I did a Full Avast Scan. This showed up csc.exe and cvtres.exe as High Risk Infections. I successfully transferred these to the chest. The full path for these files is:

C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\Sandbox\compiledBot\1.0.0.0\2011.0504T15.13\Native\STUBEXE@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (also \cvtres.exe)

  5. I can’t put an exact date/time to it but I think Windows did an automatic Security Update just prior to this. May or may not have anything to do with the problem but Windows has been known to cause one or two problems before now.

  6. I’m now doing a search to list all .exe files I’ve installed during the last 7 days to see if I can find anything unusual and if necessary will do a one by one delete/reinstall to see if I find any problems. I will report back with results.

  7. I don’t really understand the technical aspects of all this therefore I hesitate before jumping in with both feet, however I still have a niggle about those csc and cvtres files.

They are at present sitting in the chest and I understand they should not be able to do any harm from there, but should I delete them to be sure?

Or, are they essential to the running of my pc? Your advice on this would be appreciated.

Thanks for your time and patience, Gordon

PS: Malwarebytes just finished - no infection.

3. I can't give a file name because I can't find anywhere where this is stated other than as emailshield.txt but what I can tell you is that the Severity Rating is HIGH and the Status is HTML:Script -info

Personally I get the feeling this is a false positive, as for a HTML:Script-inf (not HTML:Script -info) is related to HTML pages (which the emailshield.txt isn’t) and that is normally the injection of a [npbbc][nobbc] that usually contains either exploit code or a redirect to a malicious site.

C:\Documents and Settings\Owner\Local Settings\Application Data\Xenocode\Sandbox\compiledBot\1.0.0.0\2011.0504T15.13\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe (also \cvtres.exe)

Whilst both of those file names appear to be legit, that isn’t a guarantee they are legit/clean.

Ensure that you have the latest avast virus definitions version, 110913-1 (currently) and scan those files again inside the chest, if they are still detected, confirm the detection at virustotal (see below).

You could also check the offending/suspect files (all three) at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.

Thanks for the detailed info but I’m sorry to say I’m having problems following your suggestions.

  1. I’ve created the folder C:\Suspect and have excluded that in the File System Shield - no problems so far

  2. I confirm that I have been using Avast v 110913-1 (now 110913-2) and I have performed another Full Scan.

The files which are in the chest (csc.exe and cvtres.exe) were not detected in this scan however EmailShield.txt did appear again as an infection.

  3. I also did a search on my pc.

Several older versions of csc.exe and cvtres.exe dating back as far as 2004 were found but not the versions which had been infected. It looks as though the older versions could be the original Windows XP installation and later SP updates.

EmailShield.txt could not be found anywhere.

  4. Next I tried to extract the csc.exe and cvtres.exe files from the chest to put into the new Suspect folder. This has me completely baffled. I just could not find any way of extracting these files.

  5. Finally I tried using VirusTotal.

First I tried browsing for the files. I tried browsing for all 3 in turn but could find no trace of any of them so I then tried browsing to the first part of the file path “C:\Documents and Settings” and manually pasted in the remainder of the file path I had obtained from the Avast log “\Owner\Local Settings\Application Data\Xenocode\Sandbox\compiledBot\1.0.0.0\2011.0504T15.13\Native\STUBEXE@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe”

This produced an error message “Path does not exist”. Same results when I tried inserting the path for the other 2 files.

  6. I’ve had a final thought. The csc.exe and cvtres.exe appear to be genuine Windows files in so far as I have several versions of them on my pc dating back to as early as 2004 which was when I probably installed XP. Now that I have confined the latest versions to the chest would you suggest I go into Microsoft and download the latest updates for XP which should then hopefully install a clean version of these files?

  7. Other than that I’m baffled. Any further comments would be welcomed.

4. Next I tried to extract the csc.exe and cvtres.exe files from the chest to put into the new Suspect folder. This has me completely baffled. I just could not find any way of extracting these files.
Did you right click the files in the chest... and then extract to the folder you made?
  1. For the emailshield.txt detected again in the scan of the chest, I would still seek confirmation using virustotal. So you shouldn’t need to upload the csc.exe and cvtres.exe if the avast scan of the chest didn’t find them infected.

Entering the original path when trying to upload to virustotal, when the file is in the chest, is doomed to fail as it is no longer in the original location.

The files which are in the chest (csc.exe and cvtres.exe) were not detected in this scan however EmailShield.txt did appear again as an infection.

Did you actually scan the file from within the chest?
You need to have opened the chest, select the files and right click and select Scan (see image). A scan from outside of the chest won’t find anything in the chest infected as the chest is a protected area.

Those not detected on the scan of the chest can be restored: right click on the file in the chest and select Restore. Confirm that the files are back in the original location and then the copy remaining in the chest can be removed.

Sorry but I’ve had another after thought which might be helpful.

You originally expressed the opinion that the EmailShield.txt might be a False Positive.

I had heard this expression but was not sure what it exactly meant so I looked it up in Wikipedia.

The following extract caught my eye.

“Some antivirus software can also predict what a file will do by running it in a sandbox and analyzing what it does to see if it performs any malicious actions”

When I look again at the path for the csc.exe and cvtres.exe files from the Avast log I notice that Sandbox is included as part of the path.

Could this be why I got the error message “path does not exist” when trying VirusTotal as I assume the Sandbox will not actually exist on my pc?

Could it also be that none of the 3 files were in actual fact infected but were only treated as such by Avast as a precaution?

Correct me please if my assumptions are wrong.

Pondus. I just got your message as I was typing this. Yes I tried but Right Click did not work.

Whilst it mentions a sandbox I don’t believe it has anything to do with avast as the location of the sandbox in your file is in the Xenocode folder and that has nothing to do with avast. So do you have this Xenocode software installed?

If so it must be out of date as it is now called Spoon, see image.

If you sent the file to the chest from the original location then it ‘shouldn’t exist’ in that location and that is certainly why the path wouldn’t be found.

The reason we suggest sending to virustotal is for confirmation, especially in the case of avast alerting on an inert avast log file. That would be considered a possible false positive. Because the other two were legit file names, it is best to seek confirmation one way or another.

We are asking questions, but we aren’t getting any answers, without them we are guessing.

DavidR and Pondus

Sorry but my posting and your postings overlapped which may have caused a little confusion.

I was wrong when I said Right Click didn’t work, I did not have the chest open when I tried it.

David, many thanks for the chest illustration this immediately explained everything to me.

It is now 2am and my brainbox is not working as it should. I will go over your postings very carefully in the morning and will give you all the answers then.

Thanks again for your help, it is much appreciated. Speak tomorrow, goodnight to you both, Gordon.

OK, almost 3am now and I will be calling it a night too.

Hi again

New day and hopefully one to give us results

Sorry for the confusion arising from overlapping posts however the following should clarify matters

  1. csc.exe and cvtres.exe - when the infection was discovered on 12 Sept I initially consigned these to the chest however I later decided to delete them completely which is why they are no longer appearing in the chest. By coincidence when I closed my pc down last night windows automatically updated so this morning I checked and found that a new version of csc.exe has been installed which has convinced me that the files are legit. I’ve also run an Avast Full Scan this morning and there are no problems other than the EmailShield.txt being listed as an infection again.

  2. emailshield.txt - I’ve had great difficulty tracing this. Windows search produced no results and I had negative results with VirusTotal when I tried to use the path I found in the Avast log. However I did manage to locate it on my pc using software called “Everything” from VoidTools.com. This gave me a path which I fed into VirusTotal with a positive result which you can view at http://www.virustotal.com/file-scan/reanalysis.html?id=6089770d8947af661acbf0f237a1a29e3c757f9db6111a86fd39f9676fb3ac10-1315996891

  3. I do not feel qualified to report on this analysis but am curious about the entry against “ByteHero” and what it means. I am also curious about the fact that this file was first analysed on 7 Sept which was not at my instigation, I was not even aware of the existence of VirusTotal until you told me about it on the 12/13 Sept.

  4. Xenocode/Spoon - I have found files for these on my pc and have scanned using Avast and Malwarebytes. No infections were found however I will be looking at these again to see whether I really need them.

  5. Conclusion - Unless item 3 requires any action then it would appear that I do not need to be concerned any more. Your opinion would be valued.

Thanks once again for all your help, I’ve extended my education considerably in the process.

There is a problem with your VT results link (doesn’t seem to work correctly) and as there are no alerts by avast on it and only ByteHero, which seems to be one with frequent false positives.

http://www.virustotal.com/file-scan/report.html?id=6089770d8947af661acbf0f237a1a29e3c757f9db6111a86fd39f9676fb3ac10-1315996891

So I honestly haven’t a clue what is going on with your copy when avast doesn’t alert on Virustotal but does on your system. Which is why I questioned the virus definitions version that you had.

Now in the virustotal results you will find an MD5 hash (unique file identification number) and it is highly unlikely that any two emailshield.txt files would have the same MD5 as they reflect the user's system and their email settings. So given the problems you have had in finding it, I don’t even know if it has been correctly uploaded to VT, as the one in the link above is for avastUI and not the emailshield.txt file.

So please read my instruction on submission to virustotal and apply it to emailshield.txt.

ok, I think I’ve got what you want

This time I located the file then copied it to the Suspect folder then uploaded it from that folder, hopefully this is what you are looking for:

http://www.virustotal.com/file-scan/report.html?id=2cc8b2d69b837d613af2b883631d1c4ec1ccca464a29f747c607c315d78690d1-1316010125

MD5 should be 5a0e76d144738eb4e8217feadeee28de

Well that is certainly weird, considering that others are also finding something suspect.

So It may well be best to just try to recreate this file.

  1. Stop the Mail Shield just for 10 minutes.
  2. Go to the avastUI, Settings, Troubleshooting and disable the avast self-defence module.
  3. Go to the original emailshield.txt file and rename it emailshieldOLD.txt.
  4. Restart the Mail Shield.
  5. Check if the emailshield.txt has been recreated, possibly not. If not, reboot and check again.
  6. If it has finally been recreated, enable the avast self-defence module.

I’ve completed all as requested, emailshield recreated without any problem.

I don’t know but this may be of help.

I checked the Avast logs again and noticed that on 17 August Avast found 2 High Level Infections Status:JSRedirector-IK[Trj] (could be [Tri]) but took no action because the files could not be found. These referred to xexed.com and valuatewebsite.com. I’ve located both files and run them through VT, results as follows.

xexed

http://www.virustotal.com/file-scan/report.html?id=d3b477528b85d379cf3959d775446f5b692a53543ccd3de5737b20d49e7e267c-1316011674

MD5 : 3d41ebea70a154433f66ae612a895845

valuatewebsite

http://www.virustotal.com/file-scan/report.html?id=4f855aa5be2cbabf14c49ae8fb8ba1c82a0d77bce408abffa2053a845b719cda-1316011917

MD5 : 60b2931d66b50e2eb1eda5b191763e34

They look like they were email detections (probably attachments), but I don’t see why any reference to them in the emailshield.txt would cause an alert as the files themselves aren’t included in the log.

So I take it that the new emailshield.txt isn’t detected (just right click on it and have avast scan)?
If not then you can safely delete the renamed file, emailshieldOLD.txt.

ok, done and new emailshield.txt passed avast scan

The xexed.com and valuatewebsite.com are cookies. Will it be safe to manually delete them? I have no need for them.

OK, hopefully that is the journey completed.