Avast has detected a trojan, so I moved it to the virus chest but the file is still showing under C:\windows\system32…
Is this normal? This scares me because I ran the file through Virus Total and there are 2 other virus programs that identify the file as being a trojan. The file is called autochk.exe
Also, I did a restore file (in virus chest) to see if it would do anything (my intention was to rescan it and put it back in the virus chest) but the file does not move out of the virus chest…
It isn’t normal to see it in the original location after it has been successfully sent to the chest.
How long after detection and moving to the chest did you check (as it could well have been regenerated by another element of the infection)?
It isn’t wise to restore an infected/suspect file as that puts it back in the original location, making it active again. Use the extract file, this allows you to select a temporary location, not the original and is safer.
What file is it that you were wanting to scan again and what section of the chest was it in?
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
A copy will remain in the chest, that is normal as a) it allows you to scan it within the chest, b) if you are restoring a file from the chest you want to ensure it has been successfully moved before deleting the ‘only’ copy.
1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
when it is in its CORRECT LOCATION and Properties check out
and a TROJAN if elsewhere or even in the correct location
Be Very Very Careful and take the actions in the previous thread
you might do a search and post the location of the file and then right click and look at properties
It is not unusual for baddies to use MS file names
take a filename that is not Critical and replace the code with malicious which runs when the MS file is called for
does autocheck show up in your start page? programs that run automatically at boot up?
I just saw your virus total results
I’d leave this one in the vault for awhile as it is not a critical system file
and submit the code to AVAST for analysis
you could also follow the advice and run an antispyware scan as shown above
DrWebCureIt did not detect it, neither did my already installed programs (AdAware, Spybot, ThreatFire). Avast Bootscan does not detect it anymore either.
This file was detected a while ago by Avast (over a month ago) and was then moved to Chest. I was just wondering what to do with it, move it back to its original location or leave as is in the Virus Chest. This is when I found out it was still showing under C:\windows\system32…
I will leave it as is for now. My computer works just fine…
Thanks a lot for your help. It was very much appreciated.
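
Added example, not part of the thread: one way to do the "search, post the location, look at properties" check discussed above in a single pass. It assumes a Windows version with PowerShell 4 or later (for `Get-FileHash`); the variable names and the `Review` column are illustrative, and the SHA256 value is what you would look up on VirusTotal without extracting anything from the chest.

```powershell
# Added example: list every copy of a system-file name with its location,
# version properties, signature status and hash, so a look-alike stands out.
$name     = 'autochk.exe'                          # file name from the thread
$expected = Join-Path $env:SystemRoot 'System32'   # location named in the thread

Get-ChildItem -Path "$env:SystemDrive\" -Filter $name -Recurse -File -Force `
              -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

    # Copies under the Windows directory (System32, the component store,
    # servicing backups) are expected; anything elsewhere deserves a look.
    $underWindows = $_.FullName.StartsWith($env:SystemRoot,
                      [System.StringComparison]::OrdinalIgnoreCase)

    [pscustomobject]@{
      Path          = $_.FullName
      InSystem32    = ($_.DirectoryName -ieq $expected)
      Company       = $_.VersionInfo.CompanyName
      FileVersion   = $_.VersionInfo.FileVersion
      LastWriteTime = $_.LastWriteTime
      SigStatus     = $sig.Status
      Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
      SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
      # A bad location or a signature that is not Valid is a reason to
      # investigate, not proof of infection.
      Review        = (-not $underWindows) -or ($sig.Status -ne 'Valid')
    }
  } | Format-List
```

On older Windows releases many genuine system files are catalog-signed and can report `NotSigned` here, so treat the signature column as one input alongside the path, version properties and hash lookup.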