Hi, I run Avast Home 4.7 and, having updated to build 4.7 938, I then carried out a full thorough scan including archive files. During this scan the above worm was detected and I have placed the file in the Avast chest. On doing some checks I cannot find any references on this malware and wondered if anyone else could advise me if it is an infection or a false positive. Thanks
Without information we can’t advise.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx)?
You are more likely to find information based on the file name.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.
If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives, how to report it to avast! and what to do to exclude them until the problem is corrected.
Thanks for your reply DavidR.
The virus was in “C:\System Volume Information_restore{5ABE0331-B63E-4365-84B6-07399241OAC4}\RP307\SOO46682 Acl” file.
I will follow your suggestions and try to establish if it is a false positive or otherwise.
If avast has been able to move it from the C:\System Volume Information folder, in the past it wasn’t able to do that but I believe it now can.
Confirm it has been moved and if so you could leave it in the avast chest for a few weeks, a protected area where it can do no harm, and scan it again in the chest; if still detected then delete it.
Personally I would suggest you disable system restore and reboot, that will remove ALL restore points, infected or otherwise. That way there is no possibility of at some time in the future using system restore only to infect the system.
Win XP-ME - How to disable System Restore
After you have done that run another scan and if clear (you should be) enable system restore again.
Right now… behavior seems another thing.
I get the ownership of that folder and then check the file …740
You’ll see it’s not there anymore.
Safety first… I’ll suggest the same 8)
I can confirm that the file has been moved to the virus chest and I have followed your suggestions and removed all restore points. Further full scans have come back clean so I am hoping that the matter is now resolved. I was concerned that deleting the file might affect the system’s ability to make future restore points but this obviously was me being overcautious. I will let you know if I encounter any further problems but in the meantime many thanks for your help.
You’re welcome, thanks for the feedback.
If you haven’t already done so you can enable system restore again, the act of doing so will create a new ‘clean’ restore point so you should have the ability to restore to a clean time.
Yes I re-enabled system restore and created a new restore point. I forgot to mention that a further scan by Avast found only ‘traces’ of hllp-vova in the System Restore file but after removing it all scans came back clean. Many thanks for your help once again.
No problem.