How to deal (..) [CHECK DAVID LAST QUESTION]

Hello,

Well, avast! just detected a virus/trojan. But after I've moved the virus to the chest, what should I do next? Sure, I could let it be there to make sure Windows/my programs are still working as they should. But then what? Should I keep it in the chest or delete it?
Thanks.

We thrive on information, and with the lack of it we are guessing.
I take it that you aren't using the server version of avast?

What Operating System are you using?

What is the malware name, the infected file name, and where was it found, e.g. (malware name, C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

You have done the right thing, 'first do no harm': don't delete; send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and, if they are still detected as viruses, delete them.

Hi,

The name is Ravenhearst.exe. It can be found in a folder which I got with my new computer (Acer GameZone). And that's a bit strange, I mean, why would Acer put a virus in their own program? Anyway, it says that it's a Win32:Trojan. Anyway, if the file isn't in the system files, I can just have it in the chest for some time and then scan again - delete?

(Whole address: C:\Program Files\Acer GameZone\MCF Rave…) ← and that's the whole address I can find, and yes, avast! also shows three dots at the end.
Thanks!

BTW, how do I rescan in the chest? Just press the scan button when you open the virus chest?

That is the reason why we ask about the file, location and malware name, as I think that it is Win32:Trojan-gen.

The three … dots signify that there is more info (concatenated); you can expand the column width by left-clicking and holding whilst dragging the mouse pointer to the right (this works in most Windows applications with columns).

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and it is a fine balance between detecting a new variant and detecting something valid as infected. So you should confirm the detection, see below.

When you open the chest, Infected Files section, highlight the file, right click on it and select scan.

  • The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
  • The User Files section is where the user can add files they suspect of being malware but not detected by avast.
  • The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
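The extract-to-an-excluded-folder, check-on-VirusTotal, send-to-the-vendor workflow described in the post above, as an added example for this page (this is illustrative code written for this thread, not avast!'s, VirusTotal's or the poster's own). It assumes the C:\Suspect folder David suggests, the historical VirusTotal URL layout that appears later in this thread (an MD5 after /analisis/; the live site today keys on SHA-256 under /gui/file/, which is an assumption you should adjust for), and a constructed stand-in sample rather than the real Ravenhearst.exe. The path check enforces the "Extract, never Restore" rule by refusing anything that is not inside the excluded folder, and the bundle step packages the sample with a note carrying its hashes and the thread link, as the later replies advise for mailing to virus@avast.com.

```python
"""Quarantine-and-verify helper (example code, not part of avast! or VirusTotal)."""
import hashlib
import ntpath
import os
import tempfile
import zipfile

# Folder the post suggests creating and excluding from the Standard Shield.
SUSPECT_DIR = r"C:\Suspect"

# Assumption: the historical lookup URL layout seen in this thread (MD5 after
# /analisis/). Current VirusTotal uses SHA-256 under /gui/file/.
VT_URL_TEMPLATE = "http://www.virustotal.com/sv/analisis/{md5}"

HASH_NAMES = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests for an in-memory sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk in chunks so large samples need not fit in RAM."""
    hashers = {name: hashlib.new(name) for name in HASH_NAMES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def virustotal_lookup_url(md5_hex: str) -> str:
    """Build a lookup URL so you can check whether VT already knows the sample."""
    md5_hex = md5_hex.strip().lower()
    if len(md5_hex) != 32 or any(c not in "0123456789abcdef" for c in md5_hex):
        raise ValueError("expected a 32-character hex MD5")
    return VT_URL_TEMPLATE.format(md5=md5_hex)


def is_in_suspect_dir(path: str, suspect_dir: str = SUSPECT_DIR) -> bool:
    """True if `path` (a Windows path) lies strictly inside the excluded folder.

    Guards the 'Extract, never Restore' rule: only a copy placed under
    C:\\Suspect should be handled. ntpath makes the check run on any host.
    """
    norm = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(suspect_dir))
    return norm.startswith(base + ntpath.sep)


def bundle_for_submission(sample_path: str, out_zip: str, thread_url: str) -> str:
    """Zip the sample with a note (hashes + thread link) for mailing to the vendor.

    The stdlib zipfile cannot write password-protected archives; apply the
    password afterwards with an external tool (e.g. 7-Zip) and quote it in
    the e-mail body, as the thread advises.
    """
    digests = hash_file(sample_path)
    lines = [f"thread: {thread_url}", f"file: {os.path.basename(sample_path)}"]
    lines += [f"{name}: {digest}" for name, digest in digests.items()]
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(sample_path, arcname=os.path.basename(sample_path))
        zf.writestr("note.txt", "\n".join(lines) + "\n")
    return out_zip


def demo(thread_url: str = "http://forum.avast.com/index.php?topic=EXAMPLE") -> dict:
    """Run the workflow on a constructed stand-in sample and report the results."""
    stand_in = b"MZ" + b"\x00" * 64  # constructed bytes, not real malware
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "Ravenhearst-sample.bin")
        with open(sample, "wb") as fh:
            fh.write(stand_in)
        digests = hash_file(sample)
        archive = bundle_for_submission(sample, os.path.join(tmp, "submission.zip"), thread_url)
        with zipfile.ZipFile(archive) as zf:
            members = sorted(zf.namelist())
    return {
        "digests": digests,
        "matches_in_memory": digests == hash_bytes(stand_in),
        "lookup_url": virustotal_lookup_url(digests["md5"]),
        "zip_members": members,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("safe location:", is_in_suspect_dir(r"C:\Suspect\MCF Rave.exe"))
    print("original location:", is_in_suspect_dir(r"C:\Program Files\Acer GameZone\x.exe"))
```

Hashing the extracted copy first is worth the extra step: if the MD5 is already on VirusTotal you get the multi-engine verdict without uploading anything, and the digests in note.txt let the vendor confirm they received the same file you were looking at.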

O.O

Heh, alright. But anyway, I don't really care so much about that file since I don't play it. So to make it simple, if I rescan it and it's still a virus (and as I said, if I don't care about the file), I can delete it?

It isn't so much whether you care, as you don't use it, but about submitting it to VirusTotal to confirm or deny the validity of the detection, and sending it to avast to correct the detection for all other users of avast who might just have this file as well, if it is a false positive.

Can’t I just in someway send it to Avast! and let them check it? xD

The point is if it isn’t a false positive there is no point in sending it.

Yes you can… but like David said, if it is not a false positive, i.e., if it is really infected, well, sending will not help you; you need to get rid of the file. As we don't know (you need to submit the file to VirusTotal and give us more info), the safer option now is to move the file to the Chest and test it in there (right-click it).

Okay.

So first, I have tested the file once again in the chest and still avast! says it's a virus. So here is what I should do:

Go to VirusTotal and check the file; if it's a virus, delete. If it's not, send it to avast(!)?

To David, but if I move/copy the file to another folder to check it on VirusTotal, then I'm "releasing it"? And the pic you had in your second post, I believe, was that from VirusTotal or what?
And can't I just create the folder on the desktop?

You would be taking a copy: Extract (as opposed to Restore, which sends it to the original location) to a temporary location (the C:\Suspect folder I suggested creating and excluding), where it can be uploaded to VirusTotal without avast alerting again.

Whilst outside the chest, in a different location from the original, it presents virtually no risk, as nothing knows it is there and there is no command to run it from that location; it is effectively inert.

The image isn’t of virustotal but showing how to expand the column width so you can see the full text.

Using Windows Explorer it is easier to create a folder in the C:\ folder than to create one on the desktop. It also makes it easier to upload the file to VirusTotal, as when you click Browse (in VT) to indicate where the file is located on your HDD it will be much easier to find the C:\Suspect folder where the file is than to find the desktop and any folder on that; it is buried. Just try and find your desktop folder in Windows Explorer.

Believe me, when I give you a suggestion I'm trying to give the easiest option. You can also believe me that I'm not going to suggest doing something that is harmful to your system (certainly not without full notification), like extracting a file from the chest; that is absolutely necessary, as you can't upload the file from the chest, which is a protected area.

You can send the file to virus@avast.com in any case…
You can zip and password-protect the files… Include a link to this thread and the password used.
You can send the files to the Chest and, from there, resend them to Alwil for analysis.
Thanks.

Maybe it would be good to add a link to this thread in the email body.

David,

Sure, I believe you. But I'd rather ask some stupid questions than do something wrong. I'm not that much of a pro. :stuck_out_tongue:
Anyway. So I'll do exactly as you've posted. I'll let you know how it went! (It'll take some minutes, I believe!)

By the way, I can delete the extracted file, yes? ← Never mind, I had avast! take the file in again by detecting it.

[Edit:]

It’s done. It got 5/36, so some programs took it as a virus. Delete? :slight_smile:

Personally I would leave the extracted files alone until we have completed the whole process.

If you can, either copy and paste the results or copy and paste the URL from the address bar of the VT results page.

This information, e.g. what other scanners detected it and what they called the detections, helps us greatly.

Oh darn… Now make it all over again! >.>

Anyway, big thanks for the help. So, I'll upload the URL tomorrow, I believe; after that, please tell me I'm ready to delete the file? I'm so tired of it! :stuck_out_tongue:

[And I have the extracted file in the Virus Chest now, but I'll just do the same thing over again, right?]

…David…? :cry:

There is no rush to delete files that are in the Chest… but if some days pass and it's still being detected as infected, and your computer is working, well, you can delete the file from the Chest.

You're welcome; just repeat the exercise: extract the file to the Suspect folder and upload it to VT again. This is why I suggested leaving it there until the process is complete, and we aren't there yet.

The more info we have on the VT detections, the easier it is to say for sure, or with any degree of confidence, if it is an FP, and if so then we send the file to avast for further analysis to correct the virus signatures.

Sorry David that I haven't posted in a while. But I've been kinda busy in real life, working. Anyway, here's the link. Finally! :slight_smile:

http://www.virustotal.com/sv/analisis/b730eed1339c0e89377dbd815eb298c6

Now what? ^^