Hi All, this is the first time I have had an infection and I have no idea what to do. I moved the two of them into the virus chest as that option was suggested. Can you please direct me on what steps to take to get rid of them. Thank you.
I am running Windows Vista Home Premium 64 bit. Here are the two infections.
C:\hp\bin\MSOffice.…\ONENOTEM.EXE WIN32: T
D:\PRELOAD\83NAv6PrA17.wim\ONENOTEM.EXE WIN32: T
I am just beside myself with worry until I hear back from you.
The one in the D: partition is, I believe, the HP hidden restore partition that in an emergency would restore your system to the factory defaults (as when you got it, programs, the works), and that is where the second copy resides. So I would be surprised if it were infected on leaving HP.
So I would like you to validate the detection (see below); whilst this might seem complex, taken a step at a time it really isn’t difficult.
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page).
You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect.
Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* (left click the avast ‘a’ icon, click the Details button, select the Standard Shield provider).
That will stop the standard shield scanning any file you put in that folder.
You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
That looks fine, no problem, this looks like a false positive detection, so we need to submit the file for analysis and hopefully correction of the VPS.
GData also uses avast as one of its two AV scanners, so that is effectively only avast detecting it.
If you have one of these files in the chest, you can send it to avast as a false positive.
Send it from the Infected Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done. To avoid waiting for the next auto update, right click the avast ‘a’ icon, select Updating, iAVS Update. During the update check you should notice the file being uploaded. Periodically scan the file from inside the Chest after VPS updates; when it is no longer detected you can restore the file/s to their original location/s.
I cannot thank you enough for your really quick response and all your help. I am so very happy. One question, I understand scanning these files from inside the chest but I don’t understand the last part "after VPS updates, when it is no longer detected you can restore the files to their original locations". What are VPS updates? And when I do a scan on them you are saying it will not show as an infection after VPS updates. Thank you
When the file is analysed, if it is confirmed to be a false positive, then an amendment will be made to the VPS (virus signatures). This will be incorporated in one of the VPS auto updates, which usually happen every day and sometimes more than once a day.
You should get an audible and pop-up notification (default settings) that the Virus Database has been updated, or words to that effect. Now you can open the chest, right click on the file in the Infected Files section and select scan.
It will only show up as uninfected when:
a. it has been analysed and confirmed as an FP.
b. the corrected signature is included in a VPS update.
c. that VPS update is downloaded (automatically) and installed on your system.
d. you do a scan after an update that included the correction. This is why I say scan the file in the chest periodically, but after an update (as otherwise nothing would have changed).
Thank you again DavidR for giving up your own private time to help me. It is well appreciated. I fully understand everything you have told me. I have sent it off as you directed and will now wait until they download the updates. I can’t tell you how pleased I am with Avast Antivirus. I must tell you that I purchased Norton Internet Security 2009 a few months ago. I had to uninstall it; it just froze up my Vista (x64) constantly. Then I purchased Avira AntiVir and had nothing but problems and uninstalled it also. I finally found Avast, which is compatible with my Vista and really works like a charm. I am totally pleased with it. I would like to purchase Avast Pro but I don’t know if I can disable Script Blocking, which I need to do every once in a while. If I can do that I would upgrade to the Pro immediately.
Hey, btw David, would you mind telling me what program you use to get your screenshots? I think I could make some good use of it. Hopefully it’s free, but I understand if it’s not.
I’m sure that there has probably been a few others that have asked you the same question, but I haven’t looked for the answer. Thanks!
You’re welcome, avast are normally quick to correct an FP when identified, so hopefully it shouldn’t take too long.
You just did ;D
You now join a happy band that have found the same thing: avast runs very nicely on their system without hogging resources, etc.
You can temporarily pause, disable individual providers, or terminate them and restart them again when you have done what is needed. Right click the avast ‘a’ icon, Pause Provider, another list of the providers you have running is displayed, select the Script Blocker, when done the Resume provider will be available on the right click menu.
Or open the On-Access providers window, left click the avast ‘a’ icon, select Script Blocker, Terminate, answer No to the persist change, etc. and reverse when done, e.g. Start and answer Yes.
Personally I don’t know why you would want to do this or if it is necessary at all, the script blocker monitors scripts but only blocks malicious ones.
I use SnagIt 9. Whilst it is a paid-for option, I have tried a number of others in the past but have been using SnagIt since about version 6. It is very powerful but, more important, very flexible and relatively easy to use with a number of one-click options. It was a bit of a steep learning curve as virtually everything changed (for the better) from version 8, though those who didn’t use that wouldn’t see that issue.
Hi ???
Can someone please tell me how to put the trojan.win32 in the chest box? Every time I scan my computer it freezes right before I click on the option that allows me to put it in the chest box.
Novice ???
Please start a New Topic of your own, as this seems unrelated to the original subject and will just confuse the topic, and we will try to help. Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.
There is also very little useful information in your post, so answer these questions in the new topic.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
What Operating System are you using ?
What is your computer desktop/laptop and what is its CPU and RAM ?
Thanks David, I will upgrade to Avast Pro but I do have a problem. I extracted one of the files to its original location but the other one I cannot. They are both virus free now. The file in C:\ went back with success but the other one I can’t restore. The C:\ file I just followed the path and restored it, but I do not have a path for the D:\Preload, and the Restore tab does not light up (the one with the arrow that is circled). Now what do I do? I need that D:\ file restored in case I need to do a complete recovery of my system. Below is the file I cannot restore. If I uninstall Avast will it be restored? Hope you can help.
When you run a scan now does it no longer show these items to be an issue?
As far as your restore partition, do you have a CD or DVD that you can use to restore that partition? If not, it’s a good idea to request one from the factory. Typically, as part of set up, you are instructed to make a restore disc.
I think that the one in C:\ is the important one, as that would be the one used if you used this function in MS Office. It surprises me that avast can’t put it back in the location in D:; the 83NAv6PrA17.wim file is a Windows image (not like a picture image) that contains many files. Normally I would have expected it to have thrown up an error when trying to move it to the chest as an unsupported archive format.
If you uninstall avast you would lose any files in the avast chest; avast wouldn’t attempt to restore them. After all, they were in the chest because avast thought they were infected, so it wouldn’t make sense to restore infected files.
Personally I suspect there may still be a copy in the 83NAv6PrA17.wim image, but even if it isn’t I don’t believe it would be a serious problem, even if you had to use this restore image as I presume you have been able to use MS Office when the file was moved from the C: partition.
Thanks for getting back to me again David. I suspect you are right about the 83NAv6prA17.wim image file and there may be a copy. I know now that if this ever happens again I will be prepared for it. I sure am not happy about having an FP but there’s not much that can be done about it. It appears that Avast Antivirus has its downsides right along with other antivirus programs.
Your help has been very important. I would not have gotten through this without it and picked up some knowledge also. I will be upgrading to the Pro.
All security products have false positives, it is down to trying to have signatures detect new variants of malware where there is no existing signature detection.
The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.
Other security products also use this type of generic signature and others use heuristic detections, all of which can be prone to false positives.
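The false-positive reasoning used in this thread (GData reuses avast’s engine, so two hits are effectively one independent detection, and a `-gen` name is a generic signature), as an added Python example that is not part of the forum thread or avast’s tooling. The engine map, the verdict thresholds and the result table are all constructed assumptions, not real VirusTotal data.

```python
# Added example: collapse multi-scanner results to independent detections
# before judging a possible false positive. Not avast or VirusTotal code.
from typing import Dict, Optional, Tuple

# Constructed sample (not a real VT report): engine -> detection name or None.
SAMPLE_RESULTS: Dict[str, Optional[str]] = {
    "avast": "Win32:Trojan-gen",
    "GData": "Win32:Trojan-gen",   # GData reuses avast's engine (per thread)
    "Kaspersky": None,
    "Microsoft": None,
    "Symantec": None,
    "McAfee": None,
}

# Assumption: engines that reuse another vendor's signatures.
SHARED_ENGINE: Dict[str, str] = {"GData": "avast"}


def independent_detections(results: Dict[str, Optional[str]],
                           shared: Dict[str, str] = SHARED_ENGINE) -> Dict[str, str]:
    """Return {engine: name} for hits not explained by a reused engine."""
    hits: Dict[str, str] = {}
    for engine, name in results.items():
        if name is None:
            continue
        upstream = shared.get(engine)
        if upstream and results.get(upstream) == name:
            continue  # same verdict as the engine it reuses; not independent
        hits[engine] = name
    return hits


def assess(results: Dict[str, Optional[str]],
           shared: Dict[str, str] = SHARED_ENGINE) -> Tuple[int, int, str]:
    """Return (raw hit count, independent hit count, verdict label)."""
    raw = sum(1 for n in results.values() if n)
    ind = independent_detections(results, shared)
    generic_only = all(n.lower().endswith("-gen") for n in ind.values())
    if not ind:
        verdict = "clean"
    elif len(ind) == 1 and generic_only:
        verdict = "likely FP: single generic signature, submit for analysis"
    elif len(ind) <= 2:
        verdict = "inconclusive: few independent hits, seek a second opinion"
    else:
        verdict = "likely malicious: multiple independent engines agree"
    return raw, len(ind), verdict


if __name__ == "__main__":
    print(assess(SAMPLE_RESULTS))
```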