I got 52 Trojan Horses?

I ran an Avast! scan last night, and long story short, it found fifty-two Trojan Horses. My question is, would some or all of these be “false positives”? The file names included references to games (HPgames, Nick.com, Compaqgames) my son has played for more than a year, and some file names that referenced “system restore”.

I’ve run scans several times a week for the last couple of years, and this has never happened. Does anyone know why all of these would show up now?

thx - cpr

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

I’d suggest then right-clicking on the ball, updating and scheduling a boot time scan
quarantine/chest do not delete/remove
The C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt provides a more user friendly summary of the boot-time scan and it should list any detections.
post it back here

thank you wyrmrider - will do. I’m busy now, and I’m not what most would call computer-savvy; I’ll have to come back to this later this evening, when I can spend more time on it. Once I do it a few times, I’ll be fine. I’ll definitely report back here what I find.

One thing I forgot to mention was that most of the Trojan Horse flags (regarding games) in the scan mentioned Wild Tangent in the file name; maybe that’s important.

thx - cpr


Yep … the problems most likely are related to Wild Tangent.

Follow wyrmrider’s suggestions first. After the boot time scan, if you still have problems, please report back to let us know. You may need to run HijackThis or other removal programs but let’s see what the boot time scan does first.


wild tangent by itself is ok (privacy issues) and must be around to run wild tangent on line games
HOWEVER
if you do not get it from a reliable source it can come with multiple packaged malware loaders
NOT GOOD
let’s find out
this is a great board you will be walked through the process
ask lots of questions

:) Hi Co :

Many Expert “Malware-Fighters” do NOT recommend having Wild Tangent on
a computer, but it is a “borderline” Issue ; I recommend you read the Info
at www.pchell.com/support/wildtangent.shtml . A very knowledgeable
person on the Spybot Support Forums said :

"I personally think that the biggest threat concerning WildTangent is its Updater which can do silent installs/updates of software. I don’t even let Microsoft Windows install automatically (I have it set to: ‘download updates for me, but let me choose when to install them.’) and Windows doesn’t do it silently even when set to ‘Automatically download recommended updates for my computer and install them’. "

You have a Choice to make .

good point about the updater spiritsongs

the “affiliates” and “friends” of wild tangent are also a big problem
warping, bundling, injecting

except for the updater issue --can it be compromised/ hijacked?
the Wild Tangent corporate has been on best behavior for the last couple of years
any recent bad news?

Question: In that area of Exclusions mentioned above …
SHOULD there be anything in there by Default?
Like I have in there right now: .txt.ini.log
And 3 others. Is that normal?

Chim
If I understand you correctly ???
an Exclusion of C:\suspect is being made- a folder
and
C:\suspect* the * being a wildcard indicating all files in C:\suspect

does that sound right to you?

or did I not understand the question

Oh, I understand the part that the C:\suspect* is a Folder to be created for transferring the infected Files from the Chest.
I just meant that I took a quick leisurely stroll over there and in that white area next to the Add Button (NOT in any C:\suspect* File) … there are 6 Exclusion Items / Extensions in there. I’m wondering if those 6 Exclusions already in that white area come normally by Default?

ah NO IDEA
what are they
(I’ve never looked)
note to self
go look
MY EXCLUSIONS IS BLANK

post em up

anyone else have experience in this?

Okay, I clicked on Standard Shield … Customize … Advanced
In the WHITE area to the Left of the Add Button, these are in there:

*\Win386.swp
*\System.da?
*\User.da?
*.txt
*.log
*.ini

Is this normal? Are these Default?

Well you can take a look in this topic, Weird locations in Standard Shield advanced config, http://forum.avast.com/index.php?topic=37418.0.

So you will see there seem to be many permutations of what should be in here by default.

Ahhhhh! Okay. I see. It’s gonna no doubt vary depending on everyone’s system configuration. At least 3 of the 6 exclusions I mentioned having in MY avast! … ARE mentioned in that thread. If I remember and get around to it, I just might send avast! Support an E-mail. Hopefully they’ll say all are OK. You may or may not remember that I did perform an Uninstall and Clean Reinstall of avast! recently when the 4.8.1229 Program Update didn’t get my Web Shield working properly. Yep, I did do the Control Panel bit as well as the avast! Uninstaller utility thing. I must admit that ultimately I did forget to do the avast! Uninstaller utility thing in Safe Mode. I did it in plain ole Regular Mode. I had been searching through my Gateway User’s Manual, Windows Books and Windows Help function on how to Boot Up in Safe Mode. I eventually found it, but was apparently distracted by something and forgot to actually Boot Up in Safe Mode. I doubt forgetting that step would suddenly insert nefarious Exclusions in my Standard Shield.

I just did a Manual Thorough Scan including Archives last night. It checked 96,000 Plus Files. That’s pretty typical for what I have installed right now. In fact, I think the avast! Program Update before this current one MUST have really improved the Unpackers as they stated because last night’s Scan didn’t tag the usual 30 or so EPSON Files as “Unable to Scan” as it always did before, since the 4.8 era started. This time only the 50 something MAV Files were tagged as “Unable to Scan.” So, it MUST have been doing something. I guess those Exclusions couldn’t have been too ridiculous.

Well not scanning the swap file txt files etc
personal choice
now if the exclusion was for .exe .dll etc then we would know there was malware afoot
let us know what you find out

Hi C0731R ,

I think it is also time to clean up house (computer temp files meant) with ATF Cleaner (yes tick all and fire) and the additional ClearProg to have a go at specific IE, Fx and Windows files.
Get ATF Cleaner here: http://www.majorgeeks.com/downloadget.php?id=4949&file=15&evp=72ef5a5e927b2276e6a5bc34c89d005a

Get ClearProg here: http://www.clearprog.de/site.php?id=10&lang=en

That is a lot of crap less, I do this on a regular basis and it never caused me any harm, because I like my comp nicely crisp and clean, and what I like to save saved through back-up,

polonus

I just sent avast! Tech Support my E-mail inquiry.
Whenever I get a reply from them, I will let you all know what the lowdown is on these “DEFAULT” Standard Shield Exclusions.

?:\PageFile.sys
should be enough ;)

Okay, ya’ll, I’m back. Looks like this issue has stirred up some discussion; it’s also taught me quite a bit about “pamuters” (my son’s word) that I hadn’t learned yet.

I’ve scanned most of the 52 flagged & quarantined files that Avast! flagged as Trojan Horses, and as VirusTotal scans the file, the only system that indicates that these files are Trojan Horses is Avast!.

The screen gives what appears to be basic file info, like file size, etc., then lists all of the scanning systems used. At the bottom it says (0 exports).

Any other info I can share here? Let me know.

To me, this begs the question: was there a recent Avast! update that is now seeing these files as Trojans, when older versions didn’t? I’m thinking that I need to make the changes to have Avast! ignore them in future scans. It appears to me that most or all of these “Trojan” false alarms actually serve some purpose, so at this point, I guess I’ll leave them for now; I may go through and kill 'em all later. It appears I’ve got a lot of “housecleaning” to do. I’ll wait for everyone’s advice before I decide on anything.

Thanks for all your help, everyone.

thx - cpr

Also see http://forum.avast.com/index.php?topic=37651.msg315169#msg315169

To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com. VirusTotal has a file size limit of 10Mb. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders to manage the file(s).

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful, you should ‘exclude’ that many files that let your system in danger.
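
A way to review an exclusion list like the ones posted in this thread before relying on it, as an added example that is not part of the thread and not avast! code. It assumes the wildcards behave like a case-insensitive glob in which `*` also spans backslashes (avast!'s real matching may differ), and the sample paths are constructed.

```python
import fnmatch

# Patterns quoted in the thread: the six found in the exclusion box, the
# temporary C:\Suspect* entry, and the suggested ?:\PageFile.sys.
THREAD_PATTERNS = [r"*\Win386.swp", r"*\System.da?", r"*\User.da?",
                   "*.txt", "*.log", "*.ini", r"C:\Suspect*", r"?:\PageFile.sys"]

# Extensions that usually hold runnable code (the ".exe .dll etc" of the thread).
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".com")

# Constructed sample paths, not taken from anyone's scan report.
SAMPLE_PATHS = [
    r"C:\WINDOWS\Win386.swp",
    r"C:\WINDOWS\system.dat",
    r"C:\Documents\notes.txt",
    r"C:\Program Files\SomeGame\setup.log",
    r"C:\pagefile.sys",
    r"C:\Suspect\exported_from_chest.exe",
    r"C:\SuspectDownloads\installer.exe",
    r"C:\Program Files\SomeGame\game.dll",
]

def matches(pattern, path):
    """Assumed semantics: case-insensitive glob; '*' also spans backslashes."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())

def audit(patterns, paths=SAMPLE_PATHS):
    """Map each pattern to the paths it hides from scanning and the executables among them."""
    report = {}
    for pattern in patterns:
        covered = [p for p in paths if matches(pattern, p)]
        executables = [p for p in covered if p.lower().endswith(EXECUTABLE_EXTS)]
        report[pattern] = {"covered": covered, "executables": executables}
    return report

def risky(patterns, paths=SAMPLE_PATHS):
    """Patterns that would leave at least one executable unscanned."""
    return [pat for pat, r in audit(patterns, paths).items() if r["executables"]]

if __name__ == "__main__":
    for pat, r in audit(THREAD_PATTERNS).items():
        flag = "REVIEW" if r["executables"] else "ok"
        print(f"{flag:6} {pat:18} covers {len(r['covered'])} sample path(s)")
```

Under the assumed matching, `C:\Suspect*` also covers a sibling folder such as `C:\SuspectDownloads`, so the entry is worth removing once the files have been uploaded.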