Hi guys, I opened an .exe file which is about 300mb in size thinking that a virus couldn’t possibly be so large only to have Avast pop a warning of the above virus.
I moved it to chest, and googled on how to remove it. I proceeded to safe mode, ran Malwarebytes Anti-Malware and Superantispyware and spybot but all of them found nothing. I then proceeded to delete the file in the chest.
I’m currently running a scan again to double-confirm that I’m virus-free.
So my question here is, am I safe if I delete the files I moved to chest?
The exe might not be the infected file if it is an installation (archive) file it could contain.
Other scanners won’t find anything if you have it in the chest as a) it is a protected area and b) the files in there are encrypted.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.
Deleting a file so soon after putting it in the chest kind of defeats the point of putting it in the chest, you might as well have deleted it to start with.
However, deletion isn’t really a good first option (you have none left); ‘first do no harm’: don’t delete, send the virus to the chest and investigate.
Once a file is in the chest you are safe; it can’t do anything from there, and once deleted it is history.
So the start.exe was 300MB?
If so I would say there is a possibility that it was a bad detection.
The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.
Also, downloading torrents from unknown/untrusted sources is of a higher risk.
The 3 part .RAR files add up to 300mb; the one I opened is around 100mb.
However, the file I opened wasn’t named start.exe, but it was an .exe file with a .RAR icon, which is around 100mb in file size. The directory where I opened the file wasn’t what the AVAST! Log Viewer registered.
I have deleted the 3 .RAR files too, so I am unable to provide any data on it too. Should I run Hijackthis or something that can detect Win32 to make sure my computer is clean?
IXP000.tmp was a file needed for some MS information;
evidently the name has also been used for a virus.
Hard to tell now.
Run Malwarebytes Anti-Malware, update, check any baddies, THEN CLICK “REMOVE SELECTED”.
Post a log (if the log says “no action taken” do it again).
You could also try Super Anti Spy: quarantine, do not delete/remove.
Do not include cookies in your report, just cut them out.
Do you have any other apps installed like Spybot?
also
try a boot time avast scan
Right-click the ball and “update Programs” (just to make sure),
then open avast and schedule a boot-time scan, reboot.
post log
things from a torrent have a higher chance of being affected
after the above scans post a HJT and I’ll take a look at it
At least if you want that file you could download it again- not like system trashed
When you post, say
what OS, firewall, browser, CPU, memory etc.
avast would scan within the RAR or exe as you try to extract it, so no, it won’t be showing the file you opened but the infected file it found within it.
The same is true of the directory: when you open an archive file like a RAR it will be unpacked in a temporary location, and it is this extraction in the temp location that triggers avast to scan the newly created files, which is when it detects the infected/suspect start.exe file.
Personally I don’t believe HJT would show anything relating to this, as it never got to set anything up; it would appear that as you unpacked the RAR avast jumped on the start.exe, so it wouldn’t have been able to run.
I agree with DAVIDR about this hit;
however, if you have been using torrents
and want to do the scans suggested,
I’ll look at your HJT and see if anything else has snuck aboard.
File C:\Users\Personal\Desktop\Music_-FromNowOn___???-FromNowOn??+??????«???».rar.td????«???»\chmnrzt01.mp3 Error 42126 {RAR archive is corrupted.}
Number of searched folders: 17717
Number of tested files: 300001
Number of infected files: 0
Hijack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:07 AM, on 23/9/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Yeah, you’re right, because there was an error popup from WINRAR that prevented the .RAR file from being extracted. I deleted the 3 .RAR files immediately after.
I honestly believe avast stopped whatever it was in its tracks so it didn’t get a chance to do anything, assuming that the detection was a good one.
Having already run SAS, MBAM and Spybot S&D and come up empty, personally I would say you have done enough. I also don’t see anything obvious in your HJT log.
Your HJT does not show an active third party firewall.
You can make the Vista firewall work but it is a lot of work.
I’m not a Vista user but I see reports that COMODO works well (do not install the CLAM AV);
best to look at the online manual so you can tell what the install options mean.
The defender+ is ok.
Windows Defender works well for real-time anti-spyware.
You can close all your browser windows, including this one, and FIX this with HJT:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
This is inactive so no big deal.
That’s it from HJT land.
There are a lot of things running at start up that do not need to be, taking resources;
you could use DECRAPIFIER to sort through pre-installed garbage.
Go to SECUNIA and run Secunia Software Inspector and get all your programs updated.
Post back and let us know how you are doing.
I recommend the installation of SpywareBlaster by Javacool
and a Hosts file.
Post back if you want/need recommendations.
This is a volunteer forum so you will get all the answers.
You can close all your browser windows, including this one, and FIX this with HJT:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
This is inactive so no big deal.
I would still say leave this alone, as if the user is using Windows Live Messenger (and hasn’t uninstalled it) it isn’t inactive, regardless of what HJT says (this has happened in the past where it even reported some avast files as missing), so potentially this could be a big deal.
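The thread walks through reading a HijackThis log by hand: the header block (Platform, MSIE, Boot mode) and the O2 BHO lines, with DavidR's caveat that "(no file)" does not prove an entry is inactive. The following is an added example, not code from the thread or from HijackThis, that parses a constructed log in that format and flags every "(no file)" BHO for manual verification rather than for automatic removal. The second O2 line and its CLSID are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the header and first O2 line mirror the thread,
# the second O2 line (name, CLSID and path) is invented for the example.
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:07 AM, on 23/9/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
"""

HEADER_RE = re.compile(r"^(Platform|MSIE|Boot mode): (.+)$")
VERSION_RE = re.compile(r"^Logfile of Trend Micro HijackThis v(\S+)$")
# O2 line layout: "O2 - BHO: <name> - {<CLSID>} - <path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    file_missing: bool  # True when HJT printed "(no file)"


def parse_hjt_header(log: str) -> dict:
    """Collect the version and the 'Key: value' header fields."""
    header = {}
    for line in log.splitlines():
        if m := VERSION_RE.match(line):
            header["Version"] = m.group(1)
        elif m := HEADER_RE.match(line):
            header[m.group(1)] = m.group(2)
    return header


def parse_hjt_bhos(log: str) -> list:
    """Return every O2 BHO line as a BhoEntry, in log order."""
    entries = []
    for line in log.splitlines():
        if m := BHO_RE.match(line):
            path = m.group("path").strip()
            entries.append(BhoEntry(m.group("name"), m.group("clsid").upper(),
                                    path, path == "(no file)"))
    return entries


def needs_manual_check(log: str) -> list:
    """BHOs reported without a file: verify the CLSID against installed
    software (e.g. Windows Live Messenger) before fixing, as the log can be wrong."""
    return [e for e in parse_hjt_bhos(log) if e.file_missing]
```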