I was wondering if anyone could help. It looks like other people have been infected by the same trojan but I just don’t get how to remove it.
I’m on Vista and the file was found in the file ONENOTEM.EXE and its original location was in C:\MSOCache\All Users{91120000-002F-0000-0000-0000000FF1CE}C \HomeSrWW.cab\ONENOTEM.EXE
I did a thorough scan and the alert came up so I put it in the virus chest. I don’t even use MS Office OneNote! I wonder if that was why Firefox kept crashing on me. Also what does it actually do? It’s not as bad as I think it is, is it?
If you do a forum search for onenotem.exe you will find other topics related to this. This appears to be a false positive that has been corrected. Ensure you have the latest VPS (right click the avast ‘a’ icon, select Updating, iAVS Update) and scan the file again within the chest and report the findings.
Though it is strange if you don’t have MS Orifice ;D
Perhaps your system came with a trial or something like that ???
That’s what I got from the virustotal scan. Don’t know what it means but hmmm ok…
I do have MS Office; it’s the trial, but I don’t use it at all and I haven’t activated it since I bought my PC 2 months ago. And my VPS is up to date. I was going to uninstall Office anyway; maybe I should?
Also I’ve done virus scans before and it never picked up anything…
The student and home edition has never been installed as I have an older but more complete version that I already own. Nothing from the older Office installation seems to be at issue.
What to make of it? Well they are two so-called general findings for what seems a FP.
Scan the same file here, and give the URL link there: http://anubis.iseclab.org/?action=home
Then we can compare to the Vienna results and come to a more conservative conclusion, although, following my intuition of things, I lean towards a false positive find; we shall see. Post the link you get from anubis in your next posting, please.
Fortunately I do, GData uses avast as one of its two scanners, so effectively it is only avast detecting it and I believe it is a false positive detection. So you should send a sample to avast so that the VPS signatures can be corrected, see below.
Personally, if you haven’t used it and have no intention of doing so, I would advise uninstalling dead wood.
Changes to virus signatures can bring up detections where there wasn’t one before, this is why it is important to move to the chest (not delete) and investigate.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the Infected Files section) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
To avoid waiting for the next auto update, right click the avast ‘a’ icon, select Updating, iAVS Update. During the update check you should notice the file being uploaded. Periodically scan the file from inside the Chest after VPS updates; when it is no longer detected you can restore the file/s to their original location/s.
Still don’t know what that means, it could be or could not be safe lol. Sigh, I think I might just delete MS Office!
Thanks
To David,
At the moment I have it in a suspect file on my C:\ drive; should I now move it back to the chest and then upload it to avast from there? Also I did click the update a on my avast and it says it already updated.
As you would have expected I just post this to back up DavidR’s opinion in this issue. And the outcome is the following…
FP, yes, almost certain now; they (at Vienna Uni, that is, anubis) said it did nothing out of the ordinary.
If the file is not essential to the functioning of your Operational System, you can safely move it to the chest for a while, and from the chest you can upload it to avast for evaluation, and if it is found up as a genuine false positive, they will no longer flag it with one of the upcoming iAVS Updates, they are known to do that quite conscientiously, and if no longer flagged you can put it back from the chest and take it out of “limbo”…
Ok I’ve sent the sample to avast. I think I shall go about removing MS Office. Do you think my pc is in the clear now that it’s in the virus chest? And do you think I should just remove the file altogether?
Thank you so much you guys been a great help!
PS I am currently uninstalling MS OFFICE and Avast sirens go off again… I think it’s definitely time to remove it…
Your computer is as “snug as a bug in a rug”, everything is just fine, trust us as we say so. Good that we could let you feel at ease now, don’t worry about that false positive, and so what? Every file in the chest has been rendered harmless, and it can do no further harm, just like a prisoner in a cell, that is. Good that we could help you, and again welcome to these here forums.
This appears to be the same issue or very similar, although it appears that in one case the program has been executed and in the other case there has not been an execution.
If executed, it appears that the sub program can be hijacked.
If not executed, you have a fairly good idea based on the file size and where the file came from if there is in fact an issue; just do a Google search on the master program.
When I said I was un-installing Office the sirens were going off on avast? I have another file that’s been detected 5b5160.rbf in C:\config.msi which also has this virus in it.
Not really, normally it would be a case of periodically scanning the file in the chest to see when it is no longer detected (e.g. a correction has been made), then you would restore the file to the original location and delete the one in the chest (and the one in suspect folder you extracted).
Since you have uninstalled the MS Orifice trial that isn’t so much of an issue, unless out of general interest you want to see the process to completion.