Avast gets into a fit about this file, which tries to execute when I want to start up Civilization 4: Colonization purchased from GamersGate. A quick glance on the net indicates this is a file associated with SecuRom. Is it safe to select “No action” on this one? Quick reply appreciated as I really want to play this game
Send it to VirusTotal, then post the results.
http://www.virustotal.com/
No action only means none of the options given; no matter how often you click it, avast won’t let a file it considers to be infected be run. Exclusion from scans would be the only way, but you must confirm it is a false positive, see below.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Thanks for replies. I clicked “No action” and the game launch was aborted. I then searched for the file in “Computer” but there are no references of it anymore. Second attempt to launch game did not trigger Avast and game ran flawlessly.
Well there is something strange going on as No action should leave the file in its original location.
Launching the game should trigger the same alert as before. When you asked if No action was safe, did you take any other action (move to chest, delete, etc.)?
Was this file in the same location as the program or in another location, e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.
- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.
I have removed the checks for hiding extensions and system files, but the file is still nowhere to be found.
I didn’t take any other action, no. But I noticed the file was in a temp directory, so I guess it fulfilled its SecuROM-related task and self-destructed. I didn’t realize it might; if I had, I would have put it in the chest for future investigation. I’m running a full scan now, but I don’t think anything will show up.
Edit: Nothing detected by Avast thorough scan.
As you say, if it is game related, to ensure you don’t copy it, then that might well have been the purpose. You may well be able to find the launcher on the CD (if you bought a CD).
It may have been what it was attempting to do that avast thought suspicious. What malware name did avast give it? That will also be in the avast log viewer.
No, it was a digital download from GamersGate. In the log it states “Sign of Win32:Trojan-gen {other} has been found”.
Location was “C:\Users\Username\AppData\Local\Temp\mtka_tmp\matroschka_launcher.exe”.
The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.
So it may just have been the generic detection being too tight, but unfortunately without a sample for Alwil to analyse I doubt we would be able to get beyond what we have surmised in this topic.
I think it is a case of monitoring your system to see if there are any out of the ordinary occurrences.
You could also run some other scans just to be sure. If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
- SUPERantispyware On-Demand only in free version.
- MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Hi…I had the same problem while running Crysis Warhead and before I clicked anything I read this forum. I have got a copy of the file in the suspect folder and have also submitted it to Virus Total. It said it has already been analysed before and this is the result. I don’t know what it means…hopefully you could explain.
Oh and XE800 was right. I clicked No action after making a copy of the file. It does self destruct!
This is the link provided in Virus Total. Hope someone can tell me what it means!
http://www.virustotal.com/analisis/68d1029ff3888cfc0eb35c3fff3d0f5d
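The poster above did what the thread recommends: copy the launcher out of Temp before answering the avast prompt, because the file removes itself once it has run. As an added illustration (not code from this thread, avast or GamersGate), the script below preserves a suspect file into a quarantine folder, names the copy by its SHA-256 with a non-executable extension so it cannot be launched by accident, writes a JSON sidecar with the original path and hashes, and verifies the copy afterwards. The `demo()` function builds a constructed scenario in a temporary directory: a stand-in `matroschka_launcher.exe` under `Temp\mtka_tmp` (the path named in this thread) containing the bytes `abc` rather than the real binary, which is then deleted to mimic the self-destruct. The hashes it records are the ones you would look up or submit, as the thread describes.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time


def _hashes(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def preserve_sample(src_path, quarantine_dir):
    """Copy a suspect file into quarantine_dir before it can delete itself.

    The copy is named by its SHA-256 with a .bin extension: duplicates
    collapse to one file and nothing can launch it by double-click.
    A JSON sidecar records provenance. Returns the record as a dict.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    md5, sha256 = _hashes(src_path)
    dest = os.path.join(quarantine_dir, sha256 + ".bin")
    shutil.copy2(src_path, dest)  # copy2 keeps the original timestamps
    record = {
        "original_path": os.path.abspath(src_path),
        "quarantine_copy": dest,
        "size": os.path.getsize(dest),
        "md5": md5,
        "sha256": sha256,
        "captured_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(dest + ".json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_copy(record):
    """Re-hash the quarantine copy and confirm it still matches the record."""
    _, sha256 = _hashes(record["quarantine_copy"])
    return sha256 == record["sha256"]


def demo():
    """Constructed scenario: a launcher in a temp dir that removes itself.

    Returns (record, copy_intact, original_gone).
    """
    work = tempfile.mkdtemp(prefix="avast_fp_demo_")
    temp_dir = os.path.join(work, "Temp", "mtka_tmp")
    os.makedirs(temp_dir)
    launcher = os.path.join(temp_dir, "matroschka_launcher.exe")
    with open(launcher, "wb") as fh:
        fh.write(b"abc")  # constructed stand-in content, not the real binary
    record = preserve_sample(launcher, os.path.join(work, "Suspect"))
    os.remove(launcher)  # simulate the launcher self-destructing after use
    return record, verify_copy(record), not os.path.exists(launcher)


if __name__ == "__main__":
    rec, intact, gone = demo()
    print(json.dumps(rec, indent=2))
    print("copy intact:", intact, "| original gone:", gone)
```

Run it before answering the scanner prompt, pointing `preserve_sample` at the path shown in the avast alert and at the excluded folder set up earlier in the thread; the sidecar's hashes are what you paste into a scanner lookup or into the report mail, so the sample is still available even though the original is gone.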
Personally I always look at the old scan, but I also have it scan again as a) more scanners may detect it or b) fewer may detect it, which could show corrected FPs, and c) as in this case avast doesn’t detect it as the VPS used is older than that of the users.
However, looking at the old scan many of those detections appear to be heuristic detections that are more prone to FP. So you should submit the sample to avast as in my first reply, how to report, etc.
I am unable to mail the file to Avast as all the mail clients do not allow me to attach the file saying it has a virus in it!!
What should I do now?
To send the samples to virus@avast.com maybe you need to pause the mail scanner.
You can zip and password the files… Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.
What is your email program ?
Did you zip and password protect the sample ?
I suspect that they aren’t detecting the virus but simply the .exe file type inside the zip file. If password protected, it shouldn’t be able to extract the file to scan it, so it isn’t actually scanning the sample. Add to that the VT results: what scanners should be detecting it anyway? Very few are likely to be employed at email server level.
If the file is in the chest sending it from there would avoid that problem.