I scanned my system with the free home use avast 4.8. The scan found a virus and recommended I move it to chest. When I select “move to chest” I receive an error message that the virus chest server is not running and the RPC communication failed. What do I do next?
How long have you had avast installed ?
Do you have (or did you have) another AV installed on this system? If so, what was it and how did you get rid of it?
RPC errors can sometimes be caused by having another AV or remnants on your system.
If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus; a memory scan will take place, followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’. Or see http://www.digitalred.com/avast-boot-time.php.
I installed avast earlier today for the first time to see how it works. Not knowing how it works and how to use it, I kept my McAfee security suite enabled.
I did eventually get to move the two viruses to the chest. How do I know if they are truly viruses?
Thanks.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Welcome to the forums.
C:\windows\trueprocess
C:\systemvolumeinformation\_restore…
Thanks
I will deal with a bit I missed in an earlier post. Having two resident scanners installed is not recommended as, rather than providing twice the protection, it can cause conflicts that could leave you more vulnerable. This could be the conflict that stopped the file being moved/deleted.
So you need to make a decision as to which AV you are going to have installed and uninstall the other. The problem being that with the McAfee Suite you may want to keep the firewall element; you would need to uninstall, reboot and do a custom install including only the firewall element.
Re the file names, that doesn’t show the actual file name, just the folder.
Ignore the C:\System Volume Information\_restore one, as that is no relation to the original file name; it is allocated one by system restore when it creates the restore point. It is possible that it is the same as the other one if they were given the same malware detection name…
Do I need to remove Mcafee or can it be disabled?
Will there be a problem if I remove avast, with a potential virus in the chest?
I am more comfortable with McAfee right now and I know my way around the program. I am concerned about removing it and going with an AV that I don’t know how to use right now. Is avast user friendly for a novice?
It has to be removed.
> Will there be a problem if I remove avast, with a potential virus in the chest?

Try using their forum for support:

> I am more comfortable with McAfee right now and I know my way around the program. I am concerned about removing it and going with an AV that I don’t know how to use right now. Is avast user friendly for a novice?

http://community.mcafee.com/index.php
> Will there be a problem if I remove avast, with a potential virus in the chest?

You should find out more about the file before you remove avast. If the file is in the chest when you remove avast, the file will go also.
This may interest you
http://forum.avast.com/index.php?topic=38856.msg325739#msg325739
How do I temporarily disable avast so I don’t have 2 AV’s running while I figure out how to handle the potential virus?
I currently do not have any operating issues, as far as I can tell. I am confused with what I need to do first. Can you help?
Disabling, as has been said, simply isn’t enough; resident scanners operate at a low level and load low-level virtual device drivers, and it is these that can conflict.
Disabling the resident AV doesn’t stop these low-level drivers from being loaded, and that is the problem with multiple resident AVs.
The first thing you should do is confirm the detection at VT, as I first said.
Sorry, but I beg to differ with your comment “I currently do not have any operating issues, as far as I can tell.” The problem that you first posted about, not being able to deal with a detection, is a classic sign of AVs locking files and fighting for control, and RPC issues, as I also mentioned, are frequently related to other AVs installed or their remnants.
> Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Do I type in C:\suspect\* or C:\suspect\TrueProcess? I typed in just suspect and I received an avast alarm.
Also, when I go to VT and upload the file, the last step in uploading asks me to open the file. Is that what I should do?
Exactly what I said and what you quoted, C:\suspect\*; as it said, it will exclude any file that you put in there.
Yes, you want to open the file (it isn’t running it, just uploading it), but you must have the exclusion set up as I said or avast would alert and block the upload.
Results of upload to VT:
Engine Version Last update Result
2008.11.1.0 2008.11.02 -
AntiVir 7.9.0.10 2008.11.02 TR/Small.jhy.5632
Authentium 5.1.0.4 2008.11.02 -
Avast 4.8.1248.0 2008.11.02 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.11.02 -
BitDefender 7.2 2008.11.02 -
CAT-QuickHeal 9.50 2008.11.01 -
ClamAV 0.94.1 2008.11.02 -
DrWeb 4.44.0.09170 2008.11.02 -
eSafe 7.0.17.0 2008.11.02 -
eTrust-Vet 31.6.6185 2008.11.01 -
Ewido 4.0 2008.11.02 -
F-Prot 4.4.4.56 2008.11.02 -
F-Secure 8.0.14332.0 2008.11.02 -
Fortinet 3.117.0.0 2008.10.31 -
GData 19 2008.11.02 Win32:Trojan-gen {Other}
Ikarus T3.1.1.45.0 2008.11.02 Trojan.Small.jhy.5632
K7AntiVirus 7.10.514 2008.11.01 -
Kaspersky 7.0.0.125 2008.11.02 -
McAfee 5422 2008.11.02 -
Microsoft 1.4005 2008.11.02 -
Norman 5.80.02 2008.10.31 -
Panda 9.0.0.4 2008.11.02 -
PCTools 4.4.2.0 2008.11.02 -
Prevx1 V2 2008.11.02 -
Rising 21.01.62.00 2008.11.02 -
SecureWeb-Gateway 6.7.6 2008.11.02 Trojan.Small.jhy.5632
Sophos 4.35.0 2008.11.02 -
Sunbelt 3.1.1767.2 2008.10.31 -
Symantec 10 2008.11.02 -
TheHacker 6.3.1.1.135 2008.10.31 -
TrendMicro 8.700.0.1004 2008.10.31 -
VBA32 3.12.8.9 2008.11.02 -
ViRobot 2008.10.31.1446 2008.10.31 -
VirusBuster 4.5.11.0 2008.11.02 -
Additional information
File size: 5632 bytes
MD5: 90d33bbd0728ee46a184894bc1576c9b
SHA1: 980be43c75e9465adaf21613a3a6dc9e58962cf4
SHA256: db922b8adafa97829d1cb6e620b929832e204e1e3fe4b68f2dfc460fa4acd1f2
SHA512: 0b9a56ef2f462f078dfcc5089ae5f625811d66c2f6aa5dead34ec6586d579782cfe7fc8c16fb82ce23c9c70c6fcf5cb1bd3a12fef7534a2fac79e8cdc2334f22
PEiD: Armadillo v1.71
TrID: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress: 0x4017e2
timedatestamp: 0x3ed98478 (Sun Jun 01 04:43:36 2003)
machinetype: 0x14c (I386)
( 4 sections )
name virtaddr virtsize rawsize entropy md5
.text 0x1000 0x97c 0xa00 6.04 6895717e56e6a8c8796fbb9a3a1d5f0b
.rdata 0x2000 0x37c 0x400 4.42 14149f80fee71a04f6b34d1bebd82a25
.data 0x3000 0x1f4 0x200 2.81 d016170842963e05c88b1dcf62491cd0
.rsrc 0x4000 0x200 0x200 2.72 81ad42278e07fe0536cec00e7199b9cd
( 3 imports )
MSVCRT.dll: _controlfp, __2@YAPAXI@Z, _except_handler3, __p__commode, __set_app_type, __p__fmode, _initterm, _adjust_fdiv, __setusermatherr, exit, __getmainargs, _acmdln, strtok, _XcptFilter, _exit, __3@YAXPAX@Z
KERNEL32.dll: GetProcAddress, GetStartupInfoA, GetModuleHandleA, GetExitCodeProcess, lstrcmpiA, WaitForSingleObject, Sleep, CreateFileA, CopyFileA, WriteFile, ReadFile, LoadLibraryA, OpenProcess, FreeLibrary, CloseHandle
USER32.dll: FindWindowA
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=90d33bbd0728ee46a184894bc1576c9b
KevinB12, I don’t think it’s a false positive… maybe a good detection of avast (before a lot of others).
Disable is not enough… you’ll have bad conflicts between avast and McAfee.
What is a false positive?
I am not sure what you are saying in your last post. I plan to remove avast until I can do further reading on the avast AV program. Is it okay to remove avast even though there are two files in the chest?
Where can I go to get info/instructions on avast?
It seems a reasonable detection; however, I would still send it to avast for further analysis, as there are effectively 2 detections, the avast and GData ones being one (as GData uses avast as one of its two scanners), and the other three with identical signatures, Trojan.Small.jhy.5632, seem like too much of a coincidence.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
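The counting David does above (hits versus engines, vendors that share an engine, engines returning the same label) and the hash check that goes with exporting a sample from the chest can both be done mechanically. The following Python script is an added example written for this page; it is not code from the thread, avast or VirusTotal. The report rows are copied from the VT results posted above (including the first row, whose engine name was lost in the paste). The REBADGED table is an assumption for the example: it contains only the GData/avast pairing stated in the thread, and you would extend it for other licensed engines you know about. The file path in the usage line is hypothetical.

```python
"""Summarise a pasted VirusTotal text report (added example, not VT's or avast's code)."""
import hashlib
import re
from collections import defaultdict

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
# Vendors that license another listed engine (from the thread: GData uses avast).
# Assumption for this example: this is the only such pairing in the report.
REBADGED = {"gdata": "avast"}

# Rows as posted in the thread; the first row lost its engine name in the paste.
REPORT = """\
2008.11.1.0 2008.11.02 -
AntiVir 7.9.0.10 2008.11.02 TR/Small.jhy.5632
Authentium 5.1.0.4 2008.11.02 -
Avast 4.8.1248.0 2008.11.02 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.11.02 -
BitDefender 7.2 2008.11.02 -
CAT-QuickHeal 9.50 2008.11.01 -
ClamAV 0.94.1 2008.11.02 -
DrWeb 4.44.0.09170 2008.11.02 -
eSafe 7.0.17.0 2008.11.02 -
eTrust-Vet 31.6.6185 2008.11.01 -
Ewido 4.0 2008.11.02 -
F-Prot 4.4.4.56 2008.11.02 -
F-Secure 8.0.14332.0 2008.11.02 -
Fortinet 3.117.0.0 2008.10.31 -
GData 19 2008.11.02 Win32:Trojan-gen {Other}
Ikarus T3.1.1.45.0 2008.11.02 Trojan.Small.jhy.5632
K7AntiVirus 7.10.514 2008.11.01 -
Kaspersky 7.0.0.125 2008.11.02 -
McAfee 5422 2008.11.02 -
Microsoft 1.4005 2008.11.02 -
Norman 5.80.02 2008.10.31 -
Panda 9.0.0.4 2008.11.02 -
PCTools 4.4.2.0 2008.11.02 -
Prevx1 V2 2008.11.02 -
Rising 21.01.62.00 2008.11.02 -
SecureWeb-Gateway 6.7.6 2008.11.02 Trojan.Small.jhy.5632
Sophos 4.35.0 2008.11.02 -
Sunbelt 3.1.1767.2 2008.10.31 -
Symantec 10 2008.11.02 -
TheHacker 6.3.1.1.135 2008.10.31 -
TrendMicro 8.700.0.1004 2008.10.31 -
VBA32 3.12.8.9 2008.11.02 -
ViRobot 2008.10.31.1446 2008.10.31 -
VirusBuster 4.5.11.0 2008.11.02 -
"""


def parse_row(line):
    """'Engine Version Date Result' -> dict, or None for lines that are not rows."""
    t = line.split()
    d = next((i for i, tok in enumerate(t) if DATE_RE.match(tok)), 0)
    if d == 0:  # no update date, or nothing before it to hold the version
        return None
    result = " ".join(t[d + 1:])
    return {"engine": " ".join(t[:d - 1]) or "(unknown)", "version": t[d - 1],
            "updated": t[d], "result": None if result in ("", "-") else result}


def summarize(report):
    """Count engines, hits, hits sharing a label, and hits from independent engines."""
    rows = [r for r in map(parse_row, report.splitlines()) if r]
    hits = [r for r in rows if r["result"]]
    by_label = defaultdict(list)
    for r in hits:
        by_label[r["result"]].append(r["engine"])
    detecting = {r["engine"].lower() for r in hits}
    # A rebadged vendor's hit only counts when the engine it licenses is silent.
    independent = [r["engine"] for r in hits
                   if REBADGED.get(r["engine"].lower()) not in detecting]
    return {"engines": len(rows), "hits": len(hits),
            "independent_hits": len(independent), "by_label": dict(by_label)}


def file_hashes(path):
    """MD5/SHA-1/SHA-256 of the exported sample, to compare with the report's hashes."""
    hs = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hs.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hs.items()}


if __name__ == "__main__":
    s = summarize(REPORT)
    print(f"{s['hits']}/{s['engines']} engines flagged it, {s['independent_hits']} independently")
    for label, engines in s["by_label"].items():
        print(f"  {label!r}: {', '.join(engines)}")
    # Hypothetical path: the copy exported from the chest into the excluded folder.
    # print(file_hashes(r"C:\Suspect\sample.exe"))
```

Run against the posted report this gives 5 hits out of 35 engines, 4 of them independent once GData is folded into avast, with two engines agreeing on Trojan.Small.jhy.5632 and two on Win32:Trojan-gen {Other}. Comparing file_hashes() of the exported copy with the MD5/SHA-1/SHA-256 in the report confirms you are reading results for the same bytes you exported, which matters because the chest stores the file and the export is what you actually upload.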
The detection of a good file as infected.
Also see these links: http://virscan.org/report/6c52f3ddd1f55f973b4c399305be92fb.html and http://www.virustotal.com/sl/analisis/0228a2b2b4db39ef17e9a68a0d32361e. Was the file TrueProcess.exe? You never did confirm the actual file name.
If so, there is more of a possibility it could be an FP.
Remove avast and the files in the chest would be removed also, so you would have to extract them for any investigation you carry out, but I wouldn’t recommend placing them in the original location in case they are infected.
The best place is here, reading the various sticky topics (at the top of the forums) and from the avast help file, which would also be gone if you removed avast. The best place to learn is by practical use of avast and asking questions in the forums (one of the most responsive forums I have come across). I would suggest keeping avast and uninstalling McAfee.
Extract the files to a safe folder. They will be gone when you uninstall avast (unrecoverable).
Edited: sorry, I’ve missed that David had already answered this :-[
I have gone with your advice and I uninstalled McAfee. Is the firewall provided in the Windows Security Center sufficient, or do I need to download the McAfee firewall?
Is there anything I need to do with the system restore file in the chest? In an earlier post you said to ignore it, but I am not sure what that means.
I am trying to get the infected file to Alwil. It is not in the User Files. If I select File and then Add, it comes up with a lot of avast files. Do I need to go to the actual location on my C drive and select it?
Last question: is it okay to run Ad-Aware, Spybot, SUPERAntiSpyware and Malwarebytes every so often?
Thanks