I did a scan today and the scan picked up three infections.
The first one was listed as: File name: A0086358.exe and was in the system volume information file.
The second and third infections were listed as: pskill.exe and were in my sysinternals file which I had downloaded. I assume these are false positives; can I safely restore them?
The first file I mentioned is the one I don’t know what to do with. All of these files are currently in the chest.
I tried googling the file name and it only came up with one site with a foreign language. No help.
I guess it’s safe to leave it in the chest for now.
The A0086358.exe is a file name generated by System Restore for a file previously deleted from one of the system folders. Windows, in its infinite wisdom, protects files in the system folders (even malware); it is likely that avast! can’t delete or move files in the System Volume Information folder. See below if it is still in the System Volume Information folder.
The c:\System Volume Information folder is a part of the System Restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable System Restore and reboot. This will clear ALL _restore points. Once you have disabled System Restore, reboot, scan your PC again and, if clear, enable System Restore.
The pskill.exe detection will have had the suffix [Tool], which basically means this is a tool that can be used for good or evil. If you downloaded it and know what it is for, no problem: add it to the exclusions. Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions.
There have been occasions where this tool has been included in other software (doesn’t seem to be the case here).
I did notice that when I right-click these files to restore them, only one can be restored.
The other files' restore option is not available.
I also did as you suggested by disabling system restore and rebooting.
I then did another scan that came up clean and turned system restore back on.
Getting back to the two pskill.exe files: you mentioned that they should have the suffix [tool], but I did not notice that on either file. I don’t know if that means anything.
The file name doesn’t have the suffix [Tool]; the detection malware name usually has a suffix, like [Trj] Trojan or [Wrm] Worm. In this case it may have had the suffix [Tool], which just says it could be used for a legit purpose, but like a hammer it can also be used for harm.
Check the avast! Log Viewer (right-click the avast icon), Warning section; this contains information on all avast detections. The locations may provide some information as to why one had a suffix of [Tool] but not the other, and whether they were given the same malware name; all that information is in the log viewer.
Using the log viewer as you suggested, on the warning page after the date and time, the description reads:
Sign of "Win32: Trojan-gen.{VC}" has been found in C:.…
How do you get the entire location to appear?
I assume the location would show these files to be in my sysinternals suite file.
Thanks for all your help. One last question slightly off topic and then I promise not to bother you again (at least for a little while).
When scanning with Avast, how do I get the program to automatically accept the recommended action if an infection is found and thus continue with the scan? I’m sure it is somewhere in the settings pages, but I can’t seem to find it.
By expanding the column width: hover the mouse between the column headings and you will see the pointer change to dual arrows; left-click and hold whilst dragging the pointer to the right. This works for virtually all Windows applications with columns.
These advanced automated options are only available in the Pro version. There have to be differences between the Home and Pro versions (the programmers have to eat), and for the Home version an interactive response is required.
In the Home version you can check the option “Don’t show this window again” when the first virus warning appears and select the “No action” button. This way, no action will be taken and you will be given the results at the end of the scan (and you can perform actions from there).