On demand scan 4.8.1368 (Home Free)

After a new version and update, I ran an on demand scan. Had a worm XXXXXXX(cab.XXX, Put it in the chest, (no come back). At the end of scan, with the list that pops up, said there was a problem putting worm in the chest. Now what do I do? And thanks.

Posting the full details of the detections would be a good start.

What is the malware name, infected file name, where was it found e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

What was the full error text as to why it couldn’t move it to the chest ?

Nothing in the warning file DavidR. Full text of message was, “Problem moving file to chest”. Next time I run an on demand, I will write it all down. Thank You for the come back.

It should be there if the detection was made during an on-demand scan.

I suspect that it might be considered an unsupported archive type possibly, but not much point speculating without alert details.

Best I can do DavidR, Ran another scan, same worm popped up. Moved it to chest, thought it went OK, (nothing said anything different), continued scan and at the end is where it says it had a problem moving to chest.
(On the list that pops up). I would like to get rid of it if I can. Thanks again. Might be my OS. (see attachments)

Something screwed up ! (See attachment I Hope) ???

Do you know what the infected file is? (Important cabinet file or not? Which program is it related to?)
If a file is re-downloadable and avast cannot move it to a chest, I have previously gone with ‘Delete’.

The problem with moving may be related to the file type (cabinet - read only?)

The infected file is a screen saver file, .scr within an archive file, .cab and basically avast can’t extract the file from within the .cab file (without possibly corrupting the archive file).

Do you know what the win_19.cab (cabinet) file in c:\windows\Options\Cabs folder is all about ?

How big is the win_19.cab file ?

Do you know what the win_19.cab (cabinet) file in c:\windows\Options\Cabs folder is all about ? Have no Idea DavidR.
Size is 8000kb

Thanks jillzebub, Possibility

At only 8MB you could upload it to VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Hi DavidR - excuse crosspost

Hi Hines232

The file appears to be from an installation disk winMe (probably copied to yr HDD sometime) - just speculating – see link

http://www.easydesksoftware.com/recovery.htm

it says recovery disk but I think would apply natively to the installation disk

http://www.pcmag.com/encyclopedia_term/0,2542,t=Windows+Options+Cabs&i=54678,00.asp
http://www.mp3car.com/vbulletin/software-software-development/4495-can-i-delete-c-windows-options-cabs.html

I saved disk images of xp and various xp office to a folder on my HDD in case the disks went missing. Obviously I cannot defrag or disassemble the components of the disk image (such as send one file elsewhere).

You have winMe installed on yr machine and the installation disk was loaded to the HDD either to ease installation or for a tech to have a copy of the native immediately at hand for any work done that needed access to the installation files (recovery work is good example).

Bottom line is you can't do much with it except get rid of it, so that is yr option once you have sorted what is happening on yr OS - best not to do it immediately as this may not be yr problem.

I don't think the file is part of yr running system (rather than installation) but if it is you could replace it. Almost surely isn’t part of running system but wait for further advice.

You also have MemTurbo downloaded to yr desktop. This is not good practice, and you should consider uninstalling it, but yr own judgment here as you would know more about it than me and also you may have paid for the program. There is nothing bad about the program, so again don’t do anything yet.

You may also have Ad-Aware SE Personal running at the same time as avast
http://www.download3k.com/Antivirus-Report-Lavasoft-Ad-Aware-SE-Personal.html

so there might be some conflict in OS environment and this may give reason for a false positive, as file itself may be bit oddball in this day and age (no offence intended) - yr ideal scenario as envisioned by yr scan would not include the WinMe 3D Flowerbox (though can't see why not). The file may be corrupted.

Here is some info on the file itself.
http://www.fileresearchcenter.com/S/SSFLWBOX.SCR-1617.html

Since the reading comes from SAS, I would recommend download from http://www.filehippo.com/download_superantispyware/ and run a scan, see what turns up.

I posted most of this stuff for other people to have a look as well and maybe give someone a lead in to this problem. I have to go out and do something myself. Good luck.

Thanks mkis, A lot you are right on. A lot of info.

DavidR, A lot to do here. Before I start, What if I do a “check point” on my system, Re start, and go in and “delete” that file, (If I can). If there is a problem when I restart, I can go back to the check point and restore my system back. Will not that worm file be there again ??

Personally I wouldn’t delete it, but first confirm or deny the detection at virustotal.

I doubt there would be a problem as the .cab file is to all intents and purposes inert as would be the .scr inside. So the .cab file wouldn’t be in use, so shouldn’t cause any problem, that doesn’t get away from the fact deletion is a poor option (you have none left) if you haven’t checked it 100%.

So let's assume for a moment it were a false positive, a) you had deleted a file unnecessarily and b) sent it to avast for analysis and correction of an FP and so improving detections and helping all avast users that might also have this file.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

This has been completed, But now how do I get the “worm” in the chest to export ???

I don’t believe you have the worm or whatever it is in the chest, that operation failed didn’t it ?

We also aren’t putting in there what was detected, the .scr file but the win_19.cab file which contained the .scr file that avast detected and couldn’t extract to the chest.

So you would be trying to copy the win_19.cab file (from c:\windows\Options\Cabs) to the c:\suspect folder, you would probably need to pause the standard shield to copy it to the c:\suspect folder, enable it after you have copied it there.

The “Worm” is now in the Suspect folder. What now DavidR ? ;D

Results.

There were two bad duds. How now does this help anyone else ?? ;D
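
Added example, not part of the original thread and not avast's own code: the detection discussed above was for a .scr file inside win_19.cab that the scanner could not pull out of the archive, so a first triage step is to list what the cabinet holds without extracting or running anything. This Python sketch reads the CAB file table and flags members with executable extensions; the sample cabinet bytes, member names and function names are constructed for illustration.

```python
import os
import struct

# Extensions Windows runs directly; a .scr screen saver is an ordinary executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".dll", ".bat"}

def list_cab_members(data: bytes):
    """Return [(name, uncompressed_size, folder_index)] from the CAB file table."""
    if len(data) < 36 or data[:4] != b"MSCF":
        raise ValueError("not a Microsoft cabinet (missing MSCF signature)")
    # CFHEADER is little-endian: coffFiles at offset 16, cFiles at offset 28.
    coff_files = struct.unpack_from("<I", data, 16)[0]
    c_files = struct.unpack_from("<H", data, 28)[0]
    members, pos = [], coff_files
    for _ in range(c_files):
        if pos + 16 > len(data):
            raise ValueError("truncated CFFILE entry")
        # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, then name.
        cb_file, _off, i_folder, _d, _t, _attr = struct.unpack_from("<IIHHHH", data, pos)
        end = data.find(b"\x00", pos + 16)
        if end == -1:
            raise ValueError("unterminated member name")
        # latin-1 never fails to decode; good enough for a listing.
        members.append((data[pos + 16:end].decode("latin-1"), cb_file, i_folder))
        pos = end + 1
    return members

def executable_members(data: bytes):
    """Members whose extension means Windows would execute them if extracted."""
    return [m for m in list_cab_members(data)
            if os.path.splitext(m[0])[1].lower() in EXECUTABLE_EXTS]

def build_sample_cab() -> bytes:
    """Constructed listing-only cabinet: header, one folder, two file entries."""
    files = [(b"README.TXT", 120), (b"SAMPLE.SCR", 4096)]
    entries = b"".join(struct.pack("<IIHHHH", size, 0, 0, 0, 0, 0x20) + name + b"\x00"
                       for name, size in files)
    coff_files = 36 + 8                      # CFHEADER + one CFFOLDER
    total = coff_files + len(entries)
    header = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, total, 0, coff_files, 0,
                         3, 1, 1, len(files), 0, 0, 0)
    folder = struct.pack("<IHH", total, 0, 0)  # no data blocks, no compression
    return header + folder + entries

if __name__ == "__main__":
    for name, size, folder in executable_members(build_sample_cab()):
        print(f"executable member: {name} ({size} bytes, folder {folder})")
```

On a real file, read the copy placed in the excluded folder in binary mode and pass the bytes to executable_members.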