restore from virus chest

i have recently registered a game called ‘bubble shooter golden pack’ and have played with no problems. today when i tried to open the game, Avast said it contained a virus so i transferred it to the virus chest. now i can’t play the game, i have tried to restore it but it hasn’t worked. when i click on the icon on the desktop i get a pop-up saying windows cannot access the specific drive path or file? can anyone help?

File name and location of the original would be helpful ?

What icon on the desktop ?

Restoration (from where and how ?) is pointless if avast considers it infected it still won’t let you run it.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

thanks for your reply, i was trying to restore the file so that i could use it again. i clicked on restore from the virus chest but it didn’t work, as when i clicked on the desktop shortcut to Bubble Golden Pack, windows says the path or file is not available?
the file name is C:\Program Files\absolutist.com\Bubble GJolden Pack\bgpack.exe. the malware name is showing as Win32:Trojan-gen (Other), showing as a Virus/Worm, VPS 081114.0, 14/11/2008. i don’t really understand how a virus got into this file as i play offline? How can i get rid of the infected part but still keep the game?

You still don’t say How or Where you were trying to restore this file, I ask because there is a specific means of doing this in avast, but a file should not be restored unless confirmed to be a bad detection. You also say it didn’t work, why, what errors, etc. ?

If you have moved the file to the chest, the desktop short cut would be pointing at a non-existent file, so that should account for the (location error).

If you do as I suggest and upload the file to virustotal, you will have to jump through some hoops to avoid avast alerting as I have pointed out.

You can’t get rid of an infected part as generally trojans can’t be repaired as the whole file is malicious. Only true ‘virus’ infections can’t be repaired and the Repair option would be available in the detection if it were.

Also the avast Win32:Trojan-gen is generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected. So I suspect that it may be a false positive, another reason why there is nothing to repair and the chief reason I ask you to confirm the detection (or otherwise) at virustotal.

So please follow the instruction in my first post, believe me it will be quicker in the long run.

thanks David, i have followed your instructions & uploaded the files to VirusTotal & have the results. unfortunately i have no idea what the results mean. there is a long list of anti virus programmes with numbers & then some have red writing after them. it doesn’t give any specific advice about what to do next. how do i know if this is a real virus or not? when i was trying to restore the game, i just clicked on restore in the virus chest page, but nothing happened at all, i didn’t get any error messages or anything, it just didn’t restore. i apologise for my lack of knowledge but this is all new to me.

Which is why I suggested posting the results and we can have a stab at the results.

When you scan using VT when it is complete, just copy and paste the URL in the address bar of that page into your post (or copy and paste the text of the results, but the link is easier all round).

It is simply an analysis/scanning tool it doesn’t give advice on what to do next, we can do that.

http://www.virustotal.com/analisis/8e0873325b361452c5fa49d5fd75f2a9
Hi, is this what you mean?

http://www.virustotal.com/reanalisis.html?c848404e7eb5cdc669637f1dfd0f4955
http://www.virustotal.com/reanalisis.html?0aac2d23d042c0f0f650986345b41bde
also this but i think this is the same thing (i have 3 applications in the virus chest:- bgoldpak(1) (4360kb), BGPack (940kb) and BubbleGoldPaid (4589)). i scanned them all but it said they had already been scanned?

Yes that is what I mean the red is just the malware name that was found by that particular scanner.

The GData also uses avast as one of its two scanners, so effectively there is only one detection (1/36) and that is a strong indication that the detection is a false positive.

Send the file to avast for further analysis and correction, as in the link how to report and exclude from scans in my first reply.

sorry to be so dim but can you talk me through what to do next please? also what will happen when i do, will i be able to get my game back & if so, how?

The fact that they have been scanned before just means someone has previously submitted a file to be scanned, you should always have it reanalysed as the previous scan could be quite old.

BGPack.exe now shows more detections, http://www.virustotal.com/analisis/c848404e7eb5cdc669637f1dfd0f4955 10/36 (9/35 when gdata is removed); normally the more detections, the less likely it is a false positive detection. However, most of the detections are either suspicious (heuristic) or generic, which are more prone to false positives, so I still think you should send this to avast.

Bubble_Gold_Paid.exe seems the same as the one you posted first with only the two/one detection.

Do as I said click on the link I posted about how to report and exclude in my first post.

If you have, then you have to be more specific as I would just be repeating what is in that link.
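An added example, not part of the original thread: the reasoning used above on the VirusTotal results (discount GData because it embeds avast, then separate generic/heuristic labels from specific ones), written as a small Python check. The scan results, the `EngineA`..`EngineD` names and the list of label hints are constructed assumptions, not data from the reports linked in this thread.

```python
import re

# From the thread: GData uses avast as one of its two scanners, so a GData
# hit alongside an avast hit is not independent evidence.
SHARED_ENGINES = {"GData": "Avast"}

# Label fragments that usually mark generic or heuristic signatures
# (assumed list for this example; vendors' naming schemes differ).
GENERIC_HINTS = re.compile(r"(-gen\b|generic|heur|suspicious)", re.IGNORECASE)

def triage(results):
    """results maps engine name -> detection label, or None for 'clean'."""
    independent = dict(results)
    for derived, parent in SHARED_ENGINES.items():
        # Remove the derived engine from both the hit count and the total,
        # as in "10/36 (9/35 when gdata is removed)".
        if derived in independent and parent in independent:
            del independent[derived]
    hits = {e: label for e, label in independent.items() if label}
    generic = {e for e, label in hits.items() if GENERIC_HINTS.search(label)}
    return {
        "raw": (sum(1 for v in results.values() if v), len(results)),
        "independent": (len(hits), len(independent)),
        "generic_hits": sorted(generic),
        "specific_hits": sorted(set(hits) - generic),
    }

# Constructed sample scan; only the avast label is the one quoted in the thread.
SAMPLE = {
    "Avast": "Win32:Trojan-gen (Other)",
    "GData": "Win32:Trojan-gen (Other)",
    "EngineA": None,
    "EngineB": "Suspicious.File",
    "EngineC": None,
    "EngineD": "Trojan.Example.A",
}

if __name__ == "__main__":
    summary = triage(SAMPLE)
    print("raw ratio:         %d/%d" % summary["raw"])
    print("independent ratio: %d/%d" % summary["independent"])
    print("generic/heuristic: ", summary["generic_hits"])
    print("specific names:    ", summary["specific_hits"])
```

A low independent ratio made up only of generic or heuristic labels supports submitting the file to the vendor as a suspected false positive; any specific-name hit is a reason to keep the file quarantined until the vendor answers.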

i have tried to email the files to alwil by highlighting them in the virus chest & clicking on email to alwil, but it came up they are too big to send, i’m afraid i don’t understand the other option of restoring them & zipping them & sending them to Avast. do i have to send the files before i can restore them?

The first thing I would suggest is a manual program update to the latest version (right click the avast ‘a’ icon, select Updating, Program Update); that may get round this, as it doesn’t actually email them now but uploads via http.

You can Increase the sizes in Program Settings (right click the avast ‘a’ icon) Chest and increase the Maximum file size to send, so that it is large enough to cope with your file.

You don’t have to send the file before you restore it (a copy remains in the chest), but what you would have to do is exclude the original location or avast would just detect it when you try to restore it.

i increased the size & tried again, it said ‘unspecified errors’, then when i clicked cancel it came up files sent with errors?
what happens now, is it safe to restore the file? do i just highlight the files & click on restore? what do you mean by ‘exclude the original location’?

i finally figured out how to send the file (i couldn’t see how to update to the latest version but now i have) so i think they have them now. i have to go now but would appreciate your help in restoring the files so that i can use the game again, thanks for your time.

Hopefully now you have updated the program it should be able to submit the samples.

It should be safe to restore those that only had two detections in VT the other with 10 detections I would wait until it is confirmed by avast it is no longer detected.

For this to happen you have to have submitted the samples and periodically scan the file in the chest, when it is no longer detected (avast has corrected the VPS) then it would be safe to restore.

Right clicking on the file in the chest and selecting restore will send the file to the original location.

The same as I meant when I had you create the suspect folder and exclude that and its contents (remember that) so you could upload to virustotal with avast alerting. Well you have to do the same thing but be more defined in you have to name the file C:\Program Files\absolutist.com\Bubble GJolden Pack\bgpack.exe and the same for the others this will stop avast alerting when you play the game. You would also need to add the same to the Program Settings, Exclusions, so they aren’t detected when you do an on-demand scan.

hi, i have tried to follow your instructions but have failed to restore my game. i typed in C:\Program Files\absolutist.com\Bubble Golden Pack, into the exclusions & then typed all the other locations listed in the virus chest. then i highlighted all the files in the virus chest & clicked on restore. now the desktop icon has lost its picture & when i click on it (or on the application in Program Files) i still get ‘windows cannot find the file or path’. i am at my wit’s end, i have even tried reinstalling the game but that won’t work either. i seem to have ended up with loads of files called Bubbles Golden Pack, (with various words after them) but none of them work. can anyone please try to explain in very simple words what i can do now? can i delete the whole thing & just buy the game again or will that be infected too, quite honestly i would be prepared to pay another £20 to get my life back!!!

If this is all you have entered into the exclusions lists (C:\Program Files\absolutist.com\Bubble Golden Pack) I’m not surprised it didn’t work, because that neither names the file to exclude from scans, nor does it use wildcards (as in the example I used for the suspect folder c:\suspect*). However, I don’t recommend that you exclude the complete folder Bubble Golden Pack, it is too big a security hole, but it is your system and your choice.

You must enter the full path and file name (of the file being detected as infected) into both exclusions lists as in the example I gave C:\Program Files\absolutist.com\Bubble GJolden Pack\bgpack.exe

Reinstalling won’t work for obvious reasons avast will detect it unless you have the exclusions set or you pause the standard shield so it doesn’t scan the installation. That takes you up to the point of trying to play the game when avast is likely to alert again on the same files as before (unless you have the specific files excluded).

If by none of them work you mean avast detects them, then again this is back to exclusions if you don’t get that right they won’t work (even if you answer no action to the alert) so the exclusions are crucial to your problem get that wrong and it won’t work.

can you tell me where i can find ‘Standard Shield, Customize, Advanced, Add’ as i think you are telling me to put the file names in here to exclude them? also where do i find the file names to put in it? thanks