Scanning process!

I did a full thorough scan with Avast and one file that is located in: C:\System Volume Information\restore has a result: Infection: JS-Seeker-gen … Operation: Error occurred during file repair. I couldn’t read the rest because there wasn’t enough room to read it. Also, I have noticed when I tried to move it to chest, I get a message saying there is not enough disk space? I have enough disk space, so why does it keep saying that? Also, what do I do about this infected file if it can’t be repaired or moved? How do I know if it is safe to delete? I am a beginner and don’t know what to do with it.

The repair function wouldn’t work for a file like this, so I’m surprised it was even an active choice.

Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad: C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log, which makes it easy to read all the text.

The “not enough space” message is more to do with the size of the file being sent exceeding the avast Program Settings, Chest, Maximum file size to send; adjust that value to allow for the size of the file you want to send.

There is a detection in one of your system restore points. Each system restore point is quite large; probably too large for the chest. Avast cannot remove the individual item from within the restore point; the only viable action in this case is for it to try and remove the entire point, which is effectively now useless, in that using System Restore and attempting to restore that point would also now restore the malicious file.

In that case, is it safe to delete this file? This detection cannot be harmless … or what?

Personally, if there is any doubt about a restore point, I would rather it wasn’t there to possibly infect the system if you used it in the future.

Remember the only reason it is in the C:\System Volume Information\ folder is something was previously deleted or moved from the system folders, etc. and system restore created the restore point, just in case.

So assuming the worst case scenario, that it was a bad detection and you deleted it, you wouldn’t have that restore point available in the future, and the older the restore point, the less real value it has.

You can have Avast delete the file, or delete all your system restore points, as you prefer.

(To delete all restore points, turn system restore off, reboot, turn it back on.)
(To turn system restore off, right-click “my computer” select “properties”, then select “system restore”. Tick the box in the obvious place, click “OK”.)

Unfortunately, the repair option is always available; most of the time, it’s impossible to repair :cry:
It should be grayed out.

The detection is upon files, not the entire restore point, afaik.

Moving any file (of that folder) to Chest breaks down the restore point and makes it unusable. The file cannot be restored to that folder. But, in most cases, this is good, as it is an infected restore point.

I downloaded the Malwarebytes anti-malware, and the Superantispyware and the Comodo firewall. I have used all three to do scanning on my computer. The first three found no infected files. However, the third did!!! Comodo firewall has found this: Trojan.Win32.Patched.m(ID = 0x517d0) D:\WINDOWS\SYSTEM32\system32\dllcache\winlogon.exe

However, the Comodo firewall does NOT give the option to quarantine to move it to chest. It gives Save as, delete all or exit.

My question is this to the previous post by:

Quote from: Tarq57 on May 15, 2009, 10:37:04 PM
There is a detection in one of your system restore points. Each system restore point is quite large
The detection is upon files, not the entire restore point, afaik.

Moving any file (of that folder) to Chest breaks down the restore point and makes it unusable. The file cannot be restored to that folder. But, in most cases, this is good, as it is an infected restore point.

Since I can only “Save as” or “delete all” or “exit”: if I delete this, will it cause the breakdown or unusable restore point quoted from the above post if I tried to quarantine or delete this file? What is the best option for me to do with this? Please be specific, for I am a beginner and need to be advised slowly and clearly on the steps to take … since I do not understand all this technical jargon ???.. thanks …

I recommend you do not delete or quarantine that file without some further research. The file could be infected, or it could be a false positive by Comodo. (I believe it is the included antispyware component in the firewall that made that detection, rather than the Antivirus part of the “suite”, which I hope you didn’t install.) I’m inclined to think it is more likely than not to be a false positive, as your other scanners didn’t flag it.

So how to proceed with this?
What I would do is locate the file concerned. You will have to go into “folder options” via the control panel (or any explorer window - whatever way is easier for you to find) and set it to show “hidden and system files”.
Then navigate to the folder/file concerned. (Reason: So you know how to do it for what comes next.)

Open a web page to VirusTotal and click the “browse” button. Locate that same file again, and then select “send file”. It will then be analyzed by several up-to-date virus scanners. The results will give an indication as to its status. Copy the URL for the VirusTotal results, and post it back here.

You could also do a search/ask a question on the Comodo Forum because if it is a false positive, it’s likely that other users will be experiencing the same issue.

One thing I also do is scan the individual file with whatever scanners I have installed, by locating it, right-clicking, and from the context menu select “scan with…” and choose MBAM, and then Superantispyware (provided context menu scanning was enabled during installation.)

Hope this helps.

PS: Hey, look what I just found at the Comodo forum.
This post originated over a year ago. It is further indication that it’s likely to be a FP.

It is too late! It asked if I wanted to clean the file. I clicked yes! Now what will happen? Is this going to affect my computer badly now? OMG!! :o

Don’t reboot or turn it off.
Go into the Comodo panel, and locate where it is quarantined, and remove it (not delete it) from the quarantine.
From the forum post I linked just before:

If you only Quarantined it and didn`t remove it you can remove it from quarantine. Highlight it, click “Remove” and “Apply”. This will only remove it from quarantine, not from your computer.

Regards

Matty

Additional information from the same thread:

Size: 502,272 bytes
Date: 2004-08-04 00:56:58.

If the Winlogon.exe files on your system(s) reflect these attributes, do not delete them. They may appear in the following folders: C:\WINDOWS\SYSTEM32; C:\WINDOWS\SYSTEM32\DLLCACHE; C:\WINDOWS\$NtServicePackUninstall$; C:\I386\ and C:\WINDOWS\ServicePackFiles\i386

And once you’ve done that, navigate to the folder it came from originally, and check that it is there.
(You could look at the attributes while you’re there by right clicking it and selecting “properties” once you have found it; compare them to what I just posted above.)
If you haven’t tried to reboot since quarantining it, you should be alright.

If you have deleted rather than quarantining it, once again, do not reboot, post back here. (And do you have your Windows installation disk?)
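One way to carry out the attribute check described above, added here as an example and not code from the thread or from any of the tools mentioned: a small Python script that records size, modification date and SHA-256 for each copy of winlogon.exe, compares them with the values quoted in the post, and checks that the copies agree with each other. The expected values, the candidate paths and the constructed sample files in `demo()` are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime

# Attributes quoted in the thread for the XP winlogon.exe. They are the poster's
# values for that build, not a universal key; substitute your own known-good ones.
EXPECTED_SIZE = 502_272
EXPECTED_DATE = "2004-08-04"

# The two copies named in the thread; Windows File Protection keeps them identical.
CANDIDATE_PATHS = [
    r"C:\WINDOWS\SYSTEM32\winlogon.exe",
    r"C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe",
]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def describe(path, expected_size=EXPECTED_SIZE, expected_date=EXPECTED_DATE):
    """Size, local modification date, SHA-256, and whether size/date match."""
    st = os.stat(path)
    mdate = datetime.fromtimestamp(st.st_mtime).strftime("%Y-%m-%d")
    return {"path": path, "size": st.st_size, "date": mdate, "sha256": sha256_of(path),
            "matches": st.st_size == expected_size and mdate == expected_date}

def compare_copies(paths):
    """Describe each copy that exists; second value is True only if all share one hash."""
    found = [describe(p) for p in paths if os.path.isfile(p)]
    return found, len({d["sha256"] for d in found}) <= 1

def demo():
    """Constructed sample (not real system files): two identical good copies plus one
    tampered copy that keeps the expected size and date, so only the hash differs."""
    tmp = tempfile.mkdtemp()
    good = b"\x00" * EXPECTED_SIZE
    when = datetime(2004, 8, 4, 0, 56, 58).timestamp()
    paths = []
    for name, data in (("a", good), ("b", good), ("c", good[:-1] + b"\x01")):
        p = os.path.join(tmp, name + "_winlogon.exe")
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (when, when))
        paths.append(p)
    found, same = compare_copies(paths[:2])
    _, same_with_bad = compare_copies(paths)
    return all(d["matches"] for d in found), same, same_with_bad
```

A size and date that match the quoted values are necessary but not sufficient: the tampered sample passes both and is caught only because its hash differs from the other copies.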

I am sorry but I am catching your posts too late. I did reboot it … so I can do a volume error check to see if I can rectify this somehow. I checked quarantine in Comodo and I do not see it there.

And it rebooted OK? Everything works?
You might have dodged a bit of a bullet there.

So far I do not see any error messages. Why is that, if it is deleted?

Good question.
I have no idea.
Be back in a bit.

The other one was this detection: ApplicUnsaf.Win32.Joke.ScreenMate(ID = 0x2b5d8) D:\System Volume Information_restore {323E5864-4CA2-9417-A44B336Do}-\RP367\A0038683.exe

Is it possible that the volume error checking … fixed the system error? Do I still need to use the disk to replace the missing file? Why didn’t it caution me before cleaning the threat? I looked for the file in “my computer” and couldn’t find it. Also, I am getting alerts to upgrade the version of Comodo firewall … is it safe to do so at this point?

Regarding the first part of your most recent post, see earlier discussions on System restore. (Basically, should be cleaned up, but not an immediate threat; takes low priority, will bork that particular restore point if it’s cleaned, don’t fret. Later.)

Regarding the second part of your most recent post: are we talking about the file the Comodo firewall alerted on and then you deleted?

1-It is possible that “check volume for error” might have made all OK. But probably not.
2-It would seem that you don’t need the disk, since the computer appears to work.
3-Why didn’t it warn you? Indeed. Be good if it did. But unfortunately it appears that this particular issue is known about at Comodo, and accorded a low priority to fix. Be warned: any security application may be prone to FPs (if that is what this was; I am still not convinced) and deleting such detections can cause system problems. They can all do this. Even Avast. Always investigate a detection before taking action.
4-Did you set Windows to show hidden and system files before looking for it? Do you need to know how to do that?

Regarding earlier posts: Everything working alright, as far as you can tell?
I’m guessing that in the absence of other options, you deleted the file. So the long and short of it is, we probably will never know.

If it turns out that file is necessary for the operation of some aspect of the computer, hopefully there will be ways of downloading or otherwise getting it. Here is what it looks like in my XP Home installation. (What’s your OS again?)

Sorry if this sounds a bit rambly, I’m a shiftworker, have not slept properly for over 36 hours, and have just consumed half a bottle of Central Otago’s Finest and am in no properly lucid state to be proffering advice.

I see it in the C: drive in Windows; however, I do not see it in the D: drive where it was detected.