First off HELLO! ;D and thank you Avast and to all who contribute to it.
I have used Avast as the sole virus scanner and resident for over a decade I think now, and recommend it without any pause (for dogs, I recommend it without paws lol) anyway…
I have never had Avast move a file to the infamous Chest before, in all the years of using it.
Tonight Avast started popping-up warnings and Chest-ing files.
They are, in the order they are listed in the Avast Chest sorted by first Transfer Time:

C:\Program Files\Lenovo\System Update\session\6hu706ww\TPPWRIF.SYS
(with a few different other session numbers):
- 6hu706ww
- 81u704ww
- 81u711ww
- 81u715ww

C:\System Volume Information\_restore{25D7988E-C1AC-41B6-A475-0357F33EB439}\RP130\A0019593.SYS
with the variations:
- A0019593.SYS
- A0019594.SYS
- A0019595.SYS
- A0019596.SYS

and C:\WINDOWS\system32\drivers
All of the files are listed as Win32:Malware-gen
I am questioning whether these files are really threats, simply because I was only on mainstream websites, because “lenovo” is in one of the file sets, and my laptop is set for several automatic updates via Lenovo and other software.
I am no techie so I left them chested… but if they are legitimate I’d like to reenable them so my computer can function as intended.
How can these files be checked to see if they are legit?
You could upload them to virustotal.com. There a file is checked by 43 antivirus programs; a good place to start if you want to check a file.
Second, I would recommend you download, install and update Malwarebytes Anti-Malware to get a second opinion on whether your computer is free of malware, and of course scan your computer.
If anything comes up through Malwarebytes, hit Remove and it will first quarantine the file and then delete it, in case of a false threat. Plus it goes well with Avast.
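Added example (not part of the thread, and not Avast's or Malwarebytes' own tooling): before uploading a quarantined driver anywhere, a practitioner would first check whether it still exists at the reported path, compute its SHA-256 so it can be looked up on VirusTotal by hash without uploading the file, and check its Authenticode signature. The script assumes PowerShell 4.0 or later (for Get-FileHash) running as Administrator (System Volume Information is readable only by SYSTEM and administrators). The paths and restore-point GUID are the ones quoted earlier in this thread; a file Avast has already moved to the Chest will no longer be at its original path, so point the script at a copy extracted from the Chest into a scratch folder instead.

```powershell
# Added example, not from the thread. Assumes PowerShell 4.0+ and an elevated session.
# Paths are the ones reported in this thread; adjust them to match your own Chest entries.
$candidates = @(
    'C:\Program Files\Lenovo\System Update\session\6hu706ww\TPPWRIF.SYS',
    'C:\WINDOWS\system32\drivers\TPPWRIF.SYS',
    'C:\System Volume Information\_restore{25D7988E-C1AC-41B6-A475-0357F33EB439}\RP130\A0019593.SYS'
)

function Test-QuarantinedDriver {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        # -Force includes hidden and system files. Explorer hides these even with
        # "show hidden files" unless "hide protected operating system files" is also cleared,
        # which is why the restore-point copies are not visible in a normal folder view.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            # Expected for anything Avast has already moved to the Chest.
            [pscustomobject]@{ Path = $p; Exists = $false; Sha256 = $null; Signature = 'n/a'; Signer = $null }
            continue
        }

        # SHA-256 is enough to search VirusTotal by hash; no upload needed.
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash

        # Checks the embedded Authenticode signature and its chain.
        # Caveat: many Windows driver packages are signed through a .cat catalog file rather
        # than an embedded signature, so a legitimate driver can still report NotSigned here;
        # a catalog-aware tool (e.g. Sysinternals sigcheck) is needed to settle that case.
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            Path      = $p
            Exists    = $true
            Sha256    = $hash
            Signature = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer    = $signer
        }
    }
}

Test-QuarantinedDriver -Path $candidates | Format-List
```

Read the result in two parts: an Exists of False at the original path is normal after quarantine and says nothing about the file, and a Signature of Valid with a Lenovo subject is strong evidence of a false positive, while NotSigned is inconclusive for a driver until a catalog check has been done. Search the printed SHA-256 on VirusTotal rather than uploading the file itself.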
You did the right thing by keeping the items in the Virus Chest for now until we know what is going on.
First I have a few questions:
What is your OS, 32 or 64-bit?
What version of Avast did you install? 5.0.677 is the latest version.
What product of Avast did you install? Free, Pro, AIS?
Are your Avast definitions (updates) current?
Was your machine acting unusual prior to noticing things going into the Chest?
Please open your Avast GUI > Settings > Virus Chest > Maximum Size of Chest and change the size to zero > click “OK” on bottom of this page.
Next, check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
· Download free from http://www.malwarebytes.org/ for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
o General: Automatically Save File After Scan Completes is checked off
o Scanner Settings: Check all boxes
o Updater: Download and install update if available is checked off
· Once the program has loaded, select “Perform FULL Scan”, then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
· Copy & Paste the entire report in your next reply.
I will await your MBAM log (cut and paste the results to your next post). Remember to quarantine and not delete any infections. Should you need to repeat an MBAM scan, always update MBAM first.
In the meantime, keep your Avast definitions updated. You can right click the items in the Virus Chest after your definitions are updated to see if the items in the Chest were a false positive (FP) or not. Your System Restore files in the Chest cannot be restored, so do not attempt to restore them even if they eventually come out clean.
If you have a 32-bit machine, you can also do an Avast boot-time scan and report on that as well. Thank you.
I went to the virustotal site, and then I searched for each of the Chested files on my hard drive.
The TPPWRIF.SYS files were not in the specified folders. The folder paths were valid, but there was no “TPPWRIF.SYS” file within the last folder of the tree.
There was also no TPPWRIF.SYS file in the WINDOWS32 drivers folder
And I could not see any folder labeled “System Volume Information” in the C:\WINDOWS folder.
The files also were not visible when setting the folders to show hidden files.
I was actually running the Malwarebytes Anti-Malware, updated to the latest version… and it was during this scan that Avast alerted and quarantined the listed files.
MB anti-malware did not find any suspicious files and did not suggest anything other than that the scan was clean.
I also ran Spybot, updated to the latest version, after the MB scan. Spybot did not find anything either.
After posting your MBAM log, which is needed for the next step below, please check the information in the first post of this thread under Virus/Worms on checking your machine for malware: http://forum.avast.com/index.php?topic=53253.0.
Follow the directions for obtaining OTL logs. Post the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post). We can then analyze these in the meantime for any malware, and if any malware is found we will refer you to one of our malware experts. Thank you.
Your file is too large. The maximum attachment size allowed is 192 KB
The OTL.txt is 194 KB.
I will post the start of the .txt text here, and attach a “2nd part OTL.txt”
Start of OTL.txt:
OTL logfile created on: 10/16/2010 11:50:24 AM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 1408 2048 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 119.74 Gb Free Space | 80.34% Space Free | Partition Type: NTFS
Drive D: | 243.92 Mb Total Space | 141.53 Mb Free Space | 58.02% Space Free | Partition Type: FAT
Computer Name: LENOVO | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 90 Days
I usually come on the forum at this time or slightly earlier, but others could have helped. Regardless, your MBAM and boot-time scan are clean. I do have a question regarding your OTL log which I am contacting someone else about for another opinion.
What I recommend you do is to update your Avast definitions > right click on each item in the Virus Chest to re-scan it. You will not be able to use the System Volume Information/restore file in the Chest anyway, but you can still scan it. Report back on the results.
To confirm, you have no files quarantined from previous scans with MBAM or SB&D?
Okay, after updating definitions, the results are “no virus” for each file.
I am unsure of exactly what you are asking regarding the quarantine?
If it answers the question:
-the avast virus chest contains only the files that I have mentioned in this thread.
-I have fixed files using SB&D, but am not aware of having put any into quarantine. I do have the SB resident running.
-I believe, but am not sure, that MBAM has fixed a few files. There are currently no files within the MBAM quarantine tab. Since install, the settings have automatically saved a log, and the log for each scan shows that all scans found 0 infected files.
Actually, I remember now that I installed MBAM, and immediately ran it, and the avast warnings came a few minutes after the scan was started. That, and installing a new USB touchpad (an hour prior to running MBAM) are the only things that were out of the ordinary directly before the avast warnings.
Thank you very much for your help… your time and assistance is appreciated greatly.
When I can’t understand these tools and how they function, it is appreciated when someone else can help guide on what to do.