Using Avast home and Windows 7 and totally new to both of them.
A week ago or so I had several trojan horse alerts below:
Win 32 RBOT-GMX [tri] in C:\program data\Wild Tangent (moved to chest)
Win 32 RBOT-GMX [tri] in C:\program files(x86)HP games\chocolatier decadence (tried to send to chest but it denied access to chest): cannot process HP games \chocolatier decadence GDF.dll file. (I deleted one, but one is in the chest).
Win 32: DELF-MZG [tri] in C:\program files (x86) microsoft works inchtour.exe[UPX][embedded_R#hookdll] file.
When I clicked on the chest, it said ‘cannot find file specified, cannot process’. (I clicked ‘no action’)
Under ‘All Chest Files’ are:
54464113b-8694-4f…C:\ProgramData\Wild Tangent - no virus -
hp_remote_solution… C:\program files (86)hewlett-pack… - no virus -
Kernel32.dll – C:\windows\system32 - no virus -
Wsock32.dll – C:\windows\system32 - no virus -
Clamav-9ba8cdf559d… C:\users\verona\appdata\local\te… - Win32: Trojan
Clamwin is an on demand virus scanner and I got the alert during scan
I’ve searched for RBOT-GMX and found nothing.
I did online scans with Trend Micro, a couple with Avast, Eset, Windows Defender, A2Squared(anti-malware) and Clamwin and all said OK, no infections.
Used disk cleanup also. Lots of reading and searching and am at a loss.
Could someone please help and tell me how to proceed with this now in restoring or deleting these files as I think I’ve made some mistakes already dealing with the alerts, and sure don’t want to mess up my PC. Sorry this is so long. Thank you.
PS- is there a tutorial somewhere explaining about alerts & virus solutions?
Something to let you know about the chest and its different sections, as two of the files you list were never infected, assuming they were in the System Files section of the chest.
I really do wish Alwil would get rid of this All Chest Files collation of the three sections:
- The Infected Files section is the only area you should be interested in: this is where the files detected by avast and selected by you to move to the chest are placed.
- The User Files section is where the user can add files they suspect of being malware but not detected by avast.
- The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).
- The All Chest Files section is a collation of the three sections.
The problem with the Clamav detection isn't that it is a false positive, but that Clamav hasn't encrypted its virus signatures, and any installed AV which is signature-based is going to detect the unencrypted virus signature.
In the infected files category are:
54464113b-8694-4f…C:\ProgramData\Wild Tangent no virus
hp_remote_solution… C:\program files (86)hewlett-pack… no virus
Clamav-9ba8cdf559d… C:\users\verona\appdata\local\te…Win32:Trojan-gen
(got alert while scanning with Clamav)
Scanned with Avast. – Win32:Trojan-gen
Could you please advise me how to handle these files in the chest?
Do I delete or restore the first two with ‘no virus’?
Do I delete the Clamav with (win32: trojan-gen) ?
Also, the problem which you explained about Clamav - does that mean that if I scan with Clamav, I will be getting these same kind of infection alerts? Maybe I should just uninstall Clamav?
I appreciate your help and patience as I’m new to Avast and am doing my best trying to read and acquaint myself with the program.
One more question if I may - the help files recommended to enable the VRDB, which I did. I thought that it took a snapshot of files for future use, but it appears that it continuously runs (maybe I understood wrong). Is this what it normally does (run continuously)?
You can Restore these two from the chest (right click on the file and select Restore):
54464113b-8694-4f…C:\ProgramData\Wild Tangent no virus
hp_remote_solution… C:\program files (86)hewlett-pack… no virus
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
Whilst I didn’t say that you should uninstall clamav, I’m concerned about antivirus applications that don’t bother encrypting their signatures, lazy at best, incompetent at worst. But it may not be as simple as that.
If, as you say, this was found during a clamav scan, it might not have been a clamav signature being detected, but a file that clamav tried to open for scanning on which avast made a detection. This can happen when running scans with other security applications, as this is what a 'resident' scanner does: it hooks files that are created/opened and scans them before handing control back to the originating program.
For this reason I tend to pause the Standard Shield if running a 3rd party scan; this not only avoids possible conflicts like this, it also gets rid of the duplication of scanning for files being scanned by both, reducing the overall scan duration.
The decision on removing clamav is one which you will have to take. Personally I would back avast up with SAS and MBAM as on-demand anti-spy/malware scanners. WinPatrol is another to help guard against registry changes, etc.
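The two mechanisms DavidR describes above (a scanner's unencrypted signature database being matched by another signature-based scanner, and the chest as a place where a detected file can sit, be re-scanned and be restored) can be shown with a toy scanner. The following is an added example written for this page, not Avast's or ClamAV's code: the signature strings, the single-byte XOR transform and its key, the file names and the chest layout are all invented for illustration, and it makes no claim about how either real product stores its database or quarantine.

```python
"""Toy signature scanner with a quarantine ("chest").  Added example, not
Avast's or ClamAV's code.  Shows (1) a database that stores detection patterns
verbatim matches under another scanner's signatures, while a transformed one
does not, and (2) a chest whose entries are stored transformed can be scanned
in place or restored without the stored copy itself matching."""
import hashlib
import os
import tempfile

# Constructed toy signatures: made-up byte strings, not real malware patterns.
# They contain no ':' or newline, which the simple DB format below relies on.
SIGNATURES = {
    "Toy.Trojan.A": b"TOY-TROJAN-MARKER-A",
    "Toy.Worm.B": b"TOY-WORM-MARKER-B",
}

STORE_KEY = 0x5A  # assumed toy key; stands in for a real product's transform


def xor_bytes(data: bytes, key: int = STORE_KEY) -> bytes:
    """Reversible byte transform used for both the DB and the chest."""
    return bytes(b ^ key for b in data)


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Names of every signature whose pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_file(path: str, signatures=SIGNATURES) -> list:
    """On-demand scan of one file on disk, as the file actually sits there."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), signatures)


def write_db(path: str, signatures=SIGNATURES, transformed: bool = False):
    """One 'name:pattern' record per line.  Untransformed, the raw pattern
    bytes land on disk, so the DB file contains every pattern it describes."""
    with open(path, "wb") as f:
        for name, pattern in signatures.items():
            stored = xor_bytes(pattern) if transformed else pattern
            f.write(name.encode() + b":" + stored + b"\n")


def load_db(path: str, transformed: bool = False) -> dict:
    """Read a DB written by write_db back into a name -> pattern dict."""
    sigs = {}
    with open(path, "rb") as f:
        for line in f.read().split(b"\n"):
            if line:
                name, stored = line.split(b":", 1)
                sigs[name.decode()] = xor_bytes(stored) if transformed else stored
    return sigs


def move_to_chest(path: str, chest_dir: str) -> str:
    """Move a detected file into the chest.  The copy is stored transformed,
    so a resident scanner hooking the write does not see the raw pattern."""
    with open(path, "rb") as f:
        data = f.read()
    dest = os.path.join(chest_dir, hashlib.sha256(data).hexdigest()[:16])
    with open(dest, "wb") as f:
        f.write(xor_bytes(data))
    os.remove(path)
    return dest


def scan_in_chest(chest_path: str, signatures=SIGNATURES) -> list:
    """Re-scan a chest entry (e.g. with newer signatures) by untransforming
    it in memory only; the file on disk stays transformed."""
    with open(chest_path, "rb") as f:
        return scan_bytes(xor_bytes(f.read()), signatures)


def restore_from_chest(chest_path: str, original_path: str) -> str:
    """Put the original bytes back where they came from and drop the entry."""
    with open(chest_path, "rb") as f:
        data = xor_bytes(f.read())
    with open(original_path, "wb") as f:
        f.write(data)
    os.remove(chest_path)
    return original_path


def demo() -> dict:
    """Run the whole flow in a temp dir; return what each scan found."""
    with tempfile.TemporaryDirectory() as tmp:
        chest = os.path.join(tmp, "chest")
        os.mkdir(chest)
        plain_db, xor_db = os.path.join(tmp, "plain.db"), os.path.join(tmp, "xor.db")
        write_db(plain_db)
        write_db(xor_db, transformed=True)
        sample = os.path.join(tmp, "sample.bin")  # constructed test file
        with open(sample, "wb") as f:
            f.write(b"MZ header " + SIGNATURES["Toy.Trojan.A"] + b" rest of file")
        result = {
            "plain_db_hits": scan_file(plain_db),       # the DB itself "infected"
            "xor_db_hits": scan_file(xor_db),           # transformed DB is clean
            "xor_db_roundtrip": load_db(xor_db, transformed=True) == SIGNATURES,
            "sample_hits": scan_file(sample),
        }
        entry = move_to_chest(sample, chest)
        result["chest_on_disk_hits"] = scan_file(entry)   # stored copy not matched
        result["chest_rescan_hits"] = scan_in_chest(entry)  # still detectable inside
        result["original_still_present"] = os.path.exists(sample)
        restore_from_chest(entry, sample)
        result["restored_hits"] = scan_file(sample)
    return result


if __name__ == "__main__":
    print(demo())
```

Scanning `plain.db` with the same signatures flags both records, which is the cross-detection effect described in the post, while `xor.db` round-trips to the identical signature set yet matches nothing on disk. The chest entry behaves the same way: the stored copy is clean to an on-disk scan, `scan_in_chest` still detects it, and `restore_from_chest` brings the original back unchanged.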
DavidR - thank you so much for your help, it was great.
Sorry, I hate to be a pain, but in my paranoia I totally forgot to ask a question which is concerning me. Could you please explain what this means?
At the end of every entry that Clam AV scanned, it said 'permission denied', yet the scan results read '0 infected files'. If they didn't have permission to access the files, how do they determine that there is no infection? Still, I got a trojan alert. Is this because the Avast resident blocked their access to the files?
Is resident just another name for the standard shield?
Sorry for my newbie illiteracy!!
Anyway, I would like to wish you a joyous and peaceful Xmas and all the best in 2010. Many thanks again.
The problem with two AV scanners running at the same time is that they can end up locking each other's attempts to scan a file. So 'permission denied' can be a symptom of that, or of another legitimate reason to block access. If a file for whatever reason can't be scanned, what other conclusion can you draw? Certainly not infected. There is unfortunately zero information to go on, like the file name and location of the file that has had 'permission denied'.
As far as avast is concerned (I have never used clamav and don't intend to start now), there are occasions when it too can't scan a file and it reports that at the end of the scan also (some AVs don't even bother to tell you).
Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others (and avast doesn't know the password or have any way of using it even if it did know it).
When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected, you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), this will reduce the numbers of files that can't be scanned.
By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text.
If you can give some examples of those file names, the locations and reason given why it can't be scanned might help us further ?
Resident isn't another name for standard shield; resident protection means it is always on. 'Resident' scanners, also called 'on-access' scanners, scan files as they are accessed, as opposed to on-demand scanners, which only scan when you initiate them.
So all of avast's different shields/providers work as resident/on-access functions.