I ran the scanner for the first time after I did an ‘itunes’ update, and got 6 hits (2 trojan & 4 malware) in my ‘volume control’ … after being prompted I chose to send to the ‘chest’. After the scan, results show that ‘an error’ occurred and that I couldn’t do anything … move, clean, repair … it said that it was a different type of virus ‘structured’ so it could do nothing for it. What should I do?
What is the file size? If it is large it might stop it getting into the chest (but the error should relate to size).
What is the malware name, the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.
- Sign of “VBS:Agent-CM [Trj]” has been found in “C:\System Volume Information\_restore{CA4ABE0F-4771-4DBA-9EF7-DAEE681C0C0B}\RP46\A0010009.msi\Binary.vista.vbs” file.
- Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{CA4ABE0F-4771-4DBA-9EF7-DAEE681C0C0B}\RP46\A0010009.msi\Binary.fbsetup_114_FbasicWD1.exe[Embedded_R#01640]$0\findbasic.dll” file.
- Sign of “VBS:Agent-CM [Trj]” has been found in “C:\System Volume Information\_restore{CA4ABE0F-4771-4DBA-9EF7-DAEE681C0C0B}\RP46\A0010012.msi\Binary.vista.vbs” file.
- Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{CA4ABE0F-4771-4DBA-9EF7-DAEE681C0C0B}\RP46\A0010012.msi\Binary.fbsetup_114_FbasicWD1.exe[Embedded_R#01640]$0\findbasic.dll” file.
- Sign of “VBS:Agent-CM [Trj]” has been found in “C:\System Volume Information\_restore{CA4ABE0F-4771-4DBA-9EF7-DAEE681C0C0B}\RP47\A0010021.msi\Binary.vista.vbs” file.
- Sign of “VBS:Agent-CM [Trj]” has been found in “C:\System Volume Information\_restore{CA4ABE0F-4771-4DBA-9EF7-DAEE681C0C0B}\RP46\A0010009.msi\Binary.vista.vbs” file.
- Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{CA4ABE0F-4771-4DBA-9EF7-DAEE681C0C0B}\RP47\A0010021.msi\Binary.fbsetup_114_FbasicWD1.exe[Embedded_R#01640]$0\findbasic.dll” file.
I did look at the size of the chest … was at basic … made it 50000mb size of chest
100000kb size of file
OK, the reason they failed to be sent to the chest is that avast couldn’t extract them from deep inside an archive file, the numerous .msi files, like this one, A0010009.msi. If avast tried to extract it, that could corrupt the parent .msi file that it is in.
Fortunately this isn’t too much of a problem:
- Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
- Worst case scenario: it isn’t infected and you delete it; you can’t use that restore point in the future, which is not much of a loss, and the older the restore point is the less of an issue it is.
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder, or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.
The problem here is the detection is on a file within the main file in the restore point, if it were on the main file of the restore point then you could have avast delete the suspect/infected restore point. This would mean you would have to find and delete them manually, but there is a way round that.
####
-- Create Clean Restore Point - Clear old Restore Points.
Now you are clear of infection create a clean System Restore point:
1. Click Start, All Programs, Accessories, System tools, System Restore.
2. In the pop-up that appears fill in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
5. Click CREATE
You now have a clean restore point, you should clear the old ones:
1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button
How do I get to the system volume folder so I can manually remove these infected files?
It is a protected folder and somewhat messy trying to get permissions to do it.
That is why I suggested the above to clear old restore points including those infected.
– Create Clean Restore Point - Clear old Restore Points.
Now you are (clear of infection) create a clean System Restore point:
(I DON’T UNDERSTAND HERE … IT SAYS I’M CLEAR OF INFECTION … HOW? …
BY DOING THIS 1-5 … OR DO I DO 1-5 AND THEN DO THE RESTORE POINT?)
- Click Start, All Programs, Accessories, System tools, System Restore.
- In the pop-up that appears fill in the radio button to Create a Restore Point
- Click NEXT
- Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
- Click CREATE
You now have a clean restore point, you should clear the old ones:
- Click Start, All Programs, Accessories, System tools, Disk Clean Up
- Click OK on the C: drive
- Click the More Options tab
- In the System Restore section click the Clean Up button
It is basically saying other than the ones in the restore points your system is clean, which according to your information is correct.
It is then OK to create a new restore point; there would be little point in doing that if your system (other than the restore points) was still actively infected, as you could just be backing up infected files in the system folders.
The Instruction is in two parts, broken down into steps to make it easier to follow. You complete the first set, creating the new restore point. Having done that you carry out the second part, clearing out the old restore points (which would remove the infected ones also).
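To make the triage described in this thread repeatable (detections confined to restore-point archives versus detections on live files), here is an added Python example; it is not code from the thread or from avast. It parses Warning.log entries in the format pasted above; the sample's live-file entry is constructed from the placeholder path given earlier in the thread and is not a real detection.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One avast4 Warning.log entry; straight or curly quotes (forum pastes convert them).
ENTRY_RE = re.compile(r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.')
# System Restore backups live under System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r'^[A-Z]:\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\(?P<rest>.+)$', re.I)

@dataclass
class Detection:
    signature: str                 # e.g. "VBS:Agent-CM [Trj]"
    category: str                  # bracket tag: Trj, Adw, ...
    path: str
    restore_point: Optional[str]   # "RP46" when inside a restore point, else None
    archive: Optional[str]         # backed-up file holding the hit, e.g. A0010009.msi
    nested: bool                   # hit is a member inside that archive, not the file itself

def parse_entry(line: str) -> Optional[Detection]:
    m = ENTRY_RE.search(line)
    if not m:
        return None
    sig, path = m.group("sig"), m.group("path")
    tag = re.search(r"\[(\w+)\]", sig)
    category = tag.group(1) if tag else ""
    r = RESTORE_RE.match(path)
    if not r:
        return Detection(sig, category, path, None, None, False)
    parts = r.group("rest").split("\\")
    # parts[0] is the restore-point copy (A00xxxxx.ext); more components mean avast
    # unpacked an archive member, which it cannot move to the chest on its own.
    return Detection(sig, category, path, r.group("rp"), parts[0], len(parts) > 1)

def triage(log_text: str) -> dict:
    """Separate live-file hits (need action) from hits confined to restore points."""
    hits = [d for d in map(parse_entry, log_text.splitlines()) if d]
    return {
        "total": len(hits),
        "live": [d for d in hits if d.restore_point is None],
        "restore_points": sorted({d.restore_point for d in hits if d.restore_point}),
        "nested_in_archive": sum(d.nested for d in hits),
    }

# Constructed sample: three entries as quoted in the thread plus one hypothetical
# live-file hit using the placeholder path from the thread (not a real detection).
SAMPLE_LOG = r"""
Sign of “VBS:Agent-CM [Trj]” has been found in “C:\System Volume Information\_restore{CA4ABE0F-4771-4DBA-9EF7-DAEE681C0C0B}\RP46\A0010009.msi\Binary.vista.vbs” file.
Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{CA4ABE0F-4771-4DBA-9EF7-DAEE681C0C0B}\RP46\A0010009.msi\Binary.fbsetup_114_FbasicWD1.exe[Embedded_R#01640]$0\findbasic.dll” file.
Sign of “VBS:Agent-CM [Trj]” has been found in “C:\System Volume Information\_restore{CA4ABE0F-4771-4DBA-9EF7-DAEE681C0C0B}\RP47\A0010021.msi\Binary.vista.vbs” file.
Sign of “Win32:Adware-gen [Adw]” has been found in “C:\windows\system32\infected-file-name.xxx” file.
""".strip()
```

Run `triage(SAMPLE_LOG)` on a pasted Warning.log: an empty `live` list with non-empty `restore_points` is the situation in this thread, where clearing old restore points is the whole fix.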
DAViDR … THANK YOU SO VERY MUCH FOR YOUR KNOWLEDGE AND HELP …
HAPPY THANKSGiViNG TO YOU & ALL … BE SAFE … THANK YOU
You’re welcome.