Virus/question

Hello folks, I am new here and not very good at computers, sorry about that ::). I sent three files to the virus chest.

The file names are A0005675.exe, A0005677.exe, A0006474.dll.

Another one I got was mst120.dll.

All of them are now (I presume) safe in the virus chest. What I found somewhat concerning is that two of the infected files have a last changed date of BEFORE I scanned, so does that mean avast failed to find them at first, or when they were made? :S

How should I proceed? :S I mean I don't mind reformatting and all, but I recently learned that external hard drives can get viruses/trojan horses etc. Which, combined with avast possibly not finding the viruses etc., doesn't make it such a valuable option.

I guess what I am asking is what should I do? I presume just delete them now that they are in the chest, or? But I did read somewhere here about investigating before doing that?

Sorry if I sound pathetic.

Take pity on me please :-[

You did a good job sending the files to the virus chest.

Technically, mst120.dll is MST120 Library, a Microsoft Windows file which could be a false positive.

Extract the file from the virus chest and add it to the Exclusions list (hint: use “*” or “?” as a wildcard).

Upload the file to VirusTotal and post results.

If indeed an FP, send the file in a password-protected zip folder to virus@avast.com with False Positive in subject and the password mentioned in the email body.

Isn’t it digitally signed? If so, avast should have ignored the detection (default settings).


These 3 … A0005675.exe , A0005677.exe, A0006474.dll … seem to be related to a trojan downloader but since avast has them in the chest, you should be ok.

http://g.s.scandoo.com/search?hl=en&meta=on&q=A0005675.exe

http://g.s.scandoo.com/search?hl=en&meta=on&q=A0005677.exe

http://g.s.scandoo.com/search?hl=en&meta=on&q=A0006474.dll

These can do no harm while in the virus chest. You can leave them in the chest for about 2 weeks and if your computer is running correctly at that time, you can delete them if you want.


Personally I can’t see how there can be any reliability in any relationship to malware with these file names.

The reason why:
a) they look like system restore file names and not original file names.
b) system restore creates random file names so what is shown on one randomly named system restore file may have a totally different original file name than the same system restore file name on another system. Clear as mud I know.
c) we don’t know the location (I’m assuming the c:\system volume information folder) so we have incomplete information.


You are right, David.

We do not know the location of the files.


Thanks for the responses :).

The mst120.dll one is in a folder called system 32 ^^ The others are in system volume information, restore, then some random string of numbers and letters (I can post them if that helps).

You say if my computer is running correctly. Well, it seems to be running alright; the only problem I have found is Windows Explorer seems to crash at random times (program not responding), making me close that window (think that's what it's called). Also it runs slowly on some sites I visit (nothing dodgy :P), but that may be the adverts on the website. Also the PC sometimes runs Windows Media Player slowly, then goes back to normal. So by no means is it all the time.

A question though: if I were to reformat (I think that's what I do), you need a CD for it anyway, would it be wise to delete them first or just leave them there and reformat?

Again sorry :-[

Sure hope I will be free to ask other questions if I need to, as opposed to being on a ration of them ;D

Personally I wouldn’t worry about further analysis on the ones from the system volume information folder, the worst case scenario is if you used system restore in the future those restore points wouldn’t be available to you. Remember the reason they are in there in the first place is that they were previously deleted or moved from the system folders, etc.

So my thoughts are if there is any element of doubt over a restore point, being in the chest is best. The last thing you want is to use system restore in the future only to have that suspect restore point bite you in the rear.

You should however, do as Jtaylor83 suggested and upload the mst120.dll file to virustotal to confirm the detection.

VirusTotal - Multi engine on-line virus scanner; report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive (only avast and/or gdata detects it), see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

You can easily clean off infected files in the System Restore folder by resetting System Restore:

1. Right click on “My Computer” and click on “Properties”.
2. Go to “System Restore” tab and check “Turn off System Restore on all drives”. Click “Yes” at the prompt. (Wait a while for it to finish)
3. Then UNcheck “Turn off System Restore on all drives”. Click “Yes” at the prompt. (Wait a while for it to finish)
4. Your System Restore is now turned on.

That will flush away all previously infected System restore points and create new ones for you.

Yes you can, but avast has been able to remove just the infected restore point/files.

Whilst disabling system restore on all drives will remove ALL restore points not just infected restore points/files. So this is really an option if avast can’t deal with an infected restore point.

Sorry DavidR, but it sounds like a very confusing process :-. I presume the C drive is the hc folder called Boot C? Really all I need to know is if I should reformat before or after deleting the files from the virus chest, or you could give me a more detailed step by step guide. Again sorry, I am not good at PCs, remember. :-X But isn't it like dangerous to put viruses back on the PC? :S Sorry, it just sounds scary and all, plus I'm scared about what might be lurking, but the complicated nature of this is putting me off.

First there is absolutely no reason to reformat, unless there is something you aren’t telling us (or why do you feel you need to) ?
If you feel this sounds confusing a reformat is brain surgery by comparison.

C:\ is the drive that is the boot drive, the primary drive.
When you click on that, then File, New, Folder, click that and a new folder will pop up; name that Suspect and click OK, job done, see images.

Well, trust me, I was scared of reformatting at first but managed in the end to do it. The reason why I bring up reformatting is mainly because it's one of my favorite ways to be sure there are zero viruses on my computer (after all, avast could possibly not pick up some virus/trojan horse etc.). I just see it as risky putting the viruses back on the PC? :S But I guess you're the expert, not I. I created the said file you wanted, next stage? :S I presume I do the VirusTotal after putting the infected files in the ‘Suspect’ folder? How do I get to the ‘standard shield customize advanced add’ thingy?

Sure hope you know what you're doing, sorry, I just don't really like going into unknown territory :-[.

Putting a suspect file in a different location to its original is not so risky (provided you don’t try and run it) as any registry entry that is present to run that file won’t work as the file isn’t in the original location but a temporary one. So to all intents and purposes it is inert in the suspect folder, so not so much of a risk.

Don’t lose sight of the fact that the reason we want you to check it is to confirm (or deny) the detection, as we think that there is a possibility it isn’t infected and that is why we want you to check it.

We wouldn’t ask you to do something that was downright dangerous.

Left click the avast icon, if there is a button called Details… >> click that it will display a different layout showing all the avast shields, select the Standard Shield. Now you are at the point I mentioned earlier to exclude the suspect folder.

Reply #7 above
http://forum.avast.com/index.php?topic=40194.msg337314#msg337314

Once you have done that, copy the mst120.dll to the suspect folder (assuming it is still present after your format and OS reinstall) and upload to virustotal.
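
An added example, not written by any poster in this thread: a read-only check of the exported copy that collects its SHA-256 and its digital-signature status, the two facts the replies above ask about before calling the detection a false positive. The function name `Get-SuspectFileReport` is hypothetical, and the path assumes the C:\Suspect folder described in the thread.

```powershell
# Added example: triage report for a file exported from the virus chest.
# The path is an assumption taken from the thread's C:\Suspect folder.
function Get-SuspectFileReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path -Force
    # Hashing and signature checks only read the file; nothing is executed.
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        LastWriteTime   = $item.LastWriteTime
        SHA256          = $hash.Hash
        # Valid = signed and trusted; HashMismatch = altered after signing.
        SignatureStatus = $sig.Status
        Signer          = $signer
        # Version strings are set by whoever built the file, so treat them
        # as a hint only; the signature is the part that is verified.
        CompanyName     = $item.VersionInfo.CompanyName
        FileDescription = $item.VersionInfo.FileDescription
    }
}

Get-SuspectFileReport -Path 'C:\Suspect\mst120.dll' | Format-List
```

The SHA256 value can be searched on VirusTotal as well as uploading the file. A NotSigned result does not settle the question on its own, because some Windows files are signed through a catalog rather than inside the file, which older PowerShell versions may report as NotSigned.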