Virus Scan Results.

system · 2007-12-05T17:46:25.000Z

I ran Avast yesterday and the scan showed the system clean. However after updating to version 4.7.1098 and installing the latest definitions a scan showed the following virus which I have placed in the virus chest.

File Name: A0133330.exe
FileID: 8
Virus Description: Win32:Spyware-gen [trj]
(location C:\System Volume Information_restore)

I then did a further scan which showed the following infection:

File Name: Restart.exe
FileID: 7
Virus Description: Win32:Spyware-gen [trj]
(location C:\WINDOWS\System32\Tools)

Could these alerts be false positives? Also is it ok to leave the files in the quarantine chest or should I delete them. Thanks EY

DavidR · 2007-12-05T18:29:25.000Z

It is not unusual that after VPS updates that you may find it detects something previously undetected.

However, looking at the FileID: number it looks like it first found the one, restart.exe in the system32 folder and the act of moving it meant system restore saved a copy of it in the C:\System Volume Information folder. I say this as the detection is the same spyware-gen.

Restart.exe could well be a tool (given its location in a Tools, sub-folder of system32) but tools can be used for good or evil as avast can’t determine use. I don’t have a Tools sub-folder of system32 so you have to ask what put it there.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

If it is indeed a false positive, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Send the sample to virus@avast.com zipped and password protected with the password in email body and false positive in the subject.

Or if it is in the avast chest send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

system · 2007-12-05T21:37:05.000Z

Hi DavidR, Many thanks for your rapid response it is very much appreciated. After posting here I ran Spybot and Ad-Aware plus various online scans and all came back clean. I then ran Avast again and another entry came up;

Virus has been detected!
File Name: A0133363.exe
FileID: 13
Virus Description: Win32:Spyware-gen [trj]

(again in System Volume Information)

I then ran the file in Virus Total and it had already been reported. Not all Virus Total scanners detected it but Avast/Kasparsky and a few others did (under different names), have sent copies to Avast for their info. I have made a new restore point and removed all earlier ones and just finished a further scan in safe mode and all is clear. Thanks once again. EY

DavidR · 2007-12-05T22:54:08.000Z

Your welcome.

Spybot S&D and adaware are lightweight (IMHO) when compared to these anti-spyware applications.

SUPERantispyware On-Demand only in free version. Or AVG anti-spyware (formerly Ewido) Resident scanner during trial On-Demand after trial ends. Or Spyware Terminator Resident scanner.

I don’t know how this other detection was found in the System Volume Information folder as that is usually associated with a deletion or moved file from the system folders and if that were the case I would also have expected you to have had an avast alert on a file in the system folders first.

It may be worth clearing all the old restore points and creating a new clean one (assuming your system is currently clean other than this detection).

Create Clean Restore Point - Clear old Restore Points.

Now you are clear of infection create a clean System Restore point:

Click Start, All Programs, Accessories, System tools, System Restore.
In the pop-up that appears fill in the radio button to Create a Restore Point
Click NEXT
Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
Click CREATE

You now have a clean restore point, you should clear the old ones:

Click Start, All Programs, Accessories, System tools, Disk Clean Up
Click OK on the C: drive
Click the More Options tab
In the System Restore section click the Clean Up button

Lisandro · 2007-12-05T23:58:31.000Z

I suggest:

Disable System Restore and reenable it after step 3. Or follow the procedures posted by David.
Clean your temporary files.
Schedule a boot time scanning with avast with archive scanning turned on.
Use AVG Antispyware; SUPERantispyware and/or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
Immunize your system with SpywareBlaster or Windows Advanced Care.
Check if you have insecure applications with Secunia Software Inspector.

system · 2007-12-06T00:17:44.000Z

Thanks for all your help it has been much appreciated.

I have just finished running ESET and F Secure scans and both have indicated my system is clean, I also ran Avast in safe mode and again nothing was detected. Will run the AVG (Ewido) and Microsoft MSR Tool tomorrow as well in addition to a boot scan with Avast.

Avast and you guys have been second to none today I can’t thank you enough Regards EY

DavidR · 2007-12-06T02:39:28.000Z

Your welcome.

system · 2007-12-06T19:46:52.000Z

Hi DavidR, I see your point about the other detection (A0133363.exe in System Volume Information) but that was the only place that Avast discovered it. Did more scans today and all were fine. Should I leave the files quarantined in the chest or is it safe to delete them? Thanks. EY

Lisandro · 2007-12-06T19:54:30.000Z

east yorkie post:8:

Should I leave the files quarantined in the chest or is it safe to delete them? Thanks. EY

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

DavidR · 2007-12-06T20:23:22.000Z

east yorkie post:8:

Hi DavidR, I see your point about the other detection (A0133363.exe in System Volume Information) but that was the only place that Avast discovered it. Did more scans today and all were fine. Should I leave the files quarantined in the chest or is it safe to delete them? Thanks. EY

Your welcome.
There is no harm in leaving them there for a while.

system · 2007-12-06T22:55:59.000Z

Thanks Tech/DavidR for the clarification much appreciated as always. EY

Announcements