Hi
I’m new to this and just downloaded and ran avast 4 home free edition and it found trojans and viruses but when I try to move it to the chest or to delete it, it says either: “error occurred during moving file to chest” or “error occurred during file deleting”. Why is this happening and what do I do?
Maybe files are in use. Are you using Windows XP/Vista?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can analyse them further.
I am running XP SP3. I will try running a boot time scan. Thank you.
Lisa
In the boot-time scan, avoid deleting anything, send to the chest (safest option).
What is the infected file name/s, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.
It might be easier to get the information using notepad and open C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log, use copy and paste to post in the forum.
Thank you.
Here is the warning log:
9/13/2008 1:52:06 PM 1221328326 Lisa 2992 Sign of “Win32:Agent-RVE [trj]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\RPCInstall_US.dll” file.
9/13/2008 1:58:32 PM 1221328712 Lisa 2992 Sign of “Win32:Agent-YFR [trj]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\RPCInstall_INTL.dll” file.
9/13/2008 1:58:48 PM 1221328728 Lisa 2992 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\freeze_us.exe%frztb_maindir%\freeze_us.dll” file.
9/13/2008 1:58:56 PM 1221328736 Lisa 2992 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\freeze_int.exe%frztb_maindir%\freeze_int.dll” file.
9/13/2008 1:59:01 PM 1221328741 Lisa 2992 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\blinksetup.exe[Embedded#06140]$0\blink.dll” file.
9/13/2008 1:59:13 PM 1221328753 Lisa 2992 Sign of “Win32:Onestep-B [trj]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\blinksetup.exe[Embedded#06140]$0\blink.exe” file.
9/13/2008 1:59:17 PM 1221328757 Lisa 2992 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\osfreez118.exe[Embedded#01340]$0\onestep.dll” file.
9/13/2008 2:03:45 PM 1221329025 Lisa 2992 Sign of “Win32:Onestep-B [trj]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\osfreez118.exe[Embedded#01340]$0\onestep.exe” file.
9/13/2008 2:03:55 PM 1221329035 Lisa 2992 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\osfreez118.exe[Embedded#01340]$0\osopt.exe” file.
9/13/2008 2:03:58 PM 1221329038 Lisa 2992 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\osfreez118.exe[Embedded#01340]$0\uninstall.exe” file.
9/13/2008 2:04:00 PM 1221329040 Lisa 2992 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\PCCInstall_US.dll” file.
9/13/2008 2:04:10 PM 1221329050 Lisa 2992 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\PCCInstall_INTL.dll” file.
9/13/2008 2:04:16 PM 1221329056 Lisa 2992 Sign of “Win32:Onestep-B [trj]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\zsetup.exe$0\zumie.exe” file.
9/13/2008 2:04:22 PM 1221329062 Lisa 2992 Sign of “Win32:Onestep-E [trj]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\zsetup.exe” file.
9/13/2008 2:04:56 PM 1221329096 Lisa 2992 Sign of “Win32:Onestep-E [trj]” has been found in “C:\Users\Lisa\Desktop\tightbackgroundsFree.exe” file.
Also, how come when I ran bitdefender it came up empty?
Did you install tightbackgroundsFree.exe, what exactly is it and how long have you had it on your system ?
If you sent those files to the chest, you could run bitdefender till you are blue in the face it wouldn’t find anything.
You could also check a few of the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Thanks DavidR
answer DavidR’s question about tightbackgroundsFree.exe,
if you did install this program it may have brought some friends along
does it show up in add remove programs or START>Programs> name of program> uninstall?
did you run the Bit Defender or Avast Scan first?
check avast “chest” anything there? (do not count the three system backup files)
whose warning log is this? and why is it just a warning log?
the first line is malware
zumie.exe is malware do not run this
so send them to the chest/ quarantine do not remove or delete
no idea why bit defender came up empty- DavidR’s idea is as good as any if they are in the AVAST CHEST
BD is great if you are living in the world of first day threats and like their heuristics and the subsequent false positives
BD also CLEANS as well as detects
however AVAST HAS added SOME Malware detection to their already fine AV program
now the AVAST SOME caveat
after you get the other program to deal with what it found post new log
(post back if it can’t deal with a detection)
then
Go to Malwarebytes.org and download, update and run Malware Bytes Anti Malware FREE
(go to the download page not the product page)
Just run the quick scan for now
place a check mark next to all baddies
then click FIX CHECKED
post log
while you are there you can run Rogue Remover Free also
you can also Download install update Super Anti Spyware and let it quarantine any remaining baddies
post log (without cookies)
now read the stickie at the top of this forum and post a Hijack This (scan only)
No I did not install that and I didn’t put them in the chest because it wouldn’t let me.
I ran malwarebytes.org and it did not find these neither did superantispyware. The only program that found these was avast yet it won’t let me move it to the chest, keeps saying error occurred.
OK
let’s rt click the avast ball and do update>programs (just in case)
then open avast and schedule a boot time scan and then reboot
we should now be able to move everything to the chest
post the log and let’s see
either way do the rest of the drill
If you get short of time just post up what you have done so far and let the next thing run overnight
will do thanks.
@ Lisa64
Since you didn’t install it I would say that the detections are more likely to be good, so you should run a boot-time scan which should get round the problems moving them to the chest.
If you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.
Since this was an uninvited guest I would suggest some other scans:
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
- SUPERantispyware On-Demand only in free version.
- MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
@ wyrmrider
If you check my post (reply #3) you will see it is the avast warning.log file (I gave the location for it), much easier to copy and paste info from the text file than try and export it from the Warning section of the avast log viewer.
Right
Saw that I guess I would like to have scans labeled
how do you tell from the Warning log if there was action taken and if so what it was?
did I miss something (again?)
I guess you could run the scan again and show a clean system
but I’d like to know what was found, that they are safely in the chest, or if they could not be moved to the chest then go to plan B (Boot time scan)
and if they STILL will not go to chest do a custom routine
IN this case it was nice to see the warnings so we could guess at the FalsePositive/ favorite program vs Nasty question
Unfortunately it looks nasty to me
Lisa -
Have you installed any screen savers from Freeze.com?
This file … tightbackgroundsFree.exe … belongs to Freeze.com according to Prevx.
Information at the link below :
http://www.prevx.com/filenames/1476036070245750424-0/TIGHTBACKGROUNDSFREE.EXE.html
Freeze is known to be a bad site to visit as shown in the photos below.
The short answer is you can’t as that isn’t the purpose of the avast log viewer or the warning.log data file where the information is kept, it is simply recording the alerts.
There is nothing to stop the user checking the chest, infected files section, but then the user, ‘should’ know the action that they chose on the alert.
Which is the standard response to being unable to move to the chest file in use, etc. etc. as the boot-time scan shouldn’t suffer from the same problem.
Well the actual entry ‘didn’t’ look suspicious or otherwise to me which was why I asked the questions I did, e.g. did they install it, what does it do, etc. It is the answers that confirm that it is most likely that the detection is good.
No, I have never visited that site. I did the boot-time scan and it came up with 1 infected file and it won’t let me move it to the chest. I looked in the chest and it has 3 files under system files which are: 1. Kernel32.dll, 2. winsock.dll, 3. wsock32.dll
09/14/2008
Scan of C:\
File C:\System Volume Information_restore{CA527F24-15A4-4D1E-9D7A-2D1036842F6E}\RP37\A0010316.exe\resource.0000.pkg\RPCInstall_US.dll is infected by Win32:Agent-RVE [trj],
Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}, Move to chest: Error 0xC0000024 {Wrong Type}
Number of searched folders: 5898
Number of tested files: 276886
Number of infected files: 1
The system files section of the chest contains a back-up copy of important system files in case the original were to become infected avast would replace with the back-up. Obviously leave these files alone.
The Infected Files section is the only area of concern to you at the moment.
This is an infected restore point, created by system restore when a file was moved or deleted from a system folder. avast should have been able to deal with it in normal mode and even more so in a boot-time scan, which seems very strange.
With a suspect restore point if you use system restore in the future it could reinfect your system, so it is best to disable system restore and reboot. This will clear ‘all’ restore points not just this suspect one. Now run a normal scan and if clear, enable system restore again, this will create a restore point.
Windows XP System Restore General Information System Restore Guide
What happened to the earlier detections, the ones in Lisa\Desktop\tightbackgroundsFree.exe file ?
If they couldn’t be dealt with at the original time of detection they should still be present and detected on subsequent scans.
Okay, I turned off system restore and will scan again after rebooting. The other is still in the warning log but didn’t show up on the scan. Don’t know why.
The warning.log is historical data it doesn’t mean it is now on your system. However if you were unable to deal with it as your posts state, they should still be there.
So even though avast reported experiencing a problem it looks like it was still able to deal with it. You should confirm this by checking the path and ensuring that the C:\Users\Lisa\Desktop\tightbackgroundsFree.exe file is no longer there.
- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.
I looked for that file and it’s not anywhere to be found. I did a normal scan after turning off system restore and rebooting and nothing came up and then I turned restore back on.
I think we can safely assume that it has now gone.
Now you need to look at the other software I mentioned (in reply #10 page 1 of this topic), SAS and MalwareBytes Anti Malware, as if you didn’t put it there something else did.
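As an added reading aid that is not part of the thread or of avast's own tooling: the Python sketch below parses Warning.log entries of the form posted above and groups the alerts by the file that actually sits on disk, which shows that the nested detections all trace back to the single tightbackgroundsFree.exe download. The field layout and the extension-based rule for finding the on-disk file are assumptions inferred from the posted lines; the three sample entries are copied from the log in this thread with straight quotes.

```python
import re
from collections import defaultdict

# Three entries copied from the Warning.log posted in the thread (straight quotes).
SAMPLE_LOG = r"""
9/13/2008 1:52:06 PM 1221328326 Lisa 2992 Sign of "Win32:Agent-RVE [trj]" has been found in "C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\RPCInstall_US.dll" file.
9/13/2008 2:04:16 PM 1221329056 Lisa 2992 Sign of "Win32:Onestep-B [trj]" has been found in "C:\Users\Lisa\Desktop\tightbackgroundsFree.exe\resource.0000.pkg\zsetup.exe$0\zumie.exe" file.
9/13/2008 2:04:56 PM 1221329096 Lisa 2992 Sign of "Win32:Onestep-E [trj]" has been found in "C:\Users\Lisa\Desktop\tightbackgroundsFree.exe" file.
"""

# Layout inferred from the posted lines: local date/time, epoch seconds, user,
# one numeric field of unknown meaning, then the alert text. Curly quotes are
# accepted too because forum software often rewrites them.
LINE_RE = re.compile(
    r'^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M (?P<epoch>\d+) (?P<user>\S+) \d+ '
    r'Sign of ["“](?P<name>.+?)["”] has been found in ["“](?P<path>.+?)["”] file\.$')

# Assumption: the first path component with one of these extensions is the file
# that exists on disk; later components are members unpacked by the scanner.
CONTAINER_EXT = re.compile(r"\.(exe|zip|rar|cab|msi|pkg)$", re.IGNORECASE)

def parse_line(line):
    """Return the fields of one alert line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"epoch": int(m["epoch"]), "user": m["user"], "name": m["name"], "path": m["path"]}

def split_container(path):
    """Split a reported path into (file on disk, member inside it)."""
    parts = path.split("\\")
    for i, part in enumerate(parts):
        if CONTAINER_EXT.search(part):
            return "\\".join(parts[: i + 1]), "\\".join(parts[i + 1:])
    return path, ""

def group_by_disk_file(text):
    """Map each on-disk file to the list of (detection name, inner member) alerts."""
    groups = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            disk_file, member = split_container(entry["path"])
            groups[disk_file].append((entry["name"], member or "<the file itself>"))
    return dict(groups)

if __name__ == "__main__":
    for disk_file, hits in group_by_disk_file(SAMPLE_LOG).items():
        print(disk_file, "->", len(hits), "alerts")
        for name, member in hits:
            print("   ", name, "in", member)
```

As noted in the thread, the log only records alerts, so the grouping says nothing about whether a file was moved to the chest or deleted.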