W32.notime help? URGENT

My brother went on the computer today and supposedly updated Steam (Half Life games client) from Valve, he said the desktop resolution changed, the program crashed and other stuff happened. I did a check of my computer using Avast and a file was detected in the Steam folder infected with W32.Notime so I moved it to the virus chest. What does this virus do and how can I check there are no remnants of it left?

ps my firewall log is full of Steam related entries with high invasion priority, can the developers of Avast please work on a way to allow scans of the packers that Steam games use please as I fear they are infected but not detectable by the current set of packers Avast supports

edit: I ran it through Virustotal and only Avast (detected it as W32.Notime) and Webwasher (detected it as suspicious W32.malware.dam) detected it

Did you Google?

Online scanning and other antitrojan/antispyware tools, besides full avast scanning.

If you can supply a sample for analysis, I mean, one that is detected by VirusTotal and not by avast itself…

I ran adaware and I was clean, the full scan of Avast detected only this one instance of the virus and virustotal only said Avast and webwasher detected it. I have sent the file to avast for analysis stating that it could be a false positive. I can't find any info on this virus online even with google the info is limited, if you can help me find out more on it I’d be very grateful

i’m preparing for the Win32:NoTime revision… i saw another one false detection, which i want to fix… i’ll fix that tomorrow.

can you confirm that it is a false detection or could it still be a real virus?

Since you didn’t say what the file name and location was I doubt Maxx_original could say for certain, as he doesn’t know what you detect it on to be able to check.

It was in my Steam games folder under temp files with a .vfx extension I think, I have sent it to Avast with a small description and I still have a copy in my virus chest

i can’t tell it without having seen the file…

Can I post the file here?

nope… i can extract it from virus-at-avast-dot-com box when i’m in da job…

anyway - it looks to be a quite legal software part… some PE protectors using many strange and suspicious techniques, which are misdetected by poly detections… i will take a look tomorrow…

I sent the file to virus @avast.com today so you should find it there, would you be able to post here once you have analyzed it to put my mind at rest, if it isn't too much trouble for you, thanks again mate for helping me with this

i said it already… there’s another one false positive, so i want to fix the detection soon… but now is Sunday night and i’m of course home :slight_smile:

sorry mate I didn't mean now as I can appreciate it's Sunday night just wanted to clarify whether you would come back to this topic after checking my file out, again sorry :-[

don’t be sorry for that… i just want to say, that i’d prefer to solve this problem quickly, but i (and also you) must wait till morning… i’ll be back with more info about this particular file and/or this detection generally… oki? :slight_smile:

Just a quick question how does someone like yourself determine if a file is a false positive or the genuine virus?

e.g. by the fact, that there’s only one “infected” file… and Win32:NoTime is a polymorphic file infector and it infects files by their extensions (.exe)…

Anyway I have faith in you mate see you tomorrow to see where we stand on this issue

ps Just a reminder that the file I sent will have arrived on the 4th November from a lycos email account

i expect your file to be undetected with next VPS… the problem was related to the incorrect entry point RVA (specified in PE header)…
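The post above attributes the false positive to the entry point RVA recorded in the PE header. As an added example (not code from the thread or from avast), this Python sketch reads `AddressOfEntryPoint` and reports which section, if any, contains it; the thread does not say what was wrong with the RVA in this case, so the "entry point outside every section" check and the sample header built by the hypothetical `build_sample` are assumptions chosen for illustration.

```python
import struct

def entry_point_report(data: bytes) -> dict:
    """Return the entry point RVA and the name of the section containing it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4                                        # 20-byte COFF header
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                          # optional header
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size                                   # section table
    owner = None
    for i in range(n_sections):
        off = table + 40 * i                                 # 40 bytes per entry
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            owner = name
            break
    return {"entry_rva": entry_rva, "section": owner}

def build_sample(entry_rva: int) -> bytes:
    """Constructed minimal PE header: one .text section at RVA 0x1000, size 0x200."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, entry_rva)
    opt = opt.ljust(0xE0, b"\0")
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200,
                       0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect

if __name__ == "__main__":
    for rva in (0x1010, 0x9000):                             # inside / outside .text
        print(entry_point_report(build_sample(rva)))
```

A `section` of `None` means the header's entry point does not fall inside any listed section, which is worth a closer manual look before deciding whether a detection is genuine.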

can you confirm, that the FP is solved now?

It is now being shown as clean of infection