what do i do with files in "chest"?

What do I do with them? I had a few infected files, so I moved them to the chest and everything seems fine. Do I just leave them there forever? I've seen some people say that you just delete them after waiting like a week or something, but what would waiting a week do? And they are Windows files, so I'm sure I'm not supposed to delete them. Help is greatly appreciated. Thanks.

You have done the right thing: ‘first do no harm’, don’t delete; send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and, if they are still detected as viruses, delete them.

What do you mean, they’re Windows files?
Just because they happened to be in a Windows folder doesn’t mean a) they are Windows files and b) they weren’t infected.

What is the malware name, the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

The names of the viruses are win32:fasec and win32:alureon-BX. The names of the win32:fasec files are UACb994.TMP, UACcbde.TMP, UACFOBALBAVUTKLTODGW.DLL, UACLGDTYCFNGVCRUUUOT.DLL, UACYFKMOYLJCTVPJKDYI.DLL. The names of the win32:alureon-BX files are UACbf80.TMP and UACjmtdxjlmktkuflmij.sys. The DLLs are in C:\WINDOWS\SYSTEM32, the sys file is in C:\WINDOWS\SYSTEM32\DRIVERS, and the TMP files are in C:\WINDOWS\TEMP. ALSO there is kernel32.dll, winsock.dll, wsock32.dll and I can't find the names of the virus in them.

These files would be in the Infected folder of the Chest and are safe to be kept there. In two weeks, you can rescan them and, if they’re still infected, delete them.

These files are there for backup purposes; they’re in the system folder of the Chest, and they’re clean.

It would have been easier to copy and paste the entries from the warning.log file I gave the path to; less for you to explain and easier for us to follow:

04/07/2009 22:33:31 1246743211 SYSTEM 1448 Sign of "JS:Bulered [Trj]" has been found in "hXXp://patrickallenmohnphotography.com/orders/orders_index_image.html" file.
04/07/2009 22:34:45 1246743285 SYSTEM 1448 Sign of "JS:Bulered [Trj]" has been found in "hXXp://patrickallenmohnphotography.com/favicon.ico" file.
04/07/2009 22:35:45 1246743345 SYSTEM 1448 Sign of "JS:Bulered [Trj]" has been found in "hXXp://www.patrickallenmohnphotography.com/orders/orders_index_image.html" file.

Whilst these examples are from when I was investigating sites that have been hacked, it just shows how much easier it is to get the data direct from the warning.log.

That aside, the detections look good (nothing to do with Windows files), apparently related to a fake security program, so you were probably getting notifications that your system was infected, etc.

I would suggest that you also run these.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.

The others, as Tech mentioned, are backup copies of important system files, which you should leave alone.
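The Warning.log entries quoted above all share one shape (date, time, epoch, account, PID, then the detection message), so they can be parsed rather than retyped. This is an added Python example, not avast's code or any poster's; the sample lines are constructed in that shape, reusing only the signature names and the driver path already mentioned in the thread.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample shaped like the avast 4 Warning.log lines quoted above:
# "<dd/mm/yyyy> <hh:mm:ss> <epoch> <account> <pid> Sign of "<sig>" has been
# found in "<path>" file."  URLs stay defanged (hXXp) as in the post.
SAMPLE_LOG = r'''04/07/2009 22:33:31 1246743211 SYSTEM 1448 Sign of "JS:Bulered [Trj]" has been found in "hXXp://patrickallenmohnphotography.com/orders/orders_index_image.html" file.
04/07/2009 22:34:45 1246743285 SYSTEM 1448 Sign of "JS:Bulered [Trj]" has been found in "hXXp://patrickallenmohnphotography.com/favicon.ico" file.
04/07/2009 22:35:45 1246743345 SYSTEM 1448 Sign of "Win32:Alureon-BX" has been found in "C:\WINDOWS\SYSTEM32\DRIVERS\UACjmtdxjlmktkuflmij.sys" file.
some unrelated line that the parser must ignore
'''

ENTRY_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<epoch>\d+) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of "(?P<signature>[^"]+)" '
    r'has been found in "(?P<path>[^"]+)" file\.$')

def classify(path):
    """Web-shield hit (defanged or not) versus a file on disk."""
    if re.match(r'h(xx|tt)ps?://', path, re.IGNORECASE):
        return "web"
    if re.match(r'[A-Za-z]:\\', path):
        return "filesystem"
    return "other"

def parse_warning_log(text):
    """One dict per detection line; anything else is skipped.  The epoch
    column is the authoritative time: the dd/mm/yyyy column is local time
    and ambiguous without knowing the machine's locale."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "when": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
            "account": m["account"],
            "pid": int(m["pid"]),
            "signature": m["signature"],
            "path": m["path"],
            "kind": classify(m["path"]),
        })
    return entries

def summarize(entries):
    """Hits per signature and per location kind (did one infection bring others?)."""
    return Counter(e["signature"] for e in entries), Counter(e["kind"] for e in entries)
```

Feed it the real `C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log` text and the per-signature counts show at a glance whether a single detection is repeating or several families are present.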

If it’s in the Windows folder, it doesn’t mean it’s not a fake file to trap you into believing it’s a false positive. I had 3 infected files in Windows/system32/ but I deleted them all at boot-time scan. The files were zlib.dll, config.exe and svchost.exe (you can see this program 6-7 times in Task Manager as a system file, but apparently the one I deleted was a fake file and caused no harm at all). Still, it's best if you quarantine them before you delete so you don’t regret it later (my copy of Windows installs the recovery console on my comp, so I can delete without worrying. The single side-effect is that it gives me some registry errors, so…).

Deletion isn’t really a good first option (you have none left): ‘first do no harm’, don’t delete; send the virus to the chest and investigate.

Sorry for not replying sooner, but do I need to post the log after I scan with Malwarebytes? And should I do a full or quick scan?


First, do a quick scan with MBAM and then post the log here.


Sorry I keep replying late, I keep forgetting to check my email. Here's the log. Also, when I scan them, if they AREN'T infected, do I just restore them?
Malwarebytes’ Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/16/2009 9:43:03 PM
mbam-log-2009-07-16 (21-43-03).txt

Scan type: Quick Scan
Objects scanned: 100234
Time elapsed: 8 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Well the MBAM log doesn’t show anything, so I’m not sure what you mean by “if they ARENT infected, do i just restore them?”

If you mean the files in the chest - MBAM can’t scan files in the chest (a protected area), so it can’t confirm the detection.

The files in the Infected Files section of the chest, I believe, are good detections, so much so that I suggested other scans (as I said in Reply #4) to see if they had invited any other friends to the party.

Now you need to download, install, update, run SuperAntiSpyware and attach the log.