Where is the program that was recognized by AVAST as Malware?

Hello:

I am in need of printing out 10 years of tax returns and had to search through some old HDs (since removed from their computers) to find old installations of TaxCut (HR Block). When I tried to double click on TaxCut04.exe and TaxCut05.exe on the same disc, AVAST informed me that they were Win32:Vitro infected (yes, I know this is a nasty one! I remember this infection and it took two weeks and finally wiping the main HD to stop the infection). Then the exe disappeared. I could not find it in the Virus Chest nor through any search in Recycle nor anywhere else on the HD in question or on the current HD in the computer used to connect (via USB) to this old drive.

I really need to recover those two EXEs so I can print out these old tax returns. I plan to do an image backup of the current HD, then use Sandboxie to run these two programs. I will disconnect from the internet and the in-house network. There will be no new data, thus no writing to disc, by the two TaxCut programs. The entire disc is infected and I would never use it otherwise.

Where does AVAST put such files? BTW, I have sandboxing set to off, because it was constantly triggered when I was using Delphi IDE developing my own programs.

Thank you,

Chuck Belanger

What I have found is the following:

  1. Used Restoration Freeware to find and undelete Taxcut.exe for the 2004 and 2005 versions.
  2. Although I did not write to the disk after AVAST deleted this file, Restoration only found the EXE by looking for files with mixed clusters of other files. I attempted to copy the file to another partition and was successful.
  3. Used Sandboxie to attempt to run TaxCut; it would not, because it states the exe is a 16-bit program (it is not). Would not open. Tried to open after scanning with AVAST. Avast now reports the exe is not a threat. On trying to open by dbl click, a command window pops up and says the program is too large for memory (it is about 5mb).
  4. Avast clearly not only deletes the exe when it detects malware, but also scrambles it, making it impossible to recover.

This is going to be costly for me since I no longer have the installation discs, and it has already taken many hours of my time. I believe that any malware infected EXE should be quarantined first, not deleted irrevocably!

Very unhappy about this, AVAST.
Chuck
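
A header sanity check for an undeleted executable like the one described in the post above, as an added example that is not part of the thread: Windows runs a file as a Win32 program only when its MZ header points to a valid PE signature, and otherwise treats it as a DOS program. The function names, result labels and sample bytes are constructed for illustration, and the check covers headers only, not the contents of each section.

```python
import struct
import sys

PE_SIG = b"PE\0\0"

def classify_exe(data: bytes) -> str:
    """Check headers only: 'not-mz', 'mz-no-pe', 'pe-truncated' or 'pe-ok'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-mz"
    # e_lfanew at offset 0x3C of the DOS header locates the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIG:
        return "mz-no-pe"  # treated as a DOS (16-bit) program, not Win32
    # COFF file header: 20 bytes following the 4-byte signature.
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    for i in range(nsect):
        off = table + 40 * i  # each section header is 40 bytes
        if off + 40 > len(data):
            return "pe-truncated"
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20.
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        if raw_ptr + raw_size > len(data):
            return "pe-truncated"  # section data runs past end of file
    return "pe-ok"  # headers consistent; section contents are NOT verified

def build_sample(pe_sig: bytes = PE_SIG, body_len: int = 0x200) -> bytes:
    """Constructed minimal PE image (one .text section) used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    return (dos + pe_sig + coff + sect).ljust(0x200, b"\0") + b"\x90" * body_len

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a recovered file
        with open(sys.argv[1], "rb") as f:
            print(classify_exe(f.read()))
    else:  # constructed samples: intact, cut short, PE signature overwritten
        print(classify_exe(build_sample()))
        print(classify_exe(build_sample(body_len=0x100)))
        print(classify_exe(build_sample(pe_sig=b"\0\0\0\0")))
```

A result of `pe-ok` does not show that the file is clean or complete; it shows only that the header fields agree with the file size.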

The default action is to quarantine.
If it is a false positive, then once the erroneous detection has stopped, you can right click on the file in the virus chest and select restore.
The restore function puts that file back into the folder from where it was originally detected.