Win 32 gen found, need help

As I said in another topic (sorry), I have this bugger and I guess it's harder than I thought to get rid of.

Here's some of my info:

OS: XP
Last window update: yesterday
firewall: yes
Files identified as infected: restore, alienstars (Real One arcade game) and tropix (also a Real One arcade game)

I have no idea how it got on. I need step by step help with downloads if needed.

What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections: C:\Program Files\Alwil Software\Avast4\ashLogV.exe. Or check the source file using Notepad: C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

What action did you choose on detection? Move to Chest is the safest option.

If you have had this program file for a while I would suggest confirming the detection.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here: the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

OK, I will try that.

As I said in another topic (sorry)
No big deal... It's just easier to help one person at a time, ya know?

OK, first of all, the files that were identified as infected: can you post the exact file names and locations?

I hate Real One, I always have, and it's this sort of thing that makes that hatred apparent... However, this might be a false positive.

I don’t know what you did with the files once they were detected. Hopefully you just quarantined them.

The next logical step is to upload them to http://www.virustotal.com to make sure that they are not a False Positive (FP).

If they aren't, you should try downloading Malwarebytes http://www.malwarebytes.org and/or Superantispyware http://www.superantispyware.com, installing the programs, updating them, and running scans.

Posting a log from any one of those three on here once you are done running the scans will help us evaluate what we have going on here.

I’ll wait to see what you say about where the viruses are and what you did with them before going further.

Welcome to the forums…

Figures... DavidR typed faster than I did. Darn, I need to start that script collection soon... ;D

I can't seem to find the Standard Shield options. Where are they on the MP3 skin?

Right-Click your Avast Icon in the System Tray (the blue ball), then click On-Access Protection Control.

Then, expand "Details" (if needed), which is on the bottom. Click Standard Shield, and follow the rest of DavidR's directions.

Faster ;D Left click the blue 'a' icon and click the Details button.

Learn something new every day… ;D

It says this:

0 bytes size received / Se ha recibido un archivo vacio

Sorry about the double post, but wouldn't those programs conflict with Avast?

No, they aren't antivirus programs, they're antispyware programs. They're fine.

As for your 0 bytes received, is that what VirusTotal said? Did you upload the file? Is it 0 bytes on your computer as well?

I uploaded them to VirusTotal; it still said zero bytes. Computer says 83KB for both.

I don't know what to say really. If the file is bigger than that on your computer, you might not be uploading it correctly?

I select Browse and then go to the Suspect file and try both infected files one at a time. Should I just put the whole Suspect file in? I don't know how to do that.

Just do one at a time...

I haven't tried more than one at a time yet. I'll look at their site, but I don't know if it's possible to do or not yet.

After this, should I just try downloading the program HJT I've heard about?

Yes, that would be a good next step...

Please post a link to the VirusTotal pages for both files first, though.

We'll take a look at HijackThis logs next if we need to.

For restore...
MD5: a1b5f0632a44b3464c8f4ba5fde14d36
First received: 11.15.2007 18:48:04 (CET)
Date: 11.15.2007 18:48:04 (CET) [>503D]
Results: 9/32
Permalink: analisis/1555b69aafd2ec18c7b6dae901ea0d5f

For Tropix postcard...
MD5: a1b5f0632a44b3464c8f4ba5fde14d36
First received: 11.15.2007 18:48:04 (CET)
Date: 11.15.2007 18:48:04 (CET) [>503D]
Results: 9/32
Permalink: analisis/1555b69aafd2ec18c7b6dae901ea0d5f

Weird, they show the same things.
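Before uploading anything exported from the chest, it is worth checking locally that each file in the Suspect folder is not empty (a 0-byte export is what produces VirusTotal's "0 bytes size received" message) and what its MD5 is, since two files with the same MD5 have identical content and will always produce the same VirusTotal report. The script below is an added example written for this thread, not something posted by the participants or part of avast or VirusTotal; it assumes Python 3 and builds its own constructed sample folder (the file names and bytes are made up) so it runs without touching anyone's real quarantine.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def file_digests(path, chunk_size=65536):
    """Return (size_in_bytes, md5_hex, sha256_hex) for one file, read in chunks.

    Reading in chunks keeps memory flat even for large exports.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def inventory_suspect_folder(folder):
    """Hash every regular file in `folder`.

    Returns (records, duplicates): one record per file with its size and
    digests plus an `empty` flag, and a dict mapping any MD5 that occurs
    more than once to the list of file names sharing it.
    """
    records = []
    by_md5 = defaultdict(list)
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        size, md5, sha256 = file_digests(path)
        records.append({
            "name": name,
            "size": size,
            "md5": md5,
            "sha256": sha256,
            "empty": size == 0,   # an empty export is not worth uploading
        })
        by_md5[md5].append(name)
    duplicates = {h: names for h, names in by_md5.items() if len(names) > 1}
    return records, duplicates


def build_demo_folder():
    """Constructed sample folder (hypothetical names, fake bytes).

    Two 'exports' contain the same bytes, mirroring the thread's two files
    that produced one MD5; a third is a 0-byte export.
    """
    folder = tempfile.mkdtemp(prefix="suspect_demo_")
    payload = b"MZ" + b"\x90" * 62 + b"constructed sample, not a real program\n"
    for name in ("restore.exe", "tropix_postcard.exe"):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(payload)
    open(os.path.join(folder, "alienstars.exe"), "wb").close()
    return folder


def report(folder):
    """Print a short checklist for the folder; returns the inventory."""
    records, duplicates = inventory_suspect_folder(folder)
    for r in records:
        status = "EMPTY - re-export before uploading" if r["empty"] else "ok"
        print(f"{r['name']:24} {r['size']:>8} bytes  md5={r['md5']}  {status}")
    for md5, names in duplicates.items():
        print(f"identical content (md5 {md5}): {', '.join(names)}")
    return records, duplicates


if __name__ == "__main__":
    # Replace with r"C:\Suspect" to check a real export folder.
    report(build_demo_folder())
```

Run it against `C:\Suspect` instead of the demo folder and compare the printed MD5 with the one VirusTotal reports; a mismatch means the upload did not carry the file you think it did, and an `EMPTY` line means the export from the chest failed, which is the first thing to fix before asking the scanner about it.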

You didn't post the hyperlink to the results page, but I see that it was detected as a malicious item by 9/32 A/V programs.

I'm guessing that it's not a false positive.

Now would be a good time to download HijackThis and run a scan. Please click "Additional Options" on the bottom of your post, and attach the HijackThis log for analysis.