Win 32: Trojan-gen possible FP

I had Free version 4.8 till this morning. I did a clean install of Avast Free v 5.0.377 and everything seems to be fine. I ran a scan after installing the new software and have “WLX QuickTimeControl Host exe” in the Chest.

I saw on 1/22/2010 “drsubaru” posted that he also had this WLX QuickTimeControl Host exe (Win 32: Trojan-gen), but apparently there was not a new VPS released after he mentioned it. I’m at a loss trying to figure out how to send this to Alwil from the Chest. How do you email it?? In the past, I could not figure out how to submit a FP to have it checked as a virus.

MBAM does not report any problems and I don’t even use my “2006” Microsoft Digital Image software that the trojan is related to. Apparently on 2/1/2008 there was a software change to the program that was never used making me think that this is a FP as well.

I thought I would bring it to your attention so a new update can be issued as I don’t think it was submitted previously.

avast isn’t the only one to find issue with that file name, though checks on file name alone aren’t conclusive proof.
http://spywarefiles.prevx.com/RRHGIB43784261/WLXQUICKTIMECONTROLHOST.EXE.html

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

  • avast5 - Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*. That will stop the File System Shield scanning any file you put in that folder.

Open the chest and right click on the file and select Submit to virus lab, complete the short form (possible false positive) and submit. It will be uploaded on the next update.

I just downloaded Prevx and did a scan and it came up “Clean”. I didn’t keep Prevx. I don’t like keeping programs I’m not familiar with.

I’m unable to figure out how to submit that file. It is over my head. If it came up as nothing found, could I delete it from the chest if it is merely a copy or would you recommend keeping it in there a few weeks.

Sent a report and hopefully I did it “OK”, DavidR

It should be OK (if your image was the same as mine, click to expand the image, you are in the right area), submitting a file is much easier in 5.0 as access to the chest is easier.

I’m beginning to wonder if I didn’t jump into the fire with Avast 5. I just ran another Full System Scan (normal scan mode) and it found “AO206402.exe” - Original Location: C:\System Volume Information\restore(2… - Win32: Trojan-gen.

Is this a restore of WLX QuickTimeControlHost.exe? Now I have 2 infections showing in my Chest, and each time after running the Full System Scans yesterday and today, I was asked to run a “Boot Scan” and both times I could not make any selections of the 6 or so available options at the end of the scan. The only thing I could do is hold in the Power Button on the tower and shut down and then power back on the tower. Both are “Win 32: Trojan-gen”.

I tried going to Virus Total to check on the WLX QuickTimeControlHost.exe but got told I didn’t have the correct hash information.

I’m really snowed! How in the world did I come up with what is showing with Avast 5 when I had no problems with version 4.8 not finding anything on Friday when I ran a scan that included archive files??? I just installed version 5 on Monday (yesterday). “Nothing found” comes up scanning with MBAM and SUPERAntiSpyware programs. I always make it a point to run those programs prior to running a weekly Anti-Virus scan. The “Help” manual doesn’t seem to provide answers in detail and seems to apply more to the old version 4.8.

Could it be that when I entered the WLX exclusion I didn’t have a full path and another Trojan (restore) was picked up by the File System Shield? I had it listed as C:\Suspect\WLX QuickTimeControlHost.exe

Why would you think that? So a restore point has been detected as a trojan.

When a file that is covered by system restore is moved, modified or deleted, there is the possibility that it will be saved as a restore point in the System Volume Information folder, so it is entirely possible this is one and the same file but under a different name (system restore creates its own name).

The fact you had no problems with avast4 doesn’t mean you won’t have a detection with avast5 as it has different routines not available in 4.8.

You have to ensure that the path is exactly correct for the exclusion to work. There is no need to enter WLX QuickTimeControlHost.exe in the exclusion; just copy and paste exactly what I told you to use into the exclusion, “C:\Suspect*” without the quotes. The * is a wildcard for multiple characters, so everything in that folder would be excluded. That is the point, so you don’t have to enter an exclusion for each different file you send there.

A restore point won’t be created when you Export a file from the chest to the suspect folder, did you do that ?
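To tie together the two mechanics discussed in this thread (the wildcard exclusion for C:\Suspect and the hash VirusTotal wants before it will show a file’s results), here is an added helper script; it is not from the thread, not avast’s code, and not Alwil’s. It computes MD5/SHA-1/SHA-256 for a file extracted from the chest and builds a VirusTotal lookup URL (the /gui/file/<sha256> URL form is an assumption about the current VT site), and it checks candidate paths against the exclusion pattern the way a glob matcher does. Whether avast’s own exclusion engine matches exactly like fnmatch is also an assumption; the sample file bytes and paths are constructed placeholders, not malware.

```python
"""Added example (not from the thread): prepare files extracted from the avast
chest into C:\\Suspect for a VirusTotal hash lookup and sanity-check the
File System Shield exclusion pattern. Paths, file contents and the VT URL
format are assumptions/constructed for illustration."""
import fnmatch
import hashlib
import os
import tempfile

# The exclusion exactly as given in the thread; '*' matches any run of characters.
EXCLUSION_PATTERN = r"C:\Suspect*"


def is_excluded(path: str, pattern: str = EXCLUSION_PATTERN) -> bool:
    """True if `path` falls under an avast-style exclusion pattern.
    Windows paths are case-insensitive, so compare lower-cased strings.
    (Assumption: avast's matcher behaves like a plain glob.)"""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def file_hashes(path: str) -> dict:
    """MD5, SHA-1 and SHA-256 of a file, read in 64 KiB chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def vt_lookup_url(sha256_hex: str) -> str:
    """Assumed VirusTotal URL for looking up an already-known hash
    (no upload and no API key needed; paste it in the browser)."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"


def demo() -> dict:
    """Run the checks on a constructed placeholder file (NOT real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "WLXQuickTimeControlHost.exe")
        with open(sample, "wb") as fh:
            fh.write(b"abc")  # constructed placeholder bytes
        hashes = file_hashes(sample)

    # Constructed paths: two in the Suspect folder, one elsewhere, and one that
    # shows the pattern is broader than the folder (C:\Suspect* also matches
    # C:\Suspected-invoice.exe), which is why the folder name should be unique.
    candidates = (
        r"C:\Suspect\WLX QuickTimeControlHost.exe",
        r"C:\Suspect\AO206402.exe",
        r"C:\System Volume Information\AO206402.exe",
        r"C:\Suspected-invoice.exe",
    )
    return {
        "hashes": hashes,
        "url": vt_lookup_url(hashes["sha256"]),
        "excluded": {p: is_excluded(p) for p in candidates},
    }


if __name__ == "__main__":
    result = demo()
    for name, value in result["hashes"].items():
        print(f"{name:7s} {value}")
    print("VT lookup:", result["url"])
    for path, excluded in result["excluded"].items():
        print(f"{'EXCLUDED' if excluded else 'scanned '}  {path}")
```

Note the last candidate: a pattern ending in `*` right after the folder name also matches files whose names merely start with “Suspect” in the root of C:\, so keep the folder name unusual and don’t leave anything else starting with that prefix in C:\. The single-file exclusion Ron first entered (C:\Suspect\WLX QuickTimeControlHost.exe) covers only that one file, which is why DavidR says to use the wildcard instead.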

Where do I create a new folder? Should I do it within “My Documents”?

I noticed in creating a new folder "A file name cannot contain any of the following characters: \ / : * ? " < > |" So how can I name it C:\Suspect\ ?? Any suggestions as to naming the folder?

Will putting the path in the folder place my computer at risk or is there no risk of having a virus within the folder?

Questions, Questions??? :slight_smile:

By right-clicking on the infected item in the chest and selecting “Submit to Virus Lab”, I should be able to get the correct path at the top by copying and pasting it to the new folder. Am I correct?

Do I place the original WLX file in the folder by itself or do I include the restore file as well?

Gosh, you must think I’m a real dummy with all the questions I have, but this is brand new to me.

You create a folder called Suspect in the C:\ drive, not a folder called c:\suspect.

So the path to that folder (once created) needed in the exclusions is C:\Suspect with the additional * to exclude all files in that folder.

Submitting to the virus labs refers to avast and is over and above submitting it to VirusTotal. For that to be done you have to Extract it (different right click option, see the original image again), not Restore, as that places it in the original location and, if it happens to be infected, is not what you want as it would be active again.

By using Extract, it allows you to send a copy to the Suspect folder that you created.

I think I finally understand the procedure for exclusions after re-reading your first reply, DavidR. I’ve created a folder called Suspect within the C:\ drive. I placed both FP infections in the new folder and added it to be excluded from being scanned, so I think. The folder does have both entries within it after extracting the files from the chest. I’m dying to give a quick scan to see if the files come up, but think I’ll try to hold off. This is something new for me to grasp and I have never created a folder within the C:\ drive before or extracted files. I’m happy that you stuck by me, David. You know your stuff! I certainly was not reading and understanding what I was reading or I would not have mentioned making a folder in My Documents. Alwil will have more reports submitted than usual with me learning. :smiley:

I just noticed you already posted as I’m posting at the same time, David.

One question I have is, “What would cause me not to make any keyboard selections after the Boot Scans completed?” It was necessary for me to hold in the power button to shut down the program and then start up the tower once again.

Don’t do a Quick scan as that will detect the two files in the Suspect folder; they are only excluded from the File System Shield and you will be back to square one. Please don’t go doing anything not suggested.

It should boot into windows after the boot-time scan has completed provided there were no alerts, were there any alerts ?
The Esc key (top left of keyboard) should abort any boot-time scan running.

What type of keyboard do you have USB or PS2 ?
http://en.wikipedia.org/wiki/PS/2_connector
http://en.wikipedia.org/wiki/Universal_Serial_Bus

Some with USB keyboards may find they don’t work outside windows unless they have the setting enabled in their BIOS.

I’ll hold off on doing any scan then, DavidR. I didn’t understand as I thought once the folder was added to the exclusions within File System Shield that that would prevent that folder from being scanned. How will I know when a scan can be done or do I wait a few days on new vps updates?? I received vps 100127-0 , but nothing since.

Please advise me as to what should be done at the proper time such as Restore the file, Delete files in the chest, Scan infected files or do a full scan.

I checked the manual plus my printout of Belarc Advisor and I have USB 2 on my Dell HID Keyboard Device.

After the boot scan ran last evening and the previous evening, I was unable to use the Esc key as well as I could not make any selection of what to do with what was found. I have the latest BIOS version in use on the computer, but have no idea how to go in and make any changes to the BIOS.

Thanks David,
Ron - W3FSY

Running other scans should be unnecessary; you don’t have to initiate other scans every day as avast is a resident (on-access) scanner. I run an on-demand scan once a week, some do it every fortnight or month, some don’t bother at all. If a file is infected and something accesses it, avast will scan it, as it scans files that are at risk or a target of infection. The VPS updates just ensure that the File System Shield has the latest signatures for its on-access scans. The other types of scan also use that VPS/signature update for their scans.

It only prevents it from being scanned by the File System Shield (the on-access part; when you try to upload it, it would alert otherwise) and not any other scanning function, at least that is my understanding of it. So running other on-demand scans may not exclude it.

Even if the keyboard input isn’t detected, the boot-time scan doesn’t require input unless something is detected. So in theory having a USB keyboard shouldn’t matter, but if input is required for detections (which you didn’t mention what they were) then it is required.

Now I would have thought companies like Dell would set the BIOS to detect USB devices outside of windows if they are going to supply computers with USB mice. Entering the BIOS isn’t too difficult, but it isn’t standard for different systems; generally it is pecking away at the keyboard (Delete or F1 keys).

Thereby hangs another chicken and egg situation, if it doesn’t detect your mouse before windows boots I really don’t know how you would change the BIOS settings with a keyboard that isn’t detected.

Even if you are able to get into the BIOS, I don’t know what area of it handles the USB devices (peripherals perhaps); as you have no doubt guessed, they differ from BIOS manufacturer to manufacturer.

DavidR, I’m going to take a pass on digging into the BIOS. The boot scan had just found the two infections (FP’s) and after looking at the logs, I see they reported the findings as “No Virus” both days the boot scan ran.

Yesterday, after receiving vps 100127-1, I scanned both Infected Files showing in the Chest and they came up as “No Virus”. Am I correct in that I do a right-click and “Delete” the “no virus” entries? Alwil apparently released definitions for what I submitted as I didn’t understand how to submit to Virus Total at the time with extracting files as I had no folder created on the C drive till a day or two later.

Do I remove the excluded file from the File System Shield?

Do I delete the two suspect files that were placed in the Suspect folder or just remove the folder completely?

Thanks, David for all your help. In the past, I just viewed posts that others with the same FP made on the forum; just taking a low profile and didn’t really understand “False Positive submission procedure”.

You’re welcome.

I don’t blame you not wishing to dig around in the BIOS, I try to avoid unless absolutely essential.

I have however found that there is something about XP and USB keyboards not working in the boot-time scan, so any setting in the BIOS wouldn’t change that. So it might be worth getting hold of a cheap PS2 keyboard whilst you have XP.

The WLX QuickTimeControl Host exe file can be restored from the chest (select file in the chest, right click select Restore, see my 1st post image). The one that came from a restore point, AO206402.exe can’t be restored as it is going to a protected area and can’t really be reintegrated into the system restore process.