Whilst running a routine scan (using Avast 4.7 Home Edition) of system memory and startup, Avast reported that Digicell.exe was infected with Win32:hityou (trj); it then moved the infected file to the Virus Chest. Digicell is an MSI utility that provides online automatic MSI driver updates and MSI mainboard configuration.
However, I have just come across a recent forum conversation on Forum.msi.com.tw that indicates that this may in fact be a sort of mis-hit, and that what Avast thinks is an infection may in fact be genuine code required for the utility to run. However, it didn’t confirm one way or the other.
Having no experience of viruses or virus software, can someone please throw some light on this? I suppose the questions I need answering are:
What is Win32:hityou?
Has it really infected my system or could it be a ‘mis-hit’?
If yes, how do I disinfect it or get a new file to enable Digicell to run again?
If it’s not a real virus, I presume that I can simply restore the file from the Chest to get Digicell running again?
Firstly, avast doesn’t do anything automatically; with the free version it requires user input.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option, as it uses the Windows version of avast (more packers supported) and there are currently 29 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners there detect it, it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the Chest; you will need to move it out.
If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced, Add; and Program Settings, Exclusions) and periodically check it (scan it in the Chest). There should still be a copy in the Chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions.
Also see (Mini Sticky) False Positives: how to report it to avast! and what to do to exclude them until the problem is corrected.
I’m keen to try the VirusTotal option. The web site looks good, although there is a 10 MB download limit and my file is 1288704 (is that over 10 MB?).
To use VirusTotal I need to send them the file, which means extracting it from the Chest and saving it somewhere. In doing so, is there any danger that the virus (if there is one) may activate/spread? (Apologies if this is a stupid question!)
The only scanner on Jotti to find anything was Avast.
On VirusTotal, Avast again found ‘Win32:hityou’, and two other scanners (eSafe and Fortinet) had a suspicious result. However, that means that the 29 other scanners found nothing.
So what’s the consensus: is my file safe or unsafe???
Thanks once again to DavidR for suggesting these tests.
The suspicious detections are, I would say, some form of heuristic detection and could be subject to incorrect detection. I would say you are probably in the clear; send the sample to avast for analysis. If it is currently in the Chest, send it from there; a copy should still be there even if you have restored it to its original location.
If you haven’t restored it from the Chest, do so. You will get an alert from avast; select No Action (or pause the Standard Shield first) and add the file to the exclusions as outlined above.