A couple of days ago I was connected to the Web (Firefox 2.0.0.16 / Win XP Home SP2), with two tabs open, the newspaper “The Guardian” and a weather site (meteofrance.com). My avast! antivirus (version 4.8, Home Edition) suddenly signalled a warning message, as follows:
Sign of “Win32:Searches-E [trj]” has been found in “C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe” file.
I let avast! put the program to the virus chest. The program in question is one written by my computer manufacturer (LG Electronics); it is used to manage web connections, and I had, up until then, been using it every day without any problems. (I prefer it to the native Windows program for managing web connections).
I searched around for information about this particular virus/trojan, “Win32:Searches-E [trj]”, but without much luck. I have read the recent post on this forum, below (http://forum.avast.com/index.php?topic=40553.0), but it seems now (if I’ve understood correctly), that this thing called “Win32:Searches-E [trj]” is no longer considered to be a virus/trojan.
I have just run a scan of the supposedly infected program (IP Operator 2005.exe) from within the avast! virus chest, and avast! now tells me there is no sign of a virus. I’m no expert on this stuff, and I’m a little confused about the status of this thing called “Win32:Searches-E [trj]”. Basically, I’d rather be absolutely sure it is no longer a threat before restoring the program and using it again.
Any clarification, or even confirmation, that anyone would be able to give about “Win32:Searches-E [trj]” would be much appreciated.
Well, as your link to the other topic shows, that detection was deemed a false positive detection and the VPS signatures were modified, so it is entirely possible that this now modified signature no longer finds what was previously detected in that file.
If you want further confirmation:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, giving the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
It isn’t unusual to not have avast detect on VirusTotal when it does so on your system. VT isn’t able to update the VPS in real time as the user is and this is often the cause. Remember the point of submitting it to VT is also to see what the other scanners find.
Does this mean the program is safe to place back in its folder and run again? If so, I can’t quite understand why this thing called “Win32:Searches-E [trj]” caused an alert in the first place.
Thank you kindly for any further suggestions or instructions.
Yes, that shows it is clean, as the updated avast VPS signature found.
Right click on the file from within the Infected Files section of the chest and select Restore. Check that it is in the original location and then delete the copy in the chest and the suspect folder you used to upload to VirusTotal.
You could have got away with just pausing the standard shield to extract the file from the chest and upload to VirusTotal, but I don’t like going on-line with my defences down if possible (and those instructions, although more complex, mean you’re fully protected).