Pardon my ignorance on the topic. I’m definitely a newbie with Avast and virus software in general.
I am running Avast 4.7 Home Edition and it appears to be updating each time I go onto the web. My VPS file vers is 0714-2 and its compilation date 2/16/07 indicates that it updated just prior to my online session.
I am running Windows XP Home edition and connect to the internet over a Verizon FIOS line.
During an online session I got a virus alarm and chose to move this virus to the chest.
I immediately did a scan of my hard drive and Avast found no viruses but did indicate that it was unable to scan 13 GZIP files because they were corrupted.
When I tried to move these files to the chest I got a message that an error occurred during the process and was unable to complete. I then tried to just delete these files with the same error message. I believe these files are temporary internet files.
With my first power up after this occurrence I got a virus alarm and I also moved this file to the chest (I found the same virus type which had previously been moved to the chest).
I shut the computer down immediately and on power up the second time the same alarm was indicated and I again moved the file to the chest. I assume this means my computer is infected and the virus has not been caught by avast???
Can someone give me an idea on how to proceed at this point???
Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
Don’t do anything with files that can’t be scanned, but investigate, if you want further confirmation.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 29 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.
I just finished the boot time scan and it found 0 infected files. But in the process of accessing this record file Avast detected the virus again and I moved it to the chest.
The file name which contained the virus was c:\documen~1\chaesa~1\local~1\temp\tmp1.tmp. When I click on the file in the Chest, Avast lists it as tmp1.tmp and under virus it lists Win32:Small-gen2 [trj].
Possible solution to above problem–but unable to complete solution–
My problem is identical to the thread posting by DimitrisK on Oct 28, 2006. The final pane of this thread mentions file names identical to the file names involved in my case but I am unable to locate the file by search to delete it?? The final pane reads as follows:
Thanks!!! I had the same problem for two or three weeks and was unable to solve it. The only difference was that in my case the application was called “ms_update_0612_kb74062.exe”, otherwise all was the same. Actually you don’t need to uncheck the msconfig entry since after you delete the .exe file it disappears automatically. Once again, thanks a lot!
I do find this exact file title appear when I go to Program Files–>Startup. When I click on it it runs and causes the Avast software to alarm.
Could someone clue me in on the deletion process–I can’t find the file to delete it?? Windows file search doesn’t find the file. Is there a place I can go to delete the file from the Startup folder??? Sorry for the Novice questions.
With the file deleted the computer now seems to be working fine. I no longer have virus alarms every time I turn the computer on. I seem to be able to run all my programs with no ill effects (hopefully this will continue).
Based on what was done—does this all make sense? It certainly seems to follow the solution pattern of the Dimitrisk thread of October 28, 2006 (Win:Small-gen2-trj).
Is there anything further that I should do?
Is there anything I should look for in the future ?
mauserme and all Thanks for helping me with the solution–I’ll sleep better tonight—I think?
Yes, it makes a lot of sense. If the file you deleted was a downloader that avast! doesn’t yet recognize, it was able to exist on your computer trying to download malware that avast! did recognize. Now that its gone the attempted downloads have ended.
At this point, since avast! didn’t detect everything that was going on, I would run CleanUp followed by a Trend Micro on-line scan just to make sure your computer is clean.
What mauserme said about removing the downloader could well be correct. Whilst the removal of the file would have appeared to have resolved the problem, I have some questions about your overall protection.
If this was something that happened immediately on boot (no internet connection) I would be concerned that it might not have been a downloader? Unless you have an always on connection that gets established very quickly allowing the downloader to work.
If it were a downloader at work, I would like to have thought that the web shield would intercept the file being downloaded? But, since you never said what the location was we can’t say which shield detected it. Essential information to help us is the malware name, the infected file name and its location.
Again if it were a downloader at work I would also wonder why your firewall (which is ?) didn’t block an unauthorised outbound connection.
In brief my experience and troubleshooting experience was this:
1) While online I got a virus alarm and was immediately thrown off the internet.
2) I immediately disconnected my computer from the internet.
3) I immediately did a thorough scan with an updated Avast home edition (details above, first note).
4) Results of scan found no virus.
5) After powering down the computer and then back up I got the virus alarm again and this then happened in an identical manner each time I power up (after each time I move the virus to the chest).
6) I did a power up boot scan and it did not find any virus, but on powering down then up it alarmed again.
7) I found the thread of February 4, 2007 (Win:32.Small-gen2 trojan) and it sounded exactly like my situation. In fact the file mentioned in the last panel of that episode matched exactly mine (ms_update_069_7723.exe).
As the solution to the above case stated, I deleted this file from the startup (Programs–>Startup–>ms_update_069_7723) and I have had no problems since. I now see Programs–>Startup–>(empty).
But I am still not totally confident in the solution
Note: during this whole troubleshooting episode my computer was disconnected from the internet—I corresponded over the internet via a second computer at a second site. I still have not placed the infected computer back online.
Any further comments on this episode would be greatly appreciated.
This indicates a web shield detection, and should indicate this by displaying an internet address (location), it will also only give the option to Abort Connection, this stops the file being downloaded.
There is no need to disconnect, the abort connection is fine, but if it happens at a site you didn’t intend to visit, clear that page connection.
You won’t find anything because the web shield blocked it from your system by the Abort Connection.
This is the result I would expect.
but you don’t say what the file name or location is, this information is crucial in trying to help you even if you are repeating what you have said before, that is preferable to just saying it came back. We don’t know where or why and have no information to even hazard a guess and that doesn’t help you either.
When there is a topic that sounds like yours then it may be helpful to give a link to it, but that too makes life difficult for those helping having to refer to another topic for information. You could either monitor that topic and follow the advice, instructions or contribute to that topic.
You might well be happy and it is your system, but to me there are still mysteries surrounding this issue, due in part to a lack of information about.
In response to your question: all the virus alarms I got were with the computer disconnected from the internet. With the first alert I disconnected from the internet and in fact have not gone back on yet.
Just kinda waiting for the dust to settle. Does this put a different perspective on the reason and outcome prognosis?
DavidR
I have the exe file which I deleted in my trash can. Is this the file name you are referring to or do you want the file name that was reported by Avast with the alerts and is presently contained in the Avast chest on my computer?
DavidR
In response to your last question —I am not at all happy with the solution if some doubt exists.
What can I do to investigate further?
Thanks again to both of you for your concerns with my system.
You said you deleted the file from your start up folder. Are you sure that was the actual file, not just the shortcut to the file? Usually that’s what is in the startup folder, shortcuts.
Yes, and no. Since a downloader cannot download anything without an internet connection it’s not that, but ms_update_069_7723.exe can still have been responsible for the regeneration of the malware avast! did detect. In either case it seems beyond coincidence to me that the alerts stopped immediately after deletion of that file. As long as you followed the path indicated in the shortcut’s Target field and deleted that file, rather than just the shortcut itself, I do believe you’ve taken the correct action. But since we all agree that confirmation is needed I’ll again suggest a Trend Micro on-line scan. And I still think you should clear your temp files since this is where the detections were located.
Since avast! never did alert on ms_update_069_7723.exe I don’t think we should expect to see it in the log, but the copy you saved can be uploaded to Jotti and Virus Total for additional opinions.
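
The check raised in the replies above (a Startup entry is usually a shortcut, so what matters is whether the file in its Target field is gone), as an added PowerShell example that is not part of the original thread. It assumes a Windows system with PowerShell 4 or later, and it goes beyond the Startup folder discussed here by also listing the registry Run keys; all variable names are illustrative.

```powershell
# Added example: list autostart entries and check what each one really points to.
$shell = New-Object -ComObject WScript.Shell   # used to read .lnk Target fields

# Per-user and all-users Startup folders (the "Programs -> Startup" menu).
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$entries = @(foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            # A .lnk is only a pointer; anything else is itself the file that runs.
            $target = if ($_.Extension -eq '.lnk') {
                $shell.CreateShortcut($_.FullName).TargetPath
            } else {
                $_.FullName
            }
            $exists = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
            [pscustomobject]@{
                Entry        = $_.FullName
                Target       = $target
                TargetExists = $exists
                # The hash can be looked up on a multi-engine scanner.
                SHA256       = if ($exists) { (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash }
            }
        }
})

# Generalization: registry Run keys start programs too (msconfig lists both).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$entries += @(foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Entry        = "$key\$name"
                Target       = $item.GetValue($name)   # full command line, not parsed
                TargetExists = $null
                SHA256       = $null
            }
        }
    }
})

$entries | Format-List Entry, Target, TargetExists, SHA256
```

An entry whose shortcut was deleted simply no longer appears; a shortcut still listed with `TargetExists : True` means the executable it launches is still on disk.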