I need help once again. I took my PC to Circuit City two days ago only to have it cleaned. When the tech inserted their flash drive analyzer, both Avast and Comodo went nuts on my machine. A message notified of a Trojan Horse. The tech IGNORED all this and forced the analyzer program to run, which showed I had a clean machine.
After bringing home my XP fully updated PC (64 athlon 3300 processor), I ran an Avast scan and it found two infected files and identified them as Win32 Trojan, which I moved to the chest. I scheduled and ran a boot scan and moved files once again to the chest. Re-scanned and the PC is showing as clean.
What do I do now? I’ve already wasted $131 at CC and would not go back there for any reason. I did see some false positives in this list archive but finding the files seems to make mine very real. Should I run a boot scan daily for a bit? Do I need to run other programs?
Please help,
Donna in AR
In detail, if a virus is replicating (coming back again and again), you could follow the general cleaning procedure:
1. As posted before, disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot, you can enable System Restore again (after step 3).
2. Schedule a boot-time scan with avast: start avast! > right-click the skin > Schedule a boot-time scanning. Select scanning of archives. Reboot. The other option is scanning in Safe Mode (repeatedly press F8 while booting).
3. Also, if you are still detecting strange behaviours or you want to be sure you’re clean, making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.
4. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features for spyware/adware cleaning and removal.
5. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
It could be a false positive: sometimes ‘tools’ are detected in this way. Still, it is not good form to leave files on your computer that are detected as malware.
To check them out, export the files from the chest, temporarily disable avast! (otherwise you won’t be able to access the files) and upload the detected files to VirusTotal.
I extracted the files and sent them to the VirusTotal uploader. Somehow I skipped disabling Avast, but it said the files were sent.
I returned the copies to the Chest because I really didn’t know what to do, though it said copies were in the uploader. Having never done this before, I am a bit lost. Earlier I also e-mailed both files to the ALWIL software team by right-clicking.
Donna in AR
Hi David,
It’s been months but here I am again. I don’t think the VT upload was successful. I’ve only done this one time before but I did not remember if the results were immediate and how they came. Nothing so far, so I doubt the upload worked.
I have the uploader downloaded and when I sent the infected files to it they appeared in the VT window with all warnings attached, and then a note came up at the bottom of the screen saying copies were in the uploader, so I right-clicked and sent to VT but there was a long wait message. I did send the copies back to the chest because it appeared they were loose. Do I need to re-do it a different way?
The warnings said these files have Win32: Agent TOS.
Thanks,
Donna in AR
The most common problem is trying to upload from the chest (though you mentioned extracting them), resulting in a 0 byte file size being uploaded. The other possibility is avast stopping the upload because it is detected again, even if you select take no action or close the alert window.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, then type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
I don’t know why you needed to do this: “I have the uploader downloaded and when I sent the infected files to it they appeared in the VT window with all warnings attached.” You should only need to click the VirusTotal link Frank gave; when the site opens, click the Browse button. Using the pop-up window, navigate to the c:\suspect folder and select the file you want to upload.
If you have created the suspect folder (and excluded it also) and exported the file from the chest, avast shouldn’t get in the way. The site can get busy and there might well be a wait; don’t send the file/s back to the chest as that would effectively break the upload. You just have to be patient and allow the upload to complete and the scan to commence.
I have decided this is probably real. I did everything you said except the : and \ could not be typed, so I just called it C Suspect in both places. I extracted the files and the warning went mad again and I was not allowed to move in any way to the VT upload box.
I tried right-clicking and sending to VT, not allowed to move.
I may have inadvertently let the monster loose again. I tried to copy, cut, paste, move—nothing allowed. It may be in my memory now for sure.
I finally got both of the files into VT by opening, and the reading came back 0 bytes. This is driving me to panic, for I feel like this TH is just racing through my machine. What should I do with the useless C Suspect file?
OK. I cleaned up the C Suspect file and sent those copies to reside in the chest and removed them from the Avast scanning list. I will remove Panda, and I also have PC Doctor for Windows that must have come from a free virus scan also, so it needs to go. My PC is operating fine and I haven’t noticed any serious behavior, so I lean toward the false positive too. Do I just leave everything in the chest for a bit and then delete, or what? There are some other .dll files in the chest connected with Win32 but they are not marked as infected and they have been there for months. Just leave all in the chest and maybe run another scan?
Thanks so much for your help,
Donna in AR
The folder name should be Suspect; the : and \ are part of the path, as in c:\ (c: is the drive, and the \ indicates the next bit is a folder), so the full path to the suspect folder is c:\suspect.
You need to ensure that you exclude the suspect folder and its contents so avast doesn’t scan them. Add “c:\suspect*” (copy and paste the text in quotes, but not the quotes) to the avast exclusion lists: Standard Shield, Customize, Advanced, Add and Program Settings, Exclusions.
This will stop avast going mad, as you call it, and allow the files to be uploaded.
No, you haven’t; infected files in isolation (a different location from where they were found), without a registry key to run them, etc., are inert. That is part of the purpose of having the suspect folder, so you don’t have to disable avast to be able to extract from the chest and upload to VT from the suspect folder.
You now know why the file size is 0 bytes: avast blocking it, another reason for using the suspect ‘folder’. It isn’t a file; you can delete the C Suspect file.
Whilst this is all a moot point as you have managed to upload the files, it may be of help in the future.
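The two things that went wrong in the exchange above are a zero-byte export (avast blocked the file before it reached VirusTotal) and an exclusion entry that did not actually cover the folder the sample sat in (a folder named "C Suspect" is not matched by "C:\Suspect*"). The script below is an added example, not part of the thread and not avast or VirusTotal code: it checks an exported file for the zero-byte symptom, computes the MD5/SHA-1/SHA-256 hashes that VirusTotal can be searched by so a re-upload is often unnecessary, and tests whether a wildcard exclusion entry covers a given path. It assumes the exclusion entry behaves as a case-insensitive glob over the full path, which is how the thread uses it; the folder and file names are constructed for the demonstration.

```python
"""Pre-upload checks for a sample exported from the avast chest (added example).

Assumption: an avast exclusion entry such as C:\\Suspect* is a case-insensitive
wildcard over the full path. Sample files below are constructed, not real malware.
"""
import fnmatch
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

SUSPECT_FOLDER = r"C:\Suspect"     # folder name suggested in the thread
EXCLUSION_ENTRY = r"C:\Suspect*"   # exclusion entry suggested in the thread


def exclusion_covers(exclusion, file_path):
    """Return True if a wildcard exclusion entry matches a Windows file path.

    Forward slashes are normalised to backslashes and the comparison is
    case-insensitive, so "c:/suspect/x.exe" is covered by "C:\\Suspect*" while
    "C:\\C Suspect\\x.exe" (the mistyped folder from the thread) is not.
    """
    normalised = str(PureWindowsPath(file_path)).lower()
    return fnmatch.fnmatchcase(normalised, exclusion.lower())


def hash_bytes(data):
    """Hashes VirusTotal can be searched by instead of re-uploading the file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_sample(path):
    """Inspect an exported sample before uploading it.

    A zero-byte file means the export or read was blocked (the "0 bytes"
    result in the thread) and uploading it would tell you nothing.
    """
    data = Path(path).read_bytes()
    if len(data) == 0:
        return {"ok": False, "size": 0,
                "reason": "zero-byte file: export blocked or incomplete, "
                          "check the exclusion covers the folder and re-export"}
    result = {"ok": True, "size": len(data)}
    result.update(hash_bytes(data))
    return result


def make_demo_files():
    """Write two constructed files into a temp dir: one empty, one 3 bytes."""
    folder = Path(tempfile.mkdtemp(prefix="suspect_demo_"))
    blocked = folder / "blocked_export.bin"
    blocked.write_bytes(b"")          # mimics the 0-byte export from the thread
    sample = folder / "sample.bin"
    sample.write_bytes(b"abc")        # constructed placeholder content
    return str(blocked), str(sample)


if __name__ == "__main__":
    for candidate in (r"C:\Suspect\sample.exe", r"C:\C Suspect\sample.exe"):
        print(candidate, "covered:", exclusion_covers(EXCLUSION_ENTRY, candidate))
    blocked, sample = make_demo_files()
    print(check_sample(blocked))
    print(check_sample(sample))
```

If `check_sample` reports a zero-byte file, fix the exclusion (the `exclusion_covers` check tells you whether the entry actually matches the folder) and export the file from the chest again before trying VirusTotal; if it reports hashes, search VirusTotal for the SHA-256 first, since a file that has already been analysed does not need to be uploaded at all.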
So when a problem is found, the folder should be created and files not sent to the chest? Do you agree that the VT results I sent look like a false positive? As you will see in my post to Frank, my machine is working fine and I asked what to do about the files in the Chest. If it is wait-and-see then I am OK. All scans are negative for anything.
Thanks a bunch,
Donna in AR
I have the folder permanently created (and excluded, as I mentioned), though I have given mine a different name (it can be anything you like), and anything I don’t want avast to scan lives in there (some samples/tools that would otherwise be detected by avast). Also anything suspicious goes in there so it can easily be uploaded to VT.
The only files to be concerned with in the chest are those in the Infected Files section, those that avast detects and you choose to send to the chest. They can do no harm there, so you have done the right thing, ‘first do no harm’: don’t delete, send the virus to the chest and investigate.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
In a way they are and they aren’t false positives. The problem arises because Panda don’t encrypt their virus signature files, and avast, or any other resident scanner, is likely to detect them because they are looking for virus signatures. So in this case it looks like you didn’t have any ‘monster’ running round in your system, just some unencrypted Panda signature files.