In all 4 cases, the recommendation was that I move them to chest, which I did. I rebooted and ran another AV which came up clear. I have also just run SUPERAntispyware, which also came up clear. I have XP, and have recently installed the firewall Online Armor (though I think this is a coincidence).
Can I now assume my PC is clear or are there any other checks I should be performing? I wondered if I should post my HiJackThis log somewhere, just to make sure.
Disable System Restore and reenable it after step 3.
Clean your temporary files.
Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
Anyway, the detection of generic infections (-gen(other)) should be treated with extra caution. There is a great chance of false positives. To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com. VirusTotal has a file size limit of 10Mb. Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful: you should not ‘exclude’ so many files that you leave your system in danger.
Personally I suspect the two setup.exe file detections are false positives.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Thanks for your replies. I’ve looked everywhere but can’t find how to schedule a “boot time scanning with avast with archive scanning turned on”.
I also realised that my defs were 1 day old so I have updated them. I then found the 4 files in the chest (though they are now called 000000B, C etc), and right clicked each one and selected ‘scan’ and these come up clean (well I can hear no sirens!). Does this negate the need to send them to ‘VirusTotal’, or to create C:\Suspect or exclude in Standard Shield, Customize, Advanced, Add?
Edit: I have done the same thing by loading Avast, selecting the files in the chest and scanning, and they are saying these are still viruses. How can you copy these files to C:\Suspect when in the chest in Explorer they are showing as 000000B, 000000C, 000000D and 000000E?
I have pasted a copy of my HiJackThis log as you suggest, and would be glad if you could look at it.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55:14, on 01/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
If you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.
If you are scanning from outside the chest, and it sounds like you are because the name is changed when viewed in Explorer (see image), files in the chest can’t be scanned from the outside as a) it is a protected area and b) the files are encrypted. So you need to open the avast Chest, Infected Files section, right click on the file and select scan; that is the only way they can be scanned.
I would say you should upload the files to virustotal as I suggested it could save you a lot of work.
Thanks for advice. I have unticked system restore, deleted temp items ran a boot scan with archive and it found 2 more examples of exactly the same file in my ‘Documents & Settings’. For now, I have left them there and will move them if you feel it’s not a false positive. I remembered to turn system restore back on.
I have uploaded the Setup.exe file to VirusTotal as you suggested, and 2 out of 33 found it to be a Win32:Trojan(other) virus. I sent the 2nd Setup.exe up and it said it was a copy and had already been analysed. Other than Avast, GData was the other to say it was a virus. With 31 (including Kaspersky!) finding it OK, should I now proceed to send it to avast? If the answer is yes, I have looked everywhere on how to zip the file as you suggested, but can find nothing. More advice please.
You should have moved them to the Chest where they can do no harm and it gives time to investigate.
You don’t say what the full locations are (as Docs & Settings is a huge folder with many sub folders)?
GData uses two scanning engines and one of them is avast, so effectively I would count this as only avast detecting it and a false positive. They should be sent to avast, as outlined in the link on how to report, etc. in reply 2 above. If you have a sample in the chest (as you should), you can send them to Alwil Software (avast) without the need to zip and password protect them.
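To make the reasoning in the reply above explicit, here is an added Python example (not from the thread or from avast): it hashes a sample so an already-analysed file can be looked up by hash rather than re-uploaded, and counts detections once per underlying engine, so a product that bundles the avast engine does not count as an independent second opinion. The engine-sharing map and the 33 constructed verdicts are assumptions mirroring the thread's "2 out of 33" result.

```python
import hashlib
import os
import tempfile

# Assumed mapping of multi-engine products to the core engine they license.
# GData bundling the avast engine is stated in the thread; anything else you
# add here is your own knowledge, not something this example verifies.
SHARED_ENGINE = {"GData": "Avast"}


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks; the digest is what a scanner service keys prior results on."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def independent_detections(results):
    """results maps engine name -> verdict string, or None when the engine called it clean.
    Engines that share a core are collapsed so one signature is only counted once."""
    cores = set()
    for engine, verdict in results.items():
        if verdict is not None:
            cores.add(SHARED_ENGINE.get(engine, engine))
    return sorted(cores)


def triage(results, independent_threshold=2):
    """Summarise a multi-engine result; fewer than `independent_threshold` distinct
    cores flagging the file is treated as 'likely false positive, submit for review'."""
    hits = independent_detections(results)
    return {
        "engines_total": len(results),
        "raw_hits": sum(v is not None for v in results.values()),
        "independent_hits": len(hits),
        "flagging_cores": hits,
        "likely_false_positive": len(hits) < independent_threshold,
    }


# Constructed verdicts: 31 engines clean, Avast and GData both report the same generic name.
SAMPLE_RESULTS = {f"Engine{i:02d}": None for i in range(31)}
SAMPLE_RESULTS.update({"Avast": "Win32:Trojan-gen {Other}", "GData": "Win32:Trojan-gen {Other}"})


def make_sample_file():
    """Write a constructed stand-in for the quarantined Setup.exe and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"hello")
    return path
```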
The full path was C:\Documents and Settings\Owner\My Documents\GX260 Drivers\R54402NICEXE\Win98\Setup.exe.
I did a boot scan originally forgetting archive and it found nothing. It was only when I reran with the archive selected that these turned up. Funnily enough, I did try to move them to chest during the boot scan by selecting option 5 but it said ‘error’ and wouldn’t let me do it.
I still have the file in the chest, so I will send them to avast from within the chest so I will not need to zip/password.
Yes looks like the same, a drivers setup.exe file, there must be something that avast doesn’t like in the way the setup goes about its business or something that it does.
The sooner the samples are sent the better. When you send them there is a small text box that allows for some information; I would certainly suggest you post the link to this topic and put ‘probably False Positive’ at the start of that text information box.
I sent them another msg giving the link to this thread as you suggested. Does avast normally reply with their findings? If it is a false positive, should I then restore from within the avast chest?
You don’t normally get a reply unless they need more information.
Yes you can restore them from the chest, but you would have to exclude them from further scans. However, since these files are actually not active (those drivers would have been installed if required), they are just occupying HDD space, I would leave them in the chest.
Periodically scan them (after VPS updates) from within the chest and when they are no longer detected you can restore them. Note they will be restored to their original location but a copy will remain in the chest, confirm that they are in the original location and then you can delete the copy in the chest.
Hi. I think my system has detected a similar virus. The name is: Win32:Trojan-gen {Other}, and the file name is: C:\Documents and Settings\andres lairet\Shared\Excel 2007 Dashboards & Reports for Dummies.iso\AUTORUN.EXE. I tried to send the virus to the avast chest but a message appears that says the system is unable to process that file… please advise on what I should do. Thanks
It’s probably a false positive. You can’t process the file as avast can’t remove it from the .iso file (the CD/DVD image). What is the size of the .iso file? If it is smaller than 10Mb, maybe you can send it to www.virustotal.com for analysis.