Avast WEBforum

Other => General Topics => Topic started by: sandy55 on February 09, 2013, 02:43:06 PM

Title: file moved to chest not in chest?
Post by: sandy55 on February 09, 2013, 02:43:06 PM
I did a boot scan yesterday... moved a Windows file to the chest as it could not be repaired; now the sign-in window is missing. Tried to see the file in the chest; it is empty??? Should it not be there to restore if I chose to do that? Do you think this was a false positive... how to get this file back since it is not in the chest?
Title: Re: file moved to chest not in chest?
Post by: SpeedyPC on February 09, 2013, 02:47:56 PM
Can you post a screenshot so we could see the problem you're having ;)
Title: Re: file moved to chest not in chest?
Post by: sandy55 on February 09, 2013, 02:54:09 PM
never used screen shot
if I were to capture a shot what would it be of...
boot scan said there was a problem with a windows file so I tried to repair it ... did not work so I chose move to chest... scan completed... on restart the sign in window was changed.. no admin window sign in .. I am assuming this was part of the file I moved to the chest
looked in the chest there are no files there.

what would I be taking a screen shot of? 
I am not good with computers to start with just had a car accident in Dec and brain has been a bit muddled since apt to make big mistakes and cause more damage is there an easy way of finding and restoring files that should be in the chest but are not?
Title: Re: file moved to chest not in chest?
Post by: Pondus on February 09, 2013, 02:57:46 PM
Why did you do a bootscan... bootscan is not meant to be used as a regular scan

Quote
Do you think this was a false positive...
impossible to say with no file info....
file name and location.....full file path
what malware name did avast give it

test suspicious files at www.virustotal.com
Title: Re: file moved to chest not in chest?
Post by: SpeedyPC on February 09, 2013, 02:57:56 PM
Sit tight and wait for someone with much more experience than me in understanding the boot scan section you're having a problem with ;)
Title: Re: file moved to chest not in chest?
Post by: sandy55 on February 09, 2013, 03:01:27 PM
I don't know the name of the file I did not write it down assumed it would be in the chest if there was an issue... I did not know a boot scan should not be used whenever and do one occasionally..
Title: Re: file moved to chest not in chest?
Post by: sandy55 on February 09, 2013, 03:25:10 PM
I just did a restart now both log in including admin is once again there... maybe it has fixed itself?  May sound odd to you folks but I am seeking an easy way out and this may well be it :)
I was thinking of using restore.. to just go back seems it may be a false alarm sorry... bit confused due to this shaken head issue re accident maybe I just made a mistake ... just not sure.  No I am sure the sign in for admin was not there last startup but is there now.  No idea what is going on with the chest will let you guys think about it as it is not my cup of tea.
Title: Re: file moved to chest not in chest?
Post by: polonus on February 09, 2013, 03:30:59 PM
Probably because of the restart, but wait for a qualified malware remover to answer your question with a full explanation...

polonus
Title: Re: file moved to chest not in chest?
Post by: DavidR on February 09, 2013, 04:04:21 PM
@ sandy55
Look in the C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\report\aswBoot.txt file (XP location), check this file using notepad for info on the scan/detections, etc.

That should hopefully have the details of your last boot-time scan and the detection. Let us know the file name, location and malware name of the detection ?
Title: Re: file moved to chest not in chest?
Post by: sandy55 on February 09, 2013, 07:31:10 PM
02/08/2013 22:54
Scan of all local drives

File C:\Windows\Temp\WERE5BE.tmp.hdmp is infected by Win32:Downloader-MIU [Trj], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Deleted
Number of searched folders: 20422
Number of tested files: 244968

I copied and searched the name you gave this is what I found.
Number of infected files: 1
Title: Re: file moved to chest not in chest?
Post by: sandy55 on February 09, 2013, 09:28:18 PM
Found this but have not done anything, too foggy-headed to mess around...

How to Remove Win32.Downloader.CFV.Trj Manually?
1. Remove the registry entries hidden by Win32.Downloader.CFV.Trj

If you notice that the programs on your computer are running abnormally, please check the following entries in the Registry, and directly delete the spyware-related registry entries if found.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders Startup="C:\windows\start menu\programs\startup"

2. It is possibly a way to load the "Win32.Downloader.CFV.Trj" malicious programs, by hiding within the system WIN.INI file and the strings "run=" and "load=", so this must be carefully checked.

3. Clean up “IE Temporary File folder” where the original carrier of spyware threats is likely stored.

according to spy dig... whoever they are..
http://www.spydig.com/spyware-info/Win32-Downloader-CFV-Trj.html
Title: Re: file moved to chest not in chest?
Post by: bob3160 on February 09, 2013, 09:50:07 PM
I suggest you follow the guide outlined at:
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454
Attach the requested logs here and wait for one of the Malware Experts to help you.
Title: Re: file moved to chest not in chest?
Post by: DavidR on February 09, 2013, 10:20:00 PM
Quote
02/08/2013 22:54
Scan of all local drives

File C:\Windows\Temp\WERE5BE.tmp.hdmp is infected by Win32:Downloader-MIU [Trj], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Deleted
Number of searched folders: 20422
Number of tested files: 244968

I copied and searched the name you gave this is what I found.
Number of infected files: 1

The C:\Windows\Temp\WERE5BE.tmp.hdmp is a dump file, it isn't a Windows system file and is also a temporary location; even if deleted this shouldn't cause any issues. Dump files contain elements from memory and depending on the reason for the dump creation can cause some strange strings in memory.

Only true virus infections can be repaired, e.g. the small part of the virus inserted into an executable file. This isn't a virus infection but a trojan so can't be repaired hence all of the errors on not being able to repair.

The file won't be in the chest, as the last action taken was 'Delete,' so it is gone. As I said this shouldn't present a problem as it is/was a temporary file.

####
Given the nature of the detection and its location within a dump file and not in an active/live file, I don't believe you have to follow any of the steps that you found about that malware name.

I would also doubt the necessity to go through the Logs to assist in malware removal topic, but if you seek peace of mind, then the time spent won't be wasted.
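
An added example (not part of DavidR's post and not Avast's own tooling): a small Python parser for the detection line quoted above that reports the last action recorded for each file, which is what decides whether the file can be in the chest. The line format is assumed from the single aswBoot.txt line shown in this thread; `parse_detections` and the shortened sample report are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the report quoted in this thread, with the repeated
# repair attempts shortened to three.
SAMPLE_REPORT = """\
02/08/2013 22:54
Scan of all local drives

File C:\\Windows\\Temp\\WERE5BE.tmp.hdmp is infected by Win32:Downloader-MIU [Trj], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Deleted
Number of searched folders: 20422
Number of tested files: 244968
Number of infected files: 1
"""

# Assumed format: "File <path> is infected by <name>, <action>, <action>, ..."
DETECTION = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<name>[^,]+), (?P<actions>.+)$")
# Split on ", " only when it is outside a {...} message.
ACTION_SPLIT = re.compile(r", (?![^{]*\})")


def parse_detections(report_text):
    """Return one dict per detection line found in the report text."""
    results = []
    for line in report_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # header, blank line or summary counter
        actions = ACTION_SPLIT.split(m.group("actions"))
        # Count failed attempts by their "Action: Error NNNN" prefix.
        failed = Counter(a.split(" {")[0] for a in actions if ": Error" in a)
        final = actions[-1]
        results.append({
            "path": m.group("path"),
            "detection": m.group("name").strip(),
            "failed_actions": dict(failed),
            "final_action": final,
            # The last entry is the action that was actually applied.
            "deleted": final.lower() == "deleted",
        })
    return results


if __name__ == "__main__":
    for d in parse_detections(SAMPLE_REPORT):
        print(d)
```
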
Title: Re: file moved to chest not in chest?
Post by: sandy55 on February 10, 2013, 01:31:15 AM
It is interesting the log or whatever it is says deleted when I know for sure I did not delete the file but put it in the chest... grr
will think it over.
Title: Re: file moved to chest not in chest?
Post by: DavidR on February 10, 2013, 01:41:13 AM
Well, as a temporary file it really isn't an issue that it has gone, unless your thinking it over refers to using the Logs to assist in malware removal topic and running those analysis tools.
Title: Re: file moved to chest not in chest?
Post by: magna86 on February 10, 2013, 03:16:16 PM
Hi,
Little I can say... DavidR has already explained things. ;)

Using System Restore is a good option and should be used in such cases.
The *.tmp.hdmp file could not cause an error that you described and that file is detected via antivirus heuristics.

I also do recommend you to run & attach log reports (assistant diagnosis: MBAM + AdwCleaner; primary diagnosis: OTL + aswMBR) to check your system on malware if you will.
I don't know exactly what happened. When I review attached logs, then I can tell you something more.