Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on December 03, 2018, 11:10:48 AM

Title: Suspicious Files Detected
Post by: REDACTED on December 03, 2018, 11:10:48 AM
Hi, my first time posting here so apologies if I'm in the wrong area!
Avast has detected 54 suspicious files which "MAY" be harmful. 
I'm not sure whether I should delete them or not!
The threat name is: Rootkit: Hidden Process
All the files are under C:\Windows\Installer and all have the same name: MSIC5C7.tmp
What should I do?
thank you

edit:  I also have Malwarebytes installed.  I just ran a scan and it didn't detect anything!
Title: Re: Suspicious Files Detected
Post by: Asyn on December 03, 2018, 11:54:44 AM
Attach your basic diagnostic logs. (MBAM and FRST)
Instructions: https://forum.avast.com/index.php?topic=194892
Title: Re: Suspicious Files Detected
Post by: REDACTED on December 03, 2018, 12:15:23 PM
Files attached, thank you
Title: Re: Suspicious Files Detected
Post by: REDACTED on December 03, 2018, 12:28:55 PM
Also a screen shot of the Avast message
Title: Re: Suspicious Files Detected
Post by: Pondus on December 03, 2018, 12:30:17 PM
Was this a boot-time scan?

Title: Re: Suspicious Files Detected
Post by: REDACTED on December 03, 2018, 12:33:24 PM
Sorry, not quite sure which scan you mean.  The Avast message just popped up while I was writing an email, I assume it was running a scan in the background while I was working.
Title: Re: Suspicious Files Detected
Post by: Pondus on December 03, 2018, 12:38:08 PM
Quote
Sorry, not quite sure which scan you mean.
https://support.avast.com/en-ww/article/Antivirus-Boot-time-Scan


Quote
The Avast message just popped up while I was writing an email, I assume it was running a scan in the background while I was working.
OK


it may take hours before the malware expert is online ...




Title: Re: Suspicious Files Detected
Post by: REDACTED on December 03, 2018, 12:41:52 PM
Thanks Pondus, should I run this boot time scan?  I'm just worried if I close the current Avast message I may not find it again!  I can't see it listed in the notifications within the Avast software.  However I'm not very experienced at this kind of thing, if you hadn't already detected that! :)
Title: Re: Suspicious Files Detected
Post by: Pondus on December 03, 2018, 12:47:35 PM
@Sass Drake will check your logs when he is online

Title: Re: Suspicious Files Detected
Post by: REDACTED on December 03, 2018, 12:49:51 PM
Great, thank you. Appreciate the comments.  Will wait to hear further! :)
Title: Re: Suspicious Files Detected
Post by: Sass Drake on December 03, 2018, 08:03:10 PM
Logs look clean, but we will check the reported file.


Code:
VirusTotal: C:\WINDOWS\Installer\MSIC5C7.tmp
Title: Re: Suspicious Files Detected
Post by: REDACTED on December 03, 2018, 09:50:07 PM
Thanks for your help @Sass Drake.

Report attached as instructed.

Please note, I saved the file into Downloads rather than Desktop as that's where the FRST tool was located... I don't suppose the location affects the way it works, just mentioning in case it does!

The log suggests there are no issues.  Would you recommend allowing Avast to remove the suspicious files or not?
Title: Re: Suspicious Files Detected
Post by: Sass Drake on December 03, 2018, 11:15:22 PM
Now I can only guess it is an Avast false positive. Please let us know whether it continues to display alerts.
Title: Re: Suspicious Files Detected
Post by: REDACTED on December 04, 2018, 08:02:14 AM
Hi, I ran a full scan through Avast this morning and it picked up the same files, but this time there are 70. 
This makes me think I should delete them!
Picture of the scan result attached.

Title: Re: Suspicious Files Detected
Post by: REDACTED on December 04, 2018, 08:32:00 AM
I guess I should have waited for advice, but I clicked Resolve on the previous message.  Then ran another scan and now there are 72 files found  :-[

Not sure why I've got a different scan result screen this time, I think it may have been a quick scan rather than full scan like I ran this morning



Title: Re: Suspicious Files Detected
Post by: Sass Drake on December 04, 2018, 08:58:18 PM
Title: Re: Suspicious Files Detected
Post by: REDACTED on December 04, 2018, 09:59:54 PM
Hi, the file is not listed in the Virus Chest!  Perhaps Avast was unable to delete it when I clicked Resolve?

I have browsed to C:\Windows\Installer and I cannot see the files there either, and I have not acted on the last scan result showing 72 files of the same name!  (How can files with identical names even exist?) 
Title: Re: Suspicious Files Detected
Post by: Sass Drake on December 05, 2018, 02:19:51 AM
Then we will have to wait for a response from the Avast team.
Title: Re: Suspicious Files Detected
Post by: REDACTED on December 05, 2018, 08:04:08 AM
Thank you for your help to date, @Sass Drake, I really appreciate it!

Is there anything I need to do to bring this to the attention of the Avast team or will they see this post?

Just to summarise the current situation, I didn't like to shut down my computer with this unresolved for fear that something would be triggered when I rebooted, so I tried to remove all the suspect files to the "Chest".  I have also tried to Delete them.
Running a quick scan immediately after, shows no viruses.  But then when I run it again there are 70 or 80 files created again, always with the same name, MSIC5C7.tmp.
They don't appear in the Virus Chest and I can't see anything when I look in the C:\Windows\Installer location.
I have run Malwarebytes and Spybot Search and Destroy and they find no issues.

thank you
Title: Re: Suspicious Files Detected
Post by: Sass Drake on December 05, 2018, 07:31:04 PM
Try here:

https://www.avast.com/false-positive-file-form.php
Title: Re: Suspicious Files Detected
Post by: REDACTED on December 05, 2018, 11:45:03 PM
The problem is, I have no file to upload.
Title: Re: Suspicious Files Detected
Post by: Sass Drake on December 06, 2018, 08:58:52 PM
Download and run TDSSKiller following instructions here.
After you finish the scan, there should be a report file at a location similar to C:\TDSSKiller_*.txt.

Attach it to your message.
Title: Re: Suspicious Files Detected
Post by: REDACTED on December 07, 2018, 12:49:43 PM
Hi, there didn't seem to be any link to instructions, however I have downloaded the software and run a scan.  Please let me know if there were any special instructions that I may have missed.
The text file is attached as instructed.

Something else new.  When I completed my most recent Avast Scan, I deleted the "virus" files it found, same as I've been doing each time.  To date it's just given a green tick with no information and gone on to the next step in the Resolving Issues process.
This time I closed the scan window after Step 1 of Resolving Issues (i.e. resolving virus issues).  When I opened the scan again it said, "Resolved Issues: NaN".
Not sure if NaN is the name of an infection?  I've attached a screen shot.

Title: Re: Suspicious Files Detected
Post by: Sass Drake on December 07, 2018, 06:37:21 PM
It was my mistake because I forgot to paste the link. Sorry.
TDSSKiller didn't find anything, so I can say for sure it is an Avast report. NaN is an acronym for "Not a Number" and it is an Avast error. Can you try to reinstall Avast?
Title: Re: Suspicious Files Detected
Post by: REDACTED on December 11, 2018, 01:33:39 PM
Hi, now that you explained the meaning of NaN, I don't think Avast is doing anything wrong.  Rather it was a reflection of the fact that I was trying to delete files that it had already deleted (due to closing and reopening the process).

I've disconnected my PC from the internet as I'm nervous about what's going on.   I'm using a tablet to post this update!  Avast is still finding the same temp files, only now the number seems to have reduced to 35.

I also ran a Rootkit scan from Spybot Search and Destroy.  It found a number of processes etc and I understand these may not necessarily be malware.  To my untrained eye, there is one item that seems a bit odd.

File: "Invisible to Win32", "C:\Boott! s"

I cannot see that file if I browse to C:\
I will attach the complete report.