Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on December 03, 2018, 11:10:48 AM
-
Hi, my first time posting here so apologies if I'm in the wrong area!
Avast has detected 54 suspicious files which "MAY" be harmful.
I'm not sure whether I should delete them or not!
The threat name is: Rootkit: Hidden Process
All the files are under C:\Windows\Installer and all have the same name: MSIC5C7.tmp
What should I do?
thank you
edit: I also have Malwarebytes installed. I just ran a scan and it didn't detect anything!
-
Attach your basic diagnostic logs. (MBAM and FRST)
Instructions: https://forum.avast.com/index.php?topic=194892
-
Files attached, thank you
-
Also a screen shot of the Avast message
-
was this a boot time scan?
-
Sorry, not quite sure which scan you mean. The Avast message just popped up while I was writing an email, I assume it was running a scan in the background while I was working.
-
Sorry, not quite sure which scan you mean.
https://support.avast.com/en-ww/article/Antivirus-Boot-time-Scan
The Avast message just popped up while I was writing an email, I assume it was running a scan in the background while I was working.
OK
it may take hours before the malware expert is online ...
-
Thanks Pondus, should I run this boot time scan? I'm just worried if I close the current Avast message I may not find it again! I can't see it listed in the notifications within the Avast software. However I'm not very experienced at this kind of thing, if you hadn't already detected that! :)
-
@Sass Drake will check your logs when he is online
-
Great, thank you. Appreciate the comments. Will wait to hear further! :)
-
Logs look clean, but we will check the reported file.
- Open Notepad (click Start button -> type notepad.exe -> press Enter)
- Copy text from code block below and paste it into Notepad
VirusTotal: C:\WINDOWS\Installer\MSIC5C7.tmp
- Go to File -> Save As
- Make sure that UTF-8 is selected as Encoding (left side of Save button)
- Save it as fixlist.txt on Desktop
- Open FRST again and click the Fix button
- Wait until FRST finishes
- fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
-
Thanks for your help @Sass Drake.
Report attached as instructed.
Please note, I saved the file into Downloads rather than Desktop as that's where the FRST tool was located... I don't suppose the location affects the way it works, just mentioning in case it does!
The log suggests there are no issues. Would you recommend allowing Avast to remove the suspicious files or not?
-
Now I can only guess it is an Avast false positive. Please let us know whether it continues to display alerts.
-
Hi, I ran a full scan through Avast this morning and it picked up the same files, but this time there are 70.
This makes me think I should delete them!
Picture of the scan result attached.
-
I guess I should have waited for advice, but I clicked Resolve on the previous message. Then ran another scan and now there are 72 files found :-[
Not sure why I've got a different scan result screen this time, I think it may have been a quick scan rather than full scan like I ran this morning
-
- Open Avast interface Window
- On left side click on Protection and then click on Virus Chest
- Check one MSIC5C7.tmp and mark checkbox on left side
- Notice Delete button down and arrow on it. Click on that arrow and then on Restore As.
- Choose Desktop as destination
- MSIC5C7.tmp should appear on Desktop. Go to https://virustotal.com and upload it there.
- Post the link to the report here
-
Hi, the file is not listed in the Virus Chest! Perhaps Avast was unable to delete it when I clicked Resolve?
I have browsed to C:\Windows\Installer and I cannot see the files there either, and I have not acted on the last scan result showing 72 files of the same name! (How can files with identical names even exist?)
-
Then we will have to wait for response from Avast team.
-
Thank you for your help to date, @Sass Drake, I really appreciate it!
Is there anything I need to do to bring this to the attention of the Avast team or will they see this post?
Just to summarise the current situation, I didn't like to shut down my computer with this unresolved for fear that something would be triggered when I rebooted, so I tried to remove all the suspect files to the "Chest". I have also tried to Delete them.
Running a quick scan immediately after, shows no viruses. But then when I run it again there are 70 or 80 files created again, always with the same name, MSIC5C7.tmp.
They don't appear in the Virus Chest and I can't see anything when I look in the C:\Windows\Installer location.
I have run Malwarebytes and Spybot Search and Destroy and they find no issues.
thank you
-
Try here:
https://www.avast.com/false-positive-file-form.php
-
The problem is, I have no file to upload.
-
Download and run TDSSKiller following instructions here.
After you finish the scan, there should be a report file at a location similar to C:\TDSSKiller_*.txt.
Attach it to your message.
-
Hi, there didn't seem to be any link to instructions, however I have downloaded the software and run a scan. Please let me know if there were any special instructions that I may have missed.
The text file is attached as instructed.
Something else new. When I completed my most recent Avast Scan, I deleted the "virus" files it found same as I've been doing each time. To date it's just given a green tick with no information and gone on the next step in the Resolving Issues process.
This time I closed the scan window after Step 1 of Resolving Issues (i.e. resolving virus issues). When I opened the scan again it said, "Resolved Issues: NaN".
Not sure if NaN is the name of an infection? I've attached a screen shot.
-
It was my mistake because I forgot to paste link. Sorry.
TDSSKiller didn't find anything, so I can say for sure it is an Avast report. NaN is an acronym for "Not a Number" and it is an Avast error. Can you try to reinstall Avast?
-
Hi, now that you explained the meaning of NaN, I don't think Avast is doing anything wrong. Rather it was a reflection of the fact that I was trying to delete files that it had already deleted (due to closing and reopening the process).
I've disconnected my PC from the internet as I'm nervous about what's going on. I'm using a tablet to post this update! Avast is still finding the same temp files, only now the number seems to have reduced to 35.
I also ran a Rootkit scan from Spybot Search and Destroy. It found a number of processes etc and I understand these may not necessarily be malware. To my untrained eye, there is one item that seems a bit odd.
File: "Invisible to Win32", "C:\Boott! s"
I cannot see that file if I browse to C:\
I will attach the complete report.