Avast WEBforum

Other => General Topics => Topic started by: djlen on March 01, 2009, 09:46:16 PM

Title: Files In The Chest
Post by: djlen on March 01, 2009, 09:46:16 PM
I just ran my first scan of Avast.   Very pleased with this application BTW.
Anyway, it came up with 3 items (one of which is Catchme exe.) and there is an option "delete".
I think I'm supposed to wait a certain period before deleting any of them, but my question is
if I do hit delete does that completely remove them from the computer?
I read the thread on the chest and never got a definitive answer, at least to me, to that question.

Regards,
Len
Title: Re: Files In The Chest
Post by: DavidR on March 01, 2009, 10:32:52 PM
Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

So I think you can get the idea if avast deletes it, then it is history/gone/deceased/is no more as it doesn't send it to the recycle bin but deletes it.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Title: Re: Files In The Chest
Post by: djlen on March 01, 2009, 11:06:23 PM
Thank you David.   I will wait the appropriate period of time, re-scan and delete where necessary.

Regards,
Len
Title: Re: Files In The Chest
Post by: DavidR on March 01, 2009, 11:15:53 PM
You're welcome.

A friend PM'd me in relation to this and I thought you had given a location for this file name, so my reply to him was incorrect, so I hope to correct that here.

That file name has been used in the past by some security applications (for good) so it would be best to confirm the location it was found and what the malware name avast gave it.

What is the malware name, the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
Title: Re: Files In The Chest
Post by: djlen on March 02, 2009, 01:08:23 AM
This is what I found in the log file:
3/1/2009 1:44:55 PM   Len2   948   Sign of "Other:Malware-gen" has been found in "C:\Documents and Settings\Mary\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\FcPred.class-5d184450-6c28bb44.class" file. 
3/1/2009 2:00:07 PM   Len2   948   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Adobe\Photoshop 7.0\Plug-Ins\Effects\Glowing Edges.8BF" file. 
3/1/2009 2:26:02 PM   Len2   948   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\catchme.exe" file. 

This third one is the one I think you were referring to.  But if you can tell me if the others should be deleted I'd appreciate it.

Regards,
Len
Title: Re: Files In The Chest
Post by: DavidR on March 02, 2009, 01:25:06 AM
The first detection is related to JAVA and it is likely to be because you haven't got the latest version of JAVA, vulnerabilities being exploited.

Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 12 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

The second I think needs more analysis, see below.

The third and the one I was also interested in is often associated with an anti-rootkit scanner called GMER or a tool called combofix, but I don't believe they would be located in that folder. Can you recall ever using GMER anti-rootkit or Combofix ?

A google search for the file name and location, http://www.google.com/search?q=C%3A\WINDOWS\catchme.exe, returns some hits that tend to indicate it being associated with a trojan so the detection looks good, though you could also check that out with virustotal and report the findings if you wish.

####
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here the URL in the Address bar of the VT results page.
You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
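The triage DavidR walks through above (read the Log Viewer warnings, note the signature name and the path, and treat a security tool's file name in an unexpected folder as worth a second look) can be done mechanically over the Warning lines. The following is an added example, not code from the forum or from Avast: it parses the avast 4 log line format quoted earlier in the thread (the three lines below are constructed copies of it), classifies where each detected file sits, and flags a known tool file name found outside the tool's own folder. The `KNOWN_TOOL_FILES` table and the location classes are assumptions made for the example, based only on what the thread says about catchme.exe, GMER and ComboFix.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the avast 4 Log Viewer "Warning" format quoted in the thread:
#   <date> <time> <user> <pid> Sign of "<signature>" has been found in "<path>" file.
SAMPLE_LOG = r"""
3/1/2009 1:44:55 PM   Len2   948   Sign of "Other:Malware-gen" has been found in "C:\Documents and Settings\Mary\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\FcPred.class-5d184450-6c28bb44.class" file.
3/1/2009 2:00:07 PM   Len2   948   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Adobe\Photoshop 7.0\Plug-Ins\Effects\Glowing Edges.8BF" file.
3/1/2009 2:26:02 PM   Len2   948   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\catchme.exe" file.
"""

LINE_RE = re.compile(
    r'^(?P<date>\S+)\s+(?P<time>\S+ [AP]M)\s+(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.\s*$'
)

# Assumption for the example: file names the thread says legitimate security
# tools drop, keyed by lower-case name, with the tools that use them.
KNOWN_TOOL_FILES = {"catchme.exe": ("GMER", "ComboFix")}


@dataclass
class Detection:
    when: str
    user: str
    pid: int
    signature: str
    path: PureWindowsPath

    @property
    def location_class(self) -> str:
        """Coarse bucket for the folder the file was found in (example categories)."""
        parts = [p.lower() for p in self.path.parts]
        if "java" in parts and "cache" in parts:
            return "java-cache"
        if "program files" in parts:
            return "program-files"
        if parts[1:2] == ["windows"]:          # directly under C:\WINDOWS
            return "windows-dir"
        return "other"


def parse_log(text: str) -> list:
    """Parse Warning-section lines; lines that do not match the format are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        found.append(Detection(
            when=f"{m['date']} {m['time']}",
            user=m["user"],
            pid=int(m["pid"]),
            signature=m["sig"],
            path=PureWindowsPath(m["path"]),
        ))
    return found


def triage(det: Detection) -> str:
    """Apply the thread's reasoning to one detection and return a short verdict."""
    name = det.path.name.lower()
    loc = det.location_class
    if name in KNOWN_TOOL_FILES and loc != "other":
        tools = " or ".join(KNOWN_TOOL_FILES[name])
        # A tool's file name sitting in the Windows folder rather than with the tool
        # is the case DavidR flags: keep it in the chest and verify before trusting it.
        return f"suspicious: {name} is used by {tools} but was found in {det.path.parent}"
    if loc == "java-cache":
        return "java-cache: stale cached applet; update the JRE and clear the Java cache"
    if loc == "program-files":
        return "needs analysis: leave in the chest, rescan later or check the file at VirusTotal"
    return "unclassified: leave in the chest and investigate"


def triage_report(text: str) -> list:
    """Return (file name, verdict) pairs for every parsed detection."""
    return [(d.path.name, triage(d)) for d in parse_log(text)]


if __name__ == "__main__":
    for name, verdict in triage_report(SAMPLE_LOG):
        print(f"{name}: {verdict}")
```

Run it as is and it reports the three sample detections; point `parse_log` at the text copied out of the Log Viewer to use it on real warnings. Nothing here touches the chest itself: the verdicts only say which items deserve the rescan or the VirusTotal check the thread recommends, and none of them delete anything.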
Title: Re: Files In The Chest
Post by: djlen on March 02, 2009, 03:39:42 AM
I have used ComboFix in the past....quite some time ago


Regards,
Len
Title: Re: Files In The Chest
Post by: DavidR on March 02, 2009, 03:30:10 PM
Well combofix may also use this but I would have thought that a) it would have been located with combofix files, b) that it would be removed on removing combofix.

So I still think the detection is likely to be correct, but as I said you can confirm that via virustotal if you wish.