Author Topic: Cyberlink users, please run boot scans  (Read 3360 times)


Offline leftisthominid

  • Sr. Member
  • ****
  • Posts: 211
Cyberlink users, please run boot scans
« on: August 09, 2012, 02:29:01 AM »
Hello, I have Cyberlink Videomagic on my other computer.
On Monday, I did a boot-scan and all was clean. Between then and now I barely used my computer.

Right now I am running a boot scan on that computer and Avast is saying that EffectExtractor.exe and RichVideo.exe are infected by Win32:Evo-gen. I have a strong feeling this is a false positive.

Does anyone else get this problem on boot scan?

Offline leftisthominid

  • Sr. Member
  • ****
  • Posts: 211
Re: Cyberlink users, please run boot scans
« Reply #1 on: August 09, 2012, 03:13:34 AM »
I've posted logs here
http://forum.avast.com/index.php?topic=102878.0

Please, someone smart, please look at them.

I am going to run Microsoft Safety Scanner with my wireless off for another opinion

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88465
  • No support PMs thanks
Re: Cyberlink users, please run boot scans
« Reply #2 on: August 09, 2012, 03:21:11 AM »
Personally before running the other scans and posting the logs I would have sought confirmation on the detections.

You could have checked the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to Open the chest and right click on the file and select 'Extract' it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.10.6086 (build 23.10.8563.800) UI 1.0.784/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
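
An added example, not part of DavidR's post or any Avast tooling: once a detected file has been extracted from the chest into the excluded C:\Suspect folder described above, this PowerShell sketch records each file's SHA-256 and Authenticode signature status, so the hash can be searched on VirusTotal and the signer checked. The function name Get-SuspectFileReport is hypothetical.

```powershell
# Added example: triage files extracted from the Avast chest into C:\Suspect.
# Assumption: the folder path is the one named in the post above.
param(
    [string]$SuspectDir = 'C:\Suspect'
)

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        # SHA-256 identifies the exact file and can be pasted into the VirusTotal search box.
        $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
        # Authenticode status shows whether the file is signed and still matches its signature.
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName

        [pscustomobject]@{
            Name      = $_.Name
            SizeBytes = $_.Length
            SHA256    = $hash.Hash
            SigStatus = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Print one record per extracted file.
Get-SuspectFileReport -Path $SuspectDir | Format-List
```

A SigStatus of Valid with the software vendor as Signer is consistent with a false positive, while HashMismatch means the file no longer matches what was signed.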

Offline leftisthominid

  • Sr. Member
  • ****
  • Posts: 211
Re: Cyberlink users, please run boot scans
« Reply #3 on: August 09, 2012, 03:23:17 AM »
I told Avast to delete the files though, so I can't check them.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5414
  • Spartan Warrior
Re: Cyberlink users, please run boot scans
« Reply #4 on: August 09, 2012, 06:42:58 AM »
I told Avast to delete the files though, so I can't check them.
Once you delete the files, they are gone forever.  What if the program needs those files to run properly, and Avast! later changes the detection to a false positive?  What do you do then?

Always quarantine, never delete.  Qualification:  If, after two weeks in the quarantine folder, they check out to be still malicious, and your program(s) seem to run fine without them, then and only then, delete from the chest.  Quarantine is a protected area in your system where malicious files are kept away in a safe area, and separate from the rest of the operating system.  They cannot do harm whilst in the chest.

Antivirus vendors routinely check Virus Total for new malware, so submitting a new sample will eventually help everyone later down the road.  So if one could do that, it will help everyone.  It is also useful to determine if a file is likely a false positive when scanned at Virus Total if only 1 or 2 vendors detect.

Deleting leaves no options.

EDIT:  Boot scans are run only when Avast! asks.  Normal real-time scanners (File system, Web scanner, Network scanner, etc.,) are more than sufficient to protect my system.  I almost never run a quick, full or boot scan.  There is no need to, unless an alert box pops up.

Continue on with the thread in the virus section, though.  Since the files were deleted....
« Last Edit: August 09, 2012, 06:51:32 AM by mchain »
Windows 10 Home 64-bit 22H2 Avast Premier Security version 23.11.6090 (build 23.11.8635.809)
 UI version 1.0.788.  Windows 11 Pro 22H2 Avast Premier Security version 23.11.6090 (build 23.11.8635.809)

Offline leftisthominid

  • Sr. Member
  • ****
  • Posts: 211
Re: Cyberlink users, please run boot scans
« Reply #5 on: August 09, 2012, 05:33:36 PM »
Ok, I get it, in the future I should quarantine, not delete.

Can someone look at my logs from the other thread (http://forum.avast.com/index.php?topic=102878.0)?

I just want clarification that I am clean. MBAM, another bootscan, and Microsoft Safety Scanner all said I am clean.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5414
  • Spartan Warrior
Re: Cyberlink users, please run boot scans
« Reply #6 on: August 10, 2012, 05:28:27 AM »
@ leftisthominid,

As I am just an Avast! user with a little technical knowledge, I do not think I can honestly offer the distinguished and discerning judgment of a certified malware specialist.  Therefore, I cannot tell you if or when your system is clean.  This is not my place.

You are in good hands with essexboy, and when he says, at the end, your system is clean, it is. 

I can tell you, however, from the aswMBR log you attached, it is showing you are infected with a rootkit;
 
File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk] 11:11:48.316   
File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
(Copied directly from your aswMBR log).


Avast!, according to essexboy in another thread, can detect all versions of Sirefef rootkit.  Some a/v solutions, sadly, cannot yet do so.

So, you are infected, and now at the point where Sirefef can be killed and removed from your system.  Sirefef is a serious infection.

Work with essexboy to get this done.  Let him do his magical wizardry to cleanse your system. 

You are not yet quite there.  Remnants must be removed.  Remnants can come back to haunt you, so....


EDIT:  As leftisthominid has pointed out, I was looking at another post.  My mistake and error.  *sigh*
« Last Edit: August 10, 2012, 05:45:53 AM by mchain »

Offline leftisthominid

  • Sr. Member
  • ****
  • Posts: 211
Re: Cyberlink users, please run boot scans
« Reply #7 on: August 10, 2012, 05:34:15 AM »
mchain, I did not post any aswMBR log, I do not know where you are getting that I have MBR infection. Please make sure you are reading the right person's logs