Renamed worm/virus and can't find it?

[mm6chic]

I ran a scan recently and instead of moving the worm to the chest, I accidentally hit move/rename instead.  How do I figure out where this file went to (where it defaulted to) and how do I delete it off my computer? 

I ran a boot-scan after this and it came back clean.  I'm sure I still have that worm on my computer somewhere.....can anybody give me any advice??  Thanks.

[DavidR]

This is the location of files moved, C:\Program Files\Alwil Software\Avast4\DATA\moved. If it is in there it should effectively have been removed, you could move it back to its original location (if you know where that is) and let avast detect it again and this time send it to the chest.

What makes you sure you still have this on your system ?

[mm6chic]

Well I went to the Moved folder and nothing is there...I guess my question is, if I told it to rename and move the file and it's not in that folder, is it still a threat to me?

I believe the file name is FPUPDATEAX.EXE-1BCF6D6E.pf.  It was something that appeared to come from Macromedia Flash Player, most likely from MySpace.

I have an empty folder named fpupdateax and then I have this above mentioned file.  The virus/worm detected definitely had the letters FPUP in it and these are the only files/programs with those letters in the name.  Should I move it somewhere?  Right now it's just in my Program Files....

[Lisandro]

Well I went to the Moved folder and nothing is there...I guess my question is, if I told it to rename and move the file and it's not in that folder, is it still a threat to me?

Maybe...
Did you fully scan with avast and another antitrojan (like ewido)?

Should I move it somewhere?  Right now it's just in my Program Files....

Open avast chest and add it there then, if you don't need the file, delete it and clean the recycle bin.

C:\Program Files\Alwil Software\Avast4\ashChest.exe is the avast quarentine.

[DavidR]

I believe the file name is FPUPDATEAX.EXE-1BCF6D6E.pf

If this file name is correct it could be a pre-fetch file to speed loading of programs and if deleted will be replaced by the pre-fetch function later, assuming it was in the C:\WINDOWS\Prefetch folder, check the avast Log Viewer, warning section for more details on the detection. If it wasn't in the pre-fetch folder this would make that .pf file more suspicious (to me). Please let us know what information is contained in the Log Viewer about this detection (virus name, original location, etc.) ?

The first part of the file name, FPUPDATEAX.EXE does appear to be related to Macromedia Flash, a google search only brings up a 5 hits for this all need translating, but this would appear to be the location:

c:\Documents and Settings\YourUserName\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

Now this file may then have a file in the c:\windows\prefetch folder to speed its loading and that would probably be FPUPDATEAX.EXE-1BCF6D6E.pf.

Why the prefetch file should be detected is strange as I don't believe it contains the original file, just hard disk locations to make it load faster. If it did contain the original file then in theory the original file should also have been detected as infected, very strange.

[mm6chic]

OK, this is what the log viewer says about this virus:

7/23/2006 11:30:20 PM   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe" file.  I accidentally hit Move and Rename and then it scanned some more and came up with....

7/24/2006 11:22:03 AM   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\Alwil Software\Avast4\DATA\moved\fpupdateax.exe.vir" file. 

Since the file name changed to .vir and I actually deleted that file, does this mean that I am now virus free?  I can still find the original files.  I found the empty folder in the same place - application data\macromedia\flashplayer etc.... but I found the .exe file in C:/WINDOWS/PreFetch??  I moved them into the Avast Moved folder for now - is that OK?

[Lisandro]

Since the file name changed to .vir and I actually deleted that file, does this mean that I am now virus free?  I can still find the original files.

No, you're not clean if you have the original files...

but I found the .exe file in C:/WINDOWS/PreFetch??  I moved them into the Avast Moved folder for now - is that OK?

No...
The moved folder is not safe. You need to move the files to Chest (Quarentine of avast).

I suggest you run a full avast scanning and, after, a boot time scanning with avast, moving the infected files to Chest 

[mm6chic]

It's me again.  I ran a full scan and a boot time scan with this file being in the chest folder (not the ashChest).  Both scans came back without a virus.  So, maybe it did delete the virus, but I still have the original .exe file??  Should I delete the file from the chest folder and delete my recycle bin?  Or should I move it to the ashChest?  (I tried doing that but it still left a copy of the file in the chest folder as well, so I deleted it from the ashChest).  Thank you for your help.....

[mm6chic]

I also did a full scan and a boot time  scan with  the .exe file moved into the ashChest (although a copy of it still remained in the chest folder too) and it came back with no viruses.

I also installed and ran ewido and that virus didn't show up.