Author Topic: What to do with Viruses??  (Read 11582 times)


Offline Pelikan

  • Newbie
  • *
  • Posts: 13
What to do with Viruses??
« on: October 20, 2007, 03:29:37 PM »
Hi. After scanning my PC with Avast Home Edition 4.7 it discovered more than 1700 infected files..! Now, I moved part of them to the Chest and others are still in the "move/rename" folder. I couldn't find any "virus healing" option in the Avast interface; it only suggests deleting or moving the file to the Chest. Is it possible somehow to heal infected files without deleting them? (VRDB is already created as I understand, but it's not clear where it keeps these backups and how to restore them..?) I wouldn't like to delete many of those files that contain useful texts (in Word .doc or HTML formats). Also, copying their contents into text format in Notepad is quite bothersome work...
It also showed some system files as infected, which it moved to the Chest (Kernel32.dll, winsock.dll, wsock32.dll, - C:\windows\system32). What to do with them?
My Windows XP works well and I liked how Avast found so many viruses. Your kind advice on this problem would be much appreciated.
 
Thanks.

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: What to do with Viruses??
« Reply #1 on: October 20, 2007, 04:00:21 PM »
Hard to say anything, 'cause we don't know what type of malware is so widespread on your PC... Can you tell us more, or pack the scan results and post them here as an attachment?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: What to do with Viruses??
« Reply #2 on: October 20, 2007, 04:19:24 PM »
VRDB is already created as I understand, but it's not clear where it keeps these backups and how to restore them..?
avast manages the VRDB itself. Only some executable files could be restored (cleaned). It's not a backup feature, rather a feature to recover some executable files from some infections.

It also showed some system files as infected, which it moved to the Chest (Kernel32.dll, winsock.dll, wsock32.dll, - C:\windows\system32). What to do with them?
If they are in the 'System' folder of the Chest, they're there for backup purposes.
If they are in the 'Infected' folder, you can leave them in the Chest, without harm, for further analysis.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83751
  • No support PMs thanks
Re: What to do with Viruses??
« Reply #3 on: October 20, 2007, 05:02:00 PM »
The VRDB only protects certain files, .exe, etc. it doesn't protect data files or all files, it is not a back-up program, so there are going to be many occasions where repair won't be an option.

Only true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it, provided that file is one that avast's VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.

However, for the most part so called viruses, trojans (adware/spyware/malware, etc.) can't be repaired because the complete content of the file is malicious.

Trojans generally can't be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can't do any harm and you can investigate the infected warning.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline tsilo

  • Full Member
  • ***
  • Posts: 131
  • I'm a llama!
Re: What to do with Viruses??
« Reply #4 on: October 20, 2007, 05:48:36 PM »
Wow, 1700 infected files???
It would be good to format your PC, reinstall Windows and install Avast! on the clean computer ... not because Avast! can't clean your system, but because your system will not work well.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: What to do with Viruses??
« Reply #5 on: October 20, 2007, 06:15:05 PM »
I'd hold off on the reformatting. Without knowing what the files and detections are, that sounds pretty drastic.

There are false positives to take into account also.

Pelikan, you should take a few samples from a group of files with, say, the .doc extension and submit them to http://www.virustotal.com. It's an online multiscanner. You would have to move them out of the chest to a temporary folder before submitting. Post back the results of the scans.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83751
  • No support PMs thanks
Re: What to do with Viruses??
« Reply #6 on: October 20, 2007, 06:26:20 PM »
Absolutely agree a suggestion of a reformat based on insufficient information is too soon in the game.

Whilst 1700 infected files found is a bad situation indicating a possibly seriously compromised system. It is possible that there is/was a trojan downloader, backdoor or hidden elements, but that we have to find out.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: What to do with Viruses??
« Reply #7 on: October 20, 2007, 06:40:45 PM »
Sometimes, just one or two infections could be due to such a high number of infected files.
Without further information (name of virus, name and path of the infected files or some of them, etc.) it is difficult to judge.

Offline Pelikan

  • Newbie
  • *
  • Posts: 13
Re: What to do with Viruses??
« Reply #8 on: October 21, 2007, 10:50:33 AM »
Hard to say anything, 'cause we don't know what type of malware is so widespread on your PC... Can you tell us more, or pack the scan results and post them here as an attachment?

Thank you for this advice. Thanks to other members too for their insights. Will make a decision after carefully weighing all cons and pros.
Generally, the viruses it shows in the list are these:

1) Win32:Adware-gen[Adw] (found in sinstaller2.exe)
2) Win32:VB-EQB[trj] (found in all other files (most of them Html, Doc))
As for system files like kernel32.dll and winsock.dll, it moved them to the chest but doesn't show the definition of the virus.

Looking forward to your comments, thanks a lot.
P.S. Does it help if, after eventually deciding to format the C:\ disk and reinstalling Windows, to additionally double-scan the system with two alternative antiviruses, say Avast and KAV (Kaspersky AV)? I couldn't activate a "healing" or "recovering" option in Avast Home edition. Does the Avast.Pro have it?
« Last Edit: October 21, 2007, 01:51:11 PM by Pelikan »

Offline Pelikan

  • Newbie
  • *
  • Posts: 13
Re: What to do with Viruses??
« Reply #9 on: October 21, 2007, 02:46:38 PM »
I'd hold off on the reformatting. Without knowing what the files and detections are, that sounds pretty drastic.

There are false positives to take into account also.

Pelikan, you should take a few samples from a group of files with, say, the .doc extension and submit them to http://www.virustotal.com. It's an online multiscanner. You would have to move them out of the chest to a temporary folder before submitting. Post back the results of the scans.
Hi, sending a copy of the Virustotal scan result of some of my files. It's in *txt format, but if opened in *Doc the actual page of Virustotal scan results can be seen. It found a lot of virus names.... :-\

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83751
  • No support PMs thanks
Re: What to do with Viruses??
« Reply #10 on: October 21, 2007, 02:55:20 PM »
The System Files section of the chest contains copies of important system files, they are not infected, they are placed there by avast as a back-up copy in case the original became infected. Only avast can use these files.

I would imagine most of these .html files were found in the temporary internet files folder ?
If so these aren't such a problem and I would suggest you completely clear your Temporary Internet Files.

The .doc files are more of a concern if they are your own .doc files that are infected ?
If I'm reading the malware name right this is a Visual Basic (VB) trojan, I don't know how macros work in word if they are able to run VB from within the .doc file.

So I would appreciate some input from Maxx_original. Also since the majority of trojans aren't infecters but completely malicious content, is this an exception that infects .doc files ?

@ Pelikan
Your attachment isn't a txt file but garbled, just copy and paste the contents of the screen into the post.

If the nuclear option is chosen and we aren't there yet, if you start from scratch, having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
« Last Edit: October 21, 2007, 02:58:30 PM by DavidR »

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: What to do with Viruses??
« Reply #11 on: October 21, 2007, 04:13:42 PM »
pelikan: can you send some files from your chest to our virus lab? we can validate the VB virus detection..

Offline Pelikan

  • Newbie
  • *
  • Posts: 13
Re: What to do with Viruses??
« Reply #12 on: October 22, 2007, 06:17:40 AM »
pelikan: can you send some files from your chest to our virus lab? we can validate the VB virus detection..

Hi, I can only extract from the virus chest and send by yahoo.mail attachment, because I don't use a resident email program (IMAP or SMTP) on my PC. To which email address can I send them?

Thanks.

Offline Pelikan

  • Newbie
  • *
  • Posts: 13
Re: What to do with Viruses??
« Reply #13 on: October 22, 2007, 06:26:43 AM »
The System Files section of the chest contains copies of important system files, they are not infected, they are placed there by avast as a back-up copy in case the original became infected. Only avast can use these files.
I understand, thanks for the clarification.

I would imagine most of these .html files were found in the temporary internet files folder ? If so these aren't such a problem and I would suggest you completely clear your Temporary Internet Files.
No, unfortunately, those were mostly books and articles in Html format which I downloaded before from online libraries..

The .doc files are more of a concern if they are your own .doc files that are infected ?
If I'm reading the malware name right this is a Visual Basic (VB) trojan, I don't know how macros work in word if they are able to run VB from within the .doc file.
So I will wait till it clears up with viruses, if ALWIL lab can feedback on them and then make a decision on reformatting or re-cleaning the whole system.


@ Pelikan
Your attachment isn't a txt file but garbled, just copy and paste the contents of the screen into the post.
I see, will try to do this.

If the nuclear option is chosen and we aren't there yet, if you start from scratch, having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
Ok, got it.
Thanks.

Offline Pelikan

  • Newbie
  • *
  • Posts: 13
Re: What to do with Viruses??
« Reply #14 on: October 22, 2007, 06:32:31 AM »

@ Pelikan
Your attachment isn't a txt file but garbled, just copy and paste the contents of the screen into the post.


File infected_files.rar received on 10.21.2007 14:17:26 (CET)
Current status:   waiting     
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.10.20.0   2007.10.19   -
AntiVir   7.6.0.27   2007.10.20   HTML/Dldr.Agent.bp
Authentium   4.93.8   2007.10.20   HTML/IFrame
Avast   4.7.1051.0   2007.10.21   Win32:VB-EQB
AVG   7.5.0.488   2007.10.20   -
BitDefender   7.2   2007.10.21   Trojan.Clicker.HTML.IFrame.AC
CAT-QuickHeal   9.00   2007.10.20   HTML/Agent.CP
ClamAV   0.91.2   2007.10.20   HTML.Iframe-6
DrWeb   4.44.0.09170   2007.10.21   -
eSafe   7.0.15.0   2007.10.15   JS.Agent.bs
eTrust-Vet   31.2.5225   2007.10.20   -
Ewido   4.0   2007.10.21   Adware.Comet
FileAdvisor   1   2007.10.21   -
Fortinet   3.11.0.0   2007.10.19   Adware/Comet
F-Prot   4.3.2.48   2007.10.20   HTML/IFrame
F-Secure   6.70.13030.0   2007.10.21   HTML/IFrame
Ikarus   T3.1.1.12   2007.10.21   Trojan-Downloader.HTML.Agent.bp
Kaspersky   7.0.0.125   2007.10.21   Trojan-Downloader.HTML.Agent.cp
McAfee   5145   2007.10.19   potentially unwanted program Adware-Cometsys
Microsoft   1.2908   2007.10.21   Exploit:HTML/IframeRef.gen
NOD32v2   2604   2007.10.19   HTML/TrojanDownloader.Agent.BP
Norman   5.80.02   2007.10.19   -
Panda   9.0.0.4   2007.10.21   W32/Radoppan.AI
Prevx1   V2   2007.10.21   ADWARE.COMET.C.1.A
Rising   19.45.62.00   2007.10.21   Trojan.DL.Delf.xuh
Sophos   4.22.0   2007.10.21   Troj/Fujif-Gen
Sunbelt   2.2.907.0   2007.10.20   -
Symantec   10   2007.10.21   Trojan.Dowiex!inf
TheHacker   6.2.9.103   2007.10.21   -
VBA32   3.12.2.4   2007.10.19   AdWare.Win32.Comet.ac
VirusBuster   4.3.26:9   2007.10.20   -
Additional information
File size: 159939 bytes
MD5: 76c41f254e8a8efa72dac75fed58cf1d
SHA1: 478fb0803f2f757b1f3115d7b4c4db6f7b0dcfa1
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=A9D9E1B29F540BB88E23008178754900023F604E
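
An added example, not part of the original thread: one way to read a multiscanner report like the one pasted above is to count how many engines flag the upload and group the detection names, which helps separate a lone false positive from broad agreement. The rows are copied from the post; the keyword buckets and the `summarize` function are assumptions made for this illustration.

```python
import re
from collections import Counter

# Result rows as pasted in the post above: engine, version, last update, result.
REPORT = """\
AhnLab-V3   2007.10.20.0   2007.10.19   -
AntiVir   7.6.0.27   2007.10.20   HTML/Dldr.Agent.bp
Authentium   4.93.8   2007.10.20   HTML/IFrame
Avast   4.7.1051.0   2007.10.21   Win32:VB-EQB
AVG   7.5.0.488   2007.10.20   -
BitDefender   7.2   2007.10.21   Trojan.Clicker.HTML.IFrame.AC
CAT-QuickHeal   9.00   2007.10.20   HTML/Agent.CP
ClamAV   0.91.2   2007.10.20   HTML.Iframe-6
DrWeb   4.44.0.09170   2007.10.21   -
eSafe   7.0.15.0   2007.10.15   JS.Agent.bs
eTrust-Vet   31.2.5225   2007.10.20   -
Ewido   4.0   2007.10.21   Adware.Comet
FileAdvisor   1   2007.10.21   -
Fortinet   3.11.0.0   2007.10.19   Adware/Comet
F-Prot   4.3.2.48   2007.10.20   HTML/IFrame
F-Secure   6.70.13030.0   2007.10.21   HTML/IFrame
Ikarus   T3.1.1.12   2007.10.21   Trojan-Downloader.HTML.Agent.bp
Kaspersky   7.0.0.125   2007.10.21   Trojan-Downloader.HTML.Agent.cp
McAfee   5145   2007.10.19   potentially unwanted program Adware-Cometsys
Microsoft   1.2908   2007.10.21   Exploit:HTML/IframeRef.gen
NOD32v2   2604   2007.10.19   HTML/TrojanDownloader.Agent.BP
Norman   5.80.02   2007.10.19   -
Panda   9.0.0.4   2007.10.21   W32/Radoppan.AI
Prevx1   V2   2007.10.21   ADWARE.COMET.C.1.A
Rising   19.45.62.00   2007.10.21   Trojan.DL.Delf.xuh
Sophos   4.22.0   2007.10.21   Troj/Fujif-Gen
Sunbelt   2.2.907.0   2007.10.20   -
Symantec   10   2007.10.21   Trojan.Dowiex!inf
TheHacker   6.2.9.103   2007.10.21   -
VBA32   3.12.2.4   2007.10.19   AdWare.Win32.Comet.ac
VirusBuster   4.3.26:9   2007.10.20   -
"""

# Keyword buckets are an assumption made for this example, not a vendor naming standard.
BUCKETS = {"comet adware": r"comet", "html/script": r"html|iframe|js\."}

def summarize(report):
    """Return (engines detecting, engines total, detections per bucket)."""
    rows = [re.split(r"\s{2,}", ln.strip(), maxsplit=3) for ln in report.strip().splitlines()]
    labels = [result for _engine, _version, _updated, result in rows if result != "-"]
    counts = Counter(
        next((name for name, pat in BUCKETS.items() if re.search(pat, lab, re.I)), "other")
        for lab in labels)
    return len(labels), len(rows), dict(counts)
```

For this report `summarize(REPORT)` gives 22 of 31 engines flagging the upload: 12 HTML/script names, 5 Comet adware names and 5 others. The upload was a RAR archive and each engine reports a single name for it, so submitting files one at a time gives a verdict per file.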