Two Topics: "Safe" stuff in Chest & AVG Removal

[DianneGC]

Hello,

Another newbie, here.  It's been a long time since I've added a new program to my system that I have made a Newbie Error.

I downloaded Avast - but I still have AVG Free 7.5.5 installed.  This has been the case for a couple of weeks, I believe.  This morning, I was paying closer attention to the Avast program and allowed it to do a complete scan (thorough? not sure what the verbage was). 

Now when I try to open my Microsoft Money, I get an error message and it does not open.  Following some of the advice that I read, here, I went into the virus vault, and, there is a reference to a Mnyexp file.

So. I've read and read the boards and there seems to be lots of wonderful advice with helpful people, but, I'm REALLY nervous, now.  To say I'm not computer literate would be THE understatement of 2007. So, I just wanted to see if I could find some nice mentor that may be willing to help me out. 

I am willing to turn the corner and DUMP AVG and keep Avast, but, I just want to get everything set up properly without making anymore dumb errors.

Can you tell me what I need to do?  An uninstall of AVG?  If you need log files, I can provide them, but, may end up needing some hand-holding there, too.  I haven't searched that, yet, so, there may be perfectly fine directions on How-to.

Hoping I've made sense and will be looking forward to an answer.

Thanks,
Dianne

[DavidR]

The uninstall of AVG using the windows add remove programs should be fine as AVG seems to be OK using this to remove all elements.

What is the error message you are getting when trying to open Money ?

What is the info you mentioned about Mnyexp in the chest (for it to be in the chest it would have to have been detected as infected) ?

What is the malware name, the infected file name, where was it found e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

[DianneGC]

Thank you very much for your very prompt reply.  This is what I've done so far, based on your information:

• Uninstalled AVG using its uninstall option
  
• Re-ran Avast!

I found how to get to the Warning section, but, didn't really know what I was looking at.  I will try re-opening the Money option in a bit and copy the precise error message.

What do you do when a portion of a file that's needed is infected? Do I have to re-install the program?

Thank you, again, for your assistance. 

[oldman]

I found how to get to the Warning section, but, didn't really know what I was looking at.  I will try re-opening the Money option in a bit and copy the precise error message.

In the right panel will be a list of avast detections, with the file name, path and what avast detected it as. You will have to expand the columns by sliding them sideways at the top, to be able to read the entire message.

What do you do when a portion of a file that's needed is infected? Do I have to re-install the program?

Can you explain further?

[DavidR]

You are looking for the detection information we asked for, the malware name, C:\windows\system32\infected-file-name.xxx that related to the detection about Mnyexp, it helps us to help you.

If you are having trouble, you could extract the information from another source, CD:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log. This is just a text file that you can open with notepad, look for the line that relates to the Mnyexp detection and copy and paste the information here.

avast may be able to 'Repair' files that have been infected by a true virus. If it is possible to try this, then at the time of detection, the Repair button will be active and not Greyed out.

Only true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it, provided that file is one that avast's VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.

The VRDB only protects certain files, .exe, dll and other system files, it doesn't protect data files or all files, it is not a back-up program, so there are going to be many occasions where repair won't be an option.

Trojans generally can't be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can't do any harm and you can investigate the infected warning.

Everything hinges on what the detection was as to what can be done and we don't have that information.

[DianneGC]

Everything hinges on what the detection was as to what can be done and we don't have that information.

 

This is line that I found in the Warnings page:

Sign of "Win32: Agent - MJG [Drp]" has been found in "C:\ProgramFiles\Microsoft Money\System\mnyexpr.exe\[UPX]" file.

Is this what we need?

There are many lines like this in the Warning file.  They relate to several programs that I frequently use, including, Adobe Photoshop, iTunes.  My Warning file shows 5874 lines.     

Also, it appears as though my MS Money is in some circular pattern of trying to reinstall software - and I cannot seem to "OK" or 'X' my way out of it. 

[DavidR]

Yes this is what we needed, if you can post the same information for the others also. Based on the file name, its location and the malware name this might be a false positive detection, which is why sending to the chest and investigate is the best option.

Where the file that is detected is part of a program that you installed and have used previously without being detected by avast, it is possible that the detection isn't correct. There was recently a quite large virus signature update and it may be that this was a false positive detection.

Before you do anything, ensure that you have the latest VPS version, do a manual update and scan the suspect files in the chest first (if they are still detected carry on as below), if they are no longer detected, restore them (right click on the file and select Restore).

Check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner. You can't do this with the file in the chest, you will need to move it out (export to a temporary folder, see below) to be able to upload it. Report the findings of the scan here.

avast will probably alert again, to avoid this create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

[DianneGC]

Thank you. I will proceed on these directions shortly.  Before I do, though, can you translate for me - what is 'VPS'?   ::a little red-in-the-face::

[DianneGC]

   VPS = Virus Protection System, correct?   

Also, what 'setting' do I have the chest in when I do the 2nd scan of the file, and, potentially, the move from chest to C:\Suspect?  Do I remain in the Warnings mode?

Again -- sorry if I'm sounding very anal about this.  I'm just in the middle of three courses and I can't kill my computer now! 

[RejZoR]

VPS means "Virus Pattern Signature(s)"

[DavidR]

There are probably many interpretations but I too say it is Virus Pattern Signatures, though the interpretation isn't important, knowing the meaning is, a file containing virus signatures.

To further add to the confusion, right click the avast 'a' icon, Updating, iAVS is the manual update the iAVS is old and is effectively the same, update the virus signatures.

[DianneGC]

Also, what 'setting' do I have the chest in when I do the 2nd scan of the file, and, potentially, the move from chest to C:\Suspect?  Do I remain in the Warnings mode?

Hello, again.  I tried to use the VirusTotal site and find myself completely confused.      Can someone point me toward some directions, please?

A million Thank Yous.

[DavidR]

On the site, there is a Browse button, when you click that you get a windows explorer style tree structure, navigate to the C:\Suspect folder and select the suspect file and click OK.

There should now be a button called Send, click that to upload the file for scanning.

This is from memory I haven't uploaded a file for a while, but it isn't too complex.