Two viruses?

[sunsets]

I don’t know if these two are viruses or not.

I bought my computer three weeks ago. It came with Norton’s Internet Security. I uninstalled it using Add/Remove Program.

I use Avast Free 4.8. I get virus definition updates and run scans daily without fail.

Today, it said I had two Win32:Trojan viruses which are located in:

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll\[Embedded#DODGY]

D:\hp\apps\APP04471\src\Setup\Setup.msi\Binary.SymLCSVC.9E3C0E2F_0873_4AD9_995B_D9DAAF9B9E76\[Embedded#XINSTALLDLL]\[Embedded#DODGY]

I was able to move the first one successfully to the virus chest. I was not able to move the second one due to an error.

I did some searching and found the Norton’s Removal Tool. I used that. After running it, I went into Explorer and looked through the files. I found a Symantec folder left over and deleted everything in it plus the folder.

I ran Avast again, and it again found the second virus but not the first.

Any suggestions? If so, can you please explain what I need to do in easy words. When it comes to the above, I’m a novice.

[DavidR]

The first, even if it isn't a virus it shows you have remnants of symantec on your system as the symantec shared folder hasn't been removed.

The second is that in your HP recovery partition ?
I suspect so and I guess symantec was pre-installed. If so I doubt there is much you can do about that one I would have though it is a protected partition (the probable cause of the error). Other than excluding this file from scanning (see false positive link below) D:\hp\apps\APP04471\src\Setup\Setup.msi until it is resolved, I suspect it is more likely to be a false detection.

I don't believe the detections are indicating a cast iron trojan hence the [Embedded#Dodgy] suffix, it may just be the way the installation is packed.

Do you have any Symantec applications installed now ?

You could also check the offending/suspect file (to confirm or deny the detection) at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

[sunsets]

Yes, Norton’s Internet Security 2008 came pre-installed, unfortunately. Can you please tell me how to remove the Symantec shared folder? I don’t have any Symantec products installed. I uninstalled it as soon as I set up my computer.

I have no idea if D:\hp\apps\APP04471\src\Setup\Setup.msi is in my HP recovery partition. I don’t know anything about partitions. It’s not in my chest, so I can‘t do Virus Total. I did run Panda Active Scan, and it didn’t find anything. I tried to run Trend Micro Housecall65, but a file wouldn’t install on my computer.

Before I posted here, I did report the second one using the link at the bottom of the pop up virus warning window.

[CharleyO]

***

Welcome to the forums, sunsets.   

This ...  D:\hp\apps\APP04471\src\Setup\Setup.msi ... is the setup engine HP used to install your version of Windows and other applications on your computer. Read here for more information ...

http://en.wikipedia.org/wiki/Windows_Installer

But, this is the short form of where an apparent problem is located. The full version from your first post is ... D:\hp\apps\APP04471\src\Setup\Setup.msi\Binary.SymLCSVC.9E3C0E2F_0873_4AD9_995B_D9DAAF9B9E76\ ... and from this I am surmising that this was used by HP to install the former Symantec program.

Have you used the appropriate Symantec removal tool for Norton Internet Security 2008? Symantec/Norton is well known for leaving offending files and registry entries behind when uninstalled only through Add/Remove Programs. If not, I would suggest that should be your next step.

*David, please correct me if you think I am wrong.


***

[Lisandro]

Yes, Norton’s Internet Security 2008 came pre-installed, unfortunately. Can you please tell me how to remove the Symantec shared folder? I don’t have any Symantec products installed. I uninstalled it as soon as I set up my computer.

1) Remove through Add/Remove programs from Control Panel. Boot.
2) Use Norton Removal Tool for Windows 2000/XP/Vista. Boot.
3) Install avast! (or repair the installation) and boot.

I have no idea if D:\hp\apps\APP04471\src\Setup\Setup.msi is in my HP recovery partition. I don’t know anything about partitions.

Do you use a disk D: or it is your recover disk (partition)?

It’s not in my chest

Do not delete files directly. Send them to Chest that allow further inverstigation.

so I can‘t do Virus Total

Into Chest, files can't be submitted to virustotal... they're protected and safe by avast.

I did run Panda Active Scan, and it didn’t find anything. I tried to run Trend Micro Housecall65, but a file wouldn’t install on my computer.

Panda lefts things behind and it's not a good on-line scanner. Try:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)

[sunsets]

The following is in response to Tech’s message.

I have Vista Home Premium Service Pack 1.

1. I had already used remove Add/Remove program to uninstall Norton’s Internet Security after I set up my computer.

2. I clicked on the Norton’s Removal Tool link that Tech provided. It is the same one I used yesterday. Does it matter if I right click on the Norton Removal Tool icon, select Properties, click on the Compatibility tab and put a check mark in the box next to Run this program in compatibility mode for and in the pull down menu, there is no listing for Vista. I noticed that today.

3. I already had Avast installed. How do I repair the installation? I looked in the help file, but I couldn’t find it.

Regarding D:\hp\apps\APP04471\src\Setup\Setup.msi and a disk D: or is it a recover disk (partition), I don’t understand. In Windows Explorer, it says Factory Image D:

Regarding it not being in my Chest, I didn’t delete anything. The recommended action was to move it to the Chest, which I tried to do. I received an error message.

Kaspersky didn’t find anything.

I couldn’t use ESET NOD32 because of Administrator Rights.

I tried to use Trendmicro house call again. Like yesterday, I got an error message saying it couldn’t transfer data.

F-Secure didn’t find anything; however, it skipped 22 files. I have a list of the files if you need them.

I couldn’t run BitDefender because of Administrator Rights.

I clicked on Control Panel/User Accounts. It has my name as Administrator.

[Lisandro]

1. I had already used remove Add/Remove program to uninstall Norton’s Internet Security after I set up my computer.

Ok.

2. I clicked on the Norton’s Removal Tool link that Tech provided. It is the same one I used yesterday. Does it matter if I right click on the Norton Removal Tool icon, select Properties, click on the Compatibility tab and put a check mark in the box next to Run this program in compatibility mode for and in the pull down menu, there is no listing for Vista. I noticed that today.

It's Vista compatible, it does not (should not) require compatibility...

3. I already had Avast installed. How do I repair the installation? I looked in the help file, but I couldn’t find it.

Go to Control Panel > Add/Remove programs > avast! antivirus > Remove. Then choose Repair function in the popup window (Repair).

Regarding D:\hp\apps\APP04471\src\Setup\Setup.msi and a disk D: or is it a recover disk (partition), I don’t understand. In Windows Explorer, it says Factory Image D:

Factory image = Recovery partition...

Regarding it not being in my Chest, I didn’t delete anything. The recommended action was to move it to the Chest, which I tried to do. I received an error message.

Good, seems a false positive, maybe you could send the file D:\hp\apps\APP04471\src\Setup\Setup.msi to virus(at)avast(dot)com for analysis.

[jsejtko]

Hello, this false positive is fixed in actual vps 080705-0, please update your avast.

[DavidR]

thanks, this is what I suspected.

[sunsets]

Thank you DavidR, CharleyO, Tech, and jsejtko for you help. 

I updated the definitions and ran the scan. It's been fixed. 

[DavidR]

You're welcome, they are usually quick to correct when it is identified.

[Lisandro]

Thank you DavidR, CharleyO, Tech, and jsejtko for you help.

You're welcome. Feel free to come back any time you need help or just to change experiences

[CharleyO]

***

You are welcome, sunsets. I am happy if I helped in some small way but I am happier that your problem is solved.   


***