Author Topic: File in virus chest  (Read 3908 times)


quebec400

  • Guest
File in virus chest
« on: July 12, 2008, 03:32:43 PM »

Avast has detected a trojan, so I moved it to the virus chest, but the file is still showing under C:\windows\system32...

Is this normal?  This scares me because I ran the file through Virus Total and there are 2 other virus programs that identify the file as being a trojan.  The file is called autochk.exe

Also, I did a restore file (in virus chest) to see if it would do anything (my intention was to rescan it and put it back in the virus chest), but the file does not move out of the virus chest...

Can someone help me?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 87660
  • No support PMs thanks
Re: File in virus chest
« Reply #1 on: July 12, 2008, 03:51:03 PM »
1. It isn't normal to see it in the original location after it has been successfully sent to the chest.

How long after detection and moving to the chest did you check (as it could well have been regenerated by another element of the infection)?

2. It isn't wise to restore an infected/suspect file, as that puts it back in the original location, making it active again. Use the extract file option; this allows you to select a temporary location, not the original, and is safer.

What file is it that you were wanting to scan again, and what section of the chest was it in?

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

3. A copy will remain in the chest; that is normal, as a) it allows you to scan it within the chest, b) if you are restoring a file from the chest you want to ensure it has been successfully moved before deleting the 'only' copy.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.4.6062 (build 23.4.8118.762) UI 1.0.762/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67203
Re: File in virus chest
« Reply #2 on: July 12, 2008, 04:05:32 PM »
No. The file is replicating...
I suggest:

1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

quebec400

  • Guest
Re: File in virus chest
« Reply #3 on: July 12, 2008, 06:53:59 PM »
This is the result from Virus Total

I will try to follow Tech advice and get back to you with the result

Thanks a lot

Antivirus          Version          Last Update  Result
AhnLab-V3          2008.7.11.0      2008.07.11   Win-Trojan/Xema.variant
AntiVir            7.8.0.64         2008.07.11   -
Authentium         5.1.0.4          2008.07.11   -
Avast              4.8.1195.0       2008.07.12   -
AVG                7.5.0.516        2008.07.12   -
BitDefender        7.2              2008.07.12   -
CAT-QuickHeal      9.50             2008.07.11   -
ClamAV             0.93.1           2008.07.11   -
DrWeb              4.44.0.09170     2008.07.12   -
eSafe              7.0.17.0         2008.07.10   -
eTrust-Vet         31.6.5949        2008.07.12   -
Ewido              4.0              2008.07.12   -
F-Prot             4.4.4.56         2008.07.11   -
F-Secure           7.60.13501.0     2008.07.12   -
Fortinet           3.14.0.0         2008.07.12   -
GData              2.0.7306.1023    2008.07.12   -
Ikarus             T3.1.1.26.0      2008.07.12   Trojan.NtRootKit.270
Kaspersky          7.0.0.125        2008.07.12   -
McAfee             5337             2008.07.11   -
Microsoft          1.3704           2008.07.12   -
NOD32v2            3263             2008.07.11   -
Norman             5.80.02          2008.07.11   -
Panda              9.0.0.4          2008.07.12   -
Prevx1             V2               2008.07.12   -
Rising             20.52.52.00      2008.07.12   -
Sophos             4.31.0           2008.07.12   -
Sunbelt            3.1.1536.1       2008.07.12   -
Symantec           10               2008.07.12   -
TheHacker          6.2.96.376       2008.07.10   -
TrendMicro         8.700.0.1004     2008.07.11   -
VBA32              3.12.6.9         2008.07.12   Trojan.NtRootKit.270
VirusBuster        4.5.11.0         2008.07.12   -
Webwasher-Gateway  6.6.2            2008.07.11   -

VirusTotal result: http://www.virustotal.com/analisis/0b79460eb08db5c3ee9f148840f3f0e8
Additional information
File size: 642560 bytes
MD5...: 7f6b041e60fe153e7584aeb9d708570c
SHA1..: e1af10fe8e95d8a932ce04b1fb6f1230b6a98c4e
SHA256: e5c5fd8402996d42fcdbf9e57cfb60f95c52c663c8d9aff7fcb4e5b479104cfb
SHA512: 53e4e35bf9564171a76fdcbb2e66ca2cd827fa10a2fdb329268737371f2e97a36bea09b9db209c55367120d69e9561e069f0346ec95504eb3f96e3c5834a22d8
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4016ce
timedatestamp.....: 0x46130dca (Wed Apr 04 02:30:34 2007)
machinetype.......: 0x14c (I386)
( 4 sections )
name    viradd  virsiz  rawdsiz  ntrpy  md5
.text   0x1000  0x9ce   0xa00    6.08   f189542e08c559931787766ce6450847
.cdata  0x2000  0x4400  0x4400   6.00   69746fe74257d029d538c3b8429ea0f4
.mdata  0x7000  0x300   0x400    1.94   aadc0c535edf312205c3a2153c4a3283
.reloc  0x8000  0x60    0x200    1.51   737c7c8641e2692a26d3adfc985b4135
( 1 imports )
> ntdll.dll: NtCreateKey, NtOpenProcessToken, NtCreateFile, NtClose,
NtAdjustPrivilegesToken, NtDeleteFile, NtWriteFile, RtlInitUnicodeString,
NtSetSecurityObject, NtTerminateProcess, NtSetValueKey,
NtQuerySecurityObject, NtReadFile, RtlQueryEnvironmentVariable_U,
NtQueryInformationToken, RtlUnwind, wcscpy
( 0 exports )
packers (F-Prot): embedded
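
The per-section table in the PEInfo block above (name, virtual address, virtual size, raw size, entropy) is something you can reproduce yourself when triaging a quarantined file. The parser below is added here as an illustration; it is not code from the thread, from avast or from VirusTotal. It walks the PE section table with only the standard library and runs on a constructed two-section image (`build_sample_image` is my own sample, not the poster's autochk.exe). Entropy near 8 bits per byte in a section is the usual hint of packed or encrypted content; values near 0 mean mostly constant bytes.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes) -> list:
    """Walk the section table; return (name, viradd, virsiz, rawdsiz, ntrpy) tuples."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]   # file offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp, PtrSymTab,
    # NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                           # section headers follow
    rows = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        rows.append((name.rstrip(b"\0").decode(), vaddr, vsize, rawsize,
                     round(shannon_entropy(raw), 2)))
    return rows

def build_sample_image() -> bytes:
    """Constructed two-section PE used as sample input (not the thread's autochk.exe)."""
    text = bytes(range(256))                 # every byte value once -> entropy 8.0
    data = b"\0" * 512                       # constant bytes -> entropy 0.0
    hdr_end = 0x40 + 4 + 20 + 2 * 40         # DOS header + signature + COFF + 2 section headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # I386, 2 sections, no optional header
    sec = "<8sIIIIIIHHI"                     # 40-byte IMAGE_SECTION_HEADER
    s1 = struct.pack(sec, b".text", len(text), 0x1000, len(text), hdr_end, 0, 0, 0, 0, 0x60000020)
    s2 = struct.pack(sec, b".mdata", len(data), 0x2000, len(data), hdr_end + len(text), 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + s1 + s2 + text + data

if __name__ == "__main__":
    print(f"{'name':8} {'viradd':>8} {'virsiz':>8} {'rawdsiz':>8} {'ntrpy':>6}")
    for name, vaddr, vsize, rawsize, ent in pe_sections(build_sample_image()):
        print(f"{name:8} {vaddr:#8x} {vsize:#8x} {rawsize:#8x} {ent:6.2f}")
```

To run it against a real file extracted from the chest, replace `build_sample_image()` with the bytes read from the extracted copy; the sample image exists only so the block runs offline.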

wyrmrider

  • Guest
Re: File in virus chest
« Reply #4 on: July 12, 2008, 07:00:47 PM »
autochk.exe MAY be a Microsoft system file
http://support.microsoft.com/kb/831426

when it is in its CORRECT LOCATION and Properties check out,
and a TROJAN if elsewhere, or even in the correct location.
Be Very Very Careful and take the actions in the previous thread.
You might do a search and post the location of the file, and then right click and look at Properties.
It is not unusual for baddies to use MS file names:
take a filename that is not Critical and replace the code with malicious code which runs when the MS file is called for.
Does autochk show up in your start page? Programs that run automatically at boot up?

I just saw your Virus Total results.
I'd leave this one in the vault for a while as it is not a critical system file,
and submit the code to AVAST for analysis.
You could also follow the advice and run an antispyware scan as shown above.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67203
Re: File in virus chest
« Reply #5 on: July 12, 2008, 07:46:11 PM »
Seems another false positive... I can't believe ::)
The best things in life are free.

quebec400

  • Guest
Re: File in virus chest
« Reply #6 on: July 12, 2008, 10:20:26 PM »
You are right, it probably is a FP

DrWeb CureIt did not detect it, and neither did my already installed programs (AdAware, Spybot, ThreatFire). Avast Bootscan does not detect it anymore either.

This file was detected a while ago by Avast (over a month ago) and was then moved to the Chest. I was just wondering what to do with it: move it back to its original location or leave it as is in the Virus Chest. This is when I found out it was still showing under C:\windows\system32.....

I will leave it as is for now.  My computer works just fine.....

Thanks a lot for your help. It was very much appreciated.

wyrmrider

  • Guest
Re: File in virus chest
« Reply #7 on: July 13, 2008, 01:19:26 AM »
Sure could be a FP, but with that file you would think everyone would have hit it.
Did you submit it as a FP?