Author Topic: How to deal (..) [CHECK DAVID LAST QUESTION]  (Read 26289 times)

Pierolle

  • Guest
How to deal (..) [CHECK DAVID LAST QUESTION]
« on: September 30, 2008, 01:17:50 PM »
Hello,

well avast! just detected a virus/trojan. But after I've moved the virus to the chest, what should I
do next? Sure I could let it be there to make sure windows/my programs are still working as they
should. But then what? Should I keep it in the chest or delete it?
Thanks.
« Last Edit: November 17, 2008, 09:07:05 PM by Pierolle »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86659
  • No support PMs thanks
Re: How to deal with a virus?
« Reply #1 on: September 30, 2008, 03:11:43 PM »
We thrive on information and with the lack of it we are guessing.
I take it that you aren't using the server version of avast?

What Operating System are you using ?

What is the malware name, the infected file name, where was it found e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

You have done the right thing, 'first do no harm' don't delete, send virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
« Last Edit: September 30, 2008, 03:13:28 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Pierolle

Re: How to deal with a virus?
« Reply #2 on: October 01, 2008, 10:28:18 PM »
Hi,

the name is Ravenhearst.exe. It can be found in a map which I got with my new computer (Acer GameZone).
And that's a bit strange, I mean, why would Acer put a virus in their own program? Anyway,
it says that it's a Win32: Trojan. Anyway, if the file isn't in the system files, I can just have it in the chest for
some time and then scan again - delete?

(Whole address; C:\Program Files\Acer GameZone\MCF Rave...) <- and that's the whole address I can find, and yes, avast! also shows three dots at the end.
Thanks!

BTW, how do I rescan in the chest? Just press the scan button when you open the virus chest?
« Last Edit: October 01, 2008, 10:30:24 PM by Pierolle »

Online DavidR

Re: How to deal with a virus?
« Reply #3 on: October 01, 2008, 11:30:15 PM »
That is the reason why we ask about the file, location and malware name as I think that it is win32:Trojan-gen

The three ... dots signify that there is more info (concatenated); you can expand the column width by left click and hold whilst dragging the mouse pointer to the right (this works in most Windows applications with columns).

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected. So you should confirm the detection, see below.

When you open the chest, Infected Files section, highlight the file, right click on it and select scan.

- The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
- The User Files section is where the user can add files they suspect of being malware but not detected by avast.
- The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).


####
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
####

Pierolle

Re: How to deal with a virus?
« Reply #4 on: October 06, 2008, 05:49:36 PM »
O.O

Heh, alright. But anyway, I don't really care so much about that file since I don't play it. So to make
it simple, if I rescan it and it's still a Virus (And as I said, if I don't care about the file), I can delete it?

Online DavidR

Re: How to deal with a virus?
« Reply #5 on: October 06, 2008, 06:26:40 PM »
It isn't so much if you care as you don't use it, but submitting it to virustotal to confirm or deny the validity of the detection. Sending it to avast to correct the detection for all other users of avast who might just have this file as well if it is a false positive.

Pierolle

Re: How to deal with a virus?
« Reply #6 on: October 06, 2008, 07:16:16 PM »
Can't I just in someway send it to Avast! and let them check it? xD

Online DavidR

Re: How to deal with a virus?
« Reply #7 on: October 06, 2008, 07:48:16 PM »
The point is if it isn't a false positive there is no point in sending it.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: How to deal with a virus?
« Reply #8 on: October 06, 2008, 10:14:45 PM »
"Can't I just in someway send it to Avast! and let them check it? xD"
Yes you can... but like David said if it is not a false, i.e., if it is really infected, well, sending will not help you, you need to get rid of the file. As we don't know (you need to submit the file to virustotal and give us more info), the safer now will be moving the file to Chest and test it within there (right clicking it).
The best things in life are free.

Pierolle

Re: How to deal with a virus?
« Reply #9 on: October 06, 2008, 11:10:04 PM »
Okay.

So first, I have tested the file once again in the chest and still avast! says it's a virus. So here is what I should do;

Go to Virus Total and check the file, if it's a virus, delete. If it's not, send it to avast(!)?

To David, but if I move/copy the file to another map to check it on VirusTotal, then I'm "releasing it"? And the pic you had in your second post I believe, was that from VirusTotal or what?
And can't I just create the folder on the desktop?
« Last Edit: October 06, 2008, 11:11:40 PM by Pierolle »

Online DavidR

Re: How to deal with a virus?
« Reply #10 on: October 07, 2008, 12:17:43 AM »
You would be taking a copy, Extract (as opposed to Restore, which sends it to the original location) to a temporary location (the c:\suspect folder I suggested creating and excluding) where it can be uploaded to virustotal without avast alerting again.

Whilst outside the chest in a different location to the original location presents virtually no risk as nothing knows it is there and there is no command to run it from that location, it is effectively inert.

The image isn't of virustotal but showing how to expand the column width so you can see the full text.

Using windows explorer it is easier to create a folder in the C:\ folder than to create one on the desktop. It also makes it easier to upload the file to virus total as when you click browse (in VT) to indicate where the file is located on your HDD it will be much easier to find the c:\suspect folder where the file is than find the desktop and any folder on that, it is buried. Just try and find your desktop folder in windows explorer.

Believe me when I give you a suggestion I'm trying to give the easiest option. You can also believe me that I'm not going to suggest doing something that is harmful to your system (certainly not without full notification), like Extracting a file from the chest, that is absolutely necessary as you can't upload the file in the chest it is a protected area.

Offline Lisandro

Re: How to deal with a virus?
« Reply #11 on: October 07, 2008, 03:31:37 AM »
"Go to Virus Total and check the file, if it's a virus, delete. If it's not, send it to avast(!)?"
You can send the file to virus@avast.com in any case...
You can zip and password the files... Inform a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

Maybe it will be good to add in the email body a link to this thread.

Pierolle

Re: How to deal with a virus?
« Reply #12 on: October 07, 2008, 04:52:00 PM »
David,

sure I believe you. But I rather ask some stupid questions than doing something wrong. I'm not that of a pro. :p
Anyway. So I'll do exactly as you've posted. I'll let you know how it went! (It'll take some minutes I believe!)

Pierolle

Re: How to deal with a virus?
« Reply #13 on: October 07, 2008, 05:01:30 PM »
By the way, I can delete the extracted file yes? <- Nevermind, I had avast! take the file in again by detecting it



[Edit:]

It's done. It got 5/36, so some programs took it as a virus. Delete? :)
« Last Edit: October 07, 2008, 05:10:36 PM by Pierolle »

Online DavidR

Re: How to deal with a virus? [CHECK DAVID]
« Reply #14 on: October 07, 2008, 07:06:21 PM »
Personally I would leave the extracted files alone until we have completed the whole process.

If you can either copy and paste the results or copy and paste the URL in the address bar of the VT results page.

This information, e.g. what other scanners detected it and what they called the detections, helps us greatly.