Author Topic: Move to chest  (Read 23627 times)


KevinB12

  • Guest
Move to chest
« on: November 01, 2008, 05:14:22 PM »
I scanned my system with the free home use avast 4.8. The scan found a virus and recommended I move it to chest. When I select "move to chest" I receive an error message that the virus chest server is not running and the RPC communication failed. What do I do next?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Move to chest
« Reply #1 on: November 01, 2008, 06:24:37 PM »
How long have you had avast installed?

Have you (or did you have) another AV installed on this system? If so, what was it and how did you get rid of it?
RPC errors can sometimes be caused by having another AV or remnants on your system.

If you have XP, Vista 32-bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

KevinB12

  • Guest
Re: Move to chest
« Reply #2 on: November 02, 2008, 12:41:45 AM »
I installed avast earlier today for the first time to see how it works.  Not knowing how it works and how to use it, I kept my McAfee security suite enabled.

I did eventually get to move the two viruses to the chest. How do I know if they are truly viruses?

Thanks.

Offline DavidR

Re: Move to chest
« Reply #3 on: November 02, 2008, 01:37:14 AM »
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Welcome to the forums.

KevinB12

  • Guest
Re: Move to chest
« Reply #4 on: November 02, 2008, 01:54:27 AM »
C:\windows\trueprocess
C:\systemvolumeinformation\_restore............

Thanks

Offline DavidR

Re: Move to chest
« Reply #5 on: November 02, 2008, 02:11:20 AM »
I will deal with a bit I missed in an earlier post. Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable. This could be the conflict that stopped the file being moved/deleted.

So you need to make a decision as to which AV you are going to have installed and uninstall the other. The problem being the McAfee Suite you may want to keep the firewall element, you would need to uninstall, reboot and do a custom install including only the firewall element.

Re the file names, that doesn't show the actual file name just the folder.
Ignore the C:\System Volume Information\_restore one as that is no relation to the original file name, it is allocated one by system restore when it creates the restore point. It is possible that it is the same as the other one if they were given the same malware detection name...

KevinB12

  • Guest
Re: Move to chest
« Reply #6 on: November 02, 2008, 02:42:37 AM »
Do I need to remove McAfee or can it be disabled?

Will there be a problem if I remove avast, with a potential virus in the chest? 

I am more comfortable with McAfee right now and I know my way around the program. I am concerned about removing it and going with an AV that I don't know how to use right now. Is avast user-friendly for a novice?

YoKenny

  • Guest
Re: Move to chest
« Reply #7 on: November 02, 2008, 07:39:40 AM »
Quote
Do I need to remove McAfee or can it be disabled?
It has to be removed.

Quote
Will there be a problem if I remove avast, with a potential virus in the chest? 

I am more comfortable with McAfee right now and I know my way around the program. I am concerned about removing it and going with an AV that I don't know how to use right now. Is avast user-friendly for a novice?
Try using their forum for support:
http://community.mcafee.com/index.php


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Move to chest
« Reply #8 on: November 02, 2008, 09:30:29 AM »
Quote
Will there be a problem if I remove avast, with a potential virus in the chest?

You should find out more about the file before you remove avast. If the file is in the chest when you remove avast, the file will go also.

This may interest you
http://forum.avast.com/index.php?topic=38856.msg325739#msg325739
« Last Edit: November 02, 2008, 09:53:39 AM by oldman »

KevinB12

  • Guest
Re: Move to chest
« Reply #9 on: November 02, 2008, 12:06:26 PM »
How do I temporarily disable avast so I don't have 2 AVs running while I figure out how to handle the potential virus?

I currently do not have any operating issues, as far as I can tell. I am confused with what I need to do first. Can you help?

Offline DavidR

Re: Move to chest
« Reply #10 on: November 02, 2008, 02:37:42 PM »
Disabling as has been said simply isn't enough, resident scanners operate at low level and load low level virtual device drivers, it is these that can conflict.

Disabling the resident AV doesn't stop these low level drivers from being loaded and that is the problem with multiple resident AVs.

The first thing you should do is confirm the detection at VT as I first said.

Sorry but I beg to differ in your comment "I currently do not have any operating issues, as far as I can tell." The problem that you first posted about not being able to deal with a detection is a classic of AVs locking files and fighting for control and RPC issues as I also mentioned is frequently related to other AVs installed or remnants.

KevinB12

  • Guest
Re: Move to chest
« Reply #11 on: November 02, 2008, 08:58:53 PM »
Quote
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Do I type in C:\suspect\* or C:\suspect\TrueProcess.? I typed in just suspect and I received an avast alarm.

Also when I go to VT and upload the file, the last step in uploading asks me to open the file. Is that what I should do?

Offline DavidR

Re: Move to chest
« Reply #12 on: November 02, 2008, 10:29:22 PM »
Exactly what I said and what you quoted, c:\suspect\* as it said it will exclude any file that you put in there.

Yes you want to open the file (it isn't running it, just uploading it), but you must have the exclusion setup as I said or avast would alert and block the upload.

KevinB12

  • Guest
Re: Move to chest
« Reply #13 on: November 02, 2008, 10:51:16 PM »
Results of upload to VT:

 2008.11.1.0 2008.11.02 -
AntiVir 7.9.0.10 2008.11.02 TR/Small.jhy.5632
Authentium 5.1.0.4 2008.11.02 -
Avast 4.8.1248.0 2008.11.02 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.11.02 -
BitDefender 7.2 2008.11.02 -
CAT-QuickHeal 9.50 2008.11.01 -
ClamAV 0.94.1 2008.11.02 -
DrWeb 4.44.0.09170 2008.11.02 -
eSafe 7.0.17.0 2008.11.02 -
eTrust-Vet 31.6.6185 2008.11.01 -
Ewido 4.0 2008.11.02 -
F-Prot 4.4.4.56 2008.11.02 -
F-Secure 8.0.14332.0 2008.11.02 -
Fortinet 3.117.0.0 2008.10.31 -
GData 19 2008.11.02 Win32:Trojan-gen {Other}
Ikarus T3.1.1.45.0 2008.11.02 Trojan.Small.jhy.5632
K7AntiVirus 7.10.514 2008.11.01 -
Kaspersky 7.0.0.125 2008.11.02 -
McAfee 5422 2008.11.02 -
Microsoft 1.4005 2008.11.02 -
Norman 5.80.02 2008.10.31 -
Panda 9.0.0.4 2008.11.02 -
PCTools 4.4.2.0 2008.11.02 -
Prevx1 V2 2008.11.02 -
Rising 21.01.62.00 2008.11.02 -
SecureWeb-Gateway 6.7.6 2008.11.02 Trojan.Small.jhy.5632
Sophos 4.35.0 2008.11.02 -
Sunbelt 3.1.1767.2 2008.10.31 -
Symantec 10 2008.11.02 -
TheHacker 6.3.1.1.135 2008.10.31 -
TrendMicro 8.700.0.1004 2008.10.31 -
VBA32 3.12.8.9 2008.11.02 -
ViRobot 2008.10.31.1446 2008.10.31 -
VirusBuster 4.5.11.0 2008.11.02 -
Additional information
File size: 5632 bytes
MD5...: 90d33bbd0728ee46a184894bc1576c9b
SHA1..: 980be43c75e9465adaf21613a3a6dc9e58962cf4
SHA256: db922b8adafa97829d1cb6e620b929832e204e1e3fe4b68f2dfc460fa4acd1f2
SHA512: 0b9a56ef2f462f078dfcc5089ae5f625811d66c2f6aa5dead34ec6586d579782cfe7fc8c16fb82ce23c9c70c6fcf5cb1bd3a12fef7534a2fac79e8cdc2334f22
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4017e2
timedatestamp.....: 0x3ed98478 (Sun Jun 01 04:43:36 2003)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x97c 0xa00 6.04 6895717e56e6a8c8796fbb9a3a1d5f0b
.rdata 0x2000 0x37c 0x400 4.42 14149f80fee71a04f6b34d1bebd82a25
.data 0x3000 0x1f4 0x200 2.81 d016170842963e05c88b1dcf62491cd0
.rsrc 0x4000 0x200 0x200 2.72 81ad42278e07fe0536cec00e7199b9cd

( 3 imports )
> MSVCRT.dll: _controlfp, __2@YAPAXI@Z, _except_handler3, __p__commode, __set_app_type, __p__fmode, _initterm, _adjust_fdiv, __setusermatherr, exit, __getmainargs, _acmdln, strtok, _XcptFilter, _exit, __3@YAXPAX@Z
> KERNEL32.dll: GetProcAddress, GetStartupInfoA, GetModuleHandleA, GetExitCodeProcess, lstrcmpiA, WaitForSingleObject, Sleep, CreateFileA, CopyFileA, WriteFile, ReadFile, LoadLibraryA, OpenProcess, FreeLibrary, CloseHandle
> USER32.dll: FindWindowA

( 0 exports )
 
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=90d33bbd0728ee46a184894bc1576c9b

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Move to chest
« Reply #14 on: November 02, 2008, 10:56:17 PM »
KevinB12, I don't think it's a false positive... maybe a good detection of avast (before a lot of others).
Disable is not enough... you'll have bad conflicts between avast and McAfee.
The best things in life are free.