restore from virus chest

[finsthwaite]

i have recently registered a game called 'bubble shooter golden pack' and have played with no problems. today when i tried to open the game, Avast said it contained a virus so i transferred it to the virus chest. now i can't play the game, i have tried to restore it but it hasn't worked. when i click on the icon on the desktop i get a pop-up saying windows cannot access the specific drive path or file? can anyone help?

[DavidR]

File name and location of the original would be helpful ?

What icon on the desktop ?

Restoration (from where and how ?) is pointless if avast considers it infected it still won't let you run it.

####
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

[finsthwaite]

thanks for your reply, i was trying to restore the file so that i could use it again. i clicked on restore from the virus chest but it didn't work, as when i clicked on the desktop shortcut to Bubble Golden Pack, windows says the path or file is not available?
the file name is C:\Program Files\absolutist.com\Bubble GJolden Pack\bgpack.exe. the malware name is showing as Win32:Trojan-gen (Other), showing as a Virus/Worm, VPS 081114.0, 14/11/2008. i don't really understand how a virus got into this file as i play offline? How can i get rid of the infected part but still keep the game?

[DavidR]

You still don't say How or Where you were trying to restore this file, I ask because there is a specific means of doing this in avast, but a file should not be restored unless confirmed to be a bad detection. You also say it didn't work, why, what errors, etc. ?

If you have mover the file to the chest, the desktop short cut would be pointing at a non-existent file, so that should account for the (location error).

If you do as I suggest and upload the file to virustotal, you will have to jump through some hoops to avoid avast alerting as I have pointed out.

You can't get rid of an infected part as generally trojans can't be repaired as the whole file is malicious. Only true 'virus' infections can't be repaired and the Repair option would be available in the detection if it were.

Also the avast Win32:Trojan-gen is generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected. So I suspect that it may be a false positive, another reason why there is nothing to repair and the chief reason I ask you to confirm the detection (or otherwise) at virustotal.

So please follow the instruction in my first post, believe me it will be quicker in the long run.

[finsthwaite]

thanks David, i have followed your instructions & uploaded the files to VirusTotal & have the results. unfortunately i have no idea what the results mean. there is a long list of anti virus programmes with numbers & then some have red writing after them. it doesn't give any specific advice about what to do next. how do i know if this is a real virus or not? when i was trying to restore the game, i just clicked on restore in the virus chest page, but nothing happened at all, i didn't get any error messages or anything, it just didn't restore. i apologise for my lack of knowledge but this is all new to me.

[DavidR]

Which is why I suggested posting the results and we can have a stab at the results.

When you scan using VT when it is complete, just copy and paste the URL in the address bar of that page into your post (or copy and paste the text of the results, but the link is easier all round).

It is simply an analysis/scanning tool it doesn't give advice on what to do next, we can do that.

[finsthwaite]

http://www.virustotal.com/analisis/8e0873325b361452c5fa49d5fd75f2a9
Hi, is this what your mean?

[finsthwaite]

http://www.virustotal.com/reanalisis.html?c848404e7eb5cdc669637f1dfd0f4955http://www.virustotal.com/reanalisis.html?0aac2d23d042c0f0f650986345b41bde.  also this but i think this is the same thing (i have 3 applications in the virus chest:- bgoldpak(1) (4360kb). BGPack (940kb) and BubbleGoldPaid (4589). i scanned them all but it said they had already been scanned?

[DavidR]

Yes that is what I mean the red is just the malware name that was found by that particular scanner.

The GData also uses avast as one of its two scanners, so effectively there is only one detection (1/36) and that is a strong indication that the detection is a false positive.

Send the file to avast for further analysis and correction, as in the link how to report and exclude from scans in my first reply.

[finsthwaite]

sorry to be so dim but can you talk me through what to do next please? also what will happen when i do, will i be able to get my game back & if so, how?

[DavidR]

http://www.virustotal.com/reanalisis.html?c848404e7eb5cdc669637f1dfd0f4955 http://www.virustotal.com/reanalisis.html?0aac2d23d042c0f0f650986345b41bde .  also this but i think this is the same thing (i have 3 applications in the virus chest:- bgoldpak(1) (4360kb). BGPack (940kb) and BubbleGoldPaid (4589). i scanned them all but it said they had already been scanned?

The fact that they have been scanned before just means someone has previously submitted a file to be scanned, you should always have it reanalised as the previous scan could be quite old

BGPack.exe now shows more detections, http://www.virustotal.com/analisis/c848404e7eb5cdc669637f1dfd0f4955  10/36 (9/35 when gdata is removed) normally the more detections the less likely it is a false positive detection. However most of the detections are either suspicious (heuristic), generic, which are more prone to false positives so I still think you should send this to avast.

Bubble_Gold_Paid.exe seems the same as the one you posted first with only the two/one detection.

[DavidR]

sorry to be so dim but can you talk me through what to do next please? also what will happen when i do, will i be able to get my game back & if so, how?

Do as I said click on the link I posted about how to report and exclude in my first post.

If you have, then you have to be more specific as I would just be repeating what is in that link.

[finsthwaite]

i have tried to email the files to alwil by highlighting them in the virus chest & clicking on email to alwil, but it came up they are too big to send, i'm afraid i don't understand the other option of restoring them & zipping them & sending them to Avast. do i have to send the files before i can restore them?

[DavidR]

The first thing I would suggest is a manual program update to the latest version (right click the avast 'a' icon, select Updating, Program Update), that may get round this as it doesn't actually email them now but uploads via http).

You can Increase the sizes in Program Settings (right click the avast 'a' icon) Chest and increase the Maximum file size to send, so that it is large enough to cope with your file.

You don't have to send the file before you restore it (a copy remains in the chest), but what you would have to do is exclude the original location or avast would just detect it when you try to restore it.

[finsthwaite]

i increased the size & tried again, it said 'unspecified errors', then when i clicked cancel it came up files sent with errors?
what happens now, is it safe to restore the file? do i just highlight the files & click on restore? what do you mean by 'exclude the original location'?