Author Topic: Extracted Files  (Read 4392 times)

Wheresthelove

  • Guest
Extracted Files
« on: December 06, 2008, 09:30:06 PM »
As the name says... I extracted a file that was said to be infected and uploaded it to virustotal.com, where only 3/38 scanners found something wrong. So I was wondering: can I delete the files I extracted to a certain folder, and will it do any harm to my computer? Also, if 3/38 scanners found something wrong, is that a good enough reason to delete it?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Extracted Files
« Reply #1 on: December 06, 2008, 09:57:08 PM »
What was the URL for the VT results?

The scanners and the malware name could help us.

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Wheresthelove

  • Guest
Re: Extracted Files
« Reply #2 on: December 06, 2008, 10:10:27 PM »
Alright here is the link to the scan report on virustotal.com
http://www.virustotal.com/analisis/9fde2933b9408b7566844ec118953f8a

The name of the virus that was detected by Avast was "Js:Packed-N[trojan]"; it was found in these 3 system32 files:

Kernel32.dll E:\Windows\System32
Winsock.dll E:\Windows\System32
Wsock32.dll E:\Windows\System32

All Windows files and program files go to my E drive, or whatever it's called.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Extracted Files
« Reply #3 on: December 06, 2008, 11:33:04 PM »
Well, the VT results are effectively 2 detections, as GData also uses avast as one of its two scanners, so you should send that file for further analysis.

If it is indeed a false positive (and it seems so), see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

The three files you mention don't happen to be in the System Files section, as they are back-ups of your system files and shouldn't be infected, or effectively the originals (that they were copied from) would be infected?

So I believe what you meant was that the file you uploaded to VT was infected by that malware, but I find it very hard to believe the others are infected. Have you scanned them in the chest?

I really do wish Alwil would get rid of this All Chest Files collation of the three sections.
- The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
- The User Files section is where the user can add files they suspect of being malware but not detected by avast.
- The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).

Wheresthelove

  • Guest
Re: Extracted Files
« Reply #4 on: December 06, 2008, 11:55:55 PM »
Yes, you're right. When I went to the system folder and scanned them it said no virus. But the infected file named "Js[1].htm" was found in the "temporary internet files" folder... so after I have reported this, should I restore those system files?

Wheresthelove

  • Guest
Re: Extracted Files
« Reply #5 on: December 07, 2008, 12:41:14 AM »
David, those files in the chest called "system files" are just copies of important system files, aren't they... now I know why. Basically I shouldn't even touch that part of the chest, am I correct? Only worry about infected files.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Extracted Files
« Reply #6 on: December 07, 2008, 01:43:10 AM »
Post 1. You could report this as it may be a false positive (the one you posted the VT results for); however, since it was from the Temporary Internet Files, it isn't quite such a priority and it puts a different spin on it.

avast has been relatively effective in pinning bad web pages with scripts using generic style signatures (I don't know if this is one of them) and the malware name JS:Packed-N could be a packed form of javascript (as the name implies). In normal circumstances there should be no need to pack or otherwise obfuscate javascript, as it is a language which can be read as plain language and there shouldn't be a need to change that. So that makes me a little more suspicious of the file than the VT results.

So it could well be a good detection after all even with such a small number of detections, but that doesn't mean you shouldn't send it for further analysis as a possible false positive as in the instructions on how to report in my last post.

Post 2. That's right, ignore what is in the system files section; they are backup copies that only avast can use. Even if you tried to restore them, Windows would stop you because the originals are running/in use.
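DavidR's point that ordinary JavaScript has no need to be packed can be turned into a quick triage check for scripts found in a browser cache; the sketch below is an added example, not part of any post in this thread and not avast's detection logic. The indicator names, the thresholds and both sample scripts are constructed assumptions, and a hit is a reason to submit the file for analysis, not a verdict.

```python
import re
import sys

# Constructed samples, not the file discussed in this thread.
PLAIN_JS = (
    "function showMenu(id) {\n"
    "  var el = document.getElementById(id);\n"
    "  if (el) { el.style.display = 'block'; }\n"
    "}\n"
)
# A harmless alert() hidden behind %xx escapes, the way a packer hides its payload.
_payload = "alert('constructed sample');" * 8
PACKED_JS = "eval(unescape('" + "".join("%%%02x" % ord(c) for c in _payload) + "'));"

# Calls that turn a string back into code or markup at run time.
DECODERS = re.compile(r"\b(eval|unescape|fromCharCode|atob)\s*\(|document\.write\s*\(")
# Escape sequences used to carry an encoded payload inside a string.
ENCODED = re.compile(r"%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
# Single-line string literals in either quote style.
LITERAL = re.compile(r"'[^'\n]*'|\"[^\"\n]*\"")


def packing_indicators(src):
    """Return simple signals that a script has been packed or obfuscated."""
    encoded_chars = sum(len(m.group()) for m in ENCODED.finditer(src))
    return {
        "decoder_calls": len(DECODERS.findall(src)),
        "encoded_ratio": encoded_chars / max(len(src), 1),
        "longest_literal": max((len(m.group()) for m in LITERAL.finditer(src)), default=0),
    }


def looks_packed(src):
    """Flag a script when at least two independent indicators agree."""
    s = packing_indicators(src)
    score = (s["decoder_calls"] > 0) + (s["encoded_ratio"] > 0.3) + (s["longest_literal"] > 200)
    return score >= 2


if __name__ == "__main__":
    # Usage: python triage.py file1.htm file2.js ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            src = fh.read()
        print(path, "packed?" if looks_packed(src) else "plain", packing_indicators(src))
```

Legitimately minified libraries can trip one indicator on their own, which is why the check requires two before flagging.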

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: Extracted Files
« Reply #7 on: December 07, 2008, 12:54:21 PM »
Hello,

Not a false positive, guys. I have found the same file (same hash) in our db, and this is a crypted script which is preparing Adobe Reader to download a malicious PDF, which is also detected as JS:Packed-N [trj].

Regards

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Extracted Files
« Reply #8 on: December 07, 2008, 02:43:53 PM »
Thanks jsejtko,

I thought with its file name, location (temp internet files) and the malware name, etc. it was still suspect but worth checking. Thanks for the clarification.

Wheresthelove

  • Guest
Re: Extracted Files
« Reply #9 on: December 27, 2008, 05:33:32 AM »
Hmm, I see, so should I disable my System Restore (without reboot) and delete it, since we now know it is not a false positive?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: Extracted Files
« Reply #10 on: December 27, 2008, 05:37:22 PM »
I normally never like deleting so I would send it to the chest where it can do no harm. Though with the advice of one of the virus labs team you could delete it and the fact that it is in a temporary location makes it somewhat more redundant.

That same fact on its location shouldn't require disabling system restore before deleting it (as system restore only protects files in the system folders). So just emptying/deleting the Temporary Internet Files would do that job.

If it is in the avast chest 'Infected Files' section you can just delete it from there.