Author Topic: Deleted from Chest by mistake  (Read 7270 times)


Donlee

  • Guest
Deleted from Chest by mistake
« on: January 17, 2010, 02:19:46 PM »
I'm new here and deleted some viruses from the chest.  Is that going to be a problem?  When the virus pops up Avast recommends that it be sent to the chest but should I instead try to repair it first?

spg SCOTT

  • Guest
Re: Deleted from Chest by mistake
« Reply #1 on: January 17, 2010, 02:27:25 PM »
Hi Donlee, welcome to the forum :)

Please could you stick to one topic as it makes it harder for those here to help you. Since this one is in the right place I will post here.

Normally, the recommended action is to put the files in the chest, a secure encrypted location that cannot be accessed other than by avast! itself. If after some time (say, a couple of weeks) you have not noticed any adverse effects (for example problems with the using of the pc or programs not working) then it should be reasonable to delete.

To be sure, we would need the filenames and locations of the files that you deleted.

Right click avast icon-->click 'Avast log viewer'-->click 'warning' section-->look at the bottom of the log (or click the date time header to bring the most recent to the top)

Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the last few entries.

-Scott-

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Deleted from Chest by mistake
« Reply #2 on: January 17, 2010, 02:34:30 PM »
just something to read

Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

Donlee

  • Guest
Re: Deleted from Chest by mistake
« Reply #3 on: January 17, 2010, 03:02:52 PM »
Okay Scott here you go
1/16/2010   6:54:57 PM   1263686097   SYSTEM   1588   Sign of "Win32:Trojan-gen" has been found in "C:\WINDOWS\default32.dll" file. 
1/16/2010   7:13:49 PM   1263687229   Administrator   2424   Sign of "Win32:Trojan-gen" has been found in "C:\System Volume Information\_restore{E2FD6C42-B93A-4152-A6E5-324F632CD4D3}\RP82\A0008821.dll" file. 
1/16/2010   7:18:26 PM   1263687506   Administrator   2424   Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\FontReg.exe" file. 
1/16/2010   7:20:32 PM   1263687632   Administrator   2424   Sign of "Win32:Trojan-gen" has been found in "C:\WINDOWS\trz96.tmp" file. 

Donlee

  • Guest
Re: Deleted from Chest by mistake
« Reply #4 on: January 17, 2010, 03:07:21 PM »
Thanks Pondus

spg SCOTT

  • Guest
Re: Deleted from Chest by mistake
« Reply #5 on: January 17, 2010, 03:23:59 PM »
Quote
1/16/2010   6:54:57 PM   1263686097   SYSTEM   1588   Sign of "Win32:Trojan-gen" has been found in "C:\WINDOWS\default32.dll" file.
Not sure about this one, I can't seem to find any info on it. (I presume that this would mean a genuine detection...)


Quote
1/16/2010   7:13:49 PM   1263687229   Administrator   2424   Sign of "Win32:Trojan-gen" has been found in "C:\System Volume Information\_restore{E2FD6C42-B93A-4152-A6E5-324F632CD4D3}\RP82\A0008821.dll" file.
This should be okay to delete, as it is a restore point:

...
####
Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
 
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.


Quote
1/16/2010   7:20:32 PM   1263687632   Administrator   2424   Sign of "Win32:Trojan-gen" has been found in "C:\WINDOWS\trz96.tmp" file.

A temp file, again, this should be okay to delete.

Quote
1/16/2010   7:18:26 PM   1263687506   Administrator   2424   Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\FontReg.exe" file.

This one I am not too sure about. It looks like a genuine detection, as the real version, if there should be at C:\WINDOWS\SYSTEM\ not in the system32 folder.
http://www.bleepingcomputer.com/filedb/fontreg.exe-32022.html

If you are having no adverse effects, I would think that you are ok, maybe someone else here could confirm...

-Scott-

Donlee

  • Guest
Re: Deleted from Chest by mistake
« Reply #6 on: January 17, 2010, 03:41:41 PM »
thank you so much

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Deleted from Chest by mistake
« Reply #7 on: January 17, 2010, 05:31:44 PM »
Quote
I'm new here and deleted some viruses from the chest.  Is that going to be a problem?  When the virus pops up Avast recommends that it be sent to the chest but should I instead try to repair it first?

Trojans generally can't be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can't do any harm and you can investigate the infected warning.

The VRDB only protects certain files, mainly .exe files, it doesn't protect data files or all files, it is not a back-up program, so there are going to be many occasions where repair won't be an option.

Only true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it, provided that file is one that avast's VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.

However, for the most part so called viruses, trojans (adware/spyware/malware, etc.) can't be repaired because the complete content of the file is malicious.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

CharleyO

  • Guest
Re: Deleted from Chest by mistake
« Reply #8 on: January 17, 2010, 09:56:44 PM »
***

Information on ... default32.dll ... can be found at the link below :

http://www.prevx.com/filenames/X2065179817566393827-X1/DEFAULT32.DLL.html   ( Malware Downloader )


***

mvance0211

  • Guest
Virus chest
« Reply #9 on: January 18, 2010, 07:51:25 PM »
I am also new to this.  If a virus is detected and is in the chest, does that mean it will not harm my computer?  On the screen it says that there are 5 infected files?  How can I get this off?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Deleted from Chest by mistake
« Reply #10 on: January 18, 2010, 08:03:44 PM »
Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, so it is best to send virus to the chest (quarantine) and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

trunkster

  • Guest
Re: Deleted from Chest by mistake
« Reply #11 on: January 20, 2010, 08:05:50 AM »
Quote
1/16/2010   7:18:26 PM   1263687506   Administrator   2424   Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\WINDOWS\system32\FontReg.exe" file.

This one I am not too sure about. It looks like a genuine detection, as the real version, if there should be at C:\WINDOWS\SYSTEM\ not in the system32 folder.
http://www.bleepingcomputer.com/filedb/fontreg.exe-32022.html

If you are having no adverse effects, I would think that you are ok, maybe someone else here could confirm...

-Scott-

I believe the FontReg that Donlee has is the one that comes with the RyanVM post-SP3 hotfix pack http://www.ryanvm.net/forum/viewtopic.php?t=6729. Basically it's for slipstreaming hotfixes beyond SP3 into a Windows XP CD. I'm pretty sure it is a false positive, a lot of people have tested these packs and I'm sure it would have been caught. I have the exact same detection as Donlee from Avast but I can't get any other antivirus program to complain. I've tried both Kaspersky and MSE with clean results.

The issue could be that the FontReg program uses part of the Microsoft source code from the old 1995 file installation utility. Microsoft released this code to the public so it is legit. I wonder if Avast is detecting FontReg as a compromised Microsoft system file because of this.

Long story short, it's safe to delete FontReg, you will probably never use it since it's for installing fonts via the command prompt.