AV picking out .EXE files from HDDs

moonraker

Hi, I have just added a HDD from our old PC. It seemed like the AV was
scanning the slave HDD and seeing the .exe files as viruses, so I have
disconnected it again for now. Is this common?

With the slave unplugged the AV has just picked out a .exe file from the
original HDD as if it was a threat. Is this common?

I am concerned that it will lock away or quarantine some of the operating
files...

Any ideas?

Many thanks

Steve
 
moonraker

Yes... sorry... realised I had omitted the details as my finger lifted off the
mouse... whoosh... too late, it had gone!!!!

AVIRA Antivir Personal (free) was on the PC when acquired.

Since the first post the PC has been sat there and another warning flashed
up with a file from the existing HDD, the (I:) drive (the slave (C:)
drive is disconnected for now).

Note!! When I plugged the HDD into the PC I removed the jumper from the rear,
as it said on the back that no jumper was "slave".

Someone has mentioned that no jumper is slave ribbon select... as the slave
HDD is listed in the boot menu as Maxtor 1st slave, do I need to fit the
jumper or not?

Many thanks
 
Anteaus

Send one or two to http://virustotal.com for an opinion.

One of the problems with AV these days is that there are now so many
viruses, some of which are bound to be similar to genuine files, that false
detections are very common.
 
moonraker

Hi there, thanks for that.

Looking at the AV history it looks like it has been happening for some time.

(I:) is the original HDD (160GB) to the PC. I added a slave (C:) yesterday
but disconnected it for now when the AV started "seeing threats in the
files".

Most are showing "detected in (I:) system volume information..."

Looking at the log, it looks like the AV has run every hour (exactly) and
picked out the same file several times and "deny access" 5 times (5 hours)
in a row:-

Guard:malware found
date 15\11\2009 22.47.36

virus or unwanted program "adware\adware.Gen [adware] detected in file
"I: \ system volume
information\restore(79543F85-E178-4BC5-AB89-3972695E-1B68)\RP1354\A0175290.exe

As I say, this entry is listed once every hour, 5 times that day... 3 times
the next day... 4 times the next... 6 times on the 20\11\2009.

Then when I fitted the slave (C:) drive the AV reported:

Guard:malware found
date 14\12\2009 18.42.02

virus or unwanted program "adware\adware.Gen [adware] detected in file

this time in

C: \program files\hewlett-packard\digital
imaging\...

Hope this helps

Cheers... Steve
 
Paul

moonraker said:
Hi there, thanks for that.

Looking at the AV history it looks like it has been happening for some time.

(I:) is the original HDD (160GB) to the PC. I added a slave (C:) yesterday
but disconnected it for now when the AV started "seeing threats in the
files".

Most are showing "detected in (I:) system volume information..."

Looking at the log, it looks like the AV has run every hour (exactly) and
picked out the same file several times and "deny access" 5 times (5 hours)
in a row:-

Guard:malware found
date 15\11\2009 22.47.36

virus or unwanted program "adware\adware.Gen [adware] detected in file
"I: \ system volume
information\restore(79543F85-E178-4BC5-AB89-3972695E-1B68)\RP1354\A0175290.exe

As I say, this entry is listed once every hour, 5 times that day... 3 times
the next day... 4 times the next... 6 times on the 20\11\2009.

Then when I fitted the slave (C:) drive the AV reported:

Guard:malware found
date 14\12\2009 18.42.02

virus or unwanted program "adware\adware.Gen [adware] detected in file

this time in

C: \program files\hewlett-packard\digital
imaging\...

Hope this helps

Cheers... Steve

Take Anteaus's advice, and upload the smallest infected file
to the www.virustotal.com web site. Virustotal has about 20 different
virus scanners in it. You upload a file to them, they decompress it
if that is necessary, take it apart, run it through all the scanners,
and give you a report automatically. It's a great service and it is free.

Paul
 
moonraker

Paul said:
Take Anteaus's advice, and upload the smallest infected file
to the www.virustotal.com web site. Virustotal has about 20 different
virus scanners in it. You upload a file to them, they decompress it
if that is necessary, take it apart, run it through all the scanners,
and give you a report automatically. It's a great service and it is
free.

Thank you for the reply,

The PC in question is not online as yet; could I copy the file to a memory
stick and upload it via this PC?

Do I take it I hunt down the actual file on the PC, copy it and then upload
it?

Many thanks
Steve
 
Lem

moonraker said:
Hi there, thanks for that.

Looking at the AV history it looks like it has been happening for some time.

(I:) is the original HDD (160GB) to the PC. I added a slave (C:) yesterday
but disconnected it for now when the AV started "seeing threats in the
files".

Most are showing "detected in (I:) system volume information..."

Looking at the log, it looks like the AV has run every hour (exactly) and
picked out the same file several times and "deny access" 5 times (5 hours)
in a row:-

Guard:malware found
date 15\11\2009 22.47.36

virus or unwanted program "adware\adware.Gen [adware] detected in file
"I: \ system volume
information\restore(79543F85-E178-4BC5-AB89-3972695E-1B68)\RP1354\A0175290.exe

As I say, this entry is listed once every hour, 5 times that day... 3 times
the next day... 4 times the next... 6 times on the 20\11\2009.

Then when I fitted the slave (C:) drive the AV reported:

Guard:malware found
date 14\12\2009 18.42.02

virus or unwanted program "adware\adware.Gen [adware] detected in file

this time in

C: \program files\hewlett-packard\digital
imaging\...

Hope this helps

Cheers... Steve

Anteaus said:
Send one or two to http://virustotal.com for an opinion.

One of the problems with AV these days is that there are now so many
viruses, some of which are bound to be similar to genuine files, that false
detections are very common.

The first example you picked (I:\system volume information\restore ...)
is in a System Restore point. I suggest clearing out all restore points
on that partition by turning off System Restore. It's not clear from
your post which partition is your system partition (e.g., the one where
Windows is located). As a general rule, you should turn off System
Restore on all partitions *other* than the system partition.
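Pulling the repeated Guard entries Steve pasted into something countable, as an added example that is not from the thread or from Avira: it assumes the three-line entry shape quoted above, parses constructed sample lines (the C: file name is a placeholder), counts how many times each path was hit, and flags the hits sitting inside a System Restore point, which is what Lem's advice about turning off System Restore would clear.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the Avira Guard entries quoted in the thread
# (dates as d\m\yyyy, times as hh.mm.ss). The C: file name is a placeholder.
SAMPLE_LOG = r"""
Guard:malware found
date 15\11\2009 22.47.36
virus or unwanted program "adware\adware.Gen [adware] detected in file "I:\system volume information\restore(79543F85-E178-4BC5-AB89-3972695E-1B68)\RP1354\A0175290.exe
Guard:malware found
date 15\11\2009 23.47.36
virus or unwanted program "adware\adware.Gen [adware] detected in file "I:\system volume information\restore(79543F85-E178-4BC5-AB89-3972695E-1B68)\RP1354\A0175290.exe
Guard:malware found
date 14\12\2009 18.42.02
virus or unwanted program "adware\adware.Gen [adware] detected in file "C:\program files\hewlett-packard\digital imaging\PLACEHOLDER.exe
"""
DATE_RE = re.compile(r"^date (\d{1,2})\\(\d{1,2})\\(\d{4}) (\d{1,2})\.(\d{2})\.(\d{2})")
DETECT_RE = re.compile(r'^virus or unwanted program "(?P<name>.+?) \[(?P<cls>[^\]]+)\] '
                       r'detected in file "(?P<path>.+)$')
RESTORE_RE = re.compile(r"\\system volume information\\_?restore", re.IGNORECASE)

def parse_guard_log(text):
    """Return (timestamp, detection name, path) for each three-line Guard entry."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, i = [], 0
    while i < len(lines):
        if lines[i].startswith("Guard:malware found") and i + 2 < len(lines):
            d, m = DATE_RE.match(lines[i + 1]), DETECT_RE.match(lines[i + 2])
            if d and m:
                day, mon, yr, hh, mm, ss = map(int, d.groups())
                entries.append((datetime(yr, mon, day, hh, mm, ss), m["name"], m["path"]))
                i += 3
                continue
        i += 1
    return entries

def summarise(entries):
    """Group repeat hits by path and flag files living inside a System Restore point."""
    by_path = {}
    for ts, name, path in entries:
        rec = by_path.setdefault(path, {"name": name, "hits": 0, "first": ts, "last": ts,
                                        "restore_point": bool(RESTORE_RE.search(path))})
        rec["hits"] += 1
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
    return by_path
if __name__ == "__main__":
    for path, rec in summarise(parse_guard_log(SAMPLE_LOG)).items():
        where = "restore point (gone once System Restore is cleared)" if rec["restore_point"] else "live file (worth a VirusTotal check)"
        print(f"{rec['hits']}x {rec['name']} {rec['first']:%d/%m/%Y %H:%M} - {rec['last']:%H:%M}: {path} [{where}]")
```

A real Guard report can be pasted in place of SAMPLE_LOG; only entries matching the three-line shape are counted.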
 
Paul

moonraker said:
Thank you for the reply,

The PC in question is not online as yet; could I copy the file to a memory
stick and upload it via this PC?

Do I take it I hunt down the actual file on the PC, copy it and then upload
it?

Many thanks
Steve

Well, every idea has a few gotchas.

There is some malware that spreads from computer to computer
via USB flash. It could be using "autorun" as a mechanism.
Pressing and holding the "shift" key, while inserting
the USB stick, may stop "autorun". But I don't know if that
is guaranteed to be enough to stop something like that or
not.

You could set up networking on the machine in question, and
try to upload from there. There is even malware, that won't
let the browser reach the virustotal.com web site (that
can be done by adding an entry to the "hosts" file). But that
would be a dead giveaway the machine was infected, so you'd know
there was trouble if that happened.

You could use a "security by obscurity" technique. If you copied
the file to USB flash on the suspect Windows computer, and
plugged the USB flash into a Linux computer, there is a chance
the malware may not be able to infect all OSes equally. So perhaps
using a browser on a Linux machine might be an alternative.

Is it that hard to get networking going on the affected machine?

Yet another thing to consider, is if the machine you're going
to use to do the upload, has its own AV software running. It
could scan the USB flash as soon as it is plugged in and
quarantine the file. I suppose that proves it is infected
too, so doesn't really raise any additional issues. If
the AV on that computer doesn't complain, and you don't
manage to infect the networked computer, then you're ready
to upload to virustotal.

Paul