# Solved: Trojan or false alarm



## Novictory (Nov 18, 2007)

I am having a very frustrating experience with AVG. As an additional security check, I ran a Kaspersky online scan a few days ago. They picked up one virus as follows: Win32/CIH virus. When I scanned the alleged infected file with AVG, it did not detect anything. I wrote avg tech support with this info and they requested the file - after sending them the infected file, they responded as follows: 
_Please let us inform you, that the file contained inactive and damaged
Win32/CIH virus. In this case AVG does not detect it. In atachment of
this email we send you the fully healed file, that is currently not
detect by any other Anti-Virus._​The plot thickens  the next day after booting system, avg comes up with Threat Detected! Trojan horse Patched_c.UK. for that file they did not detect anything in the day before. Also infection is supposedly in a program that I have been using for months without any detection of any kind. I removed the threat to the virus vault and thought all was set. However, I installed a new program yesterday (not related to any of this) and as I always do I set a restore point for that day before installing. (This is a day after all of this other trojan stuff was detected). Last nite I booted up and it came up with that threat again but now I am unable to remove it. The options on avg are to heal or remove to vault. When I tried to do either of these, I received a msg that those options had failed and that access was denied to the file. Keep in mind that this threat now resides in c\system volume information\_restore followed by a string of letters & numbers.
I have written AVG repeatedly about this and they have yet to answer my emails. I dont know if I really have a trojan or what  I am not symptomatic at all  I run avg, firewall, spybot  spyware blaster  ad aware. I am also very careful about what I download so I really dont know what is going on. Would appreciate any help you may offer. Thanks in advance.


----------



## mrss (Jun 13, 2007)

Won't get into whether real or false positive, but if it was detected only in the System Restore volume, not sure that AVG can go in there. You would have to disable System Restore, which loses any and all restore points, and then re-enable it and set a new restore point. So if it's only there, you could always ignore it, providing that you remember it's there.


----------



## Novictory (Nov 18, 2007)

Thank you for explaining that AVG cannot go into that file. So, if I understand correctly, this trojan is harmless in that file and can be ignored. However, since I am probably going to continue to receive the Threat Detected! window from AVG, I think I will disable the S.R. settings and reset a new one. That will get rid of that trojan in that file location, correct? Thanks for quick reply.


----------



## tomdkat (May 6, 2006)

If you are able to identify the actual file that is infected, you can test it against other anti-virus scanners using the Jotti virus scan service. I used it to confirm a false positive I had with Avast!. The Jotti service will scan the file you upload with just about every anti-virus app out there. That way, you can see if something was actually missed or if something is being reported as a false positive.

I was in a similar situation as you where Avast! reported an infected file that AVG 7.5 didn't detect. The Jotti scan I ran reported Avast! and Panda detecting the same infection where AVG, AntiVir, Kaspersky, NOD32, F-Secure, and the rest of the lot didn't detect anything.

What version of AVG are you using?

Peace...


----------



## Novictory (Nov 18, 2007)

Thanks for response. I have bookmarked that scanner contained in your answer for future use. Right now the original trojan is the avg virus vault. The second one (in the sys restore file is also gone as I reset the restore points). I couldn't get to that one anyway it would appear. I am using AVG 8 and find it cumbersome. I liked 7.5 better as it did not seem to take so long to do scans as set up by avg (whole computer, etc). My license is up in feb 09 so maybe I'll move on. Thanks again. P.S. I was born in San Francisco a million or so years ago. Now in New England.


----------



## tomdkat (May 6, 2006)

Sounds good. 

Keep in mind, I *do not* mention the Jotti site as a suggestion for using that as a primary tool to scan files but it can be handy to determine if you're dealing with a false positive or not. 

In my case, based on the fact that only 2 of the scanners they have found anything I'm thinking I had a false positive.

Good luck!

Peace...


----------



## Novictory (Nov 18, 2007)

Yes, thanks for that followup and I will keep that scanner handy for the false-positive moments. Onward and upward - (hopefully).


----------

