Author Topic: aswboot.txt log interpretation and remedial advice please  (Read 16369 times)


GTG

  • Guest
aswboot.txt log interpretation and remedial advice please
« on: June 15, 2008, 03:23:00 AM »
Hello you good people of the avast forums,

I only discovered the site today as a result of a search engine search for "aswboot.exe". I was prompted to do this when Spybot S&D informed me of a registry change involving this file. Anyway, I solved the problem with reference to this good site. In the process I learned that it's possible to schedule an Avast boot scan, so I did just that; that's the easy part. To my great surprise the scan revealed a vast number of discrepancies and some malware, as follows:

06/14/2008 20:36
Scan of all local drives

File C:\Applications\Tool\Microsoft Windows XP Updates\WU\WindowsXP-KB826939-x86-ENU.exe\_sfx_0004._p Error 42127 {CAB archive is corrupted.}
File C:\Applications\Tool\Microsoft Windows XP Updates\WU\WMP9_MM2.exe\setup.exe\sample.wmv Error 42127 {CAB archive is corrupted.}
File C:\Applications\Tool\Microsoft Windows XP Updates\WU\WMP9_MM2.exe\setup.exe Error 42127 {CAB archive is corrupted.}
File C:\b85ed6347264b814d3\wcu\dotNetFramework\dotNetFX20\ASPNET.msp\PCW_CAB_NetFX\FL_System_Web_Mobile_dll_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\My Downloads\Drivers\Graphics - Video\CLE266_16-94-44-45_XP_Rotation_logod.zip\CLE266_16944445_XP_Rotation_logod\vtdisp.dll Error 42125 {ZIP archive is corrupted.}
File C:\My Downloads\Open Office\OOo_2.0.1_Win32Intel_install.exe\$INSTDIR\openofficeorg3.cab\reflection.uno.dll Error 42127 {CAB archive is corrupted.}
File C:\Program Files\Microsoft Works\WKSv7std.sbt\147033 Error 42136 {CHM archive is corrupted.}
File C:\Program Files\S3\S3\s3setvga.exe is infected by Win32:Otwycal-AF [Wrm], Moved to chest
File C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP295\A0059552.dll\[Embedded#22250] is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP299\A0059977.exe is infected by Win32:Otwycal-AF [Wrm], Moved to chest
File C:\WINDOWS\Help\odbcjet.chm\$WWAssociativeLinks\Data Error 42136 {CHM archive is corrupted.}
File C:\WINDOWS\I386\ARTICLE.CH_\article.chm\hn_topology24.gif Error 42136 {CHM archive is corrupted.}
File C:\WINDOWS\I386\ARTICLE.CH_\article.chm Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\10592f19.msp\PCW_CAB_NetFX\FL_System_dll_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\10592f1d.msp\PCW_CAB_NetFX\FL_SYSTEM_WINDOWS_FORMS_DLL_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\1bb290.msi\Icon.NewShortcut1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe Error 42145 {OLE archive is corrupted.}
File C:\WINDOWS\Installer\1bb290.msi\Icon._7EA1FFEF_B7AE_43A5_8841_DBB045C2D037 Error 42145 {OLE archive is corrupted.}
File C:\WINDOWS\Installer\213dae.msp\PCW_CAB_NetFX\FL_alink_dll_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\23287f5.msp\PCW_CAB_NetFX\FL_SYSTEM_WINDOWS_FORMS_DLL_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\238ded.msp\PCW_CAB_NetFX\FL_System_dll_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\26a465.msp\PCW_CAB_NetFX\FL_prc_nlp_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\3a46a.msp\PCW_CAB_NetFX\FL_AspNetMMCExt_dll_66806_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\3b0613.msp\PCW_CAB_NetFX\FL_System_Design_dll_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\3bcf60.msp\PCW_CAB_NetFX\Microsoft.JScript_dll_2_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\47c50.msp\PCW_CAB_NetFX\FL_cscomp_dll_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\496e0.msp\PCW_CAB_NetFX\FL_sysglobl_dll_92791_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\5a6e03.msp\PCW_CAB_NetFX\mscorwks_dll_4_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\5a6e05.msp\PCW_CAB_NetFX\dw20.exe_0001.D0DF3458_A845_11D3_8D0A_0050046416B9 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\77fe52.msp\PCW_CAB_NetFX\FL_System_XML_dll_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\89f7d4.msp\PCW_CAB_NetFX\FL_WebAdminWithConfirmationNoButtonRow_mas_102343_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\c159c.msp\PCW_CAB_NetFX\FL_shfusion_dll_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\d3ef0.msp\PCW_CAB_NetFX\FL_big5_nlp_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\Installer\d56b011.msp\PCW_CAB_NetFX\msvcp80.dll.8.0.50727.1433.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\ServicePackFiles\i386\msncli.exe\msnmetal.dll Error 42127 {CAB archive is corrupted.}
Number of searched folders: 9864
Number of tested files: 333994
Number of infected files: 3


I instructed the malware to be moved to the chest but noticed that some of it was located in "System Restore", so does this mean I will have to delete my system restore in order to remove these, or are they safely locked away in the chest?

I should say that immediately after the boot scan I ran scandisk with the two correction and repair boxes ticked before running. I think this may repair some of the corrupt files; is this correct?

Would some kind soul please take a look through, diagnose the problem and advise on any remedial action?

Thanks :-)
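As an added example (not code from the thread or from avast), a small Python parser for the two aswboot.txt line shapes in the log above. It separates archive-corruption errors from actual detections and flags detections whose path lies inside a System Restore snapshot (C:\System Volume Information\_restore{GUID}\RPnnn\), since those are the ones that only go away when System Restore is purged. The sample log is constructed from lines quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes seen in aswboot.txt:  "File <path> Error <code> {<message>}"
# and "File <path> is infected by <threat>, <action>".
ERROR_RE = re.compile(r"^File (?P<path>.+) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")
INFECT_RE = re.compile(r"^File (?P<path>.+) is infected by (?P<threat>.+?)(?:, (?P<action>.+))?$")
# A System Restore snapshot directory: \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)

@dataclass
class Finding:
    kind: str                     # "error" (archive could not be unpacked) or "infected"
    path: str
    detail: str                   # error message or threat name
    action: Optional[str] = None  # what avast did, e.g. "Moved to chest"
    in_restore_point: bool = False

def parse_line(line: str) -> Optional[Finding]:
    line = line.rstrip("\r\n")
    m = INFECT_RE.match(line)
    if m:
        return Finding("infected", m["path"], m["threat"], m["action"],
                       bool(RESTORE_RE.search(m["path"])))
    m = ERROR_RE.match(line)
    if m:
        return Finding("error", m["path"], f"{m['code']} {m['msg']}")
    return None  # header, counter and blank lines carry no finding

def parse_log(text: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]

def summarize(findings: List[Finding]) -> dict:
    """Count inert archive errors separately from detections; list restore-point hits."""
    infected = [f for f in findings if f.kind == "infected"]
    restore_hits = [f.path for f in infected if f.in_restore_point]
    return {"archive_errors": sum(f.kind == "error" for f in findings),
            "infected": len(infected),
            "restore_point_infections": restore_hits,
            "needs_system_restore_purge": bool(restore_hits)}

# Constructed sample: a few lines taken from the log quoted in this thread.
SAMPLE_LOG = r"""06/14/2008 20:36
Scan of all local drives
File C:\WINDOWS\I386\ARTICLE.CH_\article.chm Error 42127 {CAB archive is corrupted.}
File C:\Program Files\Microsoft Works\WKSv7std.sbt\147033 Error 42136 {CHM archive is corrupted.}
File C:\Program Files\S3\S3\s3setvga.exe is infected by Win32:Otwycal-AF [Wrm], Moved to chest
File C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP295\A0059552.dll\[Embedded#22250] is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP299\A0059977.exe is infected by Win32:Otwycal-AF [Wrm], Moved to chest
Number of infected files: 3
"""
```

Running `summarize(parse_log(SAMPLE_LOG))` on the sample reports 2 archive errors, 3 detections and 2 restore-point paths, which is exactly the split the replies below draw between harmless unpack errors and restore points that need clearing.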

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: aswboot.txt log interpretation and remedial advice please
« Reply #1 on: June 15, 2008, 08:03:08 PM »
File C:\Program Files\S3\S3\s3setvga.exe is infected by Win32:Otwycal-AF [Wrm], Moved to chest
File C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP295\A0059552.dll\[Embedded#22250] is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information\_restore{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP299\A0059977.exe is infected by Win32:Otwycal-AF [Wrm], Moved to chest
Could be false positives... but it's ok to send them to Chest for further analysis.

I instructed the malware to be moved to the chest but noticed that some of it was located in "System Restore" so does this mean I will have to delete my system restore in order to remove these or are they safely locked away in the chest?
Yes, if you disable and enable, infected restore points will be deleted.

I should say that immediately after the boot scan I ran scandisk with the two correction and repair boxes ticked before running. I think this may repair some of the corrupt files, is this correct?
Sometimes, yes.
But I wouldn't worry that much about archive corruption: it could be due to an avast error on unpacking, or the error could be in the archive itself... archive files are inert: if malware is inside them, it will be detected by avast (as resident) when unpacked.
The best things in life are free.

GTG

  • Guest
Re: aswboot.txt log interpretation and remedial advice please
« Reply #2 on: June 15, 2008, 09:57:19 PM »
Thanks for your reassuring reply Tech, it looks like I haven't got anything to be concerned about.

I do think that one or more of the reported infections were positive, my computer has speeded up considerably. Before the scan it was slow and in particular loading and navigating around in IE7, I had frequent "hangs" and close downs in IE7 with "application incompatible" messages but thought that it may be because there was a conflict with Ad-aware (free) and Spybot (see below).

As you can see from my sig. I take security quite seriously by keeping software up to date and taking precautions with attachments etc. I recently started to use P2P software for watching live football and I suspect I may have got the worm through that. I have got rid of that software now.

Would it be best to use my system for a few days to make sure it's running OK before deleting my restore points?

Quote from: Tech
but it's OK to send them to Chest for further analysis.

How do I do the further analysis?

One other question, I like Ad-aware (free) and had it installed until recently for "on demand" scans only, will it reside OK with my other security software (see sig.)?

Once again thanks for your help, it's great having experts like yourself around.

ATB

Rob
 


Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: aswboot.txt log interpretation and remedial advice please
« Reply #3 on: June 16, 2008, 12:31:11 AM »
Would it be best to use my system for a few days to make sure it's running OK before deleting my restore points?
No problems. Viruses there cannot be restored unless you manually ask to do so.

How do I do the further analysis?
Right click the file and scan after some days. False positives are corrected generally very quickly.

One other question, I like Ad-aware (free) and had it installed until recently for "on demand" scans only, will it reside OK with my other security software (see sig.)?
It will, but it is very poor on detection imho. I'd use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

Once again thanks for your help, it's great having experts like yourself around.
We try to help ;)

CharleyO

  • Guest
Re: aswboot.txt log interpretation and remedial advice please
« Reply #4 on: June 16, 2008, 06:10:38 AM »
***

Welcome to the forums, GTG.    :)

You already have SpywareBlaster and Spybot-Search & Destroy, which are both much better than Adaware. I also used to have Adaware and found it ineffective compared to the ones you have.


***

GTG

  • Guest
Re: aswboot.txt log interpretation and remedial advice please
« Reply #5 on: June 28, 2008, 10:53:48 PM »
Thanks for the welcome CharleyO, great to be in your company.

Tech, I got around to individually scanning the three offending files in the chest by using the right-click menu as suggested. There was no virus in two, but the third one gave me this report:

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: A0059552.dll
FileID: 18
Virus Description: Win32:Trojan-gen {Other}

The path is C:\System Volume Information\_restore{1A2EF

1) Do I need to turn off system restore and then create another restore point to avoid re-infection should I need to restore my system in the future?

Thanks :-)



 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: aswboot.txt log interpretation and remedial advice please
« Reply #6 on: June 29, 2008, 10:59:21 PM »
1) Do I need to turn off system restore and then create another restore point to avoid re-infection
Not to avoid reinfection but to clean the infected restore points.
Files in System Restore can only be restored by Windows. Malware can't (as far as I know) restore a system without user intervention.

should I need to restore my system in the future?
Yes... you can disable/enable it (no restore points will exist) and then create a new one. There is no reason to keep System Restore disabled.

GTG

  • Guest
Re: aswboot.txt log interpretation and remedial advice please
« Reply #7 on: July 01, 2008, 08:32:15 PM »
Fantastic, that's me off to clear/disable system restore and then create/enable it again and I should be sorted.

Thanks again Tech.

All the best

Rob

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: aswboot.txt log interpretation and remedial advice please
« Reply #8 on: July 01, 2008, 08:38:05 PM »
Thanks again Tech.
You're welcome. Feel free to come back any time you need help or just to exchange experiences 8)