Author Topic: Win32:Malware-gen showing in boot scan  (Read 8452 times)


bobstg

  • Guest
Win32:Malware-gen showing in boot scan
« on: July 22, 2012, 12:33:48 AM »
Hi,
I am receiving a boot scan warning of a Win32:Malware-gen; this does not show up in a normal scan with avast or Malwarebytes. My first boot scan showed 3 infected files, now it is showing 10 infected files. How can I delete this? When I tried to move it to the virus vault or delete it, it gives me this error message: The operation is not supported for this type of archive (42111). I took a picture of the boot scan screen but the image is too big to post here. If anyone can assist me with this I would really appreciate it.

Thanks Bob

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88899
  • No support PMs thanks
Re: Win32:Malware-gen showing in boot scan
« Reply #1 on: July 22, 2012, 12:44:25 AM »
Without more detailed information, it is almost impossible to say.

What are the file names, locations and malware names of the detections ?

Your error means that the detection found inside an archive (packed/compressed) file can't be extracted (and the archive put back together) without probable damage/corruption to the archive.

Look in the:
C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\report\aswBoot.txt file (XP location)
C:\ProgramData\Avast Software\Avast\report\aswBoot.txt (Vista, Win7, may be a hidden location)
Check this file using notepad for info on the scan/detections, etc. and you can copy and paste the detection lines.

@@@@
Deletion isn't really a good first option (you have none left); 'first do no harm': don't delete, send the virus to the chest (a protected area) and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
« Last Edit: July 22, 2012, 12:46:05 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

bobstg

  • Guest
Re: Win32:Malware-gen showing in boot scan
« Reply #2 on: July 22, 2012, 01:19:09 AM »
Quote from: DavidR on July 22, 2012, 12:44:25 AM (Reply #1, quoted in full)

Here is a copy of the message I received in the boot scan.
File C:\Program Files\EarthLink Setup\Windows\access\SpywareBlocker.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen, Delete: Error 42111 {The operation is not supported for this type of archive.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}
File C:\Program Files\EarthLink Setup\Windows\access\SpywareBlocker.msi|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen, Repair: Error 42060 {The file was not repaired.}
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1957\A0194811.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1957\A0194811.msi|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1957\A0194899.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1957\A0194899.msi|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1957\A0194904.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1957\A0194904.msi|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1958\A0195040.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1958\A0195040.msi|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen
Number of searched folders: 14928
Number of tested files: 951425
Number of infected files: 10

I have no idea what they mean or if they are doing harm. Thank you for your help.
bob

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88899
  • No support PMs thanks
Re: Win32:Malware-gen showing in boot scan
« Reply #3 on: July 22, 2012, 01:40:11 AM »
Where did you get this SpywareBlocker.msi from in C:\Program Files\EarthLink Setup\Windows\access\SpywareBlocker.msi ?

Is this what it is 'Spy Sweeper' http://www.processlibrary.com/directory/files/spywareblocker/197571/ ?


bobstg

  • Guest
Re: Win32:Malware-gen showing in boot scan
« Reply #4 on: July 22, 2012, 01:46:29 AM »
Quote from: DavidR on July 22, 2012, 01:40:11 AM
> Where did you get this SpywareBlocker.msi from in C:\Program Files\EarthLink Setup\Windows\access\SpywareBlocker.msi ?
>
> Is this what it is 'Spy Sweeper' http://www.processlibrary.com/directory/files/spywareblocker/197571/ ?

Yes I believe that is where it came from. However I never installed anything called Spy Sweeper.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88899
  • No support PMs thanks
Re: Win32:Malware-gen showing in boot scan
« Reply #5 on: July 22, 2012, 02:05:41 AM »
It may be that your ISP provided what it called SpywareBlocker (or something like that) that was a licensed version of Spy Sweeper ?

bobstg

  • Guest
Re: Win32:Malware-gen showing in boot scan
« Reply #6 on: July 22, 2012, 02:17:33 AM »
So will what is showing cause damage to my computer or breach my security for online banking etc.?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88899
  • No support PMs thanks
Re: Win32:Malware-gen showing in boot scan
« Reply #7 on: July 22, 2012, 02:54:04 AM »
The detections are in archive files, which are inert by nature; they have to be opened, the files extracted and run before they would present a risk. Even then, when unpacked or run, avast would scan the file/s, and this time, outside the archive, they could be dealt with.

The msi file is a Microsoft Installation file (archive) and it is possibly this archive that is unsupported, plus the fact that there is another archive contained within that, 'Data1.cab', and it is within that second archive file that the detection is made. Now choices can be made in the scan settings to delete the whole archive if the infected/suspect file can't be extracted.

The detections in the C:\System Volume Information\_restore 'system restore points' are only in there because at some point the original was removed/modified, etc., so they could be removed without problem. The easiest way to do that is to disable system restore, reboot and enable system restore again.
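DavidR's advice in Reply #1 is to read the detection lines out of aswBoot.txt, and Reply #7 then reasons about them by where the detected file sits: inside a nested archive (MSI containing a CAB containing a UPX-packed exe, inert until extracted and run), inside a system restore point (a stale copy, removable by cycling System Restore), or loose on disk. The script below is an added example, not avast's code or anything the posters wrote: it parses report lines of the shape pasted in Reply #2 and sorts them into exactly those three groups, which is the triage a practitioner does before deciding what, if anything, to chest or delete. The line format (components joined by `|>`, a trailing `[UPX]` packer tag, `Action: Error NNNNN {message}` suffixes) is assumed from the pasted lines only; the sample report is constructed, with four lines shortened from the thread and one made-up loose-file line (`C:\Example\dropper.exe`) that is not from the thread.

```python
"""Triage helper for avast boot-scan detection lines (added example, not avast's code).

The line format is assumed from the lines pasted in the forum thread; real
aswBoot.txt reports may carry other line shapes, which parse_line() skips.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: four lines shortened from the thread (repeated action
# errors dropped) plus one made-up loose-file line so the "not inside any
# archive" branch is exercised. Summary lines are kept to show they are skipped.
SAMPLE_REPORT = r"""
File C:\Program Files\EarthLink Setup\Windows\access\SpywareBlocker.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen, Delete: Error 42111 {The operation is not supported for this type of archive.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}
File C:\Program Files\EarthLink Setup\Windows\access\SpywareBlocker.msi|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen, Repair: Error 42060 {The file was not repaired.}
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1957\A0194811.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1958\A0195040.msi|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen
File C:\Example\dropper.exe is infected by Win32:Malware-gen
Number of searched folders: 14928
Number of tested files: 951425
Number of infected files: 10
"""

# "File <path chain> is infected by <name>[, <action results>]"
DETECTION_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<name>[^,]+)(?:, (?P<actions>.*))?$")
# "Delete: Error 42111 {The operation is not supported for this type of archive.}"
ACTION_RE = re.compile(r"(?P<action>[^:,]+): Error (?P<code>\d+) \{(?P<msg>[^}]*)\}")
# XP-style restore point folder: \System Volume Information\_restore{GUID}\RP1957\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    host_path: str                     # the file that actually exists on disk
    members: List[str]                 # nested archive members, outermost first
    packer: Optional[str]              # runtime packer tag such as "UPX", if reported
    name: str                          # detection name, e.g. Win32:Malware-gen
    actions: List[Tuple[str, int, str]] = field(default_factory=list)  # (action, error code, message)

    @property
    def in_archive(self) -> bool:
        """True when the detected object is a member of some container, not a loose file."""
        return bool(self.members)

    @property
    def restore_point(self) -> Optional[str]:
        """Restore point id (e.g. 'RP1957') when the host file lives in a restore point."""
        m = RESTORE_RE.search(self.host_path)
        return m.group(1) if m else None


def parse_line(line: str) -> Optional[Detection]:
    """Parse one report line; returns None for summary lines and anything unrecognised."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("path").split("|>")
    host, members = parts[0], parts[1:]
    packer = None
    # A trailing bracketed component is a packer tag, not an archive member.
    if members and members[-1].startswith("[") and members[-1].endswith("]"):
        packer = members.pop()[1:-1]
    actions = [(a.group("action").strip(), int(a.group("code")), a.group("msg"))
               for a in ACTION_RE.finditer(m.group("actions") or "")]
    return Detection(host, members, packer, m.group("name").strip(), actions)


def parse_report(text: str) -> List[Detection]:
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d is not None]


def triage(dets: List[Detection]) -> dict:
    """Group detections the way the thread reasons about them:
    restore-point copies, live files inside archives (inert until extracted
    and run), and loose files (the ones that can execute directly)."""
    return {
        "total": len(dets),
        "in_restore_points": sum(1 for d in dets if d.restore_point),
        "in_archives_live": sum(1 for d in dets if d.in_archive and not d.restore_point),
        "loose_files": sum(1 for d in dets if not d.in_archive),
        "host_files": sorted({d.host_path for d in dets}),      # what is actually on disk
        "failed_actions": sorted({(a, c) for d in dets for a, c, _ in d.actions}),
    }


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for d in found:
        where = d.restore_point or ("archive" if d.in_archive else "loose file")
        print(f"{where:10} {d.name:20} {d.host_path} -> {'/'.join(d.members) or '-'} [{d.packer or '-'}]")
    print(triage(found))
```

Running it on the constructed report shows what DavidR reads off the pasted lines by eye: the ten detections in the thread are only two distinct objects inside one MSI on disk, the rest being restore-point copies of earlier versions of that same installer, and every failed action is either 42111 (archive type not supported) or 42060 (not repaired), so nothing was changed on the machine by the scan.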

bobstg

  • Guest
Re: Win32:Malware-gen showing in boot scan
« Reply #8 on: July 22, 2012, 03:46:14 AM »
Thank you for your assistance, I think at this time I am not going to do anything. But, if I wanted to remove them exactly where/how do I disable system restore?
Thanks again!
« Last Edit: July 22, 2012, 03:55:03 AM by bobstg »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88899
  • No support PMs thanks
Re: Win32:Malware-gen showing in boot scan
« Reply #9 on: July 22, 2012, 12:15:45 PM »

brobryce2009

  • Guest
Re: Win32:Malware-gen showing in boot scan
« Reply #10 on: October 23, 2013, 09:02:38 AM »
I found this very same detection today during a scheduled boot scan of a freshly factory-wiped HP DV5000 laptop computer. It was found in the "C:\Program Files\Online Services\Earthlink\" folder.

"...windows\access\SpywareBlocker.msi|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen"

Are we seriously looking at computers being infected right out of the box?