Author Topic: Virus in Windows folder  (Read 7953 times)

RJE

  • Guest
Virus in Windows folder
« on: May 05, 2013, 05:09:48 PM »
I'm not sure if this question goes here or Other Products.

I ran a Boot Scan the other day with Avast Free, and it found a few viruses.  I was able to deal with most, but there was what appeared to be a virus in my Windows directory, and I wasn't able to quarantine or delete it.

Obviously, the first question is -- any suggestions?

But the second question is if Avast has a Rescue Disk or Emergency Disk of some sort?  I did look in the Other Products forum, and see something referred to as Bart -- but I can't find any link to it on the Avast site.  Am I missing something, or has it been discontinued, or what?  Even an Internet search doesn't offer much help.  It explains what the Bart CD is (or was...), but nothing more about availability.  The last download link I can find is from almost three years ago.

Thanks.


Robert

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: Virus in Windows folder
« Reply #1 on: May 05, 2013, 05:13:28 PM »
Hey, I suggest you follow this guide and attach your logs.

http://forum.avast.com/index.php?topic=53253.0

We need OTL, MBAM, AdwCleaner, and aswMBR.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37643
  • F-Secure user
Re: Virus in Windows folder
« Reply #2 on: May 05, 2013, 05:19:34 PM »
Quote
but there was what appeared to be a virus in my Windows directory, and I wasn't able to quarantine or delete it.
What name does avast give this virus?
Where is it located... full file path?


RJE

  • Guest
Re: Virus in Windows folder
« Reply #3 on: May 05, 2013, 06:20:01 PM »
Thanks for the replies.  I don't know the answer (yet) -- I did the boot scan a couple days ago, didn't write it down, and didn't think of asking here until today.  I plan to run another boot scan today and will hopefully find the answer and post it here.  And I'll also do my best to follow that guide and attach the logs.

Thanks again.  Updates as they occur...


Robert

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89421
  • No support PMs thanks
Re: Virus in Windows folder
« Reply #4 on: May 05, 2013, 07:23:46 PM »
Before doing another boot-time scan, check for this file; it gets overwritten the next time you run a boot-time scan.
Look in the C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\report\aswBoot.txt file (XP location) or C:\ProgramData\Avast Software\Avast\report\aswBoot.txt (Vista, Win7 location); check this file using Notepad for info on the scan/detections, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

RJE

  • Guest
Re: Virus in Windows folder
« Reply #5 on: May 05, 2013, 07:59:19 PM »
Okay, I've run all four programs as suggested, and am attaching the text files. 

There are five text files, and the restriction says four per post is the maximum.  So, I'll post another message here following with the .txt file for ASWmbr.


Robert

RJE

  • Guest
Re: Virus in Windows folder
« Reply #6 on: May 05, 2013, 08:03:27 PM »
And this is the fifth text file.  Few of which mean anything to me, but hopefully will to others.

I didn't exactly follow the message that suggested not doing a new boot-time scan yet.  I'll do my best to find the .txt log, though I'm not sure what information I'm looking for.  Perhaps it will be clear when I get there...

As always, thanks so much for the time and thoughtfulness.

RJE

  • Guest
Re: Virus in Windows folder
« Reply #7 on: May 05, 2013, 08:22:56 PM »
Okay, using that suggestion from DavidR about checking aswBoot.txt, I found the line that describes that one virus file that wasn't repaired or moved to the quarantine chest.  I've copy/pasted it below.

Hopefully this will mean something to others, and offer a direction of what I should try next.

Thanks.

Robert

* * *

File C:\Windows\Installer\4cc1c.msi|>Binary.New_Binary2|>Wise0013.bin is infected by Win32:Malware-gen, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Delete: Error 42111 {The operation is not supported for this type of archive.}
Scanning aborted

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89421
  • No support PMs thanks
Re: Virus in Windows folder
« Reply #8 on: May 05, 2013, 08:58:59 PM »
The malware-gen detection is buried deep inside of an archive file 4cc1c.msi (which is a bit of a weird installation file name and no hits on a search for it) in the C:\Windows\Installer\ folder. Trying to remove it from within the archive could result in the corruption of the archive, which is why you get the 'operation is not supported for this type of archive' error.

That said, I still believe that the C:\Windows\Installer\4cc1c.msi archive file with the suspect file inside is suspicious in its own right.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
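
Reading the aswBoot.txt line quoted in reply #7 the way reply #8 describes, as an added example that is not part of any poster's message or of Avast's software: it splits the `|>` chain into the container file on disk and the objects nested inside it, and lists each failed action with its error code. The line layout is an assumption inferred from that single quoted line, and the function names are hypothetical.

```python
import re

# Detection line copied from the thread; "Scanning aborted" follows it there.
SAMPLE_REPORT = (
    r"File C:\Windows\Installer\4cc1c.msi|>Binary.New_Binary2|>Wise0013.bin "
    r"is infected by Win32:Malware-gen, "
    r"Move to chest: Error 42111 {The operation is not supported for this type of archive.}, "
    r"Delete: Error 42111 {The operation is not supported for this type of archive.}, "
    r"Repair: Error 42060 {The file was not repaired.}, "
    r"Delete: Error 42111 {The operation is not supported for this type of archive.}"
    "\nScanning aborted\n"
)

# Assumed line layout, inferred from that single line (not a documented format).
DETECTION = re.compile(r"^File (?P<target>.+?) is infected by (?P<name>[^,]+), (?P<rest>.*)$")
FAILED = re.compile(r"(?P<action>[A-Za-z ]+): Error (?P<code>\d+) \{(?P<msg>[^}]*)\}")


def parse_detection(line):
    """Return a dict for one detection line, or None for any other line."""
    m = DETECTION.match(line.strip())
    if m is None:
        return None
    # "|>" separates the file on disk from the objects nested inside it.
    container, *members = m.group("target").split("|>")
    failed = [(f["action"].strip(), int(f["code"]), f["msg"])
              for f in FAILED.finditer(m.group("rest"))]
    return {
        "container": container,
        "members": members,
        "detection": m.group("name").strip(),
        "failed_actions": failed,
        # Nested hit with failed actions: the file to examine is the container.
        "review_container": bool(members) and bool(failed),
    }


def triage(report_text):
    """Parse every line; also report whether a 'Scanning aborted' line is present."""
    lines = report_text.splitlines()
    findings = [d for d in map(parse_detection, lines) if d]
    aborted = any(line.strip() == "Scanning aborted" for line in lines)
    return findings, aborted


if __name__ == "__main__":
    findings, aborted = triage(SAMPLE_REPORT)
    for f in findings:
        print(f["container"], "->", " / ".join(f["members"]), f["detection"])
    print("scan aborted:", aborted)
```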

RJE

  • Guest
Re: Virus in Windows folder
« Reply #9 on: May 05, 2013, 09:09:04 PM »
Thank you.  This all leads back to the original question about whether a Rescue disk is available from Avast -- and if running that would even help.

In lieu of that, are there any thoughts or suggestions for dealing with either this "malware-gen" detection -- or the suspicious archive "4cc1c.msi"?


Robert

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus in Windows folder
« Reply #10 on: May 05, 2013, 10:01:34 PM »
Hi, not a great deal there, just a few suspicious ADS streams.  How is the computer behaving?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
[2011/10/12 12:06:20 | 000,000,025 | -H-- | C] () -- C:\ProgramData\.811261211181235583101118113995
@Alternate Data Stream - 1379 bytes -> C:\Program Files (x86)\Common Files\System:GmACk56ZqcxZUan6gzn4Up
@Alternate Data Stream - 1322 bytes -> C:\ProgramData\Microsoft:rVKrOJamXpSWRcj1PJG
@Alternate Data Stream - 1261 bytes -> C:\ProgramData\Microsoft:X7Hg35cJ0P1ZbK8tsuDG7naPgw
@Alternate Data Stream - 1259 bytes -> C:\ProgramData\Microsoft:f4TAAJUHbv6XDchyFJ9
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:5C321E34
@Alternate Data Stream - 1184 bytes -> C:\ProgramData\Microsoft:kLyP3c1ukCBRSXLJXVxQ0XZ3K
@Alternate Data Stream - 1184 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:Zy9EuipuXOk09WdOO5026uq

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

RJE

  • Guest
Re: Virus in Windows folder
« Reply #11 on: May 05, 2013, 10:14:21 PM »
Thanks.  The system seems to be running okay, though that doesn't mean the virus isn't doing some off-system damage with email, I suppose.

I'll run the OTLFix, and send the results -- though it appears that this won't have any impact on that malware-gen, which seems to be the virus I had spotted in the Windows directory.

RJE

  • Guest
Re: Virus in Windows folder
« Reply #12 on: May 05, 2013, 10:38:53 PM »
I ran OTL Fix, and here's the log file.

As I said, though, this doesn't appear to have any impact on the "C:\Windows\Installer\4cc1c.msi|>Binary.New_Binary2|>Wise0013.bin" file.

(Then again, when I just now looked through Windows Explorer, I don't even see a sub-directory "C:\Windows\Installer" listed, even with "Show hidden files and folders" turned on.)

The search continues.

Thanks.


Robert

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus in Windows folder
« Reply #13 on: May 05, 2013, 10:56:09 PM »
I can delete that file for you, but I do not know what programme it is associated with.  Removal of the MSI will also remove the uninstall data.

RJE

  • Guest
Re: Virus in Windows folder
« Reply #14 on: May 05, 2013, 11:12:19 PM »
If I could figure out how to simply find "C:\Windows\Installer\4cc1c.msi|>Binary.New_Binary2|>Wise0013.bin", I might be able to help figure out what it's associated with.  (Then again, I'd be happy to just find "C:\Windows\Installer" to start with.)

Though I know it potentially can be problematic, I'm less concerned with removing the uninstall data of some program I use than I am with having a virus sitting in my Windows directory.

How *does* one delete that file -- especially given that I'm bewildered just finding the directory...?

Sorry for the confusion, but the answers here are appreciated.


Robert