Hi magna86,
Boot scan immediately after infection found (as recommended):
12/29/2013 15:52
Scan of all local drives
File C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db|>data Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Colin\My Documents\Downloads\w_E_20120615.mp3.zip|>w_E_20120615_01.mp3 Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\McAfee\SiteAdvisor\Download\s2tc.c|>$TEMP\$[32]\MSADMLKit.cab|>sares.dll Error 42127 {CAB archive is corrupted.}
File C:\Program Files\McAfee\SiteAdvisor\Download\s3l8.c|>$TEMP\$[32]\MSADMLKit.cab|>sares.dll Error 42127 {CAB archive is corrupted.}
Number of searched folders: 8137
Number of tested files: 430596
Number of infected files: 0
I did a new one today, but the results are practically no different.
12/31/2013 08:32
Scan of C:
File C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db|>data Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Colin\My Documents\Downloads\w_E_20120615.mp3.zip|>w_E_20120615_01.mp3 Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\McAfee\SiteAdvisor\Download\s2tc.c|>$TEMP\$[32]\MSADMLKit.cab|>sares.dll Error 42127 {CAB archive is corrupted.}
File C:\Program Files\McAfee\SiteAdvisor\Download\s3l8.c|>$TEMP\$[32]\MSADMLKit.cab|>sares.dll Error 42127 {CAB archive is corrupted.}
Number of searched folders: 9735
Number of tested files: 438588
Number of infected files: 0
What worries me is there are some unusually named folders on my machine, all containing copies of NTUSER.DAT which do show as infected with the same thing, when I scan the files individually.
My user name folder is C:\Documents and Settings\Colin
There are three others now, which I haven't seen before, and which have '.Computer Name.and some numbers.' added to their names. Like so:
C:\Documents and Settings\Colin.COLIN-130824
C:\Documents and Settings\Colin.COLIN-130824.0000
C:\Documents and Settings\Colin.COLIN-130824.0001
All three are being missed by Boot Scan, it would seem. That is a concern, because it looks like malicious behavior to me - replicating and hiding! (Plus, I'm still hooked into one of those ntuser.dat's anyway - since there isn't one in my own user folder.)
On the other hand, here is the result from VirusTotal. Could it be a false positive?
I read elsewhere on this forum that the "VB" part stands for Visual Basic. It happens I was prompted to update Silverlight a few days ago, and I gather Visual Basic is part of the Silverlight setup, so I would guess that is where the problem came from.