I did a full scan with Avast today, and found 3 win32:malware-gen infections. Two were in the C drive, which I was able to remove with Avast, but there is one in the D drive, which of course is the partitioned recovery drive, which cannot be accessed, as far as I know. Location is D:\hp\Drv\APP00038\offline_driver\UIU32m.exe. First, can you tell me how this segregated part of the disk can become infected? And most importantly, how can I remove it? Do you think any other damage may have resulted, like to registry? Any help would be much appreciated.
In theory they could have been infected from the start and a new or modified signature could pick it up. When something has been on your system for some time (without showing any adverse effects), then there is in my opinion no reason to rush to a decision, and if a decision is made it should be to send to the chest, 'first do no harm', as this can be reversed. The HP recovery partition is likely to be protected and that would block attempts to do anything with it.
Whoops. If I had bothered to read a little further down in the posts, I would have seen the one from mjplante. The poster on the CNET forum that DAVIDR supplies a link to had exactly the same three files come up as win32:malware-gen as I did. The conclusion they seem to reach is that they are false positives. Should I relax? Should I restore the two files in "C" that are in the vault? Thanks!!
That was/is my summation and why I asked for the locations in the other topic. So it needs confirmation one way or another.
####
You should check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here: the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract a copy of it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.
If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.
- In the meantime (if you accept the risk), add it to the exclusions lists: File System Shield, Expert Settings, Exclusions, Add and avast Settings, Exclusions.
- Restore it to its original location and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location.
- When it is no longer detected, you can also remove it from the File System Shield and avast Settings exclusions lists.
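The staging-and-checking routine described in the post above, as an added example that is not part of the original thread or of avast's own tooling: it copies a suspect file into a separate staging folder (the equivalent of C:\Suspect, here a temporary directory so it runs anywhere), computes its SHA-256 so the file can be looked up on VirusTotal by hash rather than uploaded, and applies the post's rule of thumb that GData reuses the avast engine, so an avast + GData pair counts as one detection. The folder name, the sample bytes and the one-detection threshold are constructed for the example; the VirusTotal file URL format is the public one, and the exclusion itself still has to be set in the avast UI as the post describes.

```python
import hashlib
import os
import shutil
import tempfile

# Engine pairs that share a scanner. The post notes GData uses avast as one of
# its two scanners, so avast + GData is effectively a single detection.
SHARED_ENGINE_GROUPS = [{"avast", "gdata"}]


def copy_to_suspect_folder(src_path, suspect_dir):
    """Copy the suspect file into a staging folder; never work on the original."""
    os.makedirs(suspect_dir, exist_ok=True)
    dest = os.path.join(suspect_dir, os.path.basename(src_path))
    shutil.copy2(src_path, dest)
    return dest


def sha256_of_file(path):
    """Stream the file through SHA-256 so large samples do not need to be loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def virustotal_lookup_url(sha256_hex):
    """Hash lookup: check whether VirusTotal already knows the file without uploading it."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex


def effective_detections(detecting_engines):
    """Count distinct detections, collapsing engines that share a scanner into one."""
    engines = {e.lower() for e in detecting_engines}
    count = 0
    for group in SHARED_ENGINE_GROUPS:
        if engines & group:
            count += 1
            engines -= group
    return count + len(engines)


def likely_false_positive(detecting_engines, threshold=1):
    """Constructed rule of thumb from the post: one effective detection suggests an FP."""
    return effective_detections(detecting_engines) <= threshold


if __name__ == "__main__":
    # Constructed sample: a harmless placeholder file standing in for the flagged one.
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "UIU32m.exe")
        with open(original, "wb") as f:
            f.write(b"abc")
        staged = copy_to_suspect_folder(original, os.path.join(work, "Suspect"))
        digest = sha256_of_file(staged)
        print("staged copy:", staged)
        print("lookup:", virustotal_lookup_url(digest))
        # Constructed scan result: only avast and GData flag it.
        print("effective detections:", effective_detections(["Avast", "GData"]))
        print("likely false positive:", likely_false_positive(["Avast", "GData"]))
```

The hash lookup is the step to run before uploading anything: if VirusTotal already has a verdict for that hash, the result page URL is what the post asks you to paste back, and no copy of the file leaves your machine.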