Topic: A0007478.exe ???

jazzmay (Guest)
A0007478.exe ???
« on: January 27, 2011, 10:27:20 PM »
I posted yesterday regarding PopWait.exe and submitted a sample.  I'm hoping that it may have been a false positive.
I ran another scan this morning and A0007478.exe was detected....
So, I decided to reformat the HD, as it has not been done in quite some time.
After reinstalling, updating, etc., I've run two scans since the reformat. In the first scan PopWait.exe showed up again. I just finished another scan and A0007478.exe showed up again.
A0007478.exe is located in C:\system volume information\_restore{DDE3EB95....}\RP17\A0007478.exe

Just like PopWait.exe, A0007478.exe shows last changed in April 2004.

VirusTotal:  http://www.virustotal.com/file-scan/report.html?id=b7e30515c975e328a641dca74eda9cfe2cb3d6044165340fe81b64a3f82dce5b-1296162694

Is this likely a threat or a false positive?

Pondus
Re: A0007478.exe ???
« Reply #1 on: January 27, 2011, 10:42:26 PM »
Clear your restore points and try again


jazzmay (Guest)
Re: A0007478.exe ???
« Reply #2 on: January 28, 2011, 12:42:30 AM »
Forgive me, but I am not sure if I understand exactly what you have asked me to do?

I turned off System Restore, clearing the restore points, and then ran a full scan again. A0007478.exe showed up during the scan, but it was located only in the 'C:\SUSPECT' folder I created for VirusTotal to analyze. No other 'threats' were detected.

What should I do next?

Pondus
Re: A0007478.exe ???
« Reply #3 on: January 28, 2011, 12:54:53 AM »
The detection was in one of the restore points, so when you have cleared those the malware is gone.

Delete the sample from the C:\SUSPECT folder, enable System Restore again and you should be fine.


If you don't have it, recommended extra scanner:
Malwarebytes Anti-Malware 1.50.1  http://filehippo.com/software/antimalware/
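The triage Pondus describes above (a hit whose path sits under a System Restore point is an archived copy, so clearing the restore points removes it, while the copy in C:\SUSPECT is the sample the poster set aside for VirusTotal), plus a check that the file you hold is the one the VirusTotal link in the opening post describes, as an added example in Python. This is not code from the thread, from avast or from any of the tools named here. The restore-point GUID, the third "live" path and its OEMTools folder, the sample bytes and the helper names (classify_hit, vt_sha256_from_url, same_sample, triage_all) are assumptions made for the example; the hash check assumes the old VirusTotal report id layout of <sha256>-<unix time>, which is what the link in the thread uses.

```python
"""Triage helper for antivirus hits inside Windows System Restore points
(the C:\\System Volume Information\\_restore{...}\\RPnn\\A00nnnnn.ext copies
discussed in this thread) versus hits on the live file system.

Added example, not code from the original thread. All paths, folder names
and sample bytes below are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Windows XP System Restore keeps copies of changed files under
# <drive>:\System Volume Information\_restore{GUID}\RPnn\ and renames each
# copy to A00nnnnn.<ext>, so the original file name cannot be read back
# from the path alone; the detection name carries more information.
_RESTORE_POINT = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Triage:
    path: str
    detection: str
    location: str  # "restore_point", "sample_folder" or "live"
    action: str


def classify_hit(path: str, detection: str, sample_folders=()) -> Triage:
    """Decide what an AV hit means from where the file lives.

    sample_folders: folders the user created to hold copies for analysis
    (the C:\\SUSPECT folder in the thread); hits there are expected.
    """
    lowered = path.lower()
    if _RESTORE_POINT.match(path):
        return Triage(path, detection, "restore_point",
                      "Archived copy inside a restore point, not a running file. "
                      "Clear the restore points (disable, then re-enable System "
                      "Restore) and rescan.")
    for folder in sample_folders:
        if lowered.startswith(folder.lower().rstrip("\\") + "\\"):
            return Triage(path, detection, "sample_folder",
                          "Copy set aside for VirusTotal. Delete it once the "
                          "report is in; this is not a new infection.")
    return Triage(path, detection, "live",
                  "File on the live system. Quarantine it and check whether "
                  "anything references it before deciding it is only a PUP.")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vt_sha256_from_url(url: str) -> str:
    """Extract the SHA-256 from an old-style VirusTotal report URL.

    Report ids of the form <sha256>-<unix time> were used in 2011; the first
    64 hex characters are the file hash.
    """
    ids = parse_qs(urlparse(url).query).get("id", [])
    if not ids:
        raise ValueError("no id parameter in VirusTotal URL")
    digest = ids[0].split("-", 1)[0].lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("id is not a SHA-256 report id")
    return digest


def same_sample(local_bytes: bytes, vt_url: str) -> bool:
    """True if the file you hold is the one the VirusTotal report describes."""
    return sha256_hex(local_bytes) == vt_sha256_from_url(vt_url)


# Constructed scan hits: the GUID, the third path and the OEMTools folder
# are made up for this example.
SAMPLE_HITS = [
    (r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP17\A0007478.exe",
     "Win32:KillApp-w"),
    (r"C:\SUSPECT\A0007478.exe", "Win32:KillApp-w"),
    (r"C:\Program Files\OEMTools\killit.exe", "Win32:KillApp-w"),
]

# The VirusTotal link from the opening post of the thread.
VT_URL = ("http://www.virustotal.com/file-scan/report.html?id="
          "b7e30515c975e328a641dca74eda9cfe2cb3d6044165340fe81b64a3f82dce5b-1296162694")


def triage_all(hits=SAMPLE_HITS, sample_folders=(r"C:\SUSPECT",)):
    return [classify_hit(p, d, sample_folders) for p, d in hits]


if __name__ == "__main__":
    for t in triage_all():
        print(f"[{t.location:13}] {t.detection:16} {t.path}\n    -> {t.action}")
    print("VirusTotal report hash:", vt_sha256_from_url(VT_URL))
```

Run it on your own scan log by replacing SAMPLE_HITS with (path, detection) pairs; the useful signal is a hit that classifies as "live", since restore-point copies disappear once the points are cleared, and the hash comparison tells you whether the VirusTotal verdict you are reading actually applies to the file on your disk.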

Lisandro (Avast team)
Re: A0007478.exe ???
« Reply #4 on: January 28, 2011, 01:04:25 AM »
Quote
Forgive me, but I am not sure if I understand exactly what you have asked me to do?
http://support.microsoft.com/kb/264887/en-us

Quote
What should I do next?
I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERAntiSpyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest) rather than simply deleting them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Clean your Hosts file (replacing it) with the HostsMan tool.
7. Disable System Restore and then re-enable it again.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.

jazzmay (Guest)
Re: A0007478.exe ???
« Reply #5 on: January 28, 2011, 10:17:00 PM »
I've completed almost all of the steps suggested:
1.  Cleared temp files
2.  Boot scan produced two results: A0008187.exe and killit.exe. Both were Win32:KillApp-w (pup)
3.  I've been running Malwarebytes and it has never shown signs of infection
4.  Ran aswar.exe - log was clean
5.  Ran HijackThis: see log
6.  Installed HostsMan - not sure what to do with it though
7.  Disabled and re-enabled System Restore
8.  I've used Spybot in the past - should I change to SpywareBlaster? Is it a better program?
9.  I cannot connect to Secunia - Explorer just tries to recover the tab repeatedly.

Pondus
Re: A0007478.exe ???
« Reply #6 on: January 28, 2011, 10:33:56 PM »
Quote
8.  I've used Spybot in the past - should I change to SpywareBlaster? Is it a better program?
Use none of them; SpywareBlaster is a passive program, not a scanner.
I recommend Malwarebytes and SUPERAntiSpyware.

Quote
Win32:KillApp-w (pup)
A PUP (potentially unwanted program):
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1066761,00.html



So they are back...

Let Essexboy have a look inside...


Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)


To avoid using multiple posts with copy and paste, you have to attach the logs:
Lower left corner: Additional Options > Attach (OTL.Txt / Extras.Txt)

Essexboy will be notified when you have posted the logs...
« Last Edit: January 28, 2011, 10:37:30 PM by Pondus »

jazzmay (Guest)
Re: A0007478.exe ???
« Reply #7 on: January 29, 2011, 12:56:29 AM »
Here are the requested logs

Thanks

Pondus
Re: A0007478.exe ???
« Reply #8 on: January 29, 2011, 01:00:30 AM »
Essexboy is notified, check back tomorrow

essexboy (Malware removal instructor)
Re: A0007478.exe ???
« Reply #9 on: January 29, 2011, 01:51:55 PM »
It is in the restore points and my assessment is that they are a part of the OEM setup for your computer, inasmuch as they are programmes that could be used for good or bad purposes. I will reset your restore points for you; this should remove the alert. But I feel it is not a problem. On completion of this, see if Avast still detects it.

 Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done