Author Topic: Win32 Malware-gen in Boot  (Read 5419 times)


dkpbxman

  • Guest
Win32 Malware-gen in Boot
« on: September 09, 2011, 07:26:52 AM »
When I run MBAM, it finds nothing, but when I do a boot scan in Avast, it turns up a few files infected with Win32 Malware-gen. It won't delete them, quarantine them or repair them. The only thing I can do is ignore them.

I've run SuperAntiSpyware, MS Essentials, AVG and a few others, but I can't get rid of it.

Please help,

Thanks

Dan

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: Win32 Malware-gen in Boot
« Reply #1 on: September 09, 2011, 08:06:16 AM »
A screen shot of the detections would be helpful.
Also I hope you don't have MSE and AVG on your system at the same time with avast.

dkpbxman

  • Guest
Re: Win32 Malware-gen in Boot
« Reply #2 on: September 09, 2011, 08:50:58 AM »
A screen shot of the detections would be helpful.
Also I hope you don't have MSE and AVG on your system at the same time with avast.

I would be glad to, but I'm pretty illiterate when it comes to computers. How do I do that? Are the scan results stored anywhere?

And no, I never had two A/V programs on at the same time.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32 Malware-gen in Boot
« Reply #3 on: September 09, 2011, 11:53:35 AM »
What OS do you have: XP/Vista/Win7?

If you scan again, can you write down the full message and post it here?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Win32 Malware-gen in Boot
« Reply #4 on: September 09, 2011, 02:43:45 PM »
A screen shot of the detections would be helpful.
<snip>

I would be glad to but I'm pretty illiterate when it comes to computers-how do I do that?-are the scan results stored anywhere?
<snip>

Check C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt (XP) or C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt (Vista, Win7) using Notepad; it contains information on the boot-time scan.

Copy and paste the information on the detections into your next reply.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dkpbxman

  • Guest
Re: Win32 Malware-gen in Boot
« Reply #5 on: September 09, 2011, 04:24:40 PM »
Check the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt (XP)
________________________________________________________________________________________________

I have XP (Home), but when I navigate to C:\Documents and Settings\All Users\ I see folders for Desktop, Favorites, Shared Documents and Start Menu and a file marked NTUSER. No Application Data.

Doing a boot-time scan, the infected files are:

C:\System Volume Information\_Restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1788\A0367550.msiI>DATAL.cabI>EIshowspyabout.exeI>[UPX]

C:\System Volume Information\_Restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1788\A0367601.msiI>DATAL.cabI>EIshowspyabout.exeI>[UPX]

C:\System Volume Information\_Restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1807\A0370319.msiI>DATAL.cabI>EIshowspyabout.exeI>[UPX]

C:\System Volume Information\_Restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1807\A0370434.msiI>DATAL.cabI>EIshowspyabout.exeI>[UPX]

All found at 54% of the scan and all infected with Win32:Malware-gen.
« Last Edit: September 09, 2011, 04:26:31 PM by dkpbxman »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Win32 Malware-gen in Boot
« Reply #6 on: September 09, 2011, 04:40:17 PM »
This is an archive file within another archive file, and it looks like it is within yet another archive file. First A0367550.msi, then DATAL.cab, then EIshowspyabout.exe (zero Google info on this file) and possibly another UPX archive after that, and it looks like that is the protected one.

So I would say avast's detection is correct:
- Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
 
- Worst case scenario: it isn't infected and you delete it; you can't use that restore point in the future, not much of a loss, and the older the restore point is, the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

I would suggest manually clearing your restore points (disable, reboot, enable):
Windows XP System Restore General Information System Restore Guide
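One way to read nested-archive detection lines like the ones posted above programmatically, as an added example that is not from the thread or from Avast: it splits the container chain on the "|>" separator avast uses (also accepting the "I>" transcription in the post), pulls the restore-point id out of the System Volume Information path, and groups detections by restore point so it is clear which ones the "clear restore points" step covers. The sample lines are the paths from the post; the function names and the regex are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: avast writes one path per detection, with each nested container
# separated by "|>"; the post above hand-typed that separator as "I>".
SEP = re.compile(r"\s*(?:\|>|I>)\s*")
# Matches a System Restore backup location and captures the restore point id.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_Restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I)

# Constructed from the paths quoted in Reply #5 (separator written as "|>").
SAMPLE = [
    r"C:\System Volume Information\_Restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1788\A0367550.msi|>DATAL.cab|>EIshowspyabout.exe|>[UPX]",
    r"C:\System Volume Information\_Restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1788\A0367601.msi|>DATAL.cab|>EIshowspyabout.exe|>[UPX]",
    r"C:\System Volume Information\_Restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1807\A0370319.msiI>DATAL.cabI>EIshowspyabout.exeI>[UPX]",
    r"C:\System Volume Information\_Restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1807\A0370434.msiI>DATAL.cabI>EIshowspyabout.exeI>[UPX]",
]

@dataclass
class Detection:
    outer_file: str                 # the on-disk file the scanner opened
    chain: List[str]                # inner members, outermost first
    packer: Optional[str]           # e.g. "UPX" when the last entry is a packer tag
    restore_point: Optional[str]    # e.g. "RP1788" when the file is a restore-point backup

def parse_detection(line: str) -> Detection:
    """Split one detection path into its on-disk file and nested container chain."""
    parts = [p for p in SEP.split(line.strip()) if p]
    outer, inner = parts[0], parts[1:]
    packer = None
    # A trailing "[NAME]" entry is a packer/protector tag, not a file inside the archive.
    if inner and inner[-1].startswith("[") and inner[-1].endswith("]"):
        packer = inner.pop()[1:-1]
    m = RESTORE_RE.search(outer)
    return Detection(outer, inner, packer, m.group(1) if m else None)

def group_by_restore_point(lines: List[str]) -> Dict[Optional[str], List[Detection]]:
    """Key None collects detections that live outside System Restore and need
    individual attention; every other key is a restore point that clearing
    restore points (disable, reboot, enable) will remove in one go."""
    groups: Dict[Optional[str], List[Detection]] = {}
    for ln in lines:
        d = parse_detection(ln)
        groups.setdefault(d.restore_point, []).append(d)
    return groups

if __name__ == "__main__":
    for rp, dets in group_by_restore_point(SAMPLE).items():
        print(rp or "outside System Restore", [d.chain[-1] for d in dets])
```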

dkpbxman

  • Guest
Re: Win32 Malware-gen in Boot
« Reply #7 on: September 09, 2011, 07:51:40 PM »
I would suggest manually clearing your restore points (disable, reboot, enable)
--------------------------------------------------------------------------------------------------

Thank you

Did that and the next scan came up clean.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Win32 Malware-gen in Boot
« Reply #8 on: September 09, 2011, 08:10:29 PM »
You're welcome, don't forget to enable system restore again.