Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Avast found malware, moved to chest.


  • Please log in to reply
3 replies to this topic

#1 M332

M332

  • Members
  • 211 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 09 January 2011 - 04:22 PM

I'm running winxp pro sp3 with avast 4.8 and spyware terminator 2.8.2.192. I ran the avast boot scan and it found 5 new infections. There are no new computer problems that I can detect. How do I fix this?

Avast boot scan log:
01/09/2011 00:10
Scan of all local drives

File C:\Documents and Settings\Owner\.housecall6.6\AU_Temp\1028_3016\AU_Down\engine\dce-exe-v6.0-1053.zip\tsc.exe Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\Microsoft Office\OFFICE11\FINDER.EXE is infected by Win32:Malware-gen, Moved to chest
File C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP1762\A0249195.exe\i386\ieencode.dl_ Error 42127 {CAB archive is corrupted.}
File C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP1811\A0265033.sys is infected by Win32:Hupigon-ONX [Trj], Move to chest: Error 0xC000007F {An operation failed because the disk was full.}
File C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP1812\A0269234.sys is infected by Win32:Hupigon-ONX [Trj], Move to chest: Error 0xC000007F {An operation failed because the disk was full.}
File C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP1812\A0270974.exe\{embedded}\setup.exe Error 42051 {Unknown packer version.}
File C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP1812\A0274201.exe\{embedded}\setup.exe Error 42051 {Unknown packer version.}
File C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP1824\A0283021.EXE is infected by Win32:Malware-gen, Moved to chest
File D:\i386\Apps\App31030\mshdqfe\win2k3\ara\kb835221.exe\commonfiles\hdaudbus.sys Error 42127 {CAB archive is corrupted.}
File D:\i386\Apps\App30227\l2561412.cab\FINDER.EXE is infected by Win32:Malware-gen, Moved to chest
Number of searched folders: 8609
Number of tested files: 509947
Number of infected files: 5

Edited by M332, 09 January 2011 - 04:23 PM.


BC AdBot (Login to Remove)

 


#2 M332

M332
  • Topic Starter

  • Members
  • 211 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 11 January 2011 - 06:49 PM

No more malware problem. Ran system recovery.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:22 PM

Posted 14 January 2011 - 10:03 PM

Thank you for letting us know.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:22 PM

Posted 16 January 2011 - 11:06 PM

For future reference:

Looks like most of the detections were in the System Volume Information Folder (SVI) which is a part of System Restore. The number after 'A00' represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. If your anti-virus or anti-malware tool was able to move (quarantine) the file(s) it is no longer a threat. When an anti-virus or security program quarantines a file and moves it into a virus vault (chest) or a dedicated Quarantine folder, that file is safely held there and no longer a threat. The file is essentially disabled and prevented from causing any harm to your system through security routines which may copy, rename, encrypt and password protect the file the file before moving. Quarantine is just an added safety measure which allows you to view and investigate the files while keeping them from harming your computer. When the quarantined file is known to be malicious, you can delete it at any time by launching the program which removed it, going to the Quarantine tab, and choosing the option to delete.

One reason for doing this is to prevent deletion of a legitimate file file that may have been flagged as a "false positive" especially if the scanner uses heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop if before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users