C:\Windows\Installer\pe5x86.zip . . . BootSect.exe


After the Avast Boot Time scan, it said that I must activate Windows.

I took a look at System / “View basic information about your computer” / After a minute, it said activated - that didn’t seem good


What did Avast find?

File C:\Windows\Installer\pe5x86.zip|>Windows AIK\Tools\PETools\x86\BootSect.exe is infected by Win32:Malware-gen, Moved to chest

Please see screenshots


What is Windows AIK\Tools\PETools\x86\BootSect.exe . . . http://technet.microsoft.com/en-us/library/cc749177(v=ws.10).aspx

This looks like a false positive.

Avast could not restore BootSect.exe from the Virus Chest. I think it’s safe, so I wanted to.


I went to Win 8.1 Safe Mode / I went to a restore point I made before doing a Boot Time Scan / It said the restore was successful, but I’m not sure if the restore point restored BootSect.exe


Next thing to try: I ran these two, in this order:

C:\>dism /online /cleanup-image /restorehealth

C:\>sfc /scannow

. . . I ran sfc first, but it failed. So I ran dism first, and then sfc - and it then said that sfc succeeded.

Looking in File Manager, I see that pe5x86.zip is back.

Questions:

1.) Should I unzip the archive and run BootSect.exe, or just leave it as is?

2.) Should I find all occurrences of BootSect.exe on my C: drive, and scan them with Avast? Please see screenshot for the ones on my hard drive.

3.) Is it now safe to delete the BootSect.exe entry in the Virus Chest?

I see that I got this error on 11/27/14 . . . and the last “modification” to one of the three copies of BootSect.exe on there was on 11/19/14

. . . are there supposed to be more than three copies of BootSect.exe installed (which I have), in three different places?

So, Avast just doesn’t like the .zip file for some reason . . . This .zip file has been restored, so the problem is fixed? . . . Some program must work with pe5x86.zip, because I never did.

I’ll have to see if it happens again
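One way to answer question 2 and the "three copies" question without running the file: inventory every BootSect.exe on the drive, pull the flagged member out of pe5x86.zip into a scratch folder, and compare SHA-256 hashes and Authenticode signatures side by side. This is an added example, not code from the thread or from Avast; it assumes Windows PowerShell 4.0 (as shipped with Windows 8.1, which provides Get-FileHash) and .NET 4.5 for the ZipFile class, and the archive member path is taken from the Avast log line above.

```powershell
# Added example (not from the thread): compare every BootSect.exe on C:, including the
# copy inside C:\Windows\Installer\pe5x86.zip, by hash and Authenticode signature.
# Assumes Windows PowerShell 4.0 and .NET 4.5 (System.IO.Compression.FileSystem).
Add-Type -AssemblyName System.IO.Compression.FileSystem

$zipPath   = 'C:\Windows\Installer\pe5x86.zip'
$entryName = 'Windows AIK/Tools/PETools/x86/BootSect.exe'   # member path from the Avast log
$tempDir   = Join-Path $env:TEMP 'bootsect-check'
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# 1. Extract only the flagged archive member into a scratch folder (it is never executed).
$zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
try {
    $entry = $zip.Entries |
        Where-Object { ($_.FullName -replace '\\', '/') -eq $entryName } |
        Select-Object -First 1
    if (-not $entry) { throw "Entry '$entryName' not found in $zipPath" }
    $extracted = Join-Path $tempDir 'BootSect.exe'
    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $extracted, $true)
} finally { $zip.Dispose() }

# 2. Collect every on-disk copy of BootSect.exe plus the extracted one.
$copies = @(Get-ChildItem -Path 'C:\' -Filter 'BootSect.exe' -Recurse -File `
              -ErrorAction SilentlyContinue) + @(Get-Item $extracted)

# 3. Hash and signature-check each copy; identical hashes mean byte-identical files.
$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Modified  = $f.LastWriteTime
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status      # 'Valid' for an intact, trusted-signed binary
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}
$report | Format-Table -AutoSize

# 4. Summarise: how many distinct binaries exist, and flag any whose signature does not verify.
$distinct = ($report | Select-Object -ExpandProperty SHA256 -Unique).Count
Write-Host "Distinct BootSect.exe binaries found: $distinct"
$report | Where-Object { $_.SigStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning "Signature not valid: $($_.Path) ($($_.SigStatus))" }
```

If all copies share one hash and a valid signature, the archived copy is the same binary as the extracted ones the scanner did not flag; a copy with a different hash or a non-valid signature is the one worth submitting to the vendor before deciding what to restore.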

Do you have an imaging/backup programme, as that is generally used by them?

I tried these a while back - months, or maybe even a year, before this error:

Macrium
SeaGate Disc Wizard (Acronis)
Windows 7 File Recovery

. . . but decided on, and have been using, Clonezilla

. . . you boot to the Clonezilla CD, so as I understand it, it doesn’t use anything on my computer, it just blindly makes a sector by sector copy of my C: drive to the other hard drive. I think it boots to Linux - it uses a whole different operating system than Win 8.1

In that case the file belonged to Macrium Reflect.

Why would Avast flag it in the zip file, but not the extracted versions?

I was able to delete it from the Virus Chest. I’ll try running the Boot Time Scan again soon; it takes 2 hours 15 minutes.

I’ve been running Boot Time Scan, and just letting it “Fix All”


This page says that you should not do that; it says to just use Boot Time Scan as a last resort. Can it cause that much of a problem?

https://www.winhelp.us/avast-free-antivirus-boot-time-scan.html

Do not use the Yes or Yes all options for system files - your computer might become unstable or unbootable!


I have been setting a restore point before I do the Boot Time scan, in case there is a problem. I would go into Win 8.1 Safe Mode with the USB drive, and get to the restore point that way.

Boot scan is a last resort method and can produce false positives, so you would need to monitor it.

I’ll do some more experimenting and report back the findings. Thank you!


11/29/14

I deleted this from the Virus Chest, and see that it had put it in Exclusions, before:

File C:\Windows\Installer\pe5x86.zip|>Windows AIK\Tools\PETools\x86\BootSect.exe

I just re-ran Boot-Time Scan; this didn’t come up, and it is not in Exclusions, either.


I’ve been running Boot-Time Scan with the following settings:

Areas to scan: All harddisks, and Auto-start programs (all users)
Heuristics sensitivity: High
[check] Scan for PUPs
[check] Unpack archive files
When a threat is found: Fix automatically

These settings are as high as you can go. Maybe that’s why it found this error, and it’s a false positive.