FALSE positive or AVAST crazy? help...

Strange, I have tested my PC and it says that in:

C:\system volume information\restore

there are these 4 viruses:

A0000076.exe
A0000077.exe
A0000078.exe
A0000079.exe

infected named WIN32:crypt-CZU

and AVAST deleted the MBR rootkit remover: MBR.EXE!!!

infected with virus crypt-CZU

Is it true or is AVAST crazy??? Help me… please

help me

You asked a question, followed less than 1 minute later with the plea "help me"; we’re quick on this forum but not that quick.

Well, the MBR rootkit remover (MBR.EXE) file is a tool which modifies the MBR file, I presume, and tools are often flagged, as an AV doesn’t know who is using the tool or if it is for good or evil.

Let’s not forget that avast doesn’t delete anything; it alerts to infection and gives the user a number of options, delete being one. The best and safest option to choose is to send to the chest.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner, and report the findings here (the URL in the address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.


Depending on the OS of your computer, the detection in … C:\system volume information\restore … can possibly be fixed by turning off system restore, rebooting your computer, and then turning on system restore again to create a new restore point.

What is the OS?


I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then reenable it again.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.