Listener.exe and Win32:Malware-gen boot scan alert

Hello,

A few days ago, just after I had turned on my laptop and was opening my internet browser (Google Chrome) I received an
Avast warning that a threat had been detected. The recommended action was to perform a boot scan. The boot scan identified one infected file:

File C:\Documents and Settings\All Users\Application Data\{A2A58654-12AA-408A-B411-58A76959BE7F}\default.msi|>Data1.cab|listener.exe is infected by Win32:Malware-gen

However, when I tried deleting the file or moving it to the chest I received the following error message:

{The operation is not supported for this type of archive.}

I pressed Esc to exit the Avast boot-scan and ran MalwareBytes, which did not detect any infection.

I decided to also run MalwareBytes on my sister’s laptop which I had borrowed. Again MalwareBytes did not detect a problem
while the Avast boot-scan identified an infected file:

File C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe|>$_OUTDIR\Windows\access\SpywareBlocker.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen

I chose “Move to Chest”, and Avast reported that the file had been moved to the chest. The boot-scan then continued and reported the following infection:

File C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP207\A0038286.exe|>$_OUTDIR\Windows\access\SpywareBlocker.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen

I chose “Delete”, and Avast reported that the file had been deleted, and the boot-scan was eventually completed.

I am not sure why the removal appears to have been successful for the second laptop but not for the first. I’ve read some posts about Avast occasionally issuing false-positives so I don’t know if the alert (relating to “listener.exe” on the 1st laptop) should be a cause for concern.

I would be grateful if I could receive advice on how to identify and resolve the potential source of the problem.

I followed the instructions under the “Logs to assist in cleaning malware” topic by running OTL and aswMBR, and I have attached the generated files for both laptops (named A and B to differentiate the two laptops), since I am not so confident that the “ElShowSpyAbout.exe” has been deleted from the second laptop.

Is asking for help on two computers acceptable in the same post? If not, then help with either one of the laptops would be appreciated.

Thank you.

Mees

C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe|>$_OUTDIR\Windows\access\SpywareBlocker.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX]

Do you know what EarthLink is? It seems to be an ISP: http://www.earthlink.net/
So is it the internet provider you use, or was this preinstalled on your computer?
The SpywareBlocker seems to come from that.

Anyway, Essexboy is notified. He should be here when he is out of bed and has had his tea :wink:

Hi, both logs look OK, although at some stage you have had a brush with an infected USB. What problems are you experiencing?

LAPTOP A

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O33 - MountPoints2\{97319d1c-872b-11dd-9f8b-00023f839062}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{97319d1c-872b-11dd-9f8b-00023f839062}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{d78e3a38-64fa-11da-9989-00023f839062}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{d78e3a38-64fa-11da-9989-00023f839062}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{d86e14ee-76d5-11dd-9f83-00023f839062}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{d86e14ee-76d5-11dd-9f83-00023f839062}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

LAPTOP B

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKU\S-1-5-21-2546585076-962154886-654367899-1006\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-2546585076-962154886-654367899-1006\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-2546585076-962154886-654367899-1006\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O33 - MountPoints2\{7acfab60-5643-11dc-a0f4-001a7302a1c8}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL prezoo.exe e
O33 - MountPoints2\{7acfab60-5643-11dc-a0f4-001a7302a1c8}\Shell\Auto\command - "" = F:\prezoo.exe e

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
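The O33 lines in both fixes above are per-volume Shell\AutoRun\command and Shell\open\command values that Explorer cached under MountPoints2 when an infected USB stick was plugged in; the fix deletes them so they can no longer point at ise32.exe or prezoo.exe. The script below is an added, read-only example (not from this thread and not part of OTL) that lists those values for the current user so they can be reviewed before a fix and re-checked after it. The flag pattern is an assumption built from the entries quoted in this thread (a RECYCLER\S-1-5-... path, or rundll32 with ShellExec_RunDLL used to launch an executable from a removable drive), not a vendor rule.

```powershell
# Added example, not part of the thread or of OTL. Lists the per-volume
# Shell\<verb>\command values under MountPoints2 for the current user (the
# source of the O33 lines in an OTL log). Read-only: it changes nothing.
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$verbs = @('AutoRun', 'open', 'Auto')   # verbs seen in the O33 lines of this thread

# Heuristic (assumption, not a vendor rule): patterns that appeared in the
# infected entries quoted above.
$flagPattern = 'RECYCLER\\S-1-5-|ShellExec_RunDLL'

function Get-MountPointCommands {
    if (-not (Test-Path $base)) { return }
    # MountPoints2 also holds keys such as CPC and ##server#share; keep only
    # the {GUID} volume keys, which are the ones that carry autorun verbs.
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{[0-9a-fA-F-]{36}\}$' } |
        ForEach-Object {
            $volumeKey = $_
            foreach ($verb in $verbs) {
                $cmdKey = "$($volumeKey.PSPath)\Shell\$verb\command"
                if (Test-Path $cmdKey) {
                    # The command string is the key's (default) value.
                    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
                    [pscustomobject]@{
                        Volume     = $volumeKey.PSChildName
                        Verb       = $verb
                        Command    = $cmd
                        Suspicious = [bool]($cmd -match $flagPattern)
                    }
                }
            }
        }
}

$entries = Get-MountPointCommands
if (-not $entries) {
    'No Shell\<verb>\command entries under MountPoints2 for this user.'
} else {
    $entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
}
```

Run it in the affected user's session (the key lives under HKCU, so another account shows a different set). An empty result after the OTL fix and reboot confirms the O33 entries are gone; entries that point at a drive letter that is no longer attached are leftovers from a past USB stick rather than an active infection, which matches the "brush with an infected USB" reading of the logs above.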

Hello essexboy and Pondus,

Thank you very much for your replies.

Pondus, I don’t know what Earthlink is. I use a college internet link for both laptops, but it is not clear from the entry portal who the service provider is.

I wasn’t experiencing any specific malfunctions. I was mainly concerned that the alerts were indications of a problem that could escalate if not addressed correctly. Also, at about the same time the Google Chrome security indicator on laptop A had changed from a green padlock to a grey padlock with a yellow triangle, and although I looked up the meaning of this on the Google help pages, I wasn’t sure if the two events were related.

essexboy, I followed your instructions and have attached the generated files.

Thank you for your help.

amesn

I am not familiar with Chrome but I will have a look around.

Hello,

Just thought I would let you know that the Google Chrome security indicator for the entry page to my internet portal has returned to the green (secure connection) padlock on laptop A.

Thanks again.

amesn

To remove OTL cleanly, run OTL and press the CleanUp button.