Hi, I did a boot scan and Avast detected a win32:pup-gen virus in Regclean.msil app.cab application.exe

I had it deleted.

Several very old zip files were corrupted - so I deleted them too.

I was wondering later whether that was an error?

Did anyone else have the same result?

Deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest (a protected area) and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others (and avast doesn’t know the password or have any way of using it even if it did know it).

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected, you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), this will reduce the numbers of files that can’t be scanned.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to.

So I will let you answer your own question on if you should have deleted them.

Thanks David. You’re right I shouldn’t have deleted it but sent it to the virus chest.

It was 3am and I just wasn’t thinking properly. :-X

I have included my avast bootscan if you might be able to shed some light into it. It seems that a number of very old archival zip files were corrupted. I deleted them (same time as the regclean) because they were so old but again, should have sent them to the vault for further analysis.

If you can shed some light onto them I’d appreciate your advice, thank you and have a good weekend.

The archival hard drive is actually rather old - about 8 years old.

11/12/2011 08:49
Scan of all local drives

File C:\Program Files\iriver\iriver plus 3\PlugIns\mypodder.001|>mypodder\myPodder User Manual.pdf Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\Valve\Steam\SteamApps\Targcomputers\team fortress 2\tf\cache\cp_castle3.bsp.bz20000|>{bzip} Error 42130 {BZIP2 archive is corrupted.}
File D:\2gig\xp\VX2S_XP_drivers.part1.rar|>Styles\Theme\uxpatcher.exe|>%WIN%\System32\dllcache\uxtheme.dll Error 42145 {Installer archive is corrupted.}
File D:\2gig\xp\VX2S_XP_drivers.part1.rar|>Styles\Theme\uxpatcher.exe|>%WIN%\System32\dllcache\uxtheme.dll Error 42145 {Installer archive is corrupted.}
File D:\2gig\xp\VX2S_XP_drivers.part1.rar|>Styles\Theme\uxpatcher.exe|>%WIN%\System32\dllcache\uxtheme.dll Error 42145 {Installer archive is corrupted.}
File D:\2gig\xp\VX2S_XP_drivers.part1.rar|>Styles\Theme\uxpatcher.exe|>%WIN%\System32\dllcache\uxtheme.dll Error 42145 {Installer archive is corrupted.}
File D:\2gig\xp\VX2S_XP_drivers.part1.rar|>Styles\Theme\uxpatcher.exe|>%WIN%\System32\dllcache\uxtheme.dll Error 42145 {Installer archive is corrupted.}
File D:\2gig\xp\VX2S_XP_drivers.part1.rar|>Styles\Theme\uxpatcher.exe|>%WIN%..\VTPFiles\uxtheme.dll Error 42145 {Installer archive is corrupted.}
File R:\richie\jeremy\Transport Tycoon\1million-forth.zip|>Try01.ss1 Error 42125 {ZIP archive is corrupted.}
File R:\Mainuser\setupxv.exe|>RegClean.msi|>app.cab|>ApplicationExe is infected by Win32:PUP-gen [PUP], Deleted
Number of searched folders: 26949
Number of tested files: 1340837
Number of infected files: 1

Win32:PUP-gen [PUP]

PUP (potentially unwanted program)
http://searchsecurity.techtarget.com/definition/PUP

it is telling that you have a program that can be used for good or bad, depending on what it can do and who installed it

@ sniper968

• Corrupted Archive file, this could simply mean that avast is unable to unpack it to scan the contents of the archive and assuming it is because it is corrupt. Even if it were corrupt there is nothing that a user can do to resolve any corruption, short of replacing the file. This I wouldn’t recommend (especially if this is for archives in the \System Volume Information folder, part of the system restore function) unless you are getting problems relating to that file outside of the avast scan.

The pup-gen, again it is within an archive so essentially it is inert unless the archive is unpacked and the application.exe file run. Given the name of the installation file (.msi file) RegClean.msi, this is a registry cleaner of sorts, not these kind of tools could be used for good or evil and that is what a PUP (Potentially Unwanted Program) part of the win32:pup-gen [PUP] detection is all about.

So the boot time scan looks for PUPs by default, the on-demand scans don’t. My reasoning on that is the term PUP isn’t widely known and may well cause the user more concern than comfort. The user has to know what PUP means and have an idea of what is installed on their system to make the determination if this is an unwanted program or not (for most this isn’t easy).

I don’t believe you have anything further to be concerned with.