Unable to get rid of

win32:pswspy.
I have 2 instances of this in system volume information …xpkey.exe and system volume information officekey.exe.

When I try to get rid of this I get “an error has occured during processing”. I have tried the chest, delete and
repair; all give the same message and I cannot get rid of this malware.
Any help would be appreciated.
Thank you,
Charlorne :frowning:

The c:\System Volume Information folder is a part of the system restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and, if clear, enable system restore.

Win XP-ME - How to disable System Restore

If a virus is replicant (coming and coming again), you should, after disabling system restore like David posted:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  3. Use a-squared or ewido (trojan removers). 8)

Thank you both. I did what you said and I now have a squeaky clean computer.

Number of searched folders: 5628
Number of tested files: 151652
Number of infected files: 0

Charlorne

My Avast is marking officekey.exe in the same manner, but I have this program on my computer for legitimate purposes. I support a network of about 25 PCs and it comes in handy if I need to reinstall Windows or Office on a particular PC, but don’t remember which CD I used originally.

Is there something about officekey.exe that is inherently malicious, so that I should remove it? Or is it just dangerous if used improperly?

Thanks,

Ben

Which is the producer of this program? Microsoft? If so, maybe you can add it to the Exclusion lists of avast.
If not, well, maybe you should test it with on-line scanners (like virustotal or jotti) and see what they say about the file.

I could do that, but I’m more interested in what Avast says about this program, than what other AV programs say, since Avast is the virus scanner installed on my network. :slight_smile:

In other words, why does Alwil Software consider this “spyware”? Simply because it has the capability of extracting product keys, which could be dangerous if mis-used? Or because it does malicious things on its own, without user interaction?

officekey.exe is part of Magical Jelly Bean Keyfinder. I don’t know if it’s even possible to get in touch with Magical Jelly Bean Software – their web site has not been updated since 2003.

Thanks,

Ben

:slight_smile: Hi Ben:

I had never heard of "officekey.exe", so I did a "google search"; after looking through 3 pages, I could find nothing "inherently malicious" about it, but did find "references" of some malware/spyware "attaching" itself to it. You say Avast is marking in the same manner as the other poster, who implied spyware was "attached" to their "officekey.exe".

Avast is not geared to identifying "spyware", but does say "TRJ" (trojan), "ADW" (adware), "WRM" (Worm), etc. If you have one or more of those, you would be better off using antiSPYWARE program(s) to remove it.

Programs that have NOT been updated in a while are more susceptible to malware "infection(s)"; perhaps you should see if there may be a more recent program that does the same or near to it as "Magic Jelly Bean Keyfinder"!?

I hope some virus analyst posts the answer… maybe Karel 8)

I could do that, but I'm more interested in what Avast says about this program, than what other AV programs say, since Avast is the virus scanner installed on my network.

The point is, if avast is the only AV to detect it, it could simply be a false positive. In which case there are things that you can do: add to the exclusions lists, send to avast for analysis. It can be checked against the detection signature and if it is determined to be a false the signature can be modified and the VPS updated. This could help you and other avast users.

I too have some tools that can be used for good or evil and avast picks those up, e.g. killbox.exe, breakout.exe (firewall tester), etc. These types of tools I keep in a folder that I exclude from avast scans.

Turns out that this is all covered very thoroughly over in the “viruses and worms” forum:

http://forum.avast.com/index.php?topic=21861.0

In my case, the file detected was called “officekey.exe” and it was packed into a tool called “keyfinder.exe”, but otherwise my experience was much the same as that of the person who posted the “False positive?” thread in the other forum. I’m satisfied with the information there.

Thanks, Ben