Hi, another forum has been helping me remove Win32/Toolbar with the use of ComboFix, AdwCleaner, RogueKiller, Malwarebytes, HijackThis!, ESET online, and of course I used Avast. As far as I can tell they’ve helped me remove most of it, but seem to be unable to remove it from system restore.
Avast continually picks this up on a boot time scan.
File C:\System Volume Information_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0001480.rbf|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen, Delete: Error 42111 {The operation is not supported for this type of archive.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\System Volume Information_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0001480.rbf|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 0xC0000034 {Object Name not found.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
Number of searched folders: 33326
Number of tested files: 757317
Number of infected files: 2
The uninstallation of Combofix doesn’t seem to have gotten rid of it when the new restore point was created. Deleting the old system restore points, and then running the boot time scan again also didn’t help, nor did turning off system restore, and trying again.
I would appreciate any help you can offer me. Thanks.
I used the normal scan initially, but afterwards, Avast prompts me to do a boot time scan, which I did. The normal scan picks up nothing, but the boot time scan picks up what I posted earlier.
The errors given are: Delete: Error 42111 {The operation is not supported for this type of archive.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.} for both files, from within the boot time scan.
I’ve tried to disable system restore, and reboot, this clears the old restore points out, but when I run Avast again, it recommends a boot time scan, after the initial scan, and the boot time scan finds those two infected files in system restore each time. In other words, even when I disable system restore and reboot, a new scan still finds those files.
The problem is that avast can’t extract the infected file from within the archive and put it back together without the likelihood of corrupting the whole archive. System Restore being disabled should have removed those two files; I don’t know why it hasn’t. There is something else you can try, see #### below.
You can change the settings in your scan so if avast can’t extract from the archive it does nothing, move to the second option, ‘Try to remove the packed file; if it fails, remove the whole containing archive’ see image.
Only true viruses can be repaired, e.g. the small part injected into an executable file, trojans and non-virus infections can’t be repaired as the whole content is considered malicious.
What is avast recommending a boot time scan for (after you have disabled system restore and rebooted), e.g. that must mean you have had a detection, what was that?
Create a clean System Restore point (System Restore has to be enabled obviously):
Click Start, All Programs, Accessories, System tools, System Restore.
In the pop-up that appears fill in the radio button to Create a Restore Point
Click NEXT
Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
Click CREATE
You now have a clean restore point, you should clear the old ones:
Click Start, All Programs, Accessories, System tools, Disk Clean Up
Click OK on the C: drive
Click the More Options tab
In the System Restore section click the Clean Up button
Avast did pick up an infection during a normal scan called a0000022.exe, and labeled as Win32:Malware-gen. It deleted that, and then recommended a boot time scan. It found the two files I mentioned earlier on the boot time scan. I then tried to clear out the old system restore points by turning off system restore, and rebooting. I then ran another boot time scan, and Avast picked up the two files again. I then tried to clear out the old system restore points by making a new system restore point, and using disk cleanup to remove the old ones, as mentioned in your last post. After that, I ran another boot time scan, but Avast still finds those same two files. It appears as if the old system restore points are not being removed?
That looks like a restore point, system restore renames files in that way and retains the original file type (.exe in this case).
There is certainly something wrong on your system as restore points shouldn’t survive either of the methods suggested.
What operating system do you have?
I don’t know if this might be a permissions thing not allowing you to do it, so you could try clearing them from an account that has administrator privileges.
I’ve actually been doing all of this from the Administrator account, and always get the same results. Operating system is Vista. I don’t see anything in that search that stands out for me. This is starting to become very frustrating. It makes me not want to use my computer until this is fixed. It’s been about a week now.
I don’t understand why it ‘clearly’ isn’t working, now I know there is a system restore ‘system volume information’ folder for each drive, I don’t know if that also extends to for each user (but I rather think not).
Have you done as suggested before and changed the avast settings so that it will remove the archive if it can’t extract the file (reply #3 above and see attached image)?
I don’t know where you were getting help for the Win32/Toolbar from system restore. So I don’t know if these tools may have messed up the system restore function.
I changed the settings in the scan to remove the archive if it can’t extract the file, but this setting appears to only be available for a normal scan, not a boot time scan?
Avast no longer finds any infection during a regular scan, whether I tell it to remove the archive or not. It DOES however, find the same infected files in system restore when I run a boot time scan.
The infected files are found each time I run a boot time scan.
But didn’t you run a normal scan and this is where they were first found, weird that they aren’t detected now?
Still my biggest concern is why system restore fails to clear all restore points when disabled or clear old restore points when told to do so. I don’t know why that is and I have never used Vista.
Sorry I’m not a malware removal specialist, so I can’t say one way or another and the malware removal specialists that help on this forum wouldn’t want to be crossing sites to gather information.
I have asked a malware removal specialist to have a look at this topic and see if he can get to the bottom of the inability to remove these restore points.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Post both logs
Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
File C:\System Volume Information_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0001480.rbf|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen, Delete: Error 42111 {The operation is not supported for this type of archive.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\System Volume Information_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0001480.rbf|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 0xC0000034 {Object Name not found.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
Number of searched folders: 33326
Number of tested files: 757317
Number of infected files: 2
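
Added example, not part of any post in this thread: a small Python parser for report lines in the shape quoted above. It splits the `|>` chain into the outer file and its nested members and groups the failed actions per outer file, which shows that both detections sit inside the same `.rbf` container. The third sample line, the function names and the report keys are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# First two lines are the report lines quoted in the thread; the third is
# constructed to show a detection that is not nested inside an archive.
SAMPLE = [
    r"File C:\System Volume Information_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0001480.rbf|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen, Delete: Error 42111 {The operation is not supported for this type of archive.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}",
    r"File C:\System Volume Information_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0001480.rbf|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 0xC0000034 {Object Name not found.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 42111 {The operation is not supported for this type of archive.}",
    r"File C:\Users\example\Downloads\sample.exe is infected by Win32:Malware-gen, Move to chest: Error 0xC0000034 {Object Name not found.}",
]

LINE_RE = re.compile(r"^File (?P<target>.+?) is infected by (?P<detection>[^,]+)(?P<actions>.*)$")
ACTION_RE = re.compile(r",\s*([^:,{}]+): Error (\S+) \{([^}]*)\}")

def parse_line(line):
    """Return one detection record, or None for summary lines such as 'Number of ...'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("target").split("|>")  # outer file, then nested archive members
    return {
        "container": parts[0],
        "members": parts[1:],
        "detection": m.group("detection").strip(),
        "failed": [(a.strip(), code, msg) for a, code, msg in ACTION_RE.findall(m.group("actions"))],
    }

def triage(lines):
    """Group detections by the outer file on disk, the only object that can be deleted directly."""
    grouped = defaultdict(lambda: {"members": set(), "codes": set()})
    for rec in filter(None, map(parse_line, lines)):
        entry = grouped[rec["container"]]
        if rec["members"]:
            entry["members"].add("|>".join(rec["members"]))
        entry["codes"].update(code for _, code, _ in rec["failed"])
    return {
        path: {
            "nested": sorted(e["members"]),
            "error_codes": sorted(e["codes"]),
            "in_restore_store": "System Volume Information" in path,
            # Mirrors the scan option quoted in the thread: fall back to the containing file.
            "unit_to_remove": "containing file" if e["members"] else "the file itself",
        }
        for path, e in grouped.items()
    }

if __name__ == "__main__":
    for path, info in triage(SAMPLE).items():
        print(path, info)
```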