Virus in Windows folder

I’m not sure if this question goes here or Other Products.

I ran a Boot Scan the other day with Avast Free, and it found a few viruses. I was able to deal with most, but there was what appeared to be a virus in my Windows directory, and I wasn’t able to quarantine or delete it.

Obviously, the first question is – any suggestions?

But the second question is if Avast has a Rescue Disk or Emergency Disk of some sort? I did look in the Other Products forum, and see something referred to as Bart – but I can’t find any link to it on the Avast site. Am I missing something, or has it been discontinued, or what? Even an Internet search doesn’t offer much help. It explains what the Bart CD is (or was…), but nothing more about availability. The last download link I can find is from almost three years ago.

Thanks.

Robert

Hey, I suggest you follow this guide and attach your logs.

http://forum.avast.com/index.php?topic=53253.0

We need OTL, MBAM, AdwCleaner, and aswMBR.

but there was what appeared to be a virus in my Windows directory, and I wasn't able to quarantine or delete it.
What name does Avast give this virus? Where is it located... full file path?

Thanks for the replies. I don’t know the answer (yet) – I did the boot scan a couple days ago, didn’t write it down, and didn’t think of asking here until today. I plan to run another boot scan today and will hopefully find the answer and post it here. And I’ll also do my best to follow that guide and attach the logs.

Thanks again. Updates as they occur…

Robert

Before doing another boot-time scan, check for this file; it gets overwritten by the next boot-time scan you run.
Look in the C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\report\aswBoot.txt file (XP location) or C:\ProgramData\Avast Software\Avast\report\aswBoot.txt (Vista, Win7 location); check this file using Notepad for info on the scan, detections, etc.

Okay, I’ve run all four programs as suggested, and am attaching the text files.

There are five text files, and the restriction says four per post is the maximum. So, I’ll post another message here following, with the .txt file for aswMBR.

Robert

And this is the fifth text file. Few of them mean anything to me, but hopefully they will to others.

I didn’t exactly follow the message that suggested not doing a new boot-time scan yet. I’ll do my best to find the .txt log, though I’m not sure what information I’m looking for. Perhaps it will be clear when I get there…

As always, thanks so much for the time and thoughtfulness.

Okay, using that suggestion from DavidR about checking aswBoot.txt, I found the line that describes that one virus file, which wasn’t repaired or moved to the quarantine chest. I’ve copy/pasted it below.

Hopefully this will mean something to others, and offer a direction of what I should try next.

Thanks.

Robert


File C:\Windows\Installer\4cc1c.msi|>Binary.New_Binary2|>Wise0013.bin is infected by Win32:Malware-gen, Move to chest: Error 42111 {The operation is not supported for this type of archive.}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}, Delete: Error 42111 {The operation is not supported for this type of archive.}
Scanning aborted

The malware-gen detection is buried deep inside of an archive file 4cc1c.msi (which is a bit of a weird installation file name and no hits on a search for it) in the C:\Windows\Installer\ folder. Trying to remove it from within the archive could result in the corruption of the archive, which is why you get the ‘operation is not supported for this type of archive’ error.

That said, I still believe that the C:\Windows\Installer\4cc1c.msi archive file with the suspect file inside is suspicious in its own right.

Thank you. This all leads back to the original question about whether a Rescue disk is available from Avast – and if running that would even help.

In lieu of that, are there any thoughts or suggestions for dealing with either this “malware-gen” detection, or the suspicious archive “4cc1c.msi”?

Robert

Hi, not a great deal there, just a few suspicious ADS streams. How is the computer behaving?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
[2011/10/12 12:06:20 | 000,000,025 | -H-- | C] () -- C:\ProgramData\.811261211181235583101118113995
@Alternate Data Stream - 1379 bytes -> C:\Program Files (x86)\Common Files\System:GmACk56ZqcxZUan6gzn4Up
@Alternate Data Stream - 1322 bytes -> C:\ProgramData\Microsoft:rVKrOJamXpSWRcj1PJG
@Alternate Data Stream - 1261 bytes -> C:\ProgramData\Microsoft:X7Hg35cJ0P1ZbK8tsuDG7naPgw
@Alternate Data Stream - 1259 bytes -> C:\ProgramData\Microsoft:f4TAAJUHbv6XDchyFJ9
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:5C321E34
@Alternate Data Stream - 1184 bytes -> C:\ProgramData\Microsoft:kLyP3c1ukCBRSXLJXVxQ0XZ3K
@Alternate Data Stream - 1184 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:Zy9EuipuXOk09WdOO5026uq

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
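The fix above has OTL remove the alternate data streams listed in its log. As an added example that is not part of this thread (my code, not the helper's and not OTL's), the PowerShell below lists the ADS entries under a folder such as C:\ProgramData and shows a readable preview of one stream, so what is attached can be looked at before it is removed. It assumes Windows PowerShell 5.1 on an NTFS volume; the function names are mine.

```powershell
# Added example, not from the thread. Lists NTFS alternate data streams (ADS) under a
# directory, so entries such as "C:\ProgramData\Microsoft:rVKrOJamXpSWRcj1PJG" can be
# seen and read before anything is removed. Directories carry ADS too, so the root
# folder and every subfolder are checked along with the files. Function names are mine.

function Get-AltDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IncludeZoneIdentifier   # Zone.Identifier is the ordinary "downloaded" mark; hidden by default
    )
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # -Stream * returns one object per stream, including the primary ':$DATA' stream.
        # (If a PowerShell build skips streams on directories, "cmd /c dir /R" lists them too.)
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
            Select-Object FileName, Stream, Length
    }
}

# Shows the first bytes of one stream as printable text (non-printable bytes become '.').
# Read-only: nothing is modified or deleted. -Encoding Byte is Windows PowerShell 5.1 syntax.
function Show-AltDataStream {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$Stream,
        [int]$MaxBytes = 256
    )
    $bytes = Get-Content -LiteralPath $FilePath -Stream $Stream -Encoding Byte -TotalCount $MaxBytes
    $text  = -join ($bytes | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } })
    [pscustomobject]@{ File = $FilePath; Stream = $Stream; BytesShown = $bytes.Count; Preview = $text }
}

# Usage: inventory C:\ProgramData, then peek at one of the streams the OTL log named above.
Get-AltDataStreams -Path 'C:\ProgramData' | Format-Table -AutoSize
Show-AltDataStream -FilePath 'C:\ProgramData\Microsoft' -Stream 'rVKrOJamXpSWRcj1PJG' | Format-List
```

Run it once before the fix and once after the reboot; a stream that is still present afterwards, or that reappears, is worth reporting in the next reply.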

Thanks. The system seems to be running okay, though that doesn’t mean the virus isn’t doing some off-system damage with email, I suppose.

I’ll run the OTL Fix, and send the results – though it appears that this won’t have any impact on that malware-gen, which seems to be the virus I had spotted in the Windows directory.

I ran OTL Fix, and here’s the log file.

As I said, though, this doesn’t appear to have any impact on the “C:\Windows\Installer\4cc1c.msi|>Binary.New_Binary2|>Wise0013.bin” file.

(Then again, when I just now looked through Windows Explorer, I don’t even see a sub-directory “C:\Windows\Installer” listed, even with “Show hidden files and folders” turned on.)

The search continues.

Thanks.

Robert

I can delete that file for you, but I do not know what programme it is associated with. Removal of the MSI will also remove the uninstall data.

If I could figure out how to simply find “C:\Windows\Installer\4cc1c.msi|>Binary.New_Binary2|>Wise0013.bin”, I might be able to help figure out what it’s associated with. (Then again, I’d be happy to just find “C:\Windows\Installer” to start with.)

Though I know it potentially can be problematic, I’m less concerned with removing the uninstall data of some program I use than I am with having a virus sitting in my Windows directory.

How does one delete that file – especially given that I’m bewildered just finding the directory…?

Sorry for the confusion, but the answers here are appreciated.

Robert
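The two open questions in this post, how to get at the hidden C:\Windows\Installer folder and which program the cached 4cc1c.msi belongs to, can be answered from Windows Installer's own bookkeeping. The PowerShell below is an added example, not code from this thread or from Avast or OTL: it assumes an elevated Windows PowerShell prompt, and the function names are mine.

```powershell
# Added example, not from the thread. Maps a cached Windows Installer package in
# C:\Windows\Installer back to the installed product that owns it, using the
# InstallProperties registry keys Windows Installer writes for per-machine installs.
# Run elevated. The folder is hidden+system, which is why Explorer does not show it
# with only "Show hidden files" enabled; -Force makes Get-ChildItem list it. Function names are mine.

$InstallerCache = Join-Path $env:SystemRoot 'Installer'
$UserDataKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'

# One InstallProperties key per installed product; LocalPackage names the cached .msi
# that product's repair and uninstall depend on.
function Get-InstallerProducts {
    Get-ItemProperty -Path "$UserDataKey\*\Products\*\InstallProperties" -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPackage } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, LocalPackage
}

# Which product claims a given cached .msi? An empty result means no installed product does.
function Get-CachedMsiOwner {
    param([Parameter(Mandatory)][string]$MsiPath)
    Get-InstallerProducts | Where-Object { $_.LocalPackage -ieq $MsiPath }
}

# Inventory the whole cache and mark packages no installed product references.
# Stale, unreferenced packages are common and usually harmless, but when a scanner
# flags content inside a package, "which product owns it" is the first question.
function Get-InstallerCacheReport {
    $owned = @{}
    foreach ($p in Get-InstallerProducts) { $owned[$p.LocalPackage.ToLower()] = $p.DisplayName }
    Get-ChildItem -LiteralPath $InstallerCache -Filter *.msi -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_.FullName.ToLower()
            [pscustomobject]@{
                Package  = $_.Name
                SizeKB   = [math]::Round($_.Length / 1KB)
                Modified = $_.LastWriteTime
                Owner    = if ($owned.ContainsKey($key)) { $owned[$key] } else { '(no product references it)' }
            }
        } | Sort-Object Owner, Package
}

# Usage with the package named in the aswBoot.txt line quoted earlier in the thread.
Get-CachedMsiOwner -MsiPath (Join-Path $InstallerCache '4cc1c.msi') | Format-List
Get-InstallerCacheReport | Format-Table -AutoSize
```

The "Binary.New_Binary2" part of Avast's detection path is a row of the MSI's Binary table, which is where an installer stores its embedded custom-action binaries; if a product does claim the package, its DisplayName tells you what uninstall data the OTL deletion below would take with it.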

I will get OTL to delete it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Files
C:\Windows\Installer\4cc1c.msi

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.