Win32:Magef

Hi,

Avast found the following:

3/1/2007 8:24:35 PM 1112 Sign of "Win32:Magef-B [Wrm]" has been found in "C:\System Volume Information\_restore{8ADEB7BA-D87F-485B-A93C-4EC054CACEE0}\RP1\snapshot\Repository\FS\INDEX.BTR" file.
3/1/2007 8:55:22 PM 1112 Sign of "Win32:Magef-B [Wrm]" has been found in "C:\System Volume Information\_restore{8ADEB7BA-D87F-485B-A93C-4EC054CACEE0}\RP2\snapshot\Repository\FS\INDEX.BTR" file.
3/1/2007 9:31:26 PM 1112 Sign of "Win32:Magef-B [Wrm]" has been found in "C:\System Volume Information\_restore{8ADEB7BA-D87F-485B-A93C-4EC054CACEE0}\RP3\snapshot\Repository\FS\INDEX.BTR" file.
I've been having a lot of problems with this computer during the past two weeks. Last week I reformatted and decided to troubleshoot, because last time I reformatted and reinstalled everything, I again got infected with something called "RegScan.exe" which, for some reason, wasn't picked up by Avast or any spyware app I used.

I've never seen Magef before as long as I've had this computer. How do I know it's gone?

Hi VirusHunter,

My money would be on a false positive detection as this seems to be a Windows index file.

Unfortunately, I don't think it's possible to access these files to be able to submit the file to VirusTotal to see if other AVs detect it, but you could try a few online scans, Kaspersky for example.

I tried to upload the files to an online scanner but couldn’t.

I did go to Kaspersky. I couldn’t tell if I was infected or not. ???

Thanks

I tried to upload the files to an online scanner but couldn't.

That was what I thought would happen.

Unfortunately, I don't think it's possible to access these files to be able to submit the file to VirusTotal
I did go to Kaspersky. I couldn't tell if I was infected or not.

If Kaspersky did not report the same index.btr files in system restore (or indeed anywhere else), I think it's pretty safe to assume you are not infected.

The fact that they may not be infected won't stop avast detecting them again. Yes, you can try entering them in the exclusion lists, but if you use wildcards that could let through genuine detections.

Was avast able to put a copy in the chest?
If so, send the sample from the chest (select the file, right click, email to Alwil Software) and in the comments indicate you believe it may be a false positive.

Personally I would disable system restore and reboot (and re-enable it again after the boot); this will completely clear ALL restore points in the System Volume Information folder. Then there is no doubt and no need to add exclusions.

The downside is you haven't got any system restore history to go back to. If your system is running fine, that isn't a problem, as when you re-enable system restore it creates a restore point. This is your start point for the future.
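A small triage check for log lines like the ones quoted at the top of the thread, added here as an example (it is not from this thread or from Avast): it parses the Avast log layout, tells snapshot copies under System Volume Information apart from hits on live files, and reports whether every detection is a restore-point copy, which is what the advice to clear System Restore relies on. The three log lines are the thread's own; the extra LIVE_LINE and its path are constructed for illustration.

```python
import re

# Avast 4.x log line layout as quoted in the thread:
#   <date> <time> <AM|PM> <pid> Sign of "<signature>" has been found in "<path>" file.
AVAST_LINE = re.compile(
    r'^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)
# A file inside a Windows XP System Restore snapshot:
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\snapshot\...
RESTORE_POINT = re.compile(
    r'^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\snapshot\\',
    re.IGNORECASE,
)

def parse_avast_log(text):
    """One dict per detection line; lines that do not match the layout are skipped."""
    matches = (AVAST_LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def restore_point_of(path):
    """Restore-point number (RP<n>) if the path lies in a snapshot, otherwise None."""
    m = RESTORE_POINT.match(path)
    return int(m.group("rp")) if m else None

def triage(text):
    """Separate detections on snapshot copies from detections on live files."""
    hits = parse_avast_log(text)
    live = [h["path"] for h in hits if restore_point_of(h["path"]) is None]
    return {
        "detections": len(hits),
        "signatures": sorted({h["signature"] for h in hits}),
        "restore_points": sorted({restore_point_of(h["path"]) for h in hits} - {None}),
        "live_paths": live,
        # True when every hit is a restore-point copy: clearing System Restore (as the
        # reply advises) removes them, and nothing on the running system was flagged.
        "snapshot_only": bool(hits) and not live,
    }

# Sample input: the three lines quoted in the thread, plus one constructed line with a
# hypothetical live-file path to show that the check reports it.
THREAD_LOG = r"""3/1/2007 8:24:35 PM 1112 Sign of "Win32:Magef-B [Wrm]" has been found in "C:\System Volume Information\_restore{8ADEB7BA-D87F-485B-A93C-4EC054CACEE0}\RP1\snapshot\Repository\FS\INDEX.BTR" file.
3/1/2007 8:55:22 PM 1112 Sign of "Win32:Magef-B [Wrm]" has been found in "C:\System Volume Information\_restore{8ADEB7BA-D87F-485B-A93C-4EC054CACEE0}\RP2\snapshot\Repository\FS\INDEX.BTR" file.
3/1/2007 9:31:26 PM 1112 Sign of "Win32:Magef-B [Wrm]" has been found in "C:\System Volume Information\_restore{8ADEB7BA-D87F-485B-A93C-4EC054CACEE0}\RP3\snapshot\Repository\FS\INDEX.BTR" file."""
LIVE_LINE = r'3/1/2007 9:40:00 PM 1112 Sign of "Win32:Magef-B [Wrm]" has been found in "C:\Windows\Temp\example.exe" file.'

if __name__ == "__main__":
    print(triage(THREAD_LOG))                     # snapshot_only True, restore_points [1, 2, 3]
    print(triage(THREAD_LOG + "\n" + LIVE_LINE))  # snapshot_only False, one live path
```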