Win32:Malware-gen

My laptop has been painfully slow for a month or so. I ran a scan with avast! 4.8 this afternoon and came up with 6 infected files, 3 on Epson-related files (possible FPs) and 3 on other files, all related to Win32:Malware-gen. All of which I shoved in quarantine.

I’ve run a Malwarebytes scan and removed the 3 files which came up there, as well as cleaning the problems located by my copy of advanced system care.

I’m wondering whether or not I’ve actually fixed anything. Performance has improved, but do I need to run an OTL scan, and if so, can I pass the results by someone here?

Thoughts please chaps?

What are the infected file names, and where were they found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section; this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

Post the contents of the MBAM log.

Right: the most recent entries in my Virus chest are:

DspReadme.exe
C:\Program Files\EPSON\Creativity Suite\Attach to Email

DspReadme.exe
C:\Program Files\EPSON\Creativity Suite\Easy Photo Print

DspReadme.exe
C:\Program Files\EPSON\Creativity Suite\File Manager

A0181012.exe
C:\System Volume Information\_restore{D5431F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP695

A0181013.exe
C:\System Volume Information\_restore{D5431F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP695

A0181014.exe
C:\System Volume Information\_restore{D5431F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP695

My Log from Malwarebytes is as follows:

Malwarebytes’ Anti-Malware 1.44
Database version: 3658
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

29/01/2010 20:05:15
mbam-log-2010-01-29 (20-05-15).txt

Scan type: Quick Scan
Objects scanned: 116543
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\setup.player (Spyware.MarketScore) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\setup.player.2k2 (Spyware.MarketScore) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Ecobar) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
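For anyone who has to read MBAM logs like the one above regularly, here is an added example of a small parser for that log format. It is my own illustration, not code from the thread or from Malwarebytes. It pulls out the header fields, the summary counts and each detection, then cross-checks the counts against the listed entries (a mismatch means a truncated or edited log), lists the threat families, flags any "Disabled.*" item (a Windows security setting had been switched off) and reports whether anything was found in running processes or loaded modules rather than just in the registry. The embedded log is the one posted above, slightly abbreviated; the `->` separators are assumed to be what MBAM actually writes (this page renders them as arrows).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The MBAM 1.44 log posted above, slightly abbreviated, embedded so the parser
# runs offline. MBAM writes "->" between the fields; this page shows them as arrows.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3658
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 116543

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\setup.player (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\setup.player.2k2 (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Ecobar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Entry shape: "<item> (<threat family>) -> <action>". Registry Data Items add a
# "Bad: (found) Good: (restored) ->" segment before the action.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
REMEDIATED = "Quarantined and deleted successfully"

@dataclass
class Detection:
    category: str                      # "Registry Keys", "Files", ...
    item: str                          # registry path or file path
    threat: str                        # MBAM family, e.g. "Spyware.MarketScore"
    action: str                        # what MBAM did with it
    bad_value: Optional[str] = None    # Registry Data Items only: value found
    good_value: Optional[str] = None   # ...and the value MBAM put back

@dataclass
class MbamReport:
    fields: Dict[str, str] = field(default_factory=dict)  # "Key: value" header lines
    counts: Dict[str, int] = field(default_factory=dict)  # summary "<category> Infected: N"
    detections: List[Detection] = field(default_factory=list)

def parse_mbam_log(text: str) -> MbamReport:
    report, section = MbamReport(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            section = None                       # a blank line closes a detection section
        elif section is not None:
            if line.startswith("(No malicious items detected)"):
                continue
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError(f"unparsed entry under {section}: {line}")
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            det = Detection(section, m.group("item"), m.group("threat"), action)
            bg = BAD_GOOD_RE.search(m.group("rest"))
            if bg:
                det.bad_value, det.good_value = bg.group("bad"), bg.group("good")
            report.detections.append(det)
        elif line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]   # "Registry Keys Infected:" -> "Registry Keys"
        elif ": " in line:
            key, value = line.split(": ", 1)
            if key.endswith(" Infected") and value.isdigit():
                report.counts[key[: -len(" Infected")]] = int(value)
            else:
                report.fields[key] = value           # other "Key: value" header lines
    return report

def triage(report: MbamReport) -> dict:
    """Cross-check the summary counts against the listed entries and pull out what matters."""
    listed: Dict[str, int] = {}
    for d in report.detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    return {
        # summary claims N for a category but the section lists a different number
        "count_mismatches": {c: (n, listed.get(c, 0))
                             for c, n in report.counts.items() if listed.get(c, 0) != n},
        "families": sorted({d.threat for d in report.detections}),
        "unresolved": [d.item for d in report.detections if d.action != REMEDIATED],
        # "Disabled.*": a Windows security setting had been switched off (here the
        # Security Center firewall warning); MBAM restores it, but something set it
        "tampering": [d.item for d in report.detections if d.threat.startswith("Disabled.")],
        # hits in running processes or loaded modules mean active code, not leftovers
        "active_code": (report.counts.get("Memory Processes", 0)
                        + report.counts.get("Memory Modules", 0)) > 0,
    }
```

Run `triage(parse_mbam_log(SAMPLE_LOG))` on the log above and you get no count mismatches, the three families MarketScore, Ecobar and Disabled.SecurityCenter, nothing unresolved, one tampering item (the FirewallDisableNotify value, which had been set to 1 to suppress the Security Center firewall warning) and no active code in memory. The useful caveat is the last one: a Quick Scan with zero memory and file hits, and only registry leftovers, is consistent with remnants of an old adware install rather than a live infection, which is why the helper below says the MBAM detections look OK.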

OK, the three in the C:\System Volume Information restore points are likely to be the same as the other detections; moving those files to the chest probably caused System Restore to make the restore points.

It seems strange to have DspReadme.exe in three different folders for the same program, but don’t worry about that for now. So we will check out the file to confirm the detection.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

  • avast4 - Create a folder called Suspect on the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

The MBAM log detections look OK.
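To go with the Suspect-folder procedure above, here is an added example of hashing the exported file and building a VirusTotal hash lookup. It is my own code, not from the post, from avast or from VirusTotal. The point a practitioner wants: VirusTotal indexes reports by hash, so looking the SHA-256 up first tells you whether VT already has a verdict on that exact file (and gives you the results URL to paste here) without uploading anything. The `SUSPECT_DIR` name, the `is_under` guard against hashing a file that is still in its original location, and the report URL form `https://www.virustotal.com/gui/file/<sha256>` are my assumptions, not anything stated in the thread.

```python
import hashlib
import os

# The folder excluded from the avast Standard Shield in the post above (assumed name).
SUSPECT_DIR = r"C:\Suspect"

def digest_chunks(chunks):
    """MD5, SHA-1 and SHA-256 of a byte stream fed in pieces, so a large sample
    never has to be held in memory in one go."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def file_hashes(path, chunk_size=1 << 20):
    """Hash a file on disk in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))

def is_under(path, folder):
    # True if path is the folder itself or lies below it. abspath collapses "..",
    # normcase makes the comparison case-insensitive on Windows, and appending the
    # separator stops a sibling folder such as "Suspected" passing as a prefix match.
    p = os.path.normcase(os.path.abspath(path))
    f = os.path.normcase(os.path.abspath(folder)).rstrip(os.sep)
    return p == f or p.startswith(f + os.sep)

def virustotal_lookup(path, suspect_dir=SUSPECT_DIR):
    """Refuse to hash anything outside the excluded folder (so the original copy is
    never touched), then return the digests plus the VirusTotal report URL for the
    SHA-256. The URL form is an assumption about the current VirusTotal web UI."""
    if not is_under(path, suspect_dir):
        raise ValueError(f"{path} is not under {suspect_dir}; export the chest copy there first")
    digests = file_hashes(path)
    digests["report_url"] = "https://www.virustotal.com/gui/file/" + digests["sha256"]
    return digests

if __name__ == "__main__":
    import sys
    for sample in sys.argv[1:]:
        print(virustotal_lookup(sample))
```

Usage: `python vtlookup.py C:\Suspect\DspReadme.exe` prints the three digests and the report URL. If VT has never seen that hash, the page will say so and you then upload the file from C:\Suspect as described above; either way the SHA-256 is what to quote when reporting back, since it identifies the exact file regardless of which of the three EPSON folders it came from.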

Thanks for the confirmation.
I’ll send the file for inspection.

Any other next steps?

For now I would say no, just monitor your system’s activity.