Win32:Spyware-gen error 42111

Did a boot scan and found 4 files infected with Win32:Spyware-gen but avast can’t move to chest/repair/delete it - “error 42111: the operation is not supported for this type of archive”

I have logs from HJT, OTL and MBAM if that will help.

What can I do?

If they are archive files, firstly there is no immediate threat, as the archive has to be unpacked and run for the malware to activate.

MBAM and OTL logs would be good, for those more expert than myself at interpreting them.

One thing you could post in your next reply is the full path and file names for these detections, please; logs can be attached using the “+Additional Options…” link to the lower left of the reply pane.

Cheers, I’ll post all that then.

And the rest

bump

Hi Steve_c

Going on the most recent OTL scan (12-7-2010), the system has been, and likely still is, heavily infested / infected.

If the filename (oflpydin) is still accessible, and you can do so, then you should upload it to virustotal http://www.virustotal.com/
C:\DOCUME~1\user\LOCALS~1\Temp\oflpydin.sys

  • please post the results here in your reply, with a link to the site analysis

The infection may be sourced to WPA KILL EXE CRYPT DLL

  • one of the biggest torrent indexers, with more than 900000 torrents listed.
    This is made apparent by the following entry
    O4 - HKLM…\Run: C:\DOCUME~1\user\LOCALS~1\Temp\tmp0a014ee3\crypt_KillEXE.exe File not found

The filename in this case is [nonep] - here are some links
http://www.systemlookup.com/Startup/21910-anr1_exe.html
http://www.threatexpert.com/report.aspx?md5=062edb027adecf8f7b6f36ab083b54a8

Here is a rundown of some of the extent of the infection:
C:\WINDOWS{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini (file created in system known alias)
http://www.threatexpert.com/report.aspx?md5=46b485f61396f2dcfa0e65821ad3a3a8

[2010/06/25 11:31:57 | 1901,940,360 | -HS- | M] () – C:\WINDOWS\System32\aaaamonm.sys (known alias)
http://www.prevx.com/filenames/3227458260899559805-X1/ADMPARSEJ.EXE.html

Further:

[2009/01/27 17:57:00 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\zogadeli.dll
[2009/01/27 17:57:00 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\wisahiri.dll
etc…down to…
[2009/01/15 17:50:01 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\lavusita.dll

and

[2009/01/14 17:52:57 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\yirumuno.dll
[2009/01/14 17:52:57 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\ruhefife.dll
etc…down to…
[2009/01/12 18:09:53 | 000,002,098 | -HS- | C] () – C:\WINDOWS\System32\hofonike.dll

This is also horrible in the system drive - < %SYSTEMDRIVE%*.* >
[2010/07/11 11:38:31 | 000,003,476 | -H-- | M] () – C:\aaw7boot.cmd

I post the instances only in case they might provide some clue to the best method of removal.
But to my thinking the only thing to do here is to run ComboFix or something similar,
so if I were you I would sit tight and wait for essexboy; I very much doubt the infection can be removed manually.
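As an added example (not code from this thread or from OTL): a small Python parser for OTL file-listing lines of the kind quoted above, applying the same heuristic the responder applied by eye: hidden+system files in System32 with no company name and random eight-letter names, turning up in clusters of identical size. The sample lines are copied from the thread, plus one constructed benign control line.

```python
import re
from collections import defaultdict

# OTL file-listing lines look like:
# [YYYY/MM/DD HH:MM:SS | size | attrs | C or M] (company) -- path
# attrs is a four-position flag string; 'H' = hidden, 'S' = system.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) (?:--|–) (?P<path>.+)$"
)

# Constructed sample: first four lines are entries from the thread,
# the last line is a made-up benign control entry (size is not real).
OTL_SAMPLE = r"""
[2009/01/27 17:57:00 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\zogadeli.dll
[2009/01/27 17:57:00 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\wisahiri.dll
[2009/01/15 17:50:01 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\lavusita.dll
[2010/07/11 11:38:31 | 000,003,476 | -H-- | M] () -- C:\aaw7boot.cmd
[2010/06/25 11:31:57 | 000,123,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
"""

RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|sys)$")


def parse_otl(text):
    """Return a list of dicts, one per OTL file entry found in text."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue  # not a file-listing line; skip it
        e = m.groupdict()
        e["size"] = int(e["size"].replace(",", ""))
        entries.append(e)
    return entries


def suspicious_entries(entries, min_cluster=2):
    """Flag System32 files that are hidden+system, carry no company name,
    have random-looking 8-letter names and share a size with others."""
    clusters = defaultdict(list)
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        if ("system32" in e["path"].lower()
                and "H" in e["attrs"] and "S" in e["attrs"]
                and not e["company"]
                and RANDOM_NAME.match(name)):
            clusters[e["size"]].append(e["path"])
    flagged = []
    for paths in clusters.values():
        if len(paths) >= min_cluster:
            flagged.extend(paths)
    return sorted(flagged)
```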

Are you still there Steve_c?
Is the computer in the same situation?

If you run a fresh OTL scan and post the logs here, we can have a look at the current state of play.

You could run from the OTL already on your computer,
or if that won't work, you could download a fresh copy of OTL.exe to a clean computer
and copy it across to the infected computer in Safe Mode, ready for you to run as soon as you boot to Normal Mode.

Post the logs here in your reply.