Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: DaSwee on October 15, 2011, 02:47:54 AM

Title: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 15, 2011, 02:47:54 AM
Today's weekly full scan with Avast Internet Security came up with 1 threat: Adobe Photoshop Album Starter has Win32:Malware-gen. I clicked to put it in the Virus Chest and was prompted to run a boot scan. Avast is up to date, including engine and virus definitions, and I do use the included firewall with all shields enabled. I run Windows XP. I was going to follow this with a Malwarebytes scan, which last week came out clean, just as Avast did.

Results said C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi|>Data1.cab|>ADB2.exe|>[UPX] is infected by Win32: Malware-gen, then "File is in windows folder, are you sure?" It gives me the options of 1-Yes, 2-Yes all, 3-No, Esc-Exit.
I haven't clicked on anything. I tried to find other questions in support/forums related to this issue but nothing came up in the search.

It also shows that this same malware plus Win32:PUP-gen has infected C:\System volume information\_restore{7E6001F9-0A8D-45EC-B593-E452c096Cf95}\RP903\A0050790.exe These were both moved to the chest. 

I'm not sure what else you may need.

Thanks for your help

D

UPDATE: It is getting late, I don't know how I should answer Avast's query and am concerned there will be a problem if the computer goes to sleep. Can anyone tell me if being in the boot scan mode will keep the computer awake until the situation can be resolved? Is there any danger of this generic malware doing further damage while I have it in this state or if the computer goes to sleep?
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 15, 2011, 01:05:57 PM
Also see this topic, same issue: http://forum.avast.com/index.php?topic=86662.0

There is some uncertainty about this file name, with some saying it is OK and some saying it is malicious: http://spywarefiles.prevx.com/RRFIGA18699/ADB2.EXE.html and http://www.online-armor.com/oasis2/file/leader_technologies_atari/powerreg/adb2_exe/7185. Now file names can be absolutely anything, so there is no certainty based on the file name alone.

Have you or someone recently installed this program, C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi?
Do you have Adobe Photoshop Album 3 SE installed?

Given its location C:\Windows\Downloaded Installations\ even if the whole file (.msi) were moved to the chest it shouldn't cause an issue as it has probably been installed or at worst you might have to download it again.

####
The one in the C:\System volume information\_restore point could be a saved copy of the above:
There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

However, PUPs (Potentially Unwanted Programs) are generally tools that can be used for good or malicious intent or applications with undesirable features.
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 15, 2011, 09:09:43 PM
I've read these other threads but my main problem at the moment is what am I supposed to answer to Avast's question in the boot scan? It is asking "File is in windows folder, are you sure?" and gives me the options of 1-Yes, 2-Yes all, 3-No, Esc-Exit. This is for the installation file only: "C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi|>Data1.cab|>ADB2.exe|>[UPX] is infected by Win32: Malware-gen".
This means I'm still stuck on the boot scan page on that computer, not knowing what I am supposed to click on.

Also it doesn't say that this downloader file was moved to the chest or give an error; it looks exactly like I have it in my original post.

I can't answer your other questions yet since this is on the computer my husband uses and he said he doesn't recognize the program, Adobe Photoshop Album 3, although I believe the program is on there and has been for quite some time. And he says he hasn't downloaded anything. But I can't check anything until I am able to get this boot scan completed.

Once I am given instructions on what to do with the boot scan question I can then address your other questions.

Should I contact Avast through that computer if I am able? Or just stay with contacting via my laptop?

Thanks so much.

Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 15, 2011, 09:16:40 PM
If you are ever unsure in a boot-time scan (in order to get out of it), select no action, as that is preferable to deletion or moving to the chest: the file might be required on boot (not the case here) when you reboot.

I would like to know why you chose to do a boot-time scan?
This really only needs to be run if something is detected in normal Windows mode which can't be dealt with in normal mode.

A full system scan, I would imagine, would detect these and you can send both to the chest.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: Para-Noid on October 15, 2011, 09:25:11 PM
I noticed in your OP you stated you moved "it" to the chest. Since it is already there I can't see where a decision should be made. Have you tried to exit out of the boot scan and run another full system scan? If it is in the chest do as David advised and re-scan it in the chest in a few weeks.  :)
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 15, 2011, 09:51:02 PM
I'll try to address both David and Para-Noid in the same response and hope I'm giving the answers that will help you to help me. Avast did its full weekly system scan yesterday and came up with "Adobe Photoshop Album Starter has Win32:Malware-gen". I didn't write down the exact location of that file because I didn't realize I wouldn't be able to get back to it yet. I do not remember it saying it was in "Downloaded Installations" but can't be sure. I then selected that it be moved into the chest. Avast never gave me a confirmation really; it said it suggested I do a boot-scan and did I want to schedule it now. I was going to do the Malwarebytes scan but I figured Avast asking to do the boot-scan was of more importance.

The scan results came up with the files mentioned: C:\System volume information\_restore{7E6001F9-0A8D-45EC-B593-E452c096Cf95}\RP903\A0050790.exe was infected with Win32:Malware-gen and another (same exact file in the volume information restore point) came up as infected with Win32:PUP-gen. These have been moved to the chest. The last file, C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi|>Data1.cab|>ADB2.exe|>[UPX], only asks "File is in windows folder, are you sure?" and gives me the options of 1-Yes, 2-Yes all, 3-No, Esc-Exit. I don't have the option of moving to the chest or no action, only the options I have listed. The closest to no action is Esc-Exit. Would that be the same thing? No, I haven't tried exiting out of the boot-scan and doing a full scan because that was what my original question was about: how was I supposed to answer this question.

If you guys say it is safe for me to hit the Esc-Exit option I will do so.

Thanks again.
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 15, 2011, 10:11:27 PM
The warning "File is in windows folder, are you sure?" is a general one, and not all things in the windows folders are actually windows or system files. It is quite a common tactic of some malware to place their files in windows folders to put that doubt in the user's mind to start with.

It is safe to hit the exit/esc on the scan, as that just stops the scan; if you haven't taken any action, these files will still be in the same locations. As I have said in my previous post, there would be no downside really in removing both these files.

However, what I'm also trying to do is get you thinking in the right way, never delete anything until you have investigated (as you are) and are sure it will do no harm.
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 15, 2011, 10:20:29 PM
Okay, I'm going to hit Esc-Exit and see what happens. Will post back after doing this.

Yes, please be assured I read previous posts and instructions to not delete anything just move it into the chest.

Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 15, 2011, 10:23:37 PM
After hitting escape it said 3 files infected, I have no idea what the other is? Only showed the two restore and the Adobe. Computer rebooting now.

Should I check the boot-scan log to see what the 4 files are? Or do an Avast full scan or Malwarebytes scan?

UPDATE: I checked the boot-scan log. The other file infected is C:\hp\bin\ProcessLogger.exe, infected with Win32:PUP-gen, but that along with the two restore point files have been moved to the chest so I'm not concerned about those right now. The last and original file in question, C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi|>Data1.cab|>ADB2.exe|>[UPX], has no action done and no errors. It only says infected with Win32:Malware-gen, scanning aborted.

The file that came up in the regular Avast full scan yesterday infected with Win32:Malware-gen, which did get moved to the chest, is a different file: C:\Program Files\Adobe\Photoshp Album Starter Edition\3.0\Shared_Assets\locales\en_us
Name of the file is ABD2.EXE. This was not downloaded but has been on the computer for 5 years; I can't remember if it came with the system or was part of my full Photoshop photo editing software. So the answer to a previous question is no, this was not downloaded in the past or recently.

I will do a full Avast scan.
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 15, 2011, 11:39:55 PM
Quicker and easier to check the log, as you found.

Any detections in the c:\system volume information\ folder can be moved to the chest without issue.

The C:\hp\bin\ProcessLogger.exe is a legitimate tool in that location if you have an HP system?
The only issue, as I have said before, is that it is a PUP (Potentially Unwanted Program); PUPs are generally tools that can be used for good or malicious intent, or applications with undesirable features, so not a problem, ignore it. In normal scans looking for PUPs isn't done by default (boot-time scan is an exception), as the tendency is it confuses more than it helps when it comes to tools; the user has to know what is on their system and what it does.

Action probably can't be taken on the ADB2.exe file as it is inside two archive files, the Adobe Photoshop Album 3 SE.msi and then inside the Data1.cab. Trying to extract just the adb2.exe from within the Adobe Photoshop Album 3 SE.msi and Data1.cab is likely to corrupt that main C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi file.
As I have said earlier, it is safe to get rid of this file C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi manually, as in that location it is redundant.

The C:\Program Files\Adobe\Photoshp Album Starter Edition\3.0\Shared_Assets\locales\en_us\abd2.exe file I would have analysed:
@@@@
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

####
If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.
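The nested-archive path DavidR discusses above (file inside a .cab inside an .msi, with a packer tag on the end) as an added example, not code from the thread or from avast: it splits the path into its layers so you can see which object matched and which file on disk any action would actually apply to. It assumes the notation shown in the thread, layers joined with "|>" and a trailing "[UPX]" naming the packer.

```python
"""Split an avast nested-archive detection path into its layers.

Added example, not from the thread or avast. Assumes avast's report
notation as pasted above: container layers are joined with "|>" and a
trailing "[UPX]" marks the packer the innermost object was unpacked from.
"""
import re

# Constructed from the path quoted in the thread.
EXAMPLE_PATH = (
    r"C:\Windows\Downloaded Installations"
    r"\{8379D168-79F6-4394-81A2-BB1944E8F892}"
    r"\Adobe Photoshop Album 3 SE.msi|>Data1.cab|>ADB2.exe|>[UPX]"
)

PACKER_RE = re.compile(r"^\[(\w+)\]$")


def parse_detection_path(path):
    """Return the on-disk file, the container chain and the detected object.

    A layer such as "[UPX]" is a packer tag rather than a file, so it is
    reported separately and the file before it is the detected object.
    A plain path (no "|>") yields an empty container chain.
    """
    layers = path.split("|>")
    packer = None
    if len(layers) > 1 and PACKER_RE.match(layers[-1]):
        packer = PACKER_RE.match(layers.pop()).group(1)
    return {
        "on_disk": layers[0],          # only object avast can act on
        "containers": layers[:-1],     # .msi, then the .cab inside it
        "detected": layers[-1],        # object the signature matched
        "packer": packer,
        "depth": len(layers) - 1,      # nesting levels below the disk file
    }


def action_target(path):
    """File the user would have to chest or delete to clear the detection.

    Extracting one member from an .msi/.cab chain is not something avast
    does, so any action applies to the outermost file on disk.
    """
    return parse_detection_path(path)["on_disk"]


if __name__ == "__main__":
    for key, value in parse_detection_path(EXAMPLE_PATH).items():
        print(f"{key}: {value}")
```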

Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 15, 2011, 11:49:01 PM
I have Avast doing a full scan, should I stop it to go to VirusTotal to check C:\Program Files\Adobe\Photoshp Album Starter Edition\3.0\Shared_Assets\locales\en_us\abd2.exe? I also assume I can't do the other things mentioned while Avast is performing scan. I will await your reply.

Thank you
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 15, 2011, 11:52:48 PM
Leave the scan running; if any of the ones come up that can be dealt with, send them to the chest.

Then take any other actions.
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 16, 2011, 12:06:00 AM
Will do, Scan is at about 60%. I will follow through with VirusTotal and setting up "Suspect" file, etc., upon completion.

Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 16, 2011, 12:54:53 AM
Results from VirusTotal scan of ABD2.exe file.

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5:   fd5e0390cd4b0980c0aa1c6c459f5ab9
Date first seen:   2006-08-12 14:38:33 (UTC)
Date last seen:   2011-07-16 04:28:00 (UTC)
Detection ratio:   0/43

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
ADB2.EXE
Submission date:
2011-10-15 22:37:35 (UTC)
Current status:
finished
Result:
0/ 43 (0.0%)
   
VT Community

not reviewed
 Safety score: -
Antivirus    Version    Last Update    Result
AhnLab-V3   2011.10.13.00   2011.10.13   -
AntiVir   7.11.15.252   2011.10.13   -
Antiy-AVL   2.0.3.7   2011.10.13   -
Avast   6.0.1289.0   2011.10.13   -
AVG   10.0.0.1190   2011.10.13   -
BitDefender   7.2   2011.10.13   -
ByteHero   1.0.0.1   2011.09.23   -
CAT-QuickHeal   11.00   2011.10.13   -
ClamAV   0.97.0.0   2011.10.13   -
Commtouch   5.3.2.6   2011.10.13   -
Comodo   10440   2011.10.13   -
DrWeb   5.0.2.03300   2011.10.12   -
Emsisoft   5.1.0.11   2011.10.13   -
eSafe   7.0.17.0   2011.10.11   -
eTrust-Vet   36.1.8617   2011.10.13   -
F-Prot   4.6.5.141   2011.10.13   -
F-Secure   9.0.16440.0   2011.10.13   -
Fortinet   4.3.370.0   2011.10.13   -
GData   22   2011.10.13   -
Ikarus   T3.1.1.107.0   2011.10.13   -
Jiangmin   13.0.900   2011.10.12   -
K7AntiVirus   9.115.5278   2011.10.13   -
Kaspersky   9.0.0.837   2011.10.13   -
McAfee   5.400.0.1158   2011.10.13   -
McAfee-GW-Edition   2010.1D   2011.10.13   -
Microsoft   1.7702   2011.10.13   -
NOD32   6541   2011.10.13   -
Norman   6.07.11   2011.10.13   -
nProtect   2011-10-13.01   2011.10.13   -
Panda   10.0.3.5   2011.10.13   -
PCTools   8.0.0.5   2011.10.13   -
Prevx   3.0   2011.10.16   -
Rising   23.79.03.02   2011.10.13   -
Sophos   4.70.0   2011.10.13   -
SUPERAntiSpyware   4.40.0.1006   2011.10.13   -
Symantec   20111.2.0.82   2011.10.13   -
TheHacker   6.7.0.1.322   2011.10.13   -
TrendMicro   9.500.0.1008   2011.10.13   -
TrendMicro-HouseCall   9.500.0.1008   2011.10.13   -
VBA32   3.12.16.4   2011.10.13   -
VIPRE   10749   2011.10.13   -
ViRobot   2011.10.13.4717   2011.10.13   -
VirusBuster   14.1.11.0   2011.10.13   -
Additional information
MD5   : fd5e0390cd4b0980c0aa1c6c459f5ab9
SHA1  : 53a888612e2d74a8c61f19eafebbc43a4c1ff4af
SHA256: f6465c63e838510fc9538064758e29842c9990a9bb287c64a56216eacd5dcb11

VT Community

    This file has never been reviewed by any VT Community member. Be the first one to comment on it!

VirusTotal Team
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 16, 2011, 01:22:35 AM
When you find that the file has previously been scanned you should always have it scanned again. As in this case the avast signatures were two days old and pre-date your problem.

When the scan is complete, just copy and paste the URL from the address window of the virustotal results, saves all that hassle of copying the whole text across.
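DavidR's point that a previously-scanned report can reflect old signatures, together with his earlier note that GData and avast count as one detection, as an added example that is not part of the thread or of VirusTotal: it parses a pasted engine table like the one above, computes the ratio, merges GData with Avast, and lists the engines whose signatures pre-date the submission so you know whether to re-analyse before deciding. The report excerpt is constructed in the same layout, and the "ExampleAV" row with its hit is invented for the demo.

```python
"""Parse a pasted VirusTotal engine table and flag stale signatures.

Added example, not part of the thread or of VirusTotal. Assumes the
column layout pasted above: engine, version, last update (YYYY.MM.DD)
and result, separated by runs of spaces, with "-" meaning no detection.
"""
import re
from datetime import date, timedelta

# Constructed excerpt in the same layout as the report in the thread;
# "ExampleAV" and its Win32:Malware-gen hit are invented for the demo.
SAMPLE_REPORT = """\
Antivirus    Version    Last Update    Result
Avast   6.0.1289.0   2011.10.13   -
AVG   10.0.0.1190   2011.10.13   -
GData   22   2011.10.13   -
Prevx   3.0   2011.10.16   -
Symantec   20111.2.0.82   2011.10.13   -
ExampleAV   1.0   2011.10.15   Win32:Malware-gen
"""

ROW_RE = re.compile(
    r"^(\S+)\s{2,}(\S+)\s{2,}(\d{4})\.(\d{2})\.(\d{2})\s{2,}(.+?)\s*$"
)


def parse_rows(text):
    """Return one dict per engine row; header and residue lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        engine, version, y, mo, d, result = m.groups()
        rows.append({
            "engine": engine,
            "version": version,
            "updated": date(int(y), int(mo), int(d)),
            "result": None if result == "-" else result,
        })
    return rows


def independent_detections(rows):
    """Engines that flagged the file, counting a GData+Avast pair as one.

    GData runs the avast engine as one of its two scanners, so a hit from
    both is really a single signature firing twice.
    """
    hit = [r["engine"] for r in rows if r["result"]]
    if "GData" in hit and "Avast" in hit:
        hit.remove("GData")
    return hit


def stale_engines(rows, submitted, max_age_days=1):
    """Engines whose signatures are older than max_age_days at submission."""
    cutoff = submitted - timedelta(days=max_age_days)
    return [r["engine"] for r in rows if r["updated"] < cutoff]


def assess(text, submitted_iso):
    """Summarise a pasted report; recommend a fresh analysis if stale."""
    rows = parse_rows(text)
    stale = stale_engines(rows, date.fromisoformat(submitted_iso))
    return {
        "ratio": f"{len([r for r in rows if r['result']])}/{len(rows)}",
        "independent": independent_detections(rows),
        "stale": stale,
        "rescan": bool(stale),   # old signatures: re-analyse before deciding
    }


if __name__ == "__main__":
    print(assess(SAMPLE_REPORT, "2011-10-15"))
```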
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 16, 2011, 01:26:48 AM
Just saw your post, I did have it "reanalyzed" by VirusTotal. Is that what you mean by rescanned? I'll have to go back to the computer in question and send that URL for you.

I sent the sample as a false positive since it looked like nothing came up in the VirusTotal scan. Should I do a manual update of Avast or just let it run its regular update? Do I leave the file in C:\Suspect? How do I put it back in the chest? Should I do the Malwarebytes scan? Also, should I clean out the restore points as I have seen recommended before, or is that unnecessary in this case?

I will delete C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi I just can't figure out why it is showing up in downloaded installations since it is software we already have and that has no automatic updates. Would Secunia have anything to do with that?

Before I forget, I appreciate your help. I volunteer for a tax software online support and have an idea how much of your own time you put in. So thank you and all the volunteers in support help, where would we be without you!?!

Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 16, 2011, 01:31:57 AM
Here is the VirusTotal URL http://www.virustotal.com/file-scan/report.html?id=f6465c63e838510fc9538064758e29842c9990a9bb287c64a56216eacd5dcb11-1318721082

I see what you mean about the Avast signatures being 2 days old; all signatures are from 10/13. Is there any way for me to manually change that?
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 16, 2011, 01:40:50 AM
OK, that set of results is still showing an old version of the virus definitions:
Avast   6.0.1289.0   2011.10.13

However, the likelihood of this being a false positive detection is good, so it should be sent to avast for analysis:
Send the ADB2.EXE sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

@@@@
- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level; accept that. Now open the entry in the exclusions and change the \* to \file_name.exe, where file_name.exe is the file you want to exclude.
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 16, 2011, 01:59:30 AM
I sent it to Avast virus lab as per your previous instructions.

I'm a little confused. I think you are saying restore the ABD2.exe to its original folder after adding it to Avast's File Shield Exclusions with the full file extension. Is this correct? What do I do with the "Suspect" file you had me create for the VirusTotal? Is it okay to delete or send to the chest?
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 16, 2011, 02:11:01 AM
Yes you can use the Restore function in the chest to send it back to the original location (if you accept the very limited risk in doing so before knowing it is clear). A copy remains in the chest, confirm it is back in the C:\Program Files\Adobe\Photoshp Album Starter Edition\3.0\Shared_Assets\locales\en_us folder, then you can delete the backup in the chest.

The suspect 'folder' (and the copy of abd2.exe) was to allow you to send it to virustotal (VT) without avast blocking it. Once this action is complete you can delete the copy of abd2.exe in the suspect folder provided you have your copy in the chest or original location (so you aren't deleting the only copy).

Don't delete the suspect folder or the exclusion for it, that way if you need to submit a file to VT you don't have to remember how to create it and exclude it.
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 16, 2011, 02:18:18 AM
Okay, will do. Thanks again! I know it is getting late your way so very much appreciate your efforts.

I think once I do the moves you mention I will run the Malewarebytes. Is this okay to do now?
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 16, 2011, 02:26:00 AM
No problem, only 1:25 here, though I'm going off-line now, getting up early to watch the F1 Grand Prix (S Korea) start time 7am UK, yawn ;D
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 17, 2011, 12:30:31 AM
I know this is not the place to post this normally, but David, you mentioned getting up to see the Grand Prix race today. I just couldn't help but post about the sad news, just confirmed here in the states at 6:20 PM EST, that Dan Wheldon, Indy car driver and winner of this year's Indy 500 (his second) and 2005 champion, died in today's race in Las Vegas.
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 17, 2011, 12:48:49 AM
I hadn't heard about that, but yes, very sad news. We tend to forget the dangers of motor sport, as F1 and Indy Cars have massive levels of protection and we see that many walk away from big accidents. It only takes something like this to remind us of the dangers involved.
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DaSwee on October 17, 2011, 12:56:11 AM
Yes, exactly. It is always humbling when we are reminded of the dangers. Apparently 3 other drivers were taken to the hospital but none life threatening. It was one of the worst Indy accidents I'd seen in a long time. I just thought you would like to know, being a race fan and he being a countryman of yours. Here's a link http://espn.go.com/racing/indycar/story/_/id/7111712/dan-wheldon-dies-following-indycar-crash-vegas
Title: Re: Boot scan asking if sure file is a Windows folder, infected with Malware -gen
Post by: DavidR on October 17, 2011, 01:19:42 AM
Yes, I have seen the link, huge crash.