Author Topic: Why am I told I have a Virus?  (Read 11768 times)


Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Why am I told I have a Virus?
« on: July 28, 2008, 11:09:37 PM »
Hi,
I have an E-machines H5088 with Windows Vista Home Basic. My antivirus is Avast 4.8 Home Edition (build Jul2008 4.8.1229) with VPS 28/07/2008. The computer has two partitions, C: and D:. The first is for the operating system files and the second is for Recovery. This is the setup that was made by the company, and I in no way touched or modified the settings for the D: partition.
The problem I have is that yesterday when I updated to this current version of the Antivirus, I rebooted the computer. All was well until I opened Avast. What happened was that it warned me that one of my system files was infected and that I would have to do a boot scan. I did this and during the scan it told me this:

07/27/2008 19:59
Scan of all local drives
File C:\Boby\Win95 Files\Cheats\Pharaoh Cleopatra\gripctrainer\P-C trainer.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\Boby\Win95 Files\Downloads\p-c_trainer\P-C trainer.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\hiberfil.sys is infected by Zipper-2778
File C:\WINDOWS\System32\BAE.dll is infected by Win32:Adware-gen [Adw], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File D:\i386\Apps\App000179\BAE.dll is infected by Win32:Adware-gen [Adw]
File D:\i386\Apps\App000333\BAE.dll is infected by Win32:Adware-gen [Adw]
Number of searched folders: 10969
Number of tested files: 84695
Number of infected files: 6

Now after that I did a second boot scan and I got:

07/27/2008 21:06
Scan of all local drives

File D:\i386\Apps\App000179\BAE.dll is infected by Win32:Adware-gen [Adw]
File D:\i386\Apps\App000333\BAE.dll is infected by Win32:Adware-gen [Adw]
Number of searched folders: 10970
Number of tested files: 84709
Number of infected files: 2

Now my question is this: given that I did not modify D:, how is it that I get the warning that bae.dll is infected? I scanned this partition a week ago and there were no problems with it. What is going on?
Also does the fact that Hiberfil.sys was not detected as infected a second and third time mean that it was a false positive?
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.
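A small triage script for boot-scan reports in the format quoted above, added here as an example (it is not part of the original post and not avast's own code): it parses each "File ... is infected by ..." line, records whether the action taken (Deleted, Repair, Move to chest) actually succeeded or errored, groups copies of the same file name case-insensitively, and diffs the two scans so entries that vanished are separated from those that persist and still need a verdict. The sample input is constructed from the two reports in this post with the folder/file counters dropped; the "Number of infected files" cross-check and the "-gen" heuristic are assumptions of this script, not documented avast behaviour.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: the two boot-scan reports quoted above, folder/file counters dropped.
SCAN_1 = r"""07/27/2008 19:59
Scan of all local drives
File C:\Boby\Win95 Files\Cheats\Pharaoh Cleopatra\gripctrainer\P-C trainer.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\Boby\Win95 Files\Downloads\p-c_trainer\P-C trainer.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\hiberfil.sys is infected by Zipper-2778
File C:\WINDOWS\System32\BAE.dll is infected by Win32:Adware-gen [Adw], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File D:\i386\Apps\App000179\BAE.dll is infected by Win32:Adware-gen [Adw]
File D:\i386\Apps\App000333\BAE.dll is infected by Win32:Adware-gen [Adw]
Number of infected files: 6
"""
SCAN_2 = r"""07/27/2008 21:06
Scan of all local drives
File D:\i386\Apps\App000179\BAE.dll is infected by Win32:Adware-gen [Adw]
File D:\i386\Apps\App000333\BAE.dll is infected by Win32:Adware-gen [Adw]
Number of infected files: 2
"""
# A hit line is: path, signature, then zero or more comma-separated action results.
HIT_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<sig>[^,]+)(?:, (?P<actions>.+))?$")
TRAILER_RE = re.compile(r"^Number of infected files: (?P<n>\d+)$")

@dataclass(frozen=True)
class Hit:
    path: str
    signature: str
    actions: tuple  # () | ("Deleted",) | ("Repair: Error 42060 {...}", "Move to chest: Error ...")

    @property
    def generic(self) -> bool:  # '-gen' = family signature: wider net, so a FP is likelier (assumption)
        return "-gen" in self.signature

    @property
    def remediation(self) -> str:
        if not self.actions:
            return "detected only"  # nothing was done; the file is still in place
        if any("Error" in a for a in self.actions):
            return "failed"         # repair/move-to-chest errored; the file is still in place
        return "deleted"

def parse_scan(text: str) -> list:
    """Parse one report; raise if the listed hits disagree with the report's own trailer."""
    hits, declared = [], None
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            acts = tuple(a.strip() for a in m["actions"].split(", ")) if m["actions"] else ()
            hits.append(Hit(m["path"], m["sig"].strip(), acts))
            continue
        t = TRAILER_RE.match(line)
        if t:
            declared = int(t["n"])
    if declared is not None and declared != len(hits):
        raise ValueError(f"report declares {declared} infected files but lists {len(hits)}")
    return hits

def group_by_name(hits) -> dict:
    """Lower-cased base name -> hits: Windows names are case-insensitive, so BAE.dll == bae.dll."""
    groups = {}
    for h in hits:
        groups.setdefault(ntpath.basename(h.path).lower(), []).append(h)
    return groups

def diff_scans(first, second) -> tuple:
    """(vanished, persisting) paths between two consecutive scans, matched case-insensitively."""
    a = {h.path.lower(): h.path for h in first}
    b = {h.path.lower() for h in second}
    return sorted(a[k] for k in a.keys() - b), sorted(a[k] for k in a.keys() & b)

if __name__ == "__main__":
    s1, s2 = parse_scan(SCAN_1), parse_scan(SCAN_2)
    print([(h.remediation, h.generic, h.path) for h in s1])
    print("vanished / still flagged between scans:", diff_scans(s1, s2))
```

Entries reported as "failed" or "detected only" are the ones still on disk; those are the candidates to copy out to a holding folder and submit for a second opinion, as the replies below describe.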

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: Why am I told I have a Virus?
« Reply #1 on: July 29, 2008, 12:05:24 AM »
I would hazard a guess that this might cast some light on why cheats/cracks, etc. can be a high-risk affair.

I think the hiberfil.sys is a file that perhaps should be excluded from scans, as what is in there is effectively what is in memory and this might, or probably will, be detected by avast.

Signatures get added and updated so it is entirely possible that something is found after clean scans. However, the modification of a generic signature (the -gen at the end of the malware name), is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

Upload bae.dll, the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

You can upload the other suspect files if you wish; there is a 10MB upload limit, so the hiberfil.sys is out of the question. I believe you can set this file to be deleted on system shutdown ??? I don't use it so I'm not that familiar with it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Confused Computer User
Re: Why am I told I have a Virus?
« Reply #2 on: July 29, 2008, 01:44:28 AM »
Hi DavidR,

You say:
"Upload bae.dll, the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below."

Now I get this but the problem is that the offending file D:\i386\Apps\App000179\BAE.dll is in a secured partition. Meaning that I can't access it. Keep in mind I'm on vista so I find it odd that this particular region would get viruses.

I agree that cheats/cracks are hazardous but in my defense these were placed in archives which were never unzipped on this computer. Also I scanned all these files previously and no viruses were found at that time (used avast and the archives came from my old Win95.. which is still working).

So how would I proceed?

Thank you for the help.

Offline DavidR
Re: Why am I told I have a Virus?
« Reply #3 on: July 29, 2008, 03:00:44 AM »
Check and see if you can find this one manually using windows explorer and use that.

- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image.

I can't see it being very well protected if avast can get in and scan the contents; perhaps the above might allow you to see it and you may be able to copy bae.dll to the c:\suspect folder.

Some google search results on this file, http://www.google.co.uk/search?q=BAE.dll, do any of them ring any bells, like do you have a Dell, etc. e.g. trying to find a legitimate reason it would be there.

In the meantime, you could exclude the D:\i386\Apps\App000179\BAE.dll file from scans (since as you say this is a protected partition and you can't use it) as in the link I gave in my first post.

Whether they be in archives that aren't opened, they are on your system, but as your first post reports you deleted them; not really a good first option (you have none left). 'First do no harm': don't delete, send the virus to the chest and investigate.

Offline Confused Computer User
Re: Why am I told I have a Virus?
« Reply #4 on: July 29, 2008, 03:43:25 PM »
Hello DavidR,

Thank you for the quick reply. I will try what you said but there are a few problems. I will be as detailed as possible in my explanation.

So, you gave me a great way of seeing the hidden files on my computer. However, I presume you first opened a folder which you knew had hidden files and then you did the procedure shown in your picture. My problem is this. When I access the D: partition all I see is a small icon shaped like a golden lock. When I double click on it, it opens up only to show me a message along the lines that it is a recovery partition and that any modification brought to it will have negative effects on my computer. Not word for word, but pretty much that's what it says. There are no folders or any buttons in this window which will allow me to see its contents.

Another thing which I find weird (Well to be expected), is that usually if you go into the Start menu and start typing D:\i386\Apps\App000179 you should be given a link to the file. That's how I find most of my hidden files (these files are always in C: and by most I mean the folder setting file that gives certain folder icons a groovy design... not relevant in this case). But I am not given that link.

You say:
"Some google search results on this file, http://www.google.co.uk/search?q=BAE.dll, do any of them ring any bells, like do you have a Dell, etc. e.g. trying to find a legitimate reason it would be there."

Well the computer is an E-machines which came with Google bar Pre-installed.
What is not mentioned in my previous post, where I gave the log of infected files found during the boot scan, and this might help, is that when I got the computer I un-installed Google Task Bar from it using Add/remove software. However, even if the de-installation went well there was still the folder C:\google left on my computer. I left it there mostly because I forgot to remove it. Now getting back: before rebooting and doing a boot scan, Avast found the file C:\google\bae.dll to be infected with Win32:Adware-gen. This was before the boot scan, and since the file was on C: in the google folder which I did not care about, I sent it to the Virus chest (precaution... I learned the hard way not to delete .dll files or update them before double checking what they do... Win95... bad experience with some installs).

N.B. the file bae.dll from C:\google is not spelled the same way as BAE.dll from D:\i386\Apps\App000179. That's to say I made sure my spelling is correct. I'm not certain if capitalizing the letters would mean that the two are different.

Thanks again for the help.


Offline DavidR
Re: Why am I told I have a Virus?
« Reply #5 on: July 29, 2008, 06:01:51 PM »
Whilst it gives you "a message along the lines that it is a recovery partition and that any modification brought to it will have negative effects on my computer," does it not allow you to access that partition?

All we are trying to do is to copy that file (not delete it) to a temporary folder outside the recovery partition, e.g. the c:\suspect folder I suggested earlier (you may need to pause the standard shield to be able to copy it to that folder, assuming you are able to access it). From there it should be possible to upload the copied file to VirusTotal and if required submit it to avast for analysis.

The file name is identical, as case isn't an issue: it can be upper, lower or mixed case and it is still the same. So if you have this file in the chest you can export it to the c:\suspect folder. Open the chest: right click the avast ' a ' icon and select avast! Virus Chest. Select the Infected Files section, right click on the bae.dll file and select export, navigate to the c:\suspect folder and send it there.

Now you should be able to upload it.

Offline Confused Computer User
Re: Why am I told I have a Virus?
« Reply #6 on: July 29, 2008, 07:48:44 PM »
Thanks again for the quick reply David.

So if the infected file is in the virus chest, I can simply export it to the folder C:\suspicious. Now when I upload I am essentially sending a copy. So the file will still stay in C:\suspicious after the upload is complete.

What do I do with that after the upload is done?

Also, do I still turn off or pause the active scan when I export it to the folder? Or do I put the file on an exception list through Avast? Or, when exporting from the virus chest to a folder, will I have to suspend the active scanner, and after the transfer is done reactivate the scanner to ensure that the virus does not cause any problems? Once this is done I connect to the internet and then upload it (at this point the scanner is working).

Please tell me, if I do any of the above, what are my chances of causing more problems? I know I'm kind of asking the same question, but I just want to make sure I won't make things worse, since if I have to format there's no way I can restore the system back the way it was, since I don't have the Vista CD.

Thanks

Offline DavidR
Re: Why am I told I have a Virus?
« Reply #7 on: July 29, 2008, 08:38:20 PM »
You can delete it if you wish, but personally I would leave it there until the matter is concluded satisfactorily.

avast! isn't going to scan it in that folder and since it isn't in the original folder it is effectively inert (there would be no command in registry, etc. to run it in the suspicious folder), even if it is infected.

Exporting from the chest to the suspicious folder shouldn't need you to pause the standard shield, assuming you have added that folder to the exclusions list as previously outlined.

If you do the things as outlined it will have no impact on your system, there will still be a copy of the file in the Infected Files section of the Chest, the export makes a copy to send to the suspicious folder.

Offline Confused Computer User
Re: Why am I told I have a Virus?
« Reply #8 on: July 29, 2008, 09:15:31 PM »
Ok.

I did what you said and it went relatively well. No bells went off on my computer. To be sure I'll run a full scan after I post this.
I uploaded the file and I got a score of 3/25. This being said I don't quite understand what the site is telling me.
Here is the permalink to my results:
http://www.virustotal.com/analisis/fb0ef3dc0cbdb6cfbb70816f479acf6b

Thanks for the help so far.

Offline DavidR
Re: Why am I told I have a Virus?
« Reply #9 on: July 29, 2008, 11:37:59 PM »
Well, first, the avast win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

The three detections on VT aren't avast's (that in itself isn't strange, as VT can't update the avast signatures in real time as the user can, so it can be out of step), but it is classed as adware redirects by two of the others.

Quote:
    Description:
    BAE.dll is GoogleAFE (Browser Address Error Redirector) object which is a browser plugin that redirects browser error pages to vendor customized Google search pages, often found on Dell PCs. This is a non-essential program. It is recommended that you remove it from your system to boost up the performance of your IE browser.

So this may be where the adware redirect bit comes from in those two detections.

The third detection, AdWare.Win32.Agent.zuk from Rising (which is a Chinese AV, I believe), isn't one I'm familiar with, so I can't say how good it might be.
See http://en.wikipedia.org/wiki/Rising_AntiVirus; if Wiki doesn't know much about it, that doesn't fill me with confidence.

The upshot of all this is it warrants additional analysis and you should send that sample to avast.
Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "possible false positive" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Offline Confused Computer User
Re: Why am I told I have a Virus?
« Reply #10 on: July 30, 2008, 01:23:48 AM »
Hi and thank you for the detailed post.
It's greatly appreciated. Now this may sound stupid, but when I try to send the bae.dll file to Avast from the virus chest it tells me I have to set up my account or something that has to do with Outlook, which I never used... mostly because I have dial up and prefer web based e-mail.
My question now is: can I just send the file from my normal e-mail to virus@avast.com? Also, how do you set the zip password?
Again, thank you for the continued help.

Offline Confused Computer User
Re: Why am I told I have a Virus?
« Reply #11 on: July 30, 2008, 01:46:51 AM »
"Hi and thank you for the detailed post.
It's greatly appreciated. Now this may sound stupid but when I try to send the bae.dll file to Avast from the virus chest it tell me I have to set up my account or something that has to do with OutLook which I never used... mostly because I have dial up and prefer web based e-mail.
My question now is: Can I just send the file from my normal E-mail to virus@avast.com. Also How do you set the zip password?
Again thank you for the continued help."

One last thing. On my Vista computer I don't have WinZip or WinRar or Ace, since I don't really need to archive files. But I do have these types of programs on my Win95. You mentioned that if I keep the bae.dll in a folder with a different name (separate from google) it shouldn't have any effect. By this token, would it be wise to just transfer the file to the old computer, zip it and password it there, and then send it to Avast?
This seems like a complication, but I dislike having to install WinZip on Vista... Uninstalling it will be a pain.. and if I have to deal with the same thing as with Google task bar I'd rather not even think about it.
Cheers.

Offline DavidR
Re: Why am I told I have a Virus?
« Reply #12 on: July 30, 2008, 02:18:55 AM »
Well I don't use Vista, but I would imagine it has the ability to zip a file, though I don't know if it has the ability to password protect the zip file.

It wouldn't really matter where the file is sent from (however, the problem is getting an attachment up to your webmail; many block this, and you would have to have already zipped and password protected the zip file). If you are able to get it to the win95 system you can send it from there (avast might have a whinge when you try to move it or save it on its way to win95).

Offline Confused Computer User
Re: Why am I told I have a Virus?
« Reply #13 on: August 03, 2008, 01:20:41 AM »
Ok. I have a very annoying problem. If I zip and password the file, when I upload it to the e-mail (I use mail.yahoo.com) I get a message saying that the file is virused and that it couldn't be cleaned, no matter what type of password I set. If I simply upload the file then it does upload, but I'm thinking that it is cleaned by Norton or whatever antivirus Yahoo uses. What's worse is that if Norton finds that the file is virused then I have a serious problem. (I would have liked to think of this as a false positive).

What should I do?

Offline Confused Computer User
Re: Why am I told I have a Virus?
« Reply #14 on: August 03, 2008, 01:59:41 AM »
OK,

So I decided to try and send the Dll as is (not zipped) to virus@avast.com. Before doing this I sent the file to myself to see if indeed Norton cleans it (supposing that it was virused to begin with). Once I started to download it, Avast automatically popped up and warned me that the file is a threat to the computer and told me to abort the download. It also detected two other dll files in a temp folder for Firefox, which I told it to send to the virus chest. I presume of course that these are simply temporary files downloaded from yahoo. The files are:
C:\User\Bobby\AppData\Local\Mozila\Firefox\Profiles\ast19pel.default\Cache\D11397A4d01
C:\User\Bobby\AppData\Local\Temp\4rv9breh.dll
Both were found to be infected with Win32: Adware-gen (AdW)

So this in my opinion would go to show that Avast is indeed giving a false positive. I'm waiting for the answer from Avast to my e-mail, and then I'll post any solutions.

Thank you for the help so far
cheers