Author Topic: Win32: Malware-Gen  (Read 9880 times)


Odd.Girl

  • Guest
Win32: Malware-Gen
« on: July 11, 2010, 06:28:00 PM »
Hello.  I was looking at the log of my scheduled scan this morning and to my surprise, Avast found Win32: Malware-Gen.  I looked at the log and there was only one file infected.  I tried to move it to the chest and repair it, but I got "Error: Access is denied. (5)"  So, I scanned with MBAM and it came up with absolutely nothing.  Avast's location of the file says: C:\Program Files\Pando Networks\Media Booster\uninst.exe  And the threat is rated as "High".

How can I remove this?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32: Malware-Gen
« Reply #1 on: July 11, 2010, 07:21:04 PM »
Don't rush, especially if this has been on your system for some time (check the file properties)?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below. Or in your case from the original location so you would need to copy the file from the original location to a temporary one, see below.

- avast5 - Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. Now enter the chest again and Extract the file to the Suspect folder and upload it to VT.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Odd.Girl

  • Guest
Re: Win32: Malware-Gen
« Reply #2 on: July 11, 2010, 07:32:41 PM »
I do weekly scans, so it had to be from this week, not sure when.

And I can't get it into the chest because of the error stated in my first post.

**Edit:  I got it into the chest while in safe mode.  I'm moving back to normal mode to extract/upload it to the website.
« Last Edit: July 11, 2010, 08:18:50 PM by Odd.Girl »

Offline Ms Bookworm

  • Newbie
  • *
  • Posts: 4
Re: Win32: Malware-Gen
« Reply #3 on: July 11, 2010, 08:04:37 PM »
I was able to put it in the chest in safe mode.  But malwarebytes does not recognize it.  Is it a false positive?

Odd.Girl

  • Guest
Re: Win32: Malware-Gen
« Reply #4 on: July 11, 2010, 08:27:44 PM »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32: Malware-Gen
« Reply #5 on: July 11, 2010, 09:49:15 PM »
Says it has already been analyzed.

Here's my link anyhow:  http://www.virustotal.com/reanalisis.html?0d05d0c98cd83413a2d042d26f36669db4ea3d67dde4f82253b7cdebc3feefbd-1278872646

I tend to always have it scan it again to ensure we have the latest results, these are the latest results, http://www.virustotal.com/analisis/0d05d0c98cd83413a2d042d26f36669db4ea3d67dde4f82253b7cdebc3feefbd-1278872646, only 3/41.

Only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.

Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

- In the meantime (if you accept the risk), add it to the exclusions lists:
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Odd.Girl

  • Guest
Re: Win32: Malware-Gen
« Reply #6 on: July 11, 2010, 10:18:17 PM »
I don't even remember when it got downloaded or what it does, really.  I looked it up online and some people say it is spyware, but McAfee Site Advisor says it is a green download.  And on the Advisor site it had a link to one of the games I once downloaded.  It isn't a needed program.  Can't I just delete it somehow and be rid of it?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32: Malware-Gen
« Reply #7 on: July 11, 2010, 11:38:08 PM »
Of course you could just delete it or uninstall the program if as you say you don't use it, but that really isn't the best thing to do.

By sending the sample to avast and getting the detection corrected, it not only resolves your problem but also helps every other avast user that might be using the same program and improves detection.

Odd.Girl

  • Guest
Re: Win32: Malware-Gen
« Reply #8 on: July 12, 2010, 12:31:45 AM »
Went ahead and sent in the false positive.  We'll see what happens.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32: Malware-Gen
« Reply #9 on: July 12, 2010, 01:14:31 AM »
Thanks, hopefully it won't be long for it to be corrected.

Periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Seffrid

  • Guest
Re: Win32: Malware-Gen
« Reply #10 on: July 12, 2010, 04:46:07 PM »
Any update on this one? I have the same virus report on the same file as the OP.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32: Malware-Gen
« Reply #11 on: July 12, 2010, 05:03:52 PM »
Well it wasn't that long ago that it was submitted, late last night. If you have this file in the chest, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Have you got the latest virus definitions and have you scanned the file again as that really is the easiest way to tell of its progress, other than avast are usually quite quick to correct any FP once identified.

Seffrid

  • Guest
Re: Win32: Malware-Gen
« Reply #12 on: July 12, 2010, 05:29:22 PM »
Thanks DavidR. Yes, it's in the chest, virus definitions have been updated, and it's still scanning as infected. I'll keep an eye on it as you suggest.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32: Malware-Gen
« Reply #13 on: July 12, 2010, 06:06:57 PM »
No problem.

BigLightBulb

  • Guest
Re: Win32: Malware-Gen
« Reply #14 on: July 12, 2010, 07:11:40 PM »
Would the folks who've had this detection be kind enough to post the MD5 hash of uninst.exe? Mine doesn't appear to match the one VirusTotal analyzed.

Here's mine: D41D8CD98F00B204E9800998ECF8427E
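
For the hash comparison requested in the last post, an added example (not part of the thread or any poster's code) that hashes a local file and compares it with the sample VirusTotal analysed. It assumes the 64-hex-character part of the VirusTotal URL quoted in reply #5 is the sample's SHA-256; the function names are hypothetical. It also flags digests of zero bytes of input: `D41D8CD98F00B204E9800998ECF8427E` is the MD5 of empty input, so a hash with that value means no file content was read.

```python
import hashlib
import os
import tempfile

# Assumption: hex part of the VirusTotal URL in reply #5 (before "-1278872646").
VT_SHA256 = "0d05d0c98cd83413a2d042d26f36669db4ea3d67dde4f82253b7cdebc3feefbd"

# Digests of zero bytes of input: seeing one means nothing was actually hashed.
EMPTY_DIGESTS = {hashlib.md5(b"").hexdigest(), hashlib.sha256(b"").hexdigest()}


def file_digests(path, chunk_size=65536):
    """Return (size_in_bytes, md5_hex, sha256_hex) for the file at path."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def is_empty_digest(hex_digest):
    """True when a posted hash is the MD5 or SHA-256 of empty input."""
    return hex_digest.strip().lower() in EMPTY_DIGESTS


def compare_with_vt(path, vt_sha256=VT_SHA256):
    """Classify a local file against the sample VirusTotal analysed."""
    size, _md5, sha256 = file_digests(path)
    if size == 0:
        return "empty-input"      # zero-byte file: hash says nothing about the sample
    if sha256 == vt_sha256.lower():
        return "same-file"        # byte-for-byte the file VT scanned
    return "different-file"       # another build or version; VT result does not apply


if __name__ == "__main__":
    print(is_empty_digest("D41D8CD98F00B204E9800998ECF8427E"))  # hash from the last post
    # Constructed stand-in files, not the real uninst.exe.
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("empty.bin", b""), ("other.bin", b"constructed sample")):
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                fh.write(data)
            print(name, compare_with_vt(p))
```

A "different-file" result means the VirusTotal report linked in the thread describes some other build of the file, so the local copy would need its own scan before the false-positive conclusion is applied to it.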