Author Topic: Boot scan asking if sure file is a Windows folder, infected with Malware -gen  (Read 20814 times)


DaSwee

  • Guest
Just saw your post, I did have it "reanalyzed" by VirusTotal. Is that what you mean by rescanned? I'll have to go back to the computer in question and send that URL for you.

I sent the sample as a false positive since it looked like nothing came up in the VirusTotal scan. Should I do a manual update of Avast or just let it run its regular update? Do I leave the file in the C:\Suspect? How do I put it back in the chest? Should I do the Malwarebytes scan? Also, should I clean out the restore points as I have seen recommended before, or is that unnecessary in this case?

I will delete C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi I just can't figure out why it is showing up in downloaded installations since it is software we already have and that has no automatic updates. Would Secunia have anything to do with that?

Before I forget, I appreciate your help. I volunteer for a tax software online support and have an idea how much of your own time you put in. So thank you and all the volunteers in support help, where would we be without you!?!


DaSwee

  • Guest
Here is the VirusTotal URL http://www.virustotal.com/file-scan/report.html?id=f6465c63e838510fc9538064758e29842c9990a9bb287c64a56216eacd5dcb11-1318721082

I see what you mean about the Avast signatures being 2 days old, all signatures are from 10/13. Is there any way for me to manually change that?
« Last Edit: October 16, 2011, 01:35:17 AM by DaSwee »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89025
  • No support PMs thanks
OK, that set of results is still showing an old version of the virus definitions:
Avast   6.0.1289.0   2011.10.13

However, the likelihood of this being a false positive detection is good, so it should be sent to avast for analysis:
Send the ADB2.EXE sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level, accept that. Now open the entry in the exclusions and change the \* to \file_name.exe where file_name.exe is the file you want to exclude.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
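Two of the checks DavidR describes above (confirming the VirusTotal report really is for the file in the chest, and noticing that an engine's definitions are older than the scan) can be done without trusting the report page by eye. The script below is an added example, not code from the thread, from avast, or from VirusTotal. It assumes only what the page shows: that the VT report URL carries the sample's SHA-256 and a Unix timestamp in its `id=` parameter, and that the engine table prints lines like `Avast   6.0.1289.0   2011.10.13`. The sample file it hashes is constructed in a temp file and is not the real abd2.exe.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Report id format as seen in the URL quoted in this thread: <sha256>-<unix timestamp>.
VT_REPORT_RE = re.compile(r"id=([0-9a-f]{64})-(\d+)")

# The report URL DaSwee posted above (the only real identifier used here).
PAGE_REPORT_URL = (
    "http://www.virustotal.com/file-scan/report.html?id="
    "f6465c63e838510fc9538064758e29842c9990a9bb287c64a56216eacd5dcb11-1318721082"
)


def parse_vt_report_url(url):
    """Return (sha256 hex digest, analysis time as an aware UTC datetime)."""
    m = VT_REPORT_RE.search(url)
    if not m:
        raise ValueError("not a VirusTotal file-scan report URL")
    analysed = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1), analysed


def sha256_of_file(path):
    """Hash a file in chunks so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def report_matches_file(url, path):
    """True only if the local file hashes to the digest embedded in the report URL."""
    digest, _ = parse_vt_report_url(url)
    return digest == sha256_of_file(path)


def stale_engines(report_lines, analysed, max_age_days=1):
    """Return (engine, age_in_days) for engines whose definition date lags the
    analysis time by more than max_age_days; lines that do not parse are skipped."""
    stale = []
    for line in report_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        engine, defs_date = parts[0], parts[-1]
        try:
            defs = datetime.strptime(defs_date, "%Y.%m.%d").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        age = analysed - defs
        if age > timedelta(days=max_age_days):
            stale.append((engine, age.days))
    return stale


def run_demo():
    """Write a constructed sample, run both checks, and return the results."""
    digest, analysed = parse_vt_report_url(PAGE_REPORT_URL)
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as f:
        f.write(b"MZ constructed placeholder, not the real abd2.exe")  # constructed sample
        path = f.name
    try:
        local_digest = sha256_of_file(path)
        matches_page_report = report_matches_file(PAGE_REPORT_URL, path)
        # A URL built in the same format for our own sample must match.
        own_url = (
            "http://www.virustotal.com/file-scan/report.html?id="
            f"{local_digest}-{int(analysed.timestamp())}"
        )
        matches_own_report = report_matches_file(own_url, path)
    finally:
        os.unlink(path)
    # Engine lines: the first is quoted from the thread, the second is constructed.
    stale = stale_engines(
        ["Avast   6.0.1289.0   2011.10.13", "Fresh   1.0   2011.10.15"], analysed
    )
    return {
        "report_sha256": digest,
        "analysed": analysed.isoformat(),
        "matches_page_report": matches_page_report,
        "matches_own_report": matches_own_report,
        "stale": stale,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The timestamp in the posted URL decodes to 2011-10-15 23:24 UTC, and the Avast line carries 2011.10.13 definitions, so `stale_engines` reports Avast as 2 days behind, which is exactly the point DavidR makes: a clean VT result from an engine with old definitions says little about whether the current avast signatures still flag the file. The hash comparison guards the other side of the argument: a VT report only speaks for the bytes it hashed, so confirm the chest copy hashes to the same digest before treating the report as evidence.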

DaSwee

  • Guest
I sent it to Avast virus lab as per your previous instructions.

I'm a little confused, I think you are saying restore the ABD2.exe to its original folder after adding it to Avast's File Shield Exclusions with the full file extension. Is this correct? What do I do with the "Suspect" file you had me create for the VirusTotal, is it okay to delete or send to chest?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89025
  • No support PMs thanks
Yes you can use the Restore function in the chest to send it back to the original location (if you accept the very limited risk in doing so before knowing it is clear). A copy remains in the chest, confirm it is back in the C:\Program Files\Adobe\Photoshp Album Starter Edition\3.0\Shared_Assets\locales\en_us folder, then you can delete the backup in the chest.

The suspect 'folder' (and the copy of abd2.exe) was to allow you to send it to virustotal (VT) without avast blocking it. Once this action is complete you can delete the copy of abd2.exe in the suspect folder provided you have your copy in the chest or original location (so you aren't deleting the only copy).

Don't delete the suspect folder or the exclusion for it, that way if you need to submit a file to VT you don't have to remember how to create it and exclude it.

DaSwee

  • Guest
Okay, will do. Thanks again! I know it is getting late your way so very much appreciate your efforts.

I think once I do the moves you mention I will run the Malwarebytes. Is this okay to do now?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89025
  • No support PMs thanks
No problem, only 1:25 here, though I'm going off-line now, getting up early to watch the F1 Grand Prix (S Korea) start time 7am UK, yawn ;D

DaSwee

  • Guest
I know this is not the place to post this normally, but David you mentioned getting up to see the Grand Prix race today. I just couldn't help but post about the sad news, that was just confirmed here in the states, 6:20 PM EST, that Dan Wheldon, Indy car driver and winner of this years Indy 500 (his second) and 2005 champion, died in today's race in Las Vegas.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89025
  • No support PMs thanks
I hadn't heard about that, but yes very sad news. We tend to forget the dangers of motor sport as F1 and Indy Cars have massive levels of protection and we see that many walk away from big accidents. It only takes something like this to remind us of the dangers involved.

DaSwee

  • Guest
Yes, exactly. It is always humbling when we are reminded of the dangers. Apparently 3 other drivers were taken to the hospital but none life threatening. It was one of the worst Indy accidents I'd seen in a long time. I just thought you would like to know, being a race fan and he being a countryman of yours. Here's a link http://espn.go.com/racing/indycar/story/_/id/7111712/dan-wheldon-dies-following-indycar-crash-vegas

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89025
  • No support PMs thanks
Yes, I have seen the link, huge crash.