Author Topic: Boot scan asking if sure file is a Windows folder, infected with Malware -gen  (Read 8710 times)


Offline DaSwee

  • Newbie
  • *
  • Posts: 15
Today's weekly full scan with Avast Internet Security came up with 1 threat: Adobe Photoshop Album Starter has Win32:Malware-gen. I clicked to put it in the Virus Chest and was prompted to run a boot scan. Avast is up to date, including the engine and virus definitions, and I do use the included firewall with all shields enabled. I run Windows XP. I was going to follow this with a Malwarebytes scan, whose last scan, last week, came out clean, just as Avast did.

Results said: "C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi|>Data1.cab|>ADB2.exe|>[UPX] is infected by Win32:Malware-gen. File is in windows folder, are you sure?" It gives me the options of 1-Yes, 2-Yes all, 3-No, Esc-Exit.
I haven't clicked on anything. I tried to find other questions in support/forums related to this issue but nothing came up in the search.

It also shows that this same malware plus Win32:PUP-gen has infected C:\System volume information\_restore{7E6001F9-0A8D-45EC-B593-E452c096Cf95}\RP903\A0050790.exe. These were both moved to the chest.

I'm not sure what else you may need.

Thanks for your help

D

UPDATE: It is getting late, I don't know how I should answer Avast's query and am concerned if there will be a problem if the computer goes to sleep. Can anyone tell me if being in the boot scan mode will keep the computer awake until the situation can be modified? Is there any danger of this generic malware doing further damage while I have it in this state or if the computer goes to sleep?
« Last Edit: October 15, 2011, 05:36:07 AM by DaSwee »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72616
  • No support PMs thanks
Also see this topic, same issue. http://forum.avast.com/index.php?topic=86662.0.

There is some uncertainty about this file name, with some saying it is OK and some saying it is malicious: http://spywarefiles.prevx.com/RRFIGA18699/ADB2.EXE.html and http://www.online-armor.com/oasis2/file/leader_technologies_atari/powerreg/adb2_exe/7185. Now file names can be absolutely anything, so there is no certainty based on the file name alone.

Have you or someone recently installed this program C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi?
Do you have Adobe Photoshop Album 3 SE installed?

Given its location C:\Windows\Downloaded Installations\ even if the whole file (.msi) were moved to the chest it shouldn't cause an issue as it has probably been installed or at worst you might have to download it again.

The one in the C:\System volume information\_restore point could be a saved copy of the above:
There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

However, PUPs (Potentially Unwanted Programs) are generally tools that can be used for good or malicious intent or applications with undesirable features.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.4.2227 R4 beta1/ Outpost Firewall Pro9.1/ Firefox 40.0.3, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.8/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline DaSwee

  • Newbie
  • *
  • Posts: 15
I've read these other threads but my main problem at the moment is what am I supposed to answer to Avast's question in the boot scan? It is asking "File is in windows folder, are you sure?" and gives me the options of 1-Yes, 2-Yes all, 3-No, Esc-Exit. This is for the installation file only: "C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi|>Data1.cab|>ADB2.exe|>[UPX] is infected by Win32:Malware-gen".
This means I'm still stuck on the boot scan page on that computer, not knowing what I am supposed to click on.

Also it doesn't say that this downloader file was moved to the chest or give an error; it looks exactly like I have it in my original post.

I can't answer your other questions yet since this is on the computer my husband uses and he said he doesn't recognize the program, Adobe Photoshop Album 3, although I believe the program is on there and has been for quite some time. And he says he hasn't downloaded anything. But I can't check anything until I am able to get this boot scan completed.

Once I am given instructions on what to do with the boot scan question I can then address your other questions.

Should I contact Avast through that computer if I am able? Or just stay with contacting via my laptop?

Thanks so much.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72616
  • No support PMs thanks
If you are ever unsure in a boot-time scan (in order to get out of it), select no action as that is preferable to deletion or moving to the chest as the file might be required on boot (not the case here) for when you reboot.

I would like to know why you chose to do a boot-time scan?
This really only needs to be run if something is detected in normal window mode, which can't be dealt with in normal mode.

A full system scan, I would imagine, would detect these and you can send both to the chest.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6070
  • Trust only what you test yourself!
I noticed in your OP you stated you moved "it" to the chest. Since it is already there I can't see where a decision should be made. Have you tried to exit out of the boot scan and run another full system scan? If it is in the chest do as David advised and re-scan it in the chest in a few weeks.  :)
Dell Inspiron, Win10x64, MalwareBytes Premium--HP Envy Win10x64, MalwareBytes Premium,--Both systems Avast Free v2015.10.3.2225, MalwareBytes Anti-Exploit Free, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Firefox (latest build) and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline DaSwee

  • Newbie
  • *
  • Posts: 15
I'll try to address both David and Para-Noid in the same response and hope I'm giving the answers that will help you to help me. Avast did its full weekly system scan yesterday and came up with "Adobe Photoshop Album Starter has Win32:Malware-gen". I didn't write down the exact location of that file because I didn't realize I wouldn't be able to get back to it yet. I do not remember it saying it was in "Downloaded Installations" but can't be sure. I then selected that it be moved into the chest. Avast never really gave me a confirmation; it said it suggested I do a boot-scan and did I want to schedule it now. I was going to do the Malwarebytes scan but I figured Avast asking to do the boot-scan was of more importance.

The scan results came up with the files mentioned: C:\System volume information\_restore{7E6001F9-0A8D-45EC-B593-E452c096Cf95}\RP903\A0050790.exe was infected with Win32:Malware-gen and another (same exact file, volume information restore point) came up infected with Win32:PUP-gen. These have been moved to the chest. The last file, C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi|>Data1.cab|>ADB2.exe|>[UPX], only asks "File is in windows folder, are you sure?" and gives me the options of 1-Yes, 2-Yes all, 3-No, Esc-Exit. I don't have the option of moving to the chest or no action, only the options I have listed. The closest to no action is Esc-Exit. Would that be the same thing? No, I haven't tried exiting out of the boot-scan and doing a full scan because that was what my original question was about: how was I supposed to answer this question.

If you guys say it is safe for me to hit the Esc-Exit option I will do so.

Thanks again.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72616
  • No support PMs thanks
The warning "File is in windows folder, are you sure?" is a general one and not all things in the windows folders are actually windows or system files. It is quite a common tactic of some malware to place their malware in windows folders to put that doubt in the user's mind to start with.

It is safe to hit the exit/esc on the scan as that just stops the scan; if you haven't taken any action then these files would be in the same locations. As I have said in my previous post, there would be no downside really in removing both these files.

However, what I'm also trying to do is get you thinking in the right way, never delete anything until you have investigated (as you are) and are sure it will do no harm.

Offline DaSwee

  • Newbie
  • *
  • Posts: 15
Okay, I'm going to hit Esc-Exit and see what happens. Will post back after doing this.

Yes, please be assured I read previous posts and instructions to not delete anything just move it into the chest.


Offline DaSwee

  • Newbie
  • *
  • Posts: 15
After hitting escape it said 3 files infected; I have no idea what the other is, as it only showed the two restore and the Adobe. Computer rebooting now.

Should I check the boot-scan log to see what the 4 files are? Or do an Avast full scan or Malwarebytes scan?

UPDATE: I checked the boot-scan log; the other file infected is C:\hp\bin\ProcessLogger.exe, infected with Win32:PUP-gen, but that along with the two restore point files have been moved to the chest so I'm not concerned about those right now. The last and original file in question, C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi|>Data1.cab|>ADB2.exe|>[UPX], has no action done and no errors. It only says infected with Win32:Malware-gen, scanning aborted.

The file that came up in the regular Avast full scan yesterday infected with Win32:Malware-gen, which did get moved to the chest, is a different file. C:\Program Files\Adobe\Photoshp Album Starter Edition\3.0\Shared_Assets\locales\en_us
Name of the file is ABD2.EXE. This was not downloaded but has been on the computer for 5 years; I can't remember if it came with the system or was part of my full Photoshop photo editing software. So the answer to a previous question is no, this was not downloaded in the past or recently.

I will do a full Avast scan.
« Last Edit: October 15, 2011, 11:06:42 PM by DaSwee »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72616
  • No support PMs thanks
Quicker and easier to check the log, as you found.

Any detections in the c:\system volume information\ folder can be moved to the chest without issue.

The C:\hp\bin\ProcessLogger.exe is a legitimate tool in that location if you have an HP system?
The only issue, as I have said before, is that it is a PUP (Potentially Unwanted Program); PUPs are generally tools that can be used for good or malicious intent, or applications with undesirable features. Not a problem, ignore it. In normal scans looking for PUPs isn't done by default (boot-time scan is an exception) as the tendency is it confuses more than it helps when it comes to tools; the user has to know what is on their system and what it does.

Action probably can't be taken on the ADB2.exe file as it is inside two archive files, the Adobe Photoshop Album 3 SE.msi and then inside the Data1.cab. Trying to extract just the adb2.exe from within the Adobe Photoshop Album 3 SE.msi and Data1.cab is likely to corrupt that main C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi file.
As I have said earlier it is safe to get rid of this file C:\Windows\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\Adobe Photoshop Album 3 SE.msi manually as in that location it is redundant.

The C:\Program Files\Adobe\Photoshp Album Starter Edition\3.0\Shared_Assets\locales\en_us\abd2.exe file I would have analysed:
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it: GData uses avast as one of its two scanners, so that counts as 1 detection and is almost certainly an FP (false positive).
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.


Offline DaSwee

  • Newbie
  • *
  • Posts: 15
I have Avast doing a full scan, should I stop it to go to VirusTotal to check C:\Program Files\Adobe\Photoshp Album Starter Edition\3.0\Shared_Assets\locales\en_us\abd2.exe? I also assume I can't do the other things mentioned while Avast is performing scan. I will await your reply.

Thank you

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72616
  • No support PMs thanks
Leave the scan running; if any of the ones come up that can be dealt with, send them to the chest.

Then take any other actions.

Offline DaSwee

  • Newbie
  • *
  • Posts: 15
Will do, Scan is at about 60%. I will follow through with VirusTotal and setting up "Suspect" file, etc., upon completion.


Offline DaSwee

  • Newbie
  • *
  • Posts: 15
Results from VirusTotal scan of ABD2.exe file.

File already submitted: The file sent has already been analysed by VirusTotal in the past. Here is some basic info regarding the sample itself and its last analysis:
MD5:   fd5e0390cd4b0980c0aa1c6c459f5ab9
Date first seen:   2006-08-12 14:38:33 (UTC)
Date last seen:   2011-07-16 04:28:00 (UTC)
Detection ratio:   0/43

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: ADB2.EXE
Submission date: 2011-10-15 22:37:35 (UTC)
Current status: finished
Result: 0/43 (0.0%)
   
Antivirus    Version    Last Update    Result
AhnLab-V3   2011.10.13.00   2011.10.13   -
AntiVir   7.11.15.252   2011.10.13   -
Antiy-AVL   2.0.3.7   2011.10.13   -
Avast   6.0.1289.0   2011.10.13   -
AVG   10.0.0.1190   2011.10.13   -
BitDefender   7.2   2011.10.13   -
ByteHero   1.0.0.1   2011.09.23   -
CAT-QuickHeal   11.00   2011.10.13   -
ClamAV   0.97.0.0   2011.10.13   -
Commtouch   5.3.2.6   2011.10.13   -
Comodo   10440   2011.10.13   -
DrWeb   5.0.2.03300   2011.10.12   -
Emsisoft   5.1.0.11   2011.10.13   -
eSafe   7.0.17.0   2011.10.11   -
eTrust-Vet   36.1.8617   2011.10.13   -
F-Prot   4.6.5.141   2011.10.13   -
F-Secure   9.0.16440.0   2011.10.13   -
Fortinet   4.3.370.0   2011.10.13   -
GData   22   2011.10.13   -
Ikarus   T3.1.1.107.0   2011.10.13   -
Jiangmin   13.0.900   2011.10.12   -
K7AntiVirus   9.115.5278   2011.10.13   -
Kaspersky   9.0.0.837   2011.10.13   -
McAfee   5.400.0.1158   2011.10.13   -
McAfee-GW-Edition   2010.1D   2011.10.13   -
Microsoft   1.7702   2011.10.13   -
NOD32   6541   2011.10.13   -
Norman   6.07.11   2011.10.13   -
nProtect   2011-10-13.01   2011.10.13   -
Panda   10.0.3.5   2011.10.13   -
PCTools   8.0.0.5   2011.10.13   -
Prevx   3.0   2011.10.16   -
Rising   23.79.03.02   2011.10.13   -
Sophos   4.70.0   2011.10.13   -
SUPERAntiSpyware   4.40.0.1006   2011.10.13   -
Symantec   20111.2.0.82   2011.10.13   -
TheHacker   6.7.0.1.322   2011.10.13   -
TrendMicro   9.500.0.1008   2011.10.13   -
TrendMicro-HouseCall   9.500.0.1008   2011.10.13   -
VBA32   3.12.16.4   2011.10.13   -
VIPRE   10749   2011.10.13   -
ViRobot   2011.10.13.4717   2011.10.13   -
VirusBuster   14.1.11.0   2011.10.13   -
Additional information
MD5   : fd5e0390cd4b0980c0aa1c6c459f5ab9
SHA1  : 53a888612e2d74a8c61f19eafebbc43a4c1ff4af
SHA256: f6465c63e838510fc9538064758e29842c9990a9bb287c64a56216eacd5dcb11

VT Community

    This file has never been reviewed by any VT Community member. Be the first one to comment on it!

VirusTotal Team

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72616
  • No support PMs thanks
When you find that the file has previously been scanned you should always have it scanned again. As in this case the avast signatures were two days old and pre-date your problem.

When the scan is complete, just copy and paste the URL from the address window of the virustotal results, saves all that hassle of copying the whole text across.
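Two of DavidR's points above lend themselves to a small worked example: that a GData hit on top of an avast hit is one independent detection rather than two (GData runs the avast engine as one of its scanners), and that a cached VirusTotal report whose engine signatures predate the day the local detection appeared should not be trusted without a rescan. The Python below is an added example, not code from the thread or from avast or VirusTotal. It parses a report in the text layout DaSwee pasted (engine, version, signature date, result, separated by runs of spaces), applies both rules, and checks that a local file's digests match the MD5/SHA1/SHA256 a VT record lists before the report is taken as being about that file. The sample report is constructed, with two invented detections; the real report in the thread was 0/43.

```python
import hashlib
import re

# Constructed sample in the layout of the VirusTotal text report pasted in
# the thread. "-" in the Result column means no detection. The two
# detections below are invented for the demonstration.
SAMPLE_REPORT = """\
Antivirus    Version    Last Update    Result
AhnLab-V3   2011.10.13.00   2011.10.13   -
Avast   6.0.1289.0   2011.10.13   Win32:Malware-gen
GData   22   2011.10.13   Win32:Malware-gen
Kaspersky   9.0.0.837   2011.10.13   -
Prevx   3.0   2011.10.16   -
"""

# One report row. The third column must look like YYYY.MM.DD, which is what
# keeps the header line ("Antivirus    Version    Last Update ...") from matching.
ROW_RE = re.compile(r"^(\S+)\s{2,}(\S+)\s{2,}(\d{4}\.\d{2}\.\d{2})\s{2,}(\S.*?)\s*$")


def _ymd(text):
    """'2011.10.13' or '2011-10-13' -> (2011, 10, 13); tuples compare by date."""
    return tuple(int(p) for p in re.split(r"[.-]", text))


def parse_report(text):
    """Return (engine, version, signature date tuple, result or None) per row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, blank or any other non-row text
        engine, version, upd, result = m.groups()
        rows.append((engine, version, _ymd(upd), None if result == "-" else result))
    return rows


def effective_detections(rows):
    """Engines that flagged the file, with GData folded into avast when both
    fire: GData runs the avast engine as one of its two scanners, so the pair
    is one independent opinion, not two."""
    hits = {engine for engine, _, _, result in rows if result is not None}
    if "GData" in hits and "Avast" in hits:
        hits.discard("GData")
    return sorted(hits)


def stale_engines(rows, problem_date):
    """Engines whose signatures predate the day the local detection appeared.
    Their cached verdict says nothing about the signature that fired on the
    user's machine, so the file should be submitted for a fresh scan."""
    cutoff = _ymd(problem_date)
    return [engine for engine, _, upd, _ in rows if upd < cutoff]


def file_matches_record(data, md5=None, sha1=None, sha256=None):
    """True when the bytes on disk match every digest the VT record lists,
    i.e. the report being read really describes this file."""
    for name, expected in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
        if expected is not None and hashlib.new(name, data).hexdigest() != expected.lower():
            return False
    return True


def assess(text, problem_date):
    """Summarise a report: engine count, independent detections, stale verdicts."""
    rows = parse_report(text)
    return {
        "engines": len(rows),
        "detections": effective_detections(rows),
        "stale": stale_engines(rows, problem_date),
    }


if __name__ == "__main__":
    # 2011-10-14 is the day the weekly scan in the thread first flagged the file.
    print(assess(SAMPLE_REPORT, "2011-10-14"))
```

On the constructed sample this reports one independent detection (Avast, with GData folded in) and four engines whose signatures predate the detection, which is exactly the situation where DavidR advises clicking "reanalyse" rather than trusting the cached 0/43.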