Topic: Win32:BogEnt [Susp] Corrupted Installer

tqhafq (Guest)
Win32:BogEnt [Susp] Corrupted Installer
« on: June 12, 2012, 12:15:06 AM »
Hello. I see that there have been multiple posts about this malware, but none in a while. I followed the guidelines mentioned on the sticky. Here are the responses.

How it was detected: AVAST File System Shield (Background).  No file was being downloaded, opened, etc.

Location of file:
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb

Don't know when downloaded or received.  It was detected 6/9/12 2:04pm, but AVAST said it was
modified 6/9/12 6:59pm.  That would have been in the future.  **Edit** After I extracted, the same thing happened.  Modification was at a future date.

What happened: Original message said suspicious file blocked (I think) and moved to virus chest.  That is not an exact quote.

Too late to look at last pop-up.  AVAST has updated since then.

Virus description: Win32:BogEnt [Susp]

File is in chest; scan in chest still indicates that it has the Win32:BogEnt malware based on AVAST scan.

I scanned the system with Dr. Web, but I'm guessing that it could not detect it because it was moved to the chest.
I found a topic that dealt with extracting the file to a temporary folder. I was able to upload the file to Virustotal,
virscan, and metascan. Results:

Virustotal:

Avast: Win32:BogEnt[Susp]
ClamAV: PUA.Win32.Packer.Upolyx-5
GData: Win32:BogEnt

Virscan:

ClamAV: Same as above

No threats found on metascan.

Not sure if this is enough information to help.  I can't find much online about BogEnt or PUA.Win32.Packer.

This seems like it could be a legitimate threat.  More importantly, what is the risk of deleting the file?

Another issue:

I ran a boot scan after the initial detection.  AVAST did not find malware, but did find something else.  The entry appeared on the boot scan display (while it was scanning), but not in the scan log.  Here is the entry:

C:\Users\poi\AppData\Local\temp\GLBE705.tmp\|>wise0003.bin Error 42145 {Installer archive is corrupted}

I'm sure this is unrelated, but can anyone let me know what this means?



Pondus
Re: Win32:BogEnt [Susp] Corrupted Installer
« Reply #1 on: June 12, 2012, 01:06:56 AM »
Quote
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
I think this has something to do with Windows Update....

Quote
Virustotal:

Avast: Win32:BogEnt[Susp]
ClamAV: PUA.Win32.Packer.Upolyx-5
GData: Win32:BogEnt
Could you post the link to the VirusTotal scan? There is some extra info we want to see.



Quote
C:\Users\poi\AppData\Local\temp\GLBE705.tmp\|>wise0003.bin Error 42145 {Installer archive is corrupted}
Avast is reporting a scan error....and it does not mean infected.
It is also located in a temp folder.....so if you empty it...it should be gone.

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.


« Last Edit: June 12, 2012, 01:10:50 AM by Pondus »

tqhafq (Guest)
Re: Win32:BogEnt [Susp] Corrupted Installer
« Reply #2 on: June 12, 2012, 02:19:20 AM »

Pondus
Re: Win32:BogEnt [Susp] Corrupted Installer
« Reply #3 on: June 12, 2012, 06:09:35 AM »
First seen by VirusTotal
 2012-06-11 20:10:14 UTC ( 7 timer, 57 minutter ago )



Sigcheck
publisher................: Pando Networks
product..................: Pando Media Boster Control Panel
internal name............: PMB
copyright................: Copyright (C) 2008
original name............: PMB.cpl
file version.............: 1, 0, 0, 1
description..............: Pando Media Boster Control Panel



ClamAV PUA Engine
 Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/support/faq/pua.



Right-click the file in the chest and upload it to the avast lab as a possible False Positive (it will then be uploaded at the next auto/manual update).
You may add a link to this topic.





« Last Edit: June 12, 2012, 06:11:42 AM by Pondus »
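The reasoning in this reply (only a few engines flag the file, the names are heuristic or PUA-class, and Sigcheck shows a named publisher) as an added Python triage helper. This is example code written for this thread, not something from the forum or from avast; the Sigcheck text and the three VirusTotal hits are copied from the posts, while the engine total and the classification thresholds are assumptions.

```python
import re
from typing import Dict

# Detection names that express a heuristic or policy verdict rather than a
# named malware family. Assumed marker list, not any vendor's scheme.
HEURISTIC = re.compile(r"susp|pua|packer|generic|heur", re.IGNORECASE)

# Sigcheck output exactly as quoted in this reply (copied from the post).
SIGCHECK_TEXT = """\
publisher................: Pando Networks
product..................: Pando Media Boster Control Panel
internal name............: PMB
copyright................: Copyright (C) 2008
original name............: PMB.cpl
file version.............: 1, 0, 0, 1
description..............: Pando Media Boster Control Panel
"""

# The three engines that flagged the file on VirusTotal (from the thread).
VT_HITS = {
    "Avast": "Win32:BogEnt[Susp]",
    "ClamAV": "PUA.Win32.Packer.Upolyx-5",
    "GData": "Win32:BogEnt",
}
VT_ENGINES = 42  # assumed engine count; the post did not quote it


def parse_sigcheck(text: str) -> Dict[str, str]:
    """Turn Sigcheck's 'key........: value' lines into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]*?)\.*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def triage(hits: Dict[str, str], engines: int, sig: Dict[str, str]) -> str:
    """Classify a detection by engine consensus, verdict type and provenance."""
    if not hits:
        return "clean"
    ratio = len(hits) / engines
    any_heuristic = any(HEURISTIC.search(name) for name in hits.values())
    named_publisher = bool(sig.get("publisher"))
    if ratio >= 0.5:               # broad consensus: trust the detection
        return "likely malicious"
    if len(hits) <= 3 and any_heuristic and named_publisher:
        return "probable false positive"   # low consensus, heuristic names, known publisher
    return "inconclusive"          # keep quarantined and wait for re-analysis
```

For the file in this thread the helper returns "probable false positive", which matches the advice to submit it to the lab and rescan the chest later.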

tqhafq (Guest)
Re: Win32:BogEnt [Susp] Corrupted Installer
« Reply #4 on: June 13, 2012, 05:52:34 AM »
Thanks again.  I'm not sure I follow the Sigcheck.  Regardless, how is this related to PANDO?  Evidently PANDO came installed on my VAIO.  I have never used it to my knowledge.  Quick search revealed that this is some kind of P2P software.  I don't believe I need this software.  There are two processes running that appear to be related to Pando.  PMB.exe is definitely related (desc. says Pando Media Booster).  The other is PMBVolumeWatcher (media check tool).  Do you know anything about this program and these processes?  If I don't play games or stream video that utilize Pando, what good is it to me?  I realize you may not know anything about Pando, so I'm not expecting a whole lot of info on it.

Another web search suggests that the file tmp.edb is related to Windows.  Please see below.

http://answers.microsoft.com/en-us/windows/forum/windows_7-security/suspected-trojandropper-in-tmpedb-file/8fe699fc-aae1-4b26-9bc0-55cb24608fbe

http://answers.microsoft.com/en-us/Search/Search?SearchTerm=C%3A%5CWindows%5CSoftwareDistribution%5CDataStore%5CLogs&CurrentScope.ForumName=Windows&CurrentScope.Filter=windows_7-security&askingquestion=false&page=1&tab=answers

http://answers.microsoft.com/en-us/Search/Search?SearchTerm=C%3A%5CWindows%5CSoftwareDistribution%5CDataStore%5CLogs&CurrentScope.ForumName=Windows&CurrentScope.Filter=windows_7-security&askingquestion=false&page=1&tab=Microsoft

http://answers.microsoft.com/en-us/Search/Search?SearchTerm=C%3A%5CWindows%5CSoftwareDistribution%5CDataStore%5CLogs&CurrentScope.ForumName=Windows&CurrentScope.Filter=windows_7-security&askingquestion=false

Any thoughts?  Do you have any idea if it would be bad to delete the file?  Should it be restored?

I submitted the file to the virus lab shortly after discovering it. 

Pondus
Re: Win32:BogEnt [Susp] Corrupted Installer
« Reply #5 on: June 13, 2012, 07:25:04 AM »
Quote
Any thoughts?  Do you have any idea if it would be bad to delete the file?  Should it be restored?
Right-click the file in the chest and rescan to see if it is still detected; if not, restore it.

tqhafq (Guest)
Re: Win32:BogEnt [Susp] Corrupted Installer
« Reply #6 on: June 13, 2012, 07:23:29 PM »
Same result.  I submitted it as potential malware when I submitted it earlier.  Should I submit it as false positive?  I really would prefer to delete it if at all possible, especially if it is something I don't need.

true indian (Guest)
Re: Win32:BogEnt [Susp] Corrupted Installer
« Reply #7 on: June 15, 2012, 11:30:36 AM »
Quote
Same result.  I submitted it as potential malware when I submitted it earlier.  Should I submit it as false positive?  I really would prefer to delete it if at all possible, especially if it is something I don't need.

Yes, please submit it as a false positive.  :)

ClamAV also removed the detection; see: https://www.virustotal.com/file/c96c6550a4fcb4e3645ac88661ca33d85e9706d1448742b91055bc51caddc325/analysis/1339752532/
« Last Edit: June 15, 2012, 11:35:30 AM by true indian »

tqhafq (Guest)
Re: Win32:BogEnt [Susp] Corrupted Installer
« Reply #8 on: June 18, 2012, 07:52:56 PM »
AVAST still identifies it as suspicious.