Hello. I see that there have been multiple posts about this malware, but none in a while. I followed the guidelines mentioned on the sticky. Here are the responses.
How it was detected: AVAST File System Shield (Background). No file was being downloaded, opened, etc.
Location of file:
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
Don't know when it was downloaded or received. It was detected 6/9/12 2:04pm, but AVAST said it was modified 6/9/12 6:59pm. That would have been in the future. **Edit** After I extracted it, the same thing happened. The modification time was at a future date.
What happened: Original message said suspicious file blocked (I think) and moved to virus chest. That is not an exact quote.
Too late to look at last pop-up. AVAST has updated since then.
Virus description: Win32:BogEnt [Susp]
File is in chest; scan in chest still indicates that it has the Win32:BogEnt malware based on AVAST scan.
I scanned the system with Dr. Web, but I'm guessing that it could not detect it because it was moved to the chest.
I found a topic that dealt with extracting the file to a temporary folder. I was able to upload the file to Virustotal, virscan, and metascan. Results:
Virustotal:
Avast: Win32:BogEnt[Susp]
ClamAV: PUA.Win32.Packer.Upolyx-5
GData: Win32:BogEnt
Virscan:
ClamAV: Same as above
No threats found on metascan.
Not sure if this is enough information to help. I can't find much online about BogEnt or PUA.Win32.Packer.
This seems like it could be a legitimate threat. More importantly, what is the risk of deleting the file?
Another issue:
I ran a boot scan after the initial detection. AVAST did not find malware, but did find something else. The entry appeared on the boot scan display (while it was scanning), but not in the scan log. Here is the entry:
C:\Users\poi\AppData\Local\temp\GLBE705.tmp\|>wise0003.bin Error 42145 {Installer archive is corrupted}
I'm sure this is unrelated, but can anyone let me know what this means?
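For anyone triaging a file pulled out of quarantine like the one above, here is a small Python helper, added here as an example and not something from the original post or from Avast. It does the three checks the post circles around: it computes the hashes you would paste into VirusTotal and similar services instead of uploading the file again, it flags a "modified in the future" timestamp and reports how far ahead of the reference clock it is (the post's 2:04pm versus 6:59pm case is 4h55m), and, because one of the detection names refers to a packer, it reads the section table of a PE image and reports packer-style section names such as UPX0/UPX1. The sample PE bytes in `build_fake_pe` are constructed for the demo; nothing here knows anything about the real tmp.edb, and the parser returns None for any input that is not a PE image.

```python
import hashlib
import os
import struct

# Section names commonly written by the UPX packer; a match is a hint,
# not proof, that the image is packed.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def file_hashes(path):
    """MD5/SHA-1/SHA-256 of a file, for lookups on VirusTotal-style services."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def mtime_anomaly(mtime_epoch, now_epoch):
    """Flag a modification time that lies after the reference clock.

    Returns the skew in seconds so a timezone-sized offset stands out.
    """
    skew = int(mtime_epoch - now_epoch)
    return {"future": skew > 0, "skew_seconds": skew}


def pe_section_names(data):
    """Return the section names of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the section table starts after the
    # optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_packed(data):
    names = pe_section_names(data)
    return bool(names) and any(n in PACKER_SECTION_NAMES for n in names)


def build_fake_pe(section_names):
    """Constructed sample: a minimal PE header with the given sections (demo only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections


def triage(path, now_epoch=None):
    """Hashes, timestamp check and packer hint for one extracted file."""
    now_epoch = now_epoch if now_epoch is not None else __import__("time").time()
    with open(path, "rb") as f:
        data = f.read()
    return {
        "hashes": file_hashes(path),
        "mtime": mtime_anomaly(os.stat(path).st_mtime, now_epoch),
        "sections": pe_section_names(data),
        "packed_hint": looks_packed(data),
    }


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, triage(p))
```

Run it as `python triage.py <extracted file>`; search the SHA-256 it prints on the scanning sites before re-uploading. A future-dated mtime with a skew of a few hours usually points at a clock or timezone difference between whatever wrote the file and the machine reading it, which is worth ruling out before reading anything into the timestamp.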