A Virus or a legitimate File for Thief Deadly Shadows?

Hello there,

I’ve recently installed Thief Deadly Shadows and when I run the exe avast discovers some malware in my c:\documents and settings\account name\temp folder and the game crashes. I’ve tried all the options available to me, i.e. delete/move to chest/etc., but the malware still returns. I’m not entirely convinced that this is malware and not just a temp file involved in running the game. I’ve tried turning off the on-access scanner briefly and loading the game. The game loads up perfectly, so I alt-tab back to the desktop to turn it on again, but the game does not support alt-tab and crashes once again. I’ve even used the advanced setting for the on-access scanner to tell avast not to scan that particular temp folder but still with no joy. Any help on this matter would be greatly appreciated because I’m at a loss ???

Regards,

Roachman

Sorry, I forgot to mention that the file is called asbp2poa.sys, silly me. :)

To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com.
Please mention in the body of the message why you think it is a false positive, and the password used. Thanks.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left-click the blue ‘a’ icon, click on the provider icon at the left and then Customize. Go to the Advanced tab and click on the Add button…
You can use wildcards like * and ?. But be careful: you shouldn’t ‘exclude’ so many files that you leave your system in danger.
After that, please check it periodically: scan it into the Chest by right-clicking the file. There should still be a copy in the Chest even though you restored it to the original location. When it is no longer detected as infected, you can also remove it from the exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838

Hi there,

Thanks for the reply. I managed to upload the file to Jotti and it is indeed infected with malware. I’ve already tried to use the advanced options in the Standard Shield scanner to tell avast to leave the file alone, but it hasn’t worked. Seeing as the file is not a false positive, does anyone have any suggestions as to how to cure this file?

Thanks

Roachman

I would also try VirusTotal as it has 32 different engines, and if loads of scanners detect it, you didn’t mention anything about that.

A copy and paste or image of the VT/Jotti detections would be nice?

You also didn’t tell us what the malware name or the infected file name and full location was; this helps us with any advice we give, e.g. (malware name, C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right-click the avast icon), Warning section; this contains information on all avast detections.

We can’t realistically give advice on what to do as I don’t think we have enough information.

Hi DavidR,

The filename and location are in my first two posts however:

filename: asbp2poa.sys
location: C:\Documents and Settings\account name\local settings\temp\asbp2poa.sys
error message: Sign of Win32:Trojan-Gen (Other) has been found in… see above line
The avast log viewer doesn’t give me much info at all.

Here are my results from Virus Total and Jotti.

Virus Total

AhnLab-V3 2007.4.19.1 04.19.2007 no virus found
AntiVir 7.3.1.53 04.19.2007 no virus found
Authentium 4.93.8 04.18.2007 is a security risk or a “backdoor” program
Avast 4.7.981.0 04.19.2007 Win32:Trojan-gen. {Other}
AVG 7.5.0.464 04.19.2007 no virus found
BitDefender 7.2 04.19.2007 no virus found
CAT-QuickHeal 9.00 04.19.2007 no virus found
ClamAV devel-20070416 04.19.2007 no virus found
DrWeb 4.33 04.19.2007 no virus found
eSafe 7.0.15.0 04.19.2007 no virus found
eTrust-Vet 30.7.3579 04.19.2007 no virus found
Ewido 4.0 04.19.2007 no virus found
FileAdvisor 1 04.19.2007 no virus found
Fortinet 2.85.0.0 04.19.2007 PossibleThreat!03178
F-Prot 4.3.2.48 04.18.2007 W32/Malware!1df3
F-Secure 6.70.13030.0 04.19.2007 no virus found
Ikarus T3.1.1.5 04.19.2007 no virus found
Kaspersky 4.0.2.24 04.19.2007 no virus found
McAfee 5013 04.19.2007 no virus found
Microsoft 1.2405 04.19.2007 no virus found
NOD32v2 2205 04.19.2007 no virus found
Norman 5.80.02 04.19.2007 no virus found
Panda 9.0.0.4 04.19.2007 no virus found
Prevx1 V2 04.20.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.19.2007 Backdoor.Genlot.DX
Symantec 10 04.19.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.19.2007 no virus found
VirusBuster 4.3.7:9 04.19.2007 no virus found
Webwasher-Gateway 6.0.1 04.19.2007 no virus found

And now Jotti

AntiVir Found nothing
ArcaVir Found Trojan.NtRootkit.Mrkr
Avast Found Win32:Trojan-gen. {Other}
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found security risk or a “backdoor” program
F-Secure Anti-Virus Found nothing
Fortinet Found PossibleThreat!03178
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found RootKit.Agent.ma
VirusBuster Found nothing
VBA32 Found nothing

I’ve fully scanned my PC with Avast (with the latest additions), AVG Anti-Spyware, Spybot, Ad-Aware Professional and AVG Anti-Rootkit; however, no sign of this infection(s). It’s odd because one minute Avast knows exactly where it is, the next it doesn’t.

Please continue your help,

Roachman

Although there are only a limited number detecting this, I would still consider that enough to be very suspicious. Strange that F-Prot detects it as two different malware names.

If you added the file to the exclusions then it won’t be scanned, so won’t be detected.

To me it seems strange that this file would be placed in the Temp folder, which can obviously be deleted; I would have thought a legit file would be located in the game’s program folder. It may be that this file is downloaded when the game runs.

A Google search for this file name returns several hits: http://www.google.com/search?q=asbp2poa.sys.

This is one hit, http://forums.mcafeehelp.com/viewtopic.php?t=91684: different game, same file and location.

Is there a support forum for the game? If so, a search for this file name might reveal something, as I wouldn’t expect you are the first to experience this. It may give some information on what its purpose is.
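The point DavidR makes about reading the multi-engine results (a handful of detections out of thirty-odd engines is still enough to be suspicious, and a generic "-gen" or "PossibleThreat" label is weaker evidence than a named family) can be turned into a small triage script. The example below is added here and is not code from the thread, from avast, or from VirusTotal or Jotti. It parses the two list formats as they were pasted above (engine, version, date, result for VirusTotal; "engine Found result" for Jotti), using a subset of the posted lines as constructed sample input; the regular expressions, the list of "generic" name markers and the triage rule are this example's own assumptions, not anything the services publish.

```python
"""Triage pasted multi-engine scan results (VirusTotal / Jotti style).

Added example; the parsing rules, GENERIC_MARKERS and the verdict
thresholds are assumptions of this example, not the services' own.
"""
import re

# Constructed sample: ten of the VirusTotal lines from the thread.
VT_SAMPLE = """\
AhnLab-V3 2007.4.19.1 04.19.2007 no virus found
Authentium 4.93.8 04.18.2007 is a security risk or a "backdoor" program
Avast 4.7.981.0 04.19.2007 Win32:Trojan-gen. {Other}
AVG 7.5.0.464 04.19.2007 no virus found
BitDefender 7.2 04.19.2007 no virus found
Fortinet 2.85.0.0 04.19.2007 PossibleThreat!03178
F-Prot 4.3.2.48 04.18.2007 W32/Malware!1df3
Kaspersky 4.0.2.24 04.19.2007 no virus found
Sunbelt 2.2.907.0 04.19.2007 Backdoor.Genlot.DX
Symantec 10 04.19.2007 no virus found
"""

# Constructed sample: eight of the Jotti lines from the thread.
JOTTI_SAMPLE = """\
AntiVir Found nothing
ArcaVir Found Trojan.NtRootkit.Mrkr
Avast Found Win32:Trojan-gen. {Other}
AVG Antivirus Found nothing
F-Prot Antivirus Found security risk or a "backdoor" program
Fortinet Found PossibleThreat!03178
Norman Virus Control Found nothing
Rising Antivirus Found RootKit.Agent.ma
"""

# VirusTotal paste: engine (no spaces), version, dd.mm.yyyy date, then the result.
VT_LINE = re.compile(r"^(?P<engine>\S+)\s+\S+\s+\d{2}\.\d{2}\.\d{4}\s+(?P<result>.*)$")
# Jotti paste: engine name (may contain spaces), the word "Found", then the result.
JOTTI_LINE = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<result>.*)$")

# Result strings that mean "this engine saw nothing".
CLEAN_RESULTS = {"no virus found", "nothing", "clean"}
# Substrings that mark a heuristic/generic label rather than a named family
# (this example's own list; extend it for other vendors' naming schemes).
GENERIC_MARKERS = ("-gen", "generic", "possiblethreat", "malware!",
                   "security risk", "suspicious")


def parse_results(text, pattern):
    """Map engine -> result string; lines that do not match the pattern are skipped."""
    results = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            results[m["engine"]] = m["result"].strip()
    return results


def detections(results):
    """Keep only the engines that reported something other than 'clean'."""
    return {e: r for e, r in results.items() if r.lower() not in CLEAN_RESULTS}


def is_generic(label):
    """True when a detection name is heuristic/generic rather than a named family."""
    return any(marker in label.lower() for marker in GENERIC_MARKERS)


def summarize(results, source):
    """Tally detections and apply a simple triage rule (this example's own):
    a named family from any engine -> 'likely malicious'; only generic hits ->
    'suspicious (heuristic-only)'; nothing -> 'undetected'. A low detection
    count is not evidence of a clean file; engines lag each other."""
    hits = detections(results)
    specific = {e: r for e, r in hits.items() if not is_generic(r)}
    if not hits:
        verdict = "undetected"
    elif specific:
        verdict = "likely malicious"
    else:
        verdict = "suspicious (heuristic-only)"
    return {
        "source": source,
        "engines": len(results),
        "detected": len(hits),
        "ratio": f"{len(hits)}/{len(results)}",
        "generic": sorted(e for e in hits if e not in specific),
        "specific": specific,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for source, pattern, text in (("VirusTotal", VT_LINE, VT_SAMPLE),
                                  ("Jotti", JOTTI_LINE, JOTTI_SAMPLE)):
        s = summarize(parse_results(text, pattern), source)
        print(f"{s['source']}: {s['ratio']} engines flagged it -> {s['verdict']}")
        for engine, label in s["specific"].items():
            print(f"  named family from {engine}: {label}")
        print(f"  generic/heuristic only: {', '.join(s['generic']) or 'none'}")
```

On the sample above both services end up at "likely malicious": the generic Avast, Fortinet and F-Prot labels alone would only rate "suspicious", but Sunbelt's Backdoor.Genlot.DX and the two rootkit names on Jotti are named families. The useful habit the script encodes is to look at which engines fired and how specific their names are, not only at the raw count, and in either case to send the sample to the vendor as the earlier reply asks.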