Actual virus? False Positive? Bug?

Yesterday, Avast randomly popped up saying it had blocked a threat from “nwn2server.exe” targeting rundll32.exe. I’m assuming it was random because it happened while I was away from the PC. I had gotten up, turned on the PC, watched a few videos and checked some news, and then went downstairs to have breakfast.

I came back about an hour later, greeted with the pop-up. It was the one that said it had blocked the threat and no further action was needed, combined with the pop-up asking for an action (“fix automatically, move to chest, delete, etc.”). The pop-up in the corner (“threat blocked, no further action required”) closed as normal, but the other pop-up kept re-opening after I chose an action. I tried fix automatically, move to chest and delete. None would do anything; the pop-up would come back and the file wouldn’t be moved to the chest or deleted. Both files were in the regular spots though: C:/GOG Games/Neverwinter Nights 2 complete for “nwn2server.exe” and c:/windows/system32 for rundll32.exe.

Stupidly, I just figured it was a false positive, as Avast hardened mode likes to block GOG.com games when I try to uninstall or install them. So I uninstalled the game using the GOG uninstaller and opted to delete everything, even my saved games, as I hadn’t touched it since the summer. That all went fine and all the game files were deleted; HOWEVER, that pop-up still wouldn’t go away. So, like they say, I rebooted my PC.

Everything came back and seemed fine. I ran an Avast Quick scan and then a custom scan of c:/GOG Games and c:/windows/system32. After that I ran a Malwarebytes Threat scan, and then custom scans of both those folders. Everything came up clean, but I still couldn’t shake the feeling something was seriously wrong.

What worries me the most is that I haven’t played Neverwinter 2 since the summer, so the nwn2server.exe file hadn’t been run since then. There’s no reason for it to try and execute. When I left the PC to eat, the only programs open were Steam and Origin, neither of which has anything to do with the game in question. Also, GOG games do not update automatically, as they are mostly older games. Furthermore, Avast wasn’t running a scheduled scan, as those only run on Sundays at around 7 (more like 4 because of the bug). So there is no real reason for that file to have been doing anything at all, which I’m finding TERRIFYING at this moment.

After all that I realized I should’ve saved the file and posted it here along with a screenshot of the pop-up. So I spent the last few hours before work trying to find it in the log files, which I couldn’t. So, feeling defeated, I set Avast to run a boot-time scan of both my drives, scanning in archives, for rootkits and everything it could, rebooted to start the scan and left for work.

When I got back at around midnight (it was 5 when I left) everything seemed okay; I logged in to everything being normal. I checked the log of the boot scan and it said it found nothing in all 640 GB it scanned. I then ran a Malwarebytes threat scan, and then a custom scan of all drives, which took a few hours. Those came up clean. I then ran another Avast quick scan, which came up clean.

I then spent this morning running various scans again to be sure; the pop-up never reappeared and every scan came up clean. I then decided to re-install the game and see if I could get it to pop up again, basically to ease my worry and figure out that it was indeed the culprit, and because I couldn’t remember which malware it said the infection was. Strangely, when I went to install the game, Avast Hardened didn’t try to block the installer. The game installed and then I scanned the file in question, “nwn2server.exe”, and Avast said it was clean, as did Malwarebytes. So I’m at a loss…

My questions are, after all that: Considering nothing has happened in 24 hours or so, am I probably safe? Can someone tell me which log to look in to find that pop-up message/threat blocking?

System: Windows 7 Pro, running Avast Pro and Malwarebytes Pro for about a year. The two have never interfered with each other. i5 2500 3.3 GHz (Sandy Bridge), 8 GB RAM, EVGA GTX 760 2GB. All programs, drivers and Windows are fully updated. I have everything set to update automatically and I always update when Avast tells me something is out of date; also, this PC has NEVER had Java installed on it.

Any and all help is greatly appreciated.

Thanks

Hi Echoes83,

And welcome to the forums.

Since you’ve got your game re-installed, I suggest uploading your nwn2server.exe file to virustotal.com, scanning it with its 52 virus scanners, and then copying/pasting the resulting scan URL in your next reply.

It is always a good way to check whether a file detected by avast! is detected by other virus scanners.
https://www.virustotal.com/

Also:
http://virusscan.jotti.org/en
https://www.metascan-online.com/

Clean, Quarantine, or Delete: http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

Well, like I said in my original post, after the re-install Avast! wasn’t detecting the file as malicious. This obviously left me really confused. I suppose it’s possible it was a false positive that got fixed by one of the day’s updates, but I didn’t see it reported here. Granted, I have no idea how Avast! truly functions, so it’s possible they caught the error themselves; I just don’t know. I really wish I could find the log of that pop-up so I could find out which malware Avast! said was the culprit inside nwn2server.exe, and why it was targeting rundll32.exe.

Like I said, I hadn’t run that game in ages, and made no attempt to that day. I wouldn’t have even thought of that game if Avast! had not popped up. My best guess is that there was a definitions update and the file system shield did a re-scan outside of a scheduled virus scan. At least that’s how I interpret the real-time file system shield working with its caches and whatnot.

I’m not sure if scanning this particular instance of nwn2server.exe proves anything, as the instance of the file (and the installer, for that matter) that caused the threat pop-up is long gone, since, without thinking, I uninstalled the game, and I had deleted the installer ages ago to preserve drive space.

Also, thank you for pointing me to these sites; I wasn’t familiar with them. Though I think ultimately VirusTotal might be bad for my inherent paranoia about such things :P.

Virustotal’s findings:

https://www.virustotal.com/en/file/e2e601be2f0626b42bb01896b35d428cfe66eb2b223fd39ed2fd1a49e4f12e95/analysis/1419011356/

Only this instance of the software was being detected: http://www.herdprotect.com/nwn2server.exe-1fccd54bac22d68d212649fe29212741aacf8b01.aspx
This is a generic detection for malicious files that are hidden, or obfuscated, to protect them from detection and analysis.
In this case, spyware.

polonus
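An added example (not code from this thread or from any of the sites linked above) of how to read a multi-engine report like the VirusTotal one: it separates generic/heuristic detection names from named-family hits and gives a rough verdict. It assumes the VirusTotal v3 JSON layout (`data.attributes.last_analysis_results`, one entry per engine with `category` and `result`); the two sample reports are constructed, not the real report for nwn2server.exe.

```python
import re

# Words that mark a heuristic/packer/obfuscation signature rather than a named family.
GENERIC_MARKERS = re.compile(
    r"\b(gen|generic|heur|heuristic|suspicious|packed|obfuscated|variant)\b", re.I)


def make_report(results):
    """Wrap engine -> (category, name) pairs in the VT v3 report shape (constructed)."""
    return {"data": {"attributes": {"last_analysis_results": {
        eng: {"category": cat, "result": name} for eng, (cat, name) in results.items()}}}}


# Constructed samples: two generic hits out of five engines (the situation in this
# thread), and named-family hits from three of five engines.
GENERIC_ONLY = make_report({
    "EngineA": ("undetected", None),
    "EngineB": ("malicious", "Gen:Variant.Obfuscated"),
    "EngineC": ("undetected", None),
    "EngineD": ("suspicious", "HEUR/Packed.Generic"),
    "EngineE": ("undetected", None),
})
NAMED_FAMILY = make_report({
    "EngineA": ("malicious", "Trojan.Agent.ABC"),
    "EngineB": ("malicious", "Gen:Variant.Obfuscated"),
    "EngineC": ("malicious", "Spyware.Keylogger.XY"),
    "EngineD": ("malicious", "Trojan.Agent.ABC"),
    "EngineE": ("undetected", None),
})


def triage(report):
    """Split detections into generic vs named families and return a rough verdict."""
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = {e: r["result"] for e, r in results.items()
            if r["category"] in ("malicious", "suspicious") and r["result"]}
    generic = {e: n for e, n in hits.items() if GENERIC_MARKERS.search(n)}
    specific = {e: n for e, n in hits.items() if e not in generic}
    total = len(results)
    if not hits:
        verdict = "no detections"
    elif not specific and len(hits) <= max(2, total // 10):
        verdict = "few generic detections: likely false positive, confirm the file hash matches the vendor build"
    elif specific:
        verdict = "named family detections: treat as malicious until proven otherwise"
    else:
        verdict = "many generic detections: investigate further"
    return {"engines": total, "hits": len(hits), "generic": generic,
            "specific": specific, "verdict": verdict}
```

A low hit count made up only of names like "Gen" or "HEUR" is the pattern polonus describes; the same file hashing differently from the vendor's current build is what would turn that into a real concern.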

So it was an older version of the software I had installed then? So do I have anything to worry about? I’m assuming by “generic detection” you mean it may get triggered by many things and it doesn’t necessarily mean anything was wrong with my system?

Though I installed that game in 2014 (around May), and according to information I could find on GOG.com the only thing they updated was to remove the DRM from one of the expansion packs. So I should’ve had the most recent version of that file. But I suppose anything is possible; I just wish I could find out for sure so I could put my mind at ease.

Thanks for the help and information.