After running a routine scan this morning avast showed two infections:

1. PopWait.exe - Win32:JunkPoly-B (cryp)
2. Killit.exe - Win32:KillApp-W (pup)

Should I be concerned about these and if so how do I remove them from my system?

Thanks in advance for your assistance

1. Do you know what this popwait.exe is for, has it been on your system for long, what is its original location ?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the [b]C:[/b] drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.

2. What is the location for killit.exe, I suspect this is an HP tool ?

When you elect to scan for PUPs expect to find things that are tools that can be used for good or evil. So you really have to know what is installed on your system when you select this option.

1. No i don’t know what the popwait.exe is for, it has not appeared in any other scans since i installed avast

Popwait.exe Location: C:\Program Files\Online Services\PeoplePC\System
Last Modification according to log is April 2004
I’ve tried to restore it to it’s original location, but avast keeps placing it back in the chest. I did extract it to the c:\Suspect successfully however
I will run the Virus total and report findings

2. Killit.exe is located in C:\hp\bin

Thanks

Here are the Virus Total Results

http://www.virustotal.com/file-scan/reanalysis.html?id=b7e30515c975e328a641dca74eda9cfe2cb3d6044165340fe81b64a3f82dce5b-1296069663

Your link to the virus total results doesn’t work, it shows that there was an earlier analysis and is seeking to re-analyse, which obviously I can’t do without the file. When you upload it, if it offer an older analysis, have it re-analyse once complete, copy the URL at the address bar.

1 Restoring the file to its original location would be a mistake as a) that would mean it could be active and b) obviously avast will alert and that is the purpose of the suspect folder and exclusion.

2 Yes this is an HP tool used to kill processes, etc if you were restoring or something like that and is a tool which can be use for good or evil and consequently a PUP (Potentially Unwanted Program). Which is why I would suggest either leaving avasts scans on the default settings (not scanning for PUPs) to avoid this type of alert.

Thanks for your assistance

I reanalyzed the file, here are the results

http://www.virustotal.com/file-scan/report.html?id=b7e30515c975e328a641dca74eda9cfe2cb3d6044165340fe81b64a3f82dce5b-1296072265

OK, based on that set of results there is a possibility the detection is a false positive.

Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit(see ~~~ below), the file will be uploaded during the next update.

• In the meantime (if you accept the risk, though there is no rush if there are no adverse affects from it being in the chest), add the full path to the file to the exclusions lists:
  File System Shield, Expert Settings, Exclusions, Add and
  avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Info to include in the report, a link to this topic, the virustotal results the fact that it is an old file last modified April 2004.

Thanks for your assistance. Will submit sample to avast

You’re welcome.