Win32: Adware-gen found

Hi, while I was conducting a thorough scan with Avast it told me that it had found Win32:Adware-gen [Adw] in the location C:\Documents and Settings\owner\Local Settings\Application Data\Wildtangent\Cdacache\00\00\1A.dat, I instructed Avast to move it to the chest. I tried looking the name up in various places but couldn’t find detailed info, what can this type of virus do? I scanned it a 2nd time from within the chest and Avast said it was a virus again. I have also uploaded the file from the chest to Jotti, none of the scanners detected a virus but there was additional info which is below:

Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren’t packed and don’t force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

MD5 e53214e532e72f1312f636acc76a54b9

Packers detected:
PE-CRYPT.XORPE, UPX

One of the folders it was in, Wildtangent, is a games add-on that I downloaded with AIM, could this be a false positive? I noticed that Avast won’t give me an option to restore the file, if the file turns out to be a false positive and/or safe is there any way I can put it back in its original location?

The version of Avast I’m using is 4.1.501

I would appreciate any guidance you can give me.

I suggest you update your version of avast, the latest version of avast is 4.6.744 and the VPS is 0603-4 so first ensure you are using the latest version of both.

If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be either a new, undetected virus or false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

Having checked the file at Jotti it did say suspect because of the time and number of packers used (this may well be why avast detected it under an Adware-Gen [Adw] (Adware General Category)), it may be an FP but definitely suspicious, I suggest you send it to avast from the chest with some details and probably a link to this thread.

If it is indeed a false positive, add it to the exclusions lists and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
Also see (Mini Sticky) False Positives
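
As an added illustration (not part of the thread, and not how avast or Jotti work internally), the sketch below shows the kind of generic check behind a "runtime packers were found" note: it reads a PE file's section table and flags UPX section names and high-entropy sections. The sample file is a constructed, non-executable skeleton, the 7.0 bits/byte threshold is an assumed value, and a hit is only a hint, since harmless programs are packed too.

```python
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # names the stock UPX packer writes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0); packed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each entry in a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size                           # after optional header
    for i in range(n_sections):
        entry = table + 40 * i                               # 40-byte section headers
        name = image[entry:entry + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packer_hints(image: bytes, threshold: float = 7.0):
    """Return human-readable hints; threshold is an assumed cut-off, not a standard."""
    hints = []
    for name, raw in pe_sections(image):
        if name in UPX_SECTION_NAMES:
            hints.append(f"{name.decode()}: UPX section name")
        if entropy(raw) > threshold:
            hints.append(f"{name.decode()}: high entropy")
    return hints

def build_sample() -> bytes:
    """Constructed sample: PE headers plus two data-only sections (no code)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)
    def sec(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0, size, ptr) + bytes(16)
    headers = dos + coff + sec(b"UPX0", 256, 512) + sec(b".rsrc", 256, 768)
    return headers.ljust(512, b"\0") + bytes(range(256)) + b"A" * 256

if __name__ == "__main__":
    print(packer_hints(build_sample()))
```
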

Wildtangent is a game vendor that, according to many people, is notorious for installing spyware. Wildtangent denies this but its web site does confirm that it collects anonymous usage information. The full statement is at:

http://support.wildgames.com/wt_nsp.html

Personally I would treat anything from Wildtangent as very suspicious.

The games usually get good reviews and, unfortunately, removing the data collection aspect will probably disable the game as well. So you need to make a choice.

For a second opinion try Spybot S&D. This usually identifies Wildtangent as spyware too.

Hello, I’m very new to computers and I have Avast, sygate, ad-ware. This is a hand me down puter, 98se, received it in april of last yr. Yes, I know, I’m hurrying! I ran avast yesterday and it found this C/windows\HblnstE.dll windows 32adware-gen malware(adw). I moved it to the virus chest. Now what do I do with it there? I have read on the past post, it can stay there for 2 wks, then how do you remove it? Also, read about avast not removing all of some items! I would appreciate any and all help. If you would go slow as I am so new, it is sad! :-[ 60!

Hi 60,

Better to have posted this in a new thread, but here it goes:

Processlibrary.com describes your file as:

hbinst.exe is an advertising program by Hotbar.com - This process monitors your browsing habits and distributes the data back to the author’s servers for analyses. This also prompts advertising popups. This program is a registered security risk and should be removed immediately

You can access the above description by clicking on the following link:

http://www.processlibrary.com/directory/files/hbinst/

Leaving an item in quarantine is a good idea if you’re not 100% certain it’s malware (ie a virus, spyware, adware, etc). This way as your anti-malware programs get updated you can check later to make sure no mistakes were made in identifying the program as suspect (ie a false positive).

Since it is pretty certain that hbinst.exe is spyware I would go ahead and delete it.

That’s true. Consider two things: an antivirus solution is just that - antivirus. Not necessarily antispyware or anti-adware. Also, no program is 100% effective, including avast! That’s why it’s a good idea to have a layered security approach.

You already have 3 good layers with avast! (anti-virus), sygate (firewall), and ad-aware (for adware). For additional protection think about adding the following:

A nonresident antispyware program for second opinions. Bitdefender (free edition only) and CalmWin are both good and both free. Since they are nonresident (meaning they don’t monitor everything; they just scan when you tell them to) they should not cause any conflicts with avast!.

A-aquared is a good trojan detector for Windows 98 and will fill in some gaps.

In addition to Ad-Aware I would also get Spybot Search and Destroy which is more adept at finding spyware. Make sure to download it from http://www.safer-networking.org/ as there are many sound-alike programs that are actually spyware themselves.

After everything is cleaned up you can get SpywareBlaster - this will prevent many bad programs from installing in the first place.

Finally, a process monitor like WinPatrol will alert you to changes made in your registry, start up lists, etc.

You can find all these programs with a google search but post again if you need links.


Welcome to the forums, 60! :)

A quick Google search for “Hbinst” gives these results:

http://search.earthlink.net/search?area=earthlink-ws&q=Hbinst

You should read at least the first 3 of those results to be better informed. In brief, that is the dll for HotBar … known to deliver ads and spyware to your computer.

Since you have it in the Chest, it is safe there and can do no harm. After 2 weeks and you have no problems associated with this, you can simply delete this from the chest.

I would also suggest that you get Spybot-Search & Destroy as it will detect any other parts of HotBar (exe and such) and delete them.

SpyBot-S&D is here: http://www.safer-networking.org/

I hope this helps you! :)

OOPS … mauserme also posted while I was writing. Thanks for the help! :)


… just returning the favor done for me on this forum.

and oops on my part. In my first post “Calmwin” should read “Clamwin” and “A-aquared” should read “A-squared”. If you search for these maybe you can type better than I did.

:-[ Thank you one and all! I have been so afraid to do anything! Was ready to go buy a new puter! I will delete it, as soon as I can. It’s terrible to be so new, but I guess you have to start some place. So, I didn’t start a new thread. Got a lot to learn. 60!

If I use the “Mail To…” option in the chest to send the file to Avast will I need to zip and password protect the file?

Also, as I asked in my first post, why is it that Avast doesn’t give me an option to restore the file and is there any way I could do this if I needed to?

Thanks.