Win32: Malware-Gen

Hello. I was looking at the log of my scheduled scan this morning and to my surprise, Avast found Win32: Malware-Gen. I looked at the log and there was only one file infected. I tried to move it to the chest and repair it, but I got “Error: Access is denied. (5)” So, I scanned with MBAM and it came up with absolutely nothing. Avast’s location of the file says: C:\Program Files\Pando Networks\Media Booster\uninst.exe And the threat is rated as “High”.

How can I remove this?

Don’t rush, especially if this has been on your system for some time (check the file properties).

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below. Or in your case from the original location, so you would need to copy the file from the original location to a temporary one, see below.

  • avast5 - Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect* That will stop the File System Shield scanning any file you put in that folder. Now enter the chest again and Extract the file to the Suspect folder and upload it to VT.

I do weekly scans, so it had to be from this week, not sure when.

And I can’t get it into the chest because of the error stated in my first post.

Edit: I got it into the chest while in safe mode. I’m moving back to normal mode to extract/upload it to the website.

I was able to put it in the chest in safe mode. But malwarebytes does not recognize it. Is it a false positive?

Says it has already been analyzed.

Here’s my link anyhow: http://www.virustotal.com/reanalisis.html?0d05d0c98cd83413a2d042d26f36669db4ea3d67dde4f82253b7cdebc3feefbd-1278872646

I tend to always have it scan it again to ensure we have the latest results, these are the latest results, http://www.virustotal.com/analisis/0d05d0c98cd83413a2d042d26f36669db4ea3d67dde4f82253b7cdebc3feefbd-1278872646, only 3/41.

Only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.

Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

  • In the meantime (if you accept the risk), add it to the exclusions lists:
    File System Shield, Expert Settings, Exclusions, Add and
    avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

I don’t even remember when it got downloaded or what it does, really. I looked it up online and some people say it is spyware, but McAfee Site Advisor says it is a green download. And on the Advisor site it had a link to one of the games I once downloaded. It isn’t a needed program. Can’t I just delete it somehow and be rid of it?

Of course you could just delete it or uninstall the program if as you say you don’t use it, but that really isn’t the best thing to do.

By sending the sample to avast and having the detection corrected, it not only resolves your problem but also helps every other avast user that might be using the same program and improves detection.

Went ahead and sent in the false positive. We’ll see what happens.

Thanks, hopefully it won’t be long for it to be corrected.

Periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Any update on this one? I have the same virus report on the same file as the OP.

Well it wasn’t that long ago that it was submitted, late last night. If you have this file in the chest, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Have you got the latest virus definitions and have you scanned the file again, as that really is the easiest way to tell of its progress, other than avast are usually quite quick to correct any FP once identified.

Thanks DavidR. Yes, it’s in the chest, virus definitions have been updated, and it’s still scanning as infected. I’ll keep an eye on it as you suggest.

No problem.

Would the folks who’ve had this detection be kind enough to post the MD5 hash of uninst.exe? Mine doesn’t appear to match the one VirusTotal analyzed.

Here’s mine: D41D8CD98F00B204E9800998ECF8427E

Then it isn’t the same file, not all detections by the malware-gen signature are going to be the same as the signature is generic, trying to identify multiple variants of a malware type.

You need to upload your file to virustotal and then post the URL in the results window.

I got the same page and results from VirusTotal as above. Looks like avast probably interfered with my md5 hash. That’s kind of cool, actually.

Well the md5 that you gave D41D8CD98F00B204E9800998ECF8427E is actually = to a zero byte file size (see image), so that can’t be used for comparison.

avast didn’t interfere with the md5 hash, but what might have happened is that avast alerted on the movement to a temporary location and actually blocked the upload resulting in a 0 byte file size.

That is why I gave the information in Reply #1 of this topic (see below) on how to create a temp location and exclude it from scans so it doesn’t interfere with the VT upload.
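An added example (not code from this thread or from avast) showing the check a responder would want before posting a hash: compute the MD5 and SHA-256 of the copied sample and flag the case where the copy came out as a zero-byte file, whose MD5 is the D41D8CD98F00B204E9800998ECF8427E value quoted above. The two sample files and the "abc" content are constructed stand-ins, and the vendor MD5 passed to check_sample is whatever the software publisher states for the file; the hash comparison is case-insensitive.

```python
"""Hash a suspect file and detect a blocked (zero-byte) copy before upload.
Added example, not part of the forum thread."""
import hashlib
import os
import tempfile

# MD5 of zero-length input; the value posted in the thread above.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def hash_file(path, chunk_size=65536):
    """Return (size_bytes, md5_hex, sha256_hex) for the file at path."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def check_sample(path, expected_md5=None):
    """Classify a copied sample before it is uploaded or compared.

    'empty'    - zero bytes: the copy was blocked or truncated, the hash is useless
    'match'    - MD5 equals the publisher's stated MD5 (case-insensitive)
    'mismatch' - MD5 differs from the stated one (a different build or file)
    'ok'       - non-empty, no reference hash supplied
    """
    size, md5, _sha256 = hash_file(path)
    if size == 0 or md5 == EMPTY_MD5:
        return "empty"
    if expected_md5 is None:
        return "ok"
    return "match" if md5 == expected_md5.lower() else "mismatch"


def demo():
    """Constructed sample files in a temp dir: one empty, one with content."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "uninst_empty.exe")
        open(empty, "wb").close()  # simulates a copy the shield blocked
        real = os.path.join(tmp, "uninst_real.exe")
        with open(real, "wb") as fh:
            fh.write(b"abc")  # constructed stand-in content, not the real binary
        results = {
            "empty": check_sample(empty),
            "real_no_expected": check_sample(real),
            # MD5("abc") given in upper case to show the comparison is case-insensitive
            "real_vs_abc_md5": check_sample(real, "900150983CD24FB0D6963F7D28E17F72"),
            "real_vs_other": check_sample(real, EMPTY_MD5),
        }
        for name, verdict in results.items():
            size, md5, sha256 = hash_file(empty if name == "empty" else real)
            print(f"{name}: {verdict} (size={size}, md5={md5}, sha256={sha256})")
        return results


if __name__ == "__main__":
    demo()
```

Run check_sample on the file in the temporary (excluded) folder before uploading it: an "empty" verdict means the copy never completed and the hash, and any VirusTotal result for it, says nothing about the original file.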

Hello Guys,
I’m Peter from Pando Networks support here to chime in on some elements of the thread. PMB is an application used to assist with game downloads, video playback and other functions using our P2P network. You can read more about PMB here:

http://www.pandonetworks.com/pando-media-booster-support-faq

The correct MD5 for the latest version of PMB should be:

b2c223c971c44dcbe14da9f08c1f705c

We have verified that the error is with our older version of PMB, and will contact Avast to clear up the false positive. In the meantime you can drag and drop this file over the existing uninst.exe file:

http://cdn.pandonetworks.com/pando/pmb/win/uninst.exe

If you have any problems feel free to contact us at: downloader@pandonetworks.com

Hi Peter,

Thanks for your input and link to the latest uninst.exe, I have downloaded and scanned it and confirm the MD5 and no detection by avast, see image.

Welcome to the avast forums.