Overcompressed Files

Antic
edited October 2009 in Bitdefender 2009 products

Hi,


I'm running Windows Vista on my computer and the 2009 edition of BitDefender. I recently had a scan in which I had a file that couldn't be scanned because it is overcompressed. The folder is...


D:\i386\Apps\App001978\vcredist_x86_ENU.exe=](NO_NAME) Overcompressed Not scanned


I did a search on it and it appears to be a Vundo Trojan, I guess. How is it that I can remove this since BitDefender can't? I'd really appreciate the help. Thank you. :)

Comments

  • Hello Corey,


    The state Overcompressed means that the file(s) were compressed in an unusual way and BitDefender failed to correctly extract the files. It doesn't necessarily mean that the archive is corrupted.


    However, this doesn't mean that those files are infected (with Vundo, or something else). Actually, I never heard about any relation between "overcompressed" and an infection of any kind.


    When a file is reported as overcompressed, it means that it just couldn't be scanned, just like the cases when a file is archived with a password.


    Also, files located in <drive>\i386 are usually files belonging to OS installation kits, so they should be clean. If you want to be sure, please find that file (D:\i386\Apps\App001978\vcredist_x86_ENU.exe), put it in a password-protected archive (with the password infected), upload it on a file-sharing server and send me the download link through PM. I will forward it for analysis and send you the result.


    Details:


    http://forum.bitdefender.com/index.php?s=&...post&p=1222


    http://forum.bitdefender.com/index.php?s=&...post&p=1223


    Cris.

  • csalgau ✭✭
    edited May 2009

    Dear user,


    It would be interesting to see where you found the relation between that file and a Vundo infection.


    To be more precise - Overcompressed means that BitDefender skipped scanning within that archive because unpacking it proved to take up too many system resources. The content will be scanned on real time access if needed.


    As Cris stated, the i386 folder contains files from the installation media of your operating system. The Apps folder is a non-standard location on some modified, unofficial Windows installation CDs that contains applications that will be run as needed during installation or from a post install application.


    The file vcredist_x86_ENU.exe corresponds to the Microsoft Visual C++ Runtime library - English redistributable. Same file name is used for multiple editions of the file.


    If you have any doubts, please follow the above instructions so we can check the file.

  • Antic
    edited May 2009

    Well, there are two reasons why I grew suspicious. The first thing is that the overcompressed file in question has never once come up since I bought my computer and installed BitDefender (over 200 days ago). When doing a search with Yahoo with the "D:\i386\Apps\App001978\vcredist_x86_ENU.exe", that's how I came to the conclusion that it might be Vundo.


    I'll most likely take the route Cris outlined.

  • I would be curious about this too. I got the identical message, and that was after installing and running BitDefender for the first time ever. Don't know if it makes any difference but the D drive is my Recovery drive and I don't actively ever save anything to that drive. Also running Vista Premium.

  • csalgau ✭✭

    Please upload the file, as Cris suggested.

  • Has it been determined if this is a virus of some sort or just a false positive? I'm having the same issue.

  • csalgau ✭✭

    As soon as somebody bothers uploading a sample, I'll post an answer to that question.

  • I am having this same problem. How do I access the file in order to upload it? When I attempt to access my D drive to try to locate the file, I get a Recovery Partition Warning and I am unable to go any further. I'd like to figure out how to do this so I can upload a file to you.


    thanks


    craig

  • csalgau ✭✭

    Could somebody try the following:


    Open a Command Prompt (found under Accessories in the Start menu).


    Type the following, followed by pressing the Enter key:


    copy D:\i386\Apps\App001978\vcredist_x86_ENU.exe %userprofile%\desktop\


    You should see a message stating that 1 file was copied successfully.


    Now look on your desktop and you should find that file.


    Please upload the file as shown in the links Cris posted.

  • I have tried using the command prompt to do this multiple times. Every time I do, I get the following message - "The syntax of the command is incorrect."


    Any thoughts? I did this from both c: and d: starting points multiple times, always with the same result.


    The exact name of the uncompressed file in question for me is D:\i386\Apps\App001978\vcredist_x86_ENU.exe=](NO_NAME).


    thx

  • csalgau ✭✭

    Your username probably has spaces in it. I did not account for that.


    Please try:


    copy D:\i386\Apps\App001978\vcredist_x86_ENU.exe "%userprofile%\desktop\"


    (enclosing the last part in quotes)

  • csalgau ✭✭

    After a deep 3 minute analysis, I'm certain the files are clean. Why? Because this is identical to the Visual C++ 2005 redistributable found on microsoft.com, which has already been analyzed in the past. The file is unnecessarily packed four times and this makes BitDefender refuse to scan it on demand. Only the outer two layers are scanned.


    So files are clean.

  • I am having the same problem but with 2 GLB files. Anyone know what they are or should I follow the same steps?

  • Hello Robert1,


    GLB files are Global Module in Basic Program. What exactly they contain and what is their purpose depends on what application uses them.


    Please provide a BitDefender scan log to see exactly what is the situation.


    Cris

  • UM dumb question but how do I do that? :blink:

  • First of all, make a Deep Scan with BitDefender. At the end of the scan, click Show log file. Your browser will open showing the scan log. Find the file that is written in the browser's address bar and upload it to your next post here.


    Cris.

  • I got an overcompressed warning this morning for the first time. Is it something I should keep, or can I delete it?


    Reason Final Status


    C:\Windows\SoftwareDistribution\Download\ded4b331409da6d0253f7acc870fcc2d\Windows6.0-KB969897-x64-EXPRESS.cab=]amd64_ed7e990854364d8c41cbbcc094b6788f_31bf3856ad364e35_6.0.6000.21046_none_846e013c9a802976.manifest


    Thanks for any help.

  • alexcrist
    edited June 2009

    Hello twiller,


    As far as I can find out, that file belongs to a Windows update released yesterday, which is a very good reason why the warning appeared today. :)


    The files kept in C:\Windows\SoftwareDistribution\Download\ are all Windows Update installation kits. Once they are installed, they can be safely removed from your system. And, usually, they are automatically installed after they are downloaded. I say usually, because it depends on your Automatic Update settings. But, by default, they are installed immediately after download, or at the first system shutdown.


    So, to be certain: restart your system, then move that file to another folder. If you don't have problems in the next week or so, you can delete the file.


    Cris.

  • I'm starting to have the same kind of problem. I'm getting this after a scan: D:\hp\apps\APP02109\src\MSWORKS\PSS\J4S89XNT.EXE=](NO_NAME) Over compressed Not scanned


    BitDefender Log File

    Product : BitDefender Antivirus 2009
    Version : BitDefender UIScanner v.12
    Scanning task : Deep System Scan
    Log date : 20/06/2009 11:47:06 PM
    Log path : C:\ProgramData\BitDefender\Desktop\Profiles\Logs\deep_scan\1245566826_1_02.xml

    Scan Paths:
    Path 0000: C:\
    Path 0001: D:\

    Scan Options:
    Scan for viruses : Yes
    Scan for adware : Yes
    Scan for spyware : Yes
    Scan for applications : Yes
    Scan for dialers : Yes
    Scan for rootkits : Yes

    Target Selection Options:
    Scan registry keys : Yes
    Scan cookies : Yes
    Scan boot sectors : Yes
    Scan memory processes : Yes
    Scan archives : Yes
    Scan runtime packers : Yes
    Scan emails : Yes
    Scan all files : Yes
    Heuristic Scan : Yes
    Scanned extensions :
    Excluded extensions :

    Target Processing:
    Default action for infected objects : Disinfect
    Default action for suspicious objects : None
    Default action for hidden objects : None
    Default action for encrypted infected objects : None
    Default action for encrypted suspicious objects : None
    Default action for password-protected objects : Log as not scanned

    Scan engines summary
    Number of virus signatures : 3439691
    Archive plugins : 45
    Email plugins : 6
    Scan plugins : 13
    System plugins : 5
    Unpack plugins : 7

    Overall scan summary
    Scanned items : 331175
    Infected items : 0
    Suspicious items : 0
    Resolved items : 0
    Unresolved items : 1
    Password-protected items : 0
    Overcompressed items : 1
    Individual viruses found : 0
    Scanned directories : 23372
    Scanned boot sectors : 0
    Scanned archives : 4763
    Input-output errors : 0
    Scan time : 01:21:56
    Files per second : 67

    Scanned processes summary
    Scanned : 62
    Infected : 0

    Scanned registry keys summary
    Scanned : 1225
    Infected : 0

    Scanned cookies summary
    Scanned : 0
    Infected : 0

    Objects that were not scanned:
    Object Name Reason Final Status
    D:\hp\apps\APP02109\src\MSWORKS\PSS\J4S89XNT.EXE=](NO_NAME) Over compressed Not scanned

  • As stated MANY times before in this topic, this doesn't represent any kind of problem/issue/alert/whatever! It's just a normal log entry, just like the password-protected items. Those items do NOT represent any kind of threat to your system.


    And, since all the above reports were about files which belonged to official installers from Windows or HP, these files are 99.99% clean. So please post here ONLY in case you have suspicious files, not official files. Thank you.


    Cris.

  • Jack_B
    edited October 2009

    Cris:


    I am having a similar problem except my file is at C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP275\A0043822.EXE=](NO_NAME) and Windows will not allow me to access the System Volume Information folder. How can I determine if this file is a threat? How and should I delete it?


    Thanks,


    CrackerJack

  • I suspect that the virus may be

  • Hello Cris


    I already read the said topic, but I thought that there may be some different details of Overcompressed Items in 2009 and 2010 products, but as you said that information is same so I edit my queries.


    1) I've come to know that the message ("overcompressed") is received when the size of the extracted files from an archive is larger than 30*(the_size_of_the_archive), so that's why I asked the 2nd question. Is this information true?


    2) 3) Is there any relation between "Overcompressed Items" and the option in the Bitdefender Real-Time Protection Setting "Don't Scan archive deeper than -----"?


    3) And as you said above "this doesn't represent any kind of problem/issue/alert/whatever!...........Those items do NOT represent any kind of threat to your system." , so is it possible that these items added to some trusted zone like skipped items even though temporarily, to increase the scanning speed and thus reduce scan time.?


    Detailed reply is requested.

  • 1) I've come to know that the message ("overcompressed") is received when the size of the extracted files from an archive is larger than 30*(the_size_of_the_archive), so that's why I asked the 2nd question. Is this information true?


    Yes, it's true.


    2) 3) Is there any relation between "Overcompressed Items" and the option in the Bitdefender Real-Time Protection Setting "Don't Scan archive deeper than -----"?


    No. Those options affect only the Realtime scanner.


    3) And as you said above "this doesn't represent any kind of problem/issue/alert/whatever!...........Those items do NOT represent any kind of threat to your system." , so is it possible that these items added to some trusted zone like skipped items even though temporarily, to increase the scanning speed and thus reduce scan time.?


    Yes, if you know and trust those files (and you are sure they are clean), you can add these items to exclusions (BitDefender Security Center (Expert Mode) -> Antivirus -> Exclusions). After that, they won't be scanned again.


    Adding them to exclusions should be a fairly safe operation. Since BitDefender failed to extract the files, I kinda doubt that there is a malware that will try that hard to decompress those files, infect them and re-compress them. So if they were clean at the beginning, they should remain clean.


    Cris.
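
The two limits mentioned in this thread (an expansion ratio above 30 times the archive size, and only the outer two layers being unpacked) can be checked from an archive's own headers before anything is fully extracted. The following is an added example, not BitDefender's code and not part of any post; ZIP stands in for the installer and CAB formats discussed here, and `triage`, `make_zip`, `MAX_DEPTH` and the sample data are hypothetical names and constructed inputs.

```python
import io
import zipfile

RATIO_LIMIT = 30  # threshold quoted in the thread: extracted size > 30 * archive size
MAX_DEPTH = 2     # assumption: mirrors "only the outer two layers are scanned"


def make_zip(name, payload, method=zipfile.ZIP_DEFLATED):
    """Build a one-member ZIP in memory (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def triage(data, depth=1):
    """Return (verdict, depth, ratio) for a ZIP held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        # Sizes come from the archive's own headers, so nothing is unpacked yet.
        declared = sum(m.file_size for m in members)
        ratio = declared / max(len(data), 1)
        if ratio > RATIO_LIMIT:
            return "overcompressed", depth, round(ratio)
        for m in members:
            inner = zf.read(m)  # bounded: the declared total already passed the ratio check
            if zipfile.is_zipfile(io.BytesIO(inner)):
                if depth >= MAX_DEPTH:
                    # A further archive layer exists but will not be opened.
                    return "too_deep", depth + 1, round(ratio)
                verdict = triage(inner, depth + 1)
                if verdict[0] != "scannable":
                    return verdict
    return "scannable", depth, round(ratio)


# Constructed samples, not files from the thread.
REPETITIVE_LOG = make_zip("cbs.log", b"2010-08-03 Info CBS session ok\n" * 20000)
SMALL_INSTALLER = make_zip("setup.bin", bytes(range(256)), zipfile.ZIP_STORED)
FOUR_LAYERS = SMALL_INSTALLER
for layer in range(3):
    FOUR_LAYERS = make_zip(f"layer{layer}.zip", FOUR_LAYERS, zipfile.ZIP_STORED)

if __name__ == "__main__":
    for label, blob in [("repetitive log", REPETITIVE_LOG),
                        ("small installer", SMALL_INSTALLER),
                        ("packed four times", FOUR_LAYERS)]:
        print(label, triage(blob))
```

Either non-scannable verdict means only that the content was not inspected, which is how the replies above describe the "Overcompressed" status.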

  • My "deep" scan kicked back the following over-compressed files (among various password-protected archives that I know are fine) last night. They appear to be in a system folder but they've never shown up before, which is why I am concerned. Previous posts seem to instruct to ignore official-looking files, but since most viruses attempt to infect those specifically that seems unwise, unless I misinterpreted? Anyway, if anyone can tell me if these are safe I would be grateful:


    C:\Windows\Logs\CBS\CbsPersist_20100803200653.cab


    C:\Windows\Logs\CBS\CbsPersist_20100805164329.cab


    C:\Windows\Logs\CBS\CbsPersist_20100807085430.cab


    Also, I take issue with the fact that BitDefender is telling me that they "can be scanned later" but not saying how (the "more help" doesn't even mention over-compressed files). I certainly don't want to skip them in future until I know more - right now I want to know why they've started to show up on my virus scan. I would also like to know why a supposedly "deep" scan refuses to scan them even though it had literally all night to do it. I'd just run it again with different settings but I can't find any settings regarding over-compressed files.


    -Z

  • Hello Zadok13,


    Those files are clean. They are packed backups of the CBS.LOG file (which is stored in the same folder). Periodically, a new CBS.LOG file is created, and at that moment the old one is moved into a "persistent" log (it's compressed using Microsoft's CAB and won't be modified anymore).


    This log is used by internal system tools, such as System File Protection (SFC) or TrustedInstaller (during Windows Update installations).


    Judging by the filenames you posted, they were created on 3, 5 and 7 of August, so only a few days ago (the first 8 digits represent the persistent log creation date). This might explain why these files didn't appear in any previous scans.


    Why do they appear in the scan? The logs are text files. Depending on their size and compression rate and method, the resulting archive can become very hard to extract. The result is that BitDefender omits to fully extract them, as it was already explained in the previous posts. There are no settings in BitDefender that can be changed so these files are scanned.


    Cris.

  • OK, I'll add them to the exclusion list. Thanks.


    -Z

  • rootkit ✭✭✭

    Hello,


    The official answer was provided here:


    http://forum.bitdefender.com/index.php?sho...ost&p=57028


    Thank you!

This discussion has been closed.