3

I installed the popular software 'Synthesia' from its official website. It is a program for piano transcriptions. It has always been safe.

I decided to uninstall it and as soon as I uninstalled it, a virus came up. I mean, I tried to uninstall it from the Panel Control > Programs [list] > Uninstall a Program.

The uninstall.exe stopped and a warning from Avast came up saying that the .exe has been stopped and the virus [Trojan] moved to the chest [Avast virus chest].

I checked it out and it is quite strange because the name is au_.exe found in the Temp Folder -- C:/Users/MyUserName/AppData/Local/Temp/~nsu.tmp

As Avast has reported the virus is a FileRepMalware

I decided to scan the computer but nothing has been labelled as infected.

Anyway, the software is still there, not uninstalled. How can I remove it if the uninstaller is infected?

p.s - as far as I know, au_.exe is a virus. au.exe is not a virus, at all. Anyway I got the first one so it is a virus and not a false positive of course!

Jason Aller
  • 2,360
Francis
  • 121

1 Answers1

4

Au_.exe is indeed a false positive. It's a scripting engine packed inside of AutoIt executables. I've seen many applications nowadays use AutoIt during installation or uninstallation. Because of it's rampant use inside of adware installers and the like, it's detected by some AVs however it is definitely a false positive.

The AV has no way of knowing if the script that Au_.exe is running is legitimate or means harm, so they just tag it all. I assure you that if you downloaded the AutoIt scripting suite and compiled an application into .exe format, then ran it, you would see Au_.exe running in your task manager while your script is running. (I guess compiled isn't exactly a good word as there's no compilation going on, it's just packing your script into a SFX file that autostarts the script engine with the script as the argument..

Toxus
  • 41