Cannot locate software decompression bomb

Posted on 2011-04-27
Last Modified: 2012-06-27
I ran an Avast BART PE utility and the final report listed a decompression bomb at the address below

C:\WINDOWS\Installer\270be3.msi\01AdminExecuteSequence\7 9 : @ ¬ À Á e=>   e=

As you can see, the last line in the address is garbled text. Also, the address was not found when I tried to manually locate the file. After the scan there was no virus activity. The listing may be false but I wanted to run this question just in case I can locate it. A search on any file name similar to the garbled text had no returns. Any suggestions?
Question by:Tech_20
    LVL 29

    Expert Comment

    by:Sudeep Sharma
    It's under the file "C:\WINDOWS\Installer\270be3.msi", which is a compressed format in itself. Hence you are unable to search for it as well.

    Just like all AV solutions, Avast did the decompression to scan the files and reported that one of the compressed files is a "decompression bomb".

    I would suggest you scan with some other AV as well, and if the same thing or something similar is reported, then remove "C:\WINDOWS\Installer\270be3.msi".

    I hope that helps.

    LVL 60

    Expert Comment

    Some bootable AV for scanning, to ascertain as well.

    I am thinking that from command-line browsing you should be able to see the 270be3.msi.
    Alternatively, a LiveCD type of file explorer should be able to see it - I am assuming your machine is not infected with a rootkit.

    With the sample, it can then be submitted for more checks such as VirusTotal, ThreatExpert etc.
    But probably the key attention is how it even came onto the machine - the root source ...
    LVL 38

    Accepted Solution

    The expression "decompression bomb" is a bit misleading and can be ambiguous.  The term refers to contents that are compressed into a package, then that package is recompressed into another, and so on.  It doesn't necessarily indicate that there is any infection in the packaged files, but most antivirus applications have a user setting to report or not report "decompression bombs" in much the same way as they have a setting to report password protected files that cannot be fully scanned.  It is really just a warning to indicate that the file could not be scanned because the application could not dig through to all the files inside the package, or that all the levels of unpacking could swamp and overwhelm the system or antivirus package.

    An *.MSI package IS a compressed package comprising, in some cases, thousands of files that would extract out to some very deep folder hierarchies. Windows installer routines place a copy of the setup package in the C:\Windows\Installer folder for re-use, for example a repair or maintenance install of the application concerned.  You can delete them without harming the system, but that can affect the ability to later add or remove components or uninstall the application.

    You can Right-Click on an MSI file and choose Properties to get details of what application the package pertains to.

    The file name is random, so it's not as though you can just google "270be3.msi" and get an idea what installed it there.  If, however, you searched the registry using REGEDIT, the name of that *.MSI file should be found against the key(s) that store the "Uninstall" instructions used by the Control Panel > Add/Remove Programs.  Other clues as to its origin may also be found in the MRU (recently accessed) keys.

    Open REGEDIT (or use a registry file viewer on a copy of the registry hive files from that computer if preserving it) and search for "270be3.msi".  If it appears in a sub-key of:


    or (under user profile GUID):


    then the software is installed and you should see the relevant details indicated.
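The accepted answer describes a "decompression bomb" as a package compressed inside a package, and so on, which the scanner refuses to dig all the way through because unpacking it could swamp the system. The following is an added example (not code from the question, the answer, or Avast) showing how a scanner can apply that judgement safely: it reads the sizes declared in a ZIP's central directory before inflating anything, refuses members whose declared ratio is too high, stops when a nesting depth limit is hit, and caps the total bytes it is willing to inflate. The limits (`MAX_DEPTH`, `MAX_RATIO`, `MAX_TOTAL_BYTES`) and the sample archives built by `build_sample_bomb` and `build_benign_archive` are constructed for this example; ZIP is used in place of MSI because it is the nested-container case the answer describes and the standard library can build one in memory.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Policy limits: assumed values for this example, not any vendor's real thresholds.
MAX_DEPTH = 3                         # archives nested deeper than this are not unpacked
MAX_RATIO = 100.0                     # declared_size / compressed_size above this is suspicious
MAX_TOTAL_BYTES = 64 * 1024 * 1024    # hard cap on bytes inflated across the whole scan

ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class ScanResult:
    max_depth: int = 0            # deepest nesting level reached (including the level we refused)
    inflated_bytes: int = 0       # bytes actually decompressed during the scan
    warnings: list = field(default_factory=list)

    @property
    def is_bomb(self) -> bool:
        return bool(self.warnings)


def _read_bounded(zf, info, result, member):
    """Inflate one member chunk by chunk, abandoning it as soon as the global cap is hit.
    The declared sizes in the central directory can lie, so the cap is enforced on real bytes."""
    chunks = []
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            result.inflated_bytes += len(chunk)
            if result.inflated_bytes > MAX_TOTAL_BYTES:
                result.warnings.append(
                    f"{member}: total inflated bytes exceed {MAX_TOTAL_BYTES}; scan stopped")
                return None
            chunks.append(chunk)
    return b"".join(chunks)


def scan_archive(data, depth=1, result=None, path="<root>"):
    """Walk a ZIP (and ZIPs nested inside it) without ever inflating a suspicious member."""
    if result is None:
        result = ScanResult()
    result.max_depth = max(result.max_depth, depth)
    if depth > MAX_DEPTH:
        result.warnings.append(f"{path}: nesting depth {depth} exceeds {MAX_DEPTH}; not unpacked")
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            # Check the declared ratio first: this costs nothing and needs no decompression.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                result.warnings.append(
                    f"{member}: declared ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1; not inflated")
                continue
            payload = _read_bounded(zf, info, result, member)
            if payload is None:
                return result
            if payload.startswith(ZIP_MAGIC):          # a package inside the package: recurse
                scan_archive(payload, depth + 1, result, member)
    return result


def _zip_bytes(name, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_sample_bomb(levels):
    """Constructed sample: 4 MiB of zeros (deflates to a few KiB) wrapped `levels` times."""
    archive = _zip_bytes("payload.bin", b"\x00" * (4 * 1024 * 1024))
    for level in range(1, levels):
        archive = _zip_bytes(f"level{level}.zip", archive)
    return archive


def build_benign_archive():
    """Constructed sample: 1 KiB of poorly compressible bytes, ratio well under the limit."""
    return _zip_bytes("readme.txt", bytes(range(256)) * 4)


if __name__ == "__main__":
    for label, blob in (("1 level", build_sample_bomb(1)),
                        ("4 levels", build_sample_bomb(4)),
                        ("benign", build_benign_archive())):
        r = scan_archive(blob)
        print(f"{label}: bomb={r.is_bomb} depth={r.max_depth} inflated={r.inflated_bytes}")
        for w in r.warnings:
            print("  ", w)
```

The single-level sample is caught by the ratio check alone and nothing inside it is ever inflated; the four-level sample hides the same payload below the depth limit, so the scanner unpacks three small wrapper archives and then refuses to go further, which is exactly the "could not dig through to all the files" warning the answer describes. Either outcome is a reason to inspect the file's origin, not proof that it is malicious.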
    LVL 60

    Expert Comment

    We may also want to make sure that it has its true file extension (that it is what it claims to be, an MSI).


    If interested, we can even decompile the MSI into XML (using 'Dark' from the WiX toolset below) and check out its GUID - this can be used to search the keys as well (they would not be able to "replay" an existing one though, unless overwritten, but that is unlikely). The GUID can also be used for uninstalling, e.g. msiexec.exe /x {GUID STRING} /QN


    ** but we need to be careful to run the artefact in a separate isolated environment (VM image) since it is deemed malicious...
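The comment above suggests confirming that the file really is what its .msi extension claims. An added example (not the commenter's code or any WiX tool) of how to do that from a copy of the file, without executing it: an MSI is an OLE compound file, so the first eight bytes must be the compound-file signature, and the fixed header fields defined in [MS-CFB] (byte-order mark 0xFFFE, major version 3 or 4 with the matching sector shift 9 or 12, mini-sector shift 6) must be consistent. The signature table, the extension map, `check_claimed_type` and the `constructed_msi_header` sample are all constructed for this example; a PE stub renamed to .msi is the mismatch case it reports.

```python
import os
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound file header signature (.msi, .doc, .xls)

# Minimal signature table for this example; first match wins.
SIGNATURES = [
    ("ole-compound", OLE_MAGIC),
    ("zip", b"PK\x03\x04"),
    ("pe", b"MZ"),
    ("pdf", b"%PDF"),
]

# What each extension is expected to contain (assumed map for this example).
EXPECTED_BY_EXTENSION = {
    ".msi": "ole-compound",
    ".msp": "ole-compound",
    ".zip": "zip",
    ".exe": "pe",
    ".dll": "pe",
    ".pdf": "pdf",
}


def identify(header: bytes) -> str:
    """Name the container type from its leading bytes, or 'unknown'."""
    for name, magic in SIGNATURES:
        if header.startswith(magic):
            return name
    return "unknown"


def ole_header_is_sane(header: bytes) -> bool:
    """Check the fixed [MS-CFB] header fields: major version at 26, byte order at 28,
    sector shift at 30, mini-sector shift at 32 (little-endian 16-bit each)."""
    if len(header) < 36 or not header.startswith(OLE_MAGIC):
        return False
    major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHH", header, 26)
    if byte_order != 0xFFFE or mini_shift != 6:
        return False
    return (major, sector_shift) in ((3, 9), (4, 12))


def check_claimed_type(filename: str, header: bytes):
    """Return (verdict, detected_type) for a file name and its first bytes.
    Verdicts: ok, mismatch, corrupt-header, unknown-extension."""
    ext = os.path.splitext(filename)[1].lower()
    actual = identify(header)
    expected = EXPECTED_BY_EXTENSION.get(ext)
    if expected is None:
        return ("unknown-extension", actual)
    if actual != expected:
        return ("mismatch", actual)
    if actual == "ole-compound" and not ole_header_is_sane(header):
        return ("corrupt-header", actual)
    return ("ok", actual)


def check_file(path: str):
    """Same check against a real file on disk: reads only the first 512 bytes."""
    with open(path, "rb") as fh:
        return check_claimed_type(path, fh.read(512))


def constructed_msi_header() -> bytes:
    """Constructed sample: a well-formed version-3 compound-file header, 512-byte sector."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    # minor 0x3E, major 3, byte order 0xFFFE, sector shift 9, mini-sector shift 6 at offsets 24..33
    struct.pack_into("<HHHHH", hdr, 24, 0x003E, 3, 0xFFFE, 9, 6)
    return bytes(hdr)


if __name__ == "__main__":
    print(check_claimed_type("270be3.msi", constructed_msi_header()))     # ('ok', 'ole-compound')
    print(check_claimed_type("270be3.msi", b"MZ\x90\x00" + b"\x00" * 508))  # ('mismatch', 'pe')
```

Reading the header from a copy taken off a live CD keeps the check passive; `check_file` only reads the first 512 bytes and never invokes the installer, which is the point when the file is being treated as a potentially malicious artefact.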

    Author Comment

    @BillDL: Thanks, I'll check the registry.

    Author Closing Comment

    This solution was right on the money! It was simply a package recompressed into another, and so on.  Thanks!
    LVL 38

    Expert Comment

    Thank you Tech_20.
