Load.exe - what is it?

[Guest]

Well, I've been trying some more of the online scanners. Today I tried
Panda's Spyxposer, and it told me I was infected with 1 item of spyware:
C:Windows\Load.exe.

I can see clear enough that a program file 'Load.exe' is sitting there under
C:\Windows. It's not hiding. As far as I can see, it's been there since 20th
October 2005, which is within a few days of when I bought this computer. If I
scan the file directly with AVG/Ewido, it's says it's clean. Kapersky online
scanner also says its clean.

I've scanned my whole system with AdAware, Spybot, Defender, AVG/Ewido,
Kaspersky online and Trend Micro online scanner, and none of them has
recorded Load.exe as a threat. When I had Norton installed, it never
objected to it either.

Can someone help, please? I haven't a clue how to resolve this.

 

[Guest]

I've scanned my whole system with AdAware, Spybot, Defender, AVG/Ewido,
Kaspersky online and Trend Micro online scanner, and none of them has
recorded Load.exe as a threat. When I had Norton installed, it never
objected to it either.

I've just found an entry in the AVG virus encyclopaedia for the 'nimda'
worm, which says that Load.exe is one of the files the worm generates. But,
but - if I've been infected for the last 12 months with a well-known worm,
whose load.exe file is not hidden away but obvious, why has it never been
detected by AVG, Norton, Kaspersky, Trend Micro, Ewido, Defender, AdAware or
Spybot?

I do hope someone can shed some light on this.

 

[Guest]

"Alan D" wrote:

I've just found an entry in the AVG virus encyclopaedia for the 'nimda'
worm

Still struggling to understand all the stuff on this AVG page, but it seems
that if this worm has been active, then I ought to have loads of files of the
type .eml and .nws scattered all over my hard drive; but if I search for
those file types, I find none. On the other hand, I do find things like
mmc.exe and riched20.dll.

Is it possible that I got infected but the thing was never properly
activated for some reason? But that still wouldn't explain why no scanners
have ever found something so obvious.....

Should I download the nimda removal tool and run it? Can I do any harm by
doing that?

 

[Dave M]

Alan;

Hopefully, Panda is testing Load.exe more thoroughly than just looking at
the name on a blacklist... but maybe not, based on the lack of detection by
your other in-place scanners. But, I could send you a copy of anything
and call it load.exe. First look at it's properties and see if you can
tell who originated it, then do this since you can locate the specific
file, send it off to both these web sites and see what a broad spectrum of
scanners reports back to you, it's the only practical way to really tell
that it's not a false positive. If it's real you can expect a number of
alerts back:
http://virusscan.jotti.org/
http://www.virustotal.com/en/indexf.html

 

[Guest]

Alan,

The question becomes how much do you trust Panda?

The arsenal you list:

AdAware,
Spybot,
Defender,
Norton,
AVG/Ewido,
Kaspersky online and Trend Micro online

seems pretty thorough.

If you are having No other Problems I would say just wait.
I rank the "value" of a threat by the "value" of the scanner.

If a "new" scanner (or a trusted scanner with new defs) finds something that
a more trusted scanner does not, I assume a False Alarm and investigate.

It sounds like you've never used Panda before. Why would you trust this
"newbie" (for you that is) over your "good old reliables".

Most of us established members of this group rarely acutally get
Adware/Spyware and Viruses. We use all these products so we can evaluate
them for others or because we are paranoid (I mean that in a good way ? of
course).

Is your machine crashing, are you getting popups, has your homepage changed,
are you getting ANY symptoms of infection? No.

Wait till Panda has a chance to update and try again.
Do Not Delete Anything Yet.

?
Tim
Geek w/o Portfolio
Only the Paranoid Survive
(so be Paranoid about false alarms as well)

 

[Guest]

First look at it's properties and see if you can
tell who originated it

I did that straight away when I found it, and was troubled by the fact that
there was no info about its origin in Properties, except the date of
installation - it has been there for a year.

then send it off to both these web sites and see what a broad spectrum of
scanners reports back to you, it's the only practical way to really tell
that it's not a false positive. If it's real you can expect a number of
alerts back:
http://virusscan.jotti.org/
http://www.virustotal.com/en/indexf.html

I sent it to both those sites, and every single one of more than 20 scanners
reported it virus-free. None of them even hiccupped as far as I can see. I
think that says all I need to know - whatever it is, it's doing no harm.

Dave - many, many thanks for this excellent advice (and not for the first
time either). I didn't know about these multiple-scanner sites, and it had
never occurred to me that a single file could be tested online in this way.

If I could readily buy you a pint or three, I would.

 

[Guest]

The question becomes how much do you trust Panda?
It sounds like you've never used Panda before. Why would you trust this
"newbie" (for you that is) over your "good old reliables".

Tim - thanks for this eminently sane response. If you take a look at my
reply to Dave's post, you'll see that Panda is the only one out of (now) more
than 20 scanners that thinks there's anything there; and it begins to look
(as Dave wondered) as if it merely responded to the name (and perhaps
location) of the file. (That's not good, is it? It's the same kind of stupid
thing as fooling a firewall into letting Gibson's leak test program through
just by renaming it.)

So many thanks for this reassurance and good sense. I still don't know what
this program was for, nor how it got there - but it's obviously doing no
damage, as you say.

 

[Guest]

Panda is tools are among the best out there. However, it *STILL* does not
keep them from the occasional false positive. There is not a single
anti-malware tool that won't.

Prevx just generated, not one but TWO false positives on my two day old H-P
laptop. AVG/ewido, OneCare. Defender, SpywareBlaster, a couple of online
scans, etc. were not the least bit aroused by these suspect .DLL files.
Nevertheless, I submitted the two suspect files to VirusTotal to put my worst
fears to rest. Their submission was greeted by a huge round of yawns by all
engines, but you can never be too careful.

Please keep in mind that I am about as (rationally) paranoid as they come!
Always glad to see others practicing "safe hex".

 

[Guest]

Ahh,

That "rationally" is what's gonna get you someday!

&

"safe hex", I like that.

?
Tim

 

[Guest]

Rationalaity is strictly in the eye of the beholder.

For example, I drive a Subaru SVX all-wheel-drive as my winter "beater".

My summer "beater" is a Corvette with extra FAT tires. The 'vette gets 10%
better gas mileage (30mpg at 65MPH) than does my Subaru (27mpg at 65mph). My
kids can't drive a stick and my wife prefers mini-vans. It also retains its
value.

To me, my choices are completely rational. To others, it may appear to be
more of a rationalization. Go figure. ;-)

I do a "safe hex" rant on my Internet Security page, along with much other
irreverent banter. I'd like to think that I inveted the term, but I am
certain that someone more clever than I had beat me to the punch. I do
beleive that I first wordsmithed the term "Malware Transmitted Disease". It
is truly unfortunate that it is far easier to contract an MTD than and STD no
matter how risky your lifestyle.

 

[Guest]

I still don't know what
this program was for, nor how it got there

Still following this up with Google (I'd like to get to the bottom of it) I
find that 'C:\Windows\load.exe' is ubiquitously identified with the nimda
worm. I can't find any reference to anything called Load.exe that isn't so
related, and yet the file itself is clearly not recognised as a threat by any
scanners. Also, I've submitted associated files in which this worm stores
itself (admin.dll, riched20.dll, mmc.exe)to the multiple online scanners, and
all are clear. Neither do I have any of the file types .eml and .nws that the
virus generates, nor do I have the characteristic startup line in the
system.ini file (boy am I learning stuff here!!)

It still niggles me what that load.exe file is though. It has a blue icon
that glows with a 3-D letter 'i' - so it's really prominent in program files!

 

[Robin]

maybe you should just give up, look at all the good programs and online
scans you did and nothing was found.
I would go with the majority and consider it a false positive and be done
with it or you can really drive yourself crazy.
robin

 

[Guest]

I would go with the majority and consider it a false positive and be done
with it or you can really drive yourself crazy.

Well, I've been showing an alarming tendency recently to jump onto the table
and call myself a teapot, so I think you're right.
Actually Robin I think I've reached the end of the road anyway, so there's
nowhere else to go. I learned a lot though!

 

[Robin]

"learning is a good thing"

btw this was on my local news last night

http://www.nj.com/newsflash/nationa...al-73/1161227378239340.xml&storylist=national

robin

 

[Guest]

Scott D,
D. Scott Secor
http://SecorConsulting.net/pages/security.html
Tantum paranoid superstes! (ex Latin: Only the paranoid survive!)

Duh!
Your site is the one where I got my motto [though my latin is better ;-)
I had not made the connection between you, Scott D, the poster and D. Scott
Secor of the site. Well paint me pink and call me stupid.
I'm surprised you never called me on the paraphasing of you sites motto.
Well, at least now I give credit where credit is due.

?
Tim
Geek w/o Portfolio
Tantum suspiciosissimi supersunt!