Mystery


Ernie B.

I have a minor mystery....

I did a boot-time scan with Avast free on the 17th. No infected files were
found.

Early this morning I started a complete scan with a-squared and heard the
Avast siren after a few minutes. The file, C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
\a2archive\keygen.exe, was moved to the Virus Chest and the a-squared scan
allowed to complete. It found a few tracking cookies but nothing else.

I do have keygen.exe on my system, scanned it with Avast. No complaints, so I
suppose that the file is clean.

The file was scanned with Avast from the VC with the following result:
==============================================================
Scanning of selected files
------------------------------------------------------------------------------
------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_
\unp231646429.tmp
FileID: 0000000035 Original file name: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
\a2archive\keygen.exe New folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_
\unp231646429.tmp\35.exe

Scan files in the temporary folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4
_\unp231646429.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_\unp231646429.tmp\35.exe
Win32:Keygen-AO [Trj]
------------------------------------------------------------------------------
------------
Action was completed successfully!
================================================================

The same thing happened on 2/25/08 and again just now when I re-ran the a-
squared scan. I also note that the 'Last changed' time for one of the files
in the Avast VC is 3/19/2008 6:31:28 PM, which isn't here yet, and the
'Transfer time' to the VC is 3/19/2008 1:31:46 PM, which is correct. The
other subject file move to the VC early this morning has a similar time
discrepancy.

Where did this infected file come from? Is it an artifact of a-squared?

What causes the time discrepancy noted above?

I don't believe my computer is infected, but it's puzzling; any thoughts would
be appreciated.
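The time discrepancy in this post is never explained in the thread. One thing worth checking before assuming clock trouble is whether the gap between the two Chest timestamps is a whole number of hours plus a few seconds, which is what a UTC value displayed as local time looks like; an arbitrary skew would not land on an hour boundary. The following is an added example (not code from the thread or from Avast) that applies that check to the two values quoted above. The five-minute tolerance and the idea that 'Last changed' might be stored in UTC are my assumptions.

```python
from datetime import datetime, timedelta

# Timestamp layout as it appears in the Avast Virus Chest columns quoted above.
CHEST_FMT = "%m/%d/%Y %I:%M:%S %p"

# Constructed from the two values quoted in the post.
LAST_CHANGED = "3/19/2008 6:31:28 PM"
TRANSFER_TIME = "3/19/2008 1:31:46 PM"


def parse_chest_time(text):
    """Parse a Chest timestamp string into a naive datetime."""
    return datetime.strptime(text, CHEST_FMT)


def utc_shift_hours(later, earlier, tolerance=timedelta(minutes=5)):
    """Return the whole-hour shift between two timestamps if the gap looks
    like a time-zone mix-up (whole hours plus a small residual), else None.

    The residual is the real elapsed time between the two events once the
    hour offset is removed; a genuine clock skew would not be so regular.
    Tolerance is an assumption, not an Avast setting.
    """
    delta = parse_chest_time(later) - parse_chest_time(earlier)
    hours = round(delta.total_seconds() / 3600)
    residual = abs(delta - timedelta(hours=hours))
    if hours != 0 and residual <= tolerance:
        return hours
    return None


def normalise(text, shift_hours):
    """Move a suspected UTC timestamp back onto the local clock."""
    return parse_chest_time(text) - timedelta(hours=shift_hours)


if __name__ == "__main__":
    shift = utc_shift_hours(LAST_CHANGED, TRANSFER_TIME)
    print("whole-hour shift:", shift)
    if shift is not None:
        corrected = normalise(LAST_CHANGED, shift)
        print("corrected 'Last changed':", corrected)
        print("file last written", parse_chest_time(TRANSFER_TIME) - corrected,
              "before it was transferred to the Chest")
```

With the thread's values the gap is 4:59:42, which rounds to a five-hour shift with an 18-second residual; removing the shift puts 'Last changed' 18 seconds before the transfer, which is the order of events one would expect for a file written to Temp and then quarantined.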
 

David H. Lipman

From: "Ernie B." <ebaresch_REMOVE_@cox._THIS_net>

| I have a minor mystery....
|
| I did a boot-time scan with Avast free on the 17th. No infected files were
| found.
|
| Early this morning I started a complete scan with a-squared and heard the
| Avast siren after a few minutes. The file, C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
| \a2archive\keygen.exe, was moved to the Virus Chest and the a-squared scan
| allowed to complete. It found a few tracking cookies but nothing else.
|
| I do have keygen.exe on my system, scanned it with Avast. No complaints, so I
| suppose that the file is clean.
|
| The file was scanned with Avast from the VC with the following result:
| ==============================================================
| Scanning of selected files
| ------------------------------------------------------------------------------
| ------------
| Program will try to scan 1 selected file(s) in the Chest
|
| Move files to temporary folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_
| \unp231646429.tmp
| FileID: 0000000035 Original file name: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
| \a2archive\keygen.exe New folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_
| \unp231646429.tmp\35.exe
|
| Scan files in the temporary folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4
| _\unp231646429.tmp
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_\unp231646429.tmp\35.exe
| Win32:Keygen-AO [Trj]
| ------------------------------------------------------------------------------
| ------------
| Action was completed successfully!
| ================================================================
|
| The same thing happened on 2/25/08 and again just now when I re-ran the a-
| squared scan. I also note that the 'Last changed' time for one of the files
| in the Avast VC is 3/19/2008 6:31:28 PM, which isn't here yet, and the
| 'Transfer time' to the VC is 3/19/2008 1:31:46 PM, which is correct. The
| other subject file move to the VC early this morning has a similar time
| discrepancy.
|
| Where did this infected file come from? Is it an artifact of a-squared?
|
| What causes the time discrepancy noted above?
|
| I don't believe my computer is infected, but it's puzzling; any thoughts would
| be appreciated.

Where did you get A-Squared anti-Trojan?

It looks like you obtained it with a Keygen, which is considered malware.

Delete ALL files from all TEMP folders and clear all IE/Browser caches.

Use the following Multi AV Scanning Tool to re-scan the system.


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 

Ernie B.

| Where did you get A-Squared anti-Trojan?

From the emsisoft page.

| It looks like you obtained it with a Keygen, which is considered malware.

No. I used the keygen program once, for something else, about two years ago.
I moved it to a flash drive for storage although scanning the file with Avast
didn't show any problems. The path C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
\a2archive\... caused me to wonder if it's an a-squared artifact.

| Delete ALL files from all TEMP folders and clear all IE/Browser caches.

Okay.

| Use the following Multi AV Scanning Tool to re-scan the system.

I tried to run the Kaspersky module earlier without success. I'll download a
fresh copy and try again.

| * * * Please report back your results * * *

Probably tomorrow...

Thanks.
 

Ernie B.

| Probably tomorrow...

Results from McAfee scan in normal mode:
==========================================================
Virus Scan Report File
Virus Scan Information

McAfee VirusScan for Win32 v5.20.0
Copyright (c) 1992-2007 McAfee, Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Jun 5 2007

Scan engine v5.2.00 for Win32.
Virus data file v5255 created Mar 19 2008
Scanning for 384817 viruses, trojans and variants.

Virus Scan Results

03/19/2008 18:37:31

Options:
"C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /ALL /MIME /PROGRAM
/EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\From Drive_D\BACKUP\Toolbox\setmeup\SMU97\setmeup.zip\SETMEUP.EX_
\SETMEUP.EXE ... Found the W32/Generic.worm!p2p virus !!!

------> Note: I scanned this folder with Avast, no virus noted. <---------

Summary report on C:\*.*
File(s)
Total files: ........... 142239
Clean: ................. 142122
Possibly Infected: ..... 1
Non-critical Error(s): 3


Time: 00:59.20
=======================================================
 

David H. Lipman

From: "Ernie B." <ebaresch_REMOVE_@cox._THIS_net>

< snip >

| "C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /ALL /MIME /PROGRAM
| /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
|
| Scanning C: []
| Scanning C:\*.*
| C:\From Drive_D\BACKUP\Toolbox\setmeup\SMU97\setmeup.zip\SETMEUP.EX_
| \SETMEUP.EXE ... Found the W32/Generic.worm!p2p virus !!!
|

You didn't run with the delete or clean options.
Extract the SETMEUP.EX_ file and submit it to Virus Total.
 

Ernie B.

Okay. I'll post the results. Thanks.
Antivirus Version Last Update Result
AhnLab-V3 2008.3.19.1 2008.03.19 -
AntiVir 7.6.0.75 2008.03.19 -
Authentium 4.93.8 2008.03.20 -
Avast 4.7.1098.0 2008.03.20 -
AVG 7.5.0.516 2008.03.19 -
BitDefender 7.2 2008.03.20 -
CAT-QuickHeal 9.50 2008.03.20 -
ClamAV 0.92.1 2008.03.20 -
DrWeb 4.44.0.09170 2008.03.19 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5628 2008.03.19 -
Ewido 4.0 2008.03.19 -
FileAdvisor 1 2008.03.20 -
Fortinet 3.14.0.0 2008.03.20 -
F-Prot 4.4.2.54 2008.03.19 -
F-Secure 6.70.13260.0 2008.03.19 -
Ikarus T3.1.1.20 2008.03.20 -
Kaspersky 7.0.0.125 2008.03.20 -
McAfee 5255 2008.03.20 W32/Generic.worm!p2p
Microsoft 1.3301 2008.03.19 -
NOD32v2 2961 2008.03.20 -
Norman 5.80.02 2008.03.19 -
Panda 9.0.0.4 2008.03.20 -
Prevx1 V2 2008.03.20 -
Rising 20.36.22.00 2008.03.19 -
Sophos 4.27.0 2008.03.20 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.20 -
TheHacker 6.2.92.250 2008.03.19 -
VBA32 3.12.6.3 2008.03.17 -
VirusBuster 4.3.26:9 2008.03.19 -
Webwasher-Gateway 6.6.2 2008.03.19 -

Additional information
File size: 1189376 bytes
MD5: cea816c13c14f950c8185a9c0b06c94b
SHA1: 737f669f1771e078eb819194e9c3ae1efb54728f
PEiD: -
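A single hit out of 32 engines, with a generic detection name, is the pattern David calls a possible false positive in the next reply. The following is an added example, not code from the thread or from VirusTotal, that parses the report above into rows, applies that rule of thumb, and cross-checks the MD5/SHA1 the report lists against a file you actually hold so you know the report refers to the same bytes. The report text is copied from the post; the thresholds and the list of "generic" name tokens are my assumptions.

```python
import hashlib
import re

# Copied from the VirusTotal report posted above (engine versions as of March 2008).
VT_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.3.19.1 2008.03.19 -
AntiVir 7.6.0.75 2008.03.19 -
Authentium 4.93.8 2008.03.20 -
Avast 4.7.1098.0 2008.03.20 -
AVG 7.5.0.516 2008.03.19 -
BitDefender 7.2 2008.03.20 -
CAT-QuickHeal 9.50 2008.03.20 -
ClamAV 0.92.1 2008.03.20 -
DrWeb 4.44.0.09170 2008.03.19 -
eSafe 7.0.15.0 2008.03.18 -
eTrust-Vet 31.3.5628 2008.03.19 -
Ewido 4.0 2008.03.19 -
FileAdvisor 1 2008.03.20 -
Fortinet 3.14.0.0 2008.03.20 -
F-Prot 4.4.2.54 2008.03.19 -
F-Secure 6.70.13260.0 2008.03.19 -
Ikarus T3.1.1.20 2008.03.20 -
Kaspersky 7.0.0.125 2008.03.20 -
McAfee 5255 2008.03.20 W32/Generic.worm!p2p
Microsoft 1.3301 2008.03.19 -
NOD32v2 2961 2008.03.20 -
Norman 5.80.02 2008.03.19 -
Panda 9.0.0.4 2008.03.20 -
Prevx1 V2 2008.03.20 -
Rising 20.36.22.00 2008.03.19 -
Sophos 4.27.0 2008.03.20 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.20 -
TheHacker 6.2.92.250 2008.03.19 -
VBA32 3.12.6.3 2008.03.17 -
VirusBuster 4.3.26:9 2008.03.19 -
Webwasher-Gateway 6.6.2 2008.03.19 -

Additional information
File size: 1189376 bytes
MD5: cea816c13c14f950c8185a9c0b06c94b
SHA1: 737f669f1771e078eb819194e9c3ae1efb54728f
PEiD: -
"""

# One engine row: name, version, update date (yyyy.mm.dd), then the result.
ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$"
)
# Tokens that mark a heuristic/generic name rather than a named family (assumption).
GENERIC_TOKENS = ("generic", "heur", "suspicious", "packed")


def parse_vt_report(text):
    """Return one dict per engine row; header and footer lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def detections(rows):
    """Map engine name -> detection name for the engines that flagged the file."""
    return {r["engine"]: r["result"].strip()
            for r in rows if r["result"].strip() != "-"}


def triage(rows, fp_threshold=2):
    """Rule of thumb for a multi-engine result; fp_threshold is an assumption."""
    hits = detections(rows)
    if not hits:
        return "no detections"
    generic = all(any(t in name.lower() for t in GENERIC_TOKENS)
                  for name in hits.values())
    if len(hits) <= fp_threshold and generic:
        return "possible false positive"
    if len(hits) * 2 >= len(rows):
        return "likely malicious"
    return "inconclusive"


def report_hashes(text):
    """Pull the MD5/SHA1 the report says it analysed."""
    md5 = re.search(r"^MD5:\s*([0-9a-fA-F]{32})$", text, re.M)
    sha1 = re.search(r"^SHA1:\s*([0-9a-fA-F]{40})$", text, re.M)
    return {"md5": md5.group(1).lower() if md5 else None,
            "sha1": sha1.group(1).lower() if sha1 else None}


def local_hashes(data):
    """Hash the bytes you actually hold, to compare with the report."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def report_matches_file(text, data):
    """True only if both digests in the report equal those of `data`."""
    return report_hashes(text) == local_hashes(data)


if __name__ == "__main__":
    rows = parse_vt_report(VT_REPORT)
    print(len(detections(rows)), "of", len(rows), "engines:", detections(rows))
    print("verdict:", triage(rows))
```

Hashing the extracted file locally and comparing with the report's MD5/SHA1 also lets you look an existing result up by hash instead of re-uploading, and catches the case where the archive member you extracted is not the one that was scanned.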
 

David H. Lipman

From: "Ernie B." <ebaresch_REMOVE_@cox._THIS_net>


| Antivirus Version Last Update Result
| AhnLab-V3 2008.3.19.1 2008.03.19 -
| AntiVir 7.6.0.75 2008.03.19 -
| Authentium 4.93.8 2008.03.20 -
| Avast 4.7.1098.0 2008.03.20 -
| AVG 7.5.0.516 2008.03.19 -
| BitDefender 7.2 2008.03.20 -
| CAT-QuickHeal 9.50 2008.03.20 -
| ClamAV 0.92.1 2008.03.20 -
| DrWeb 4.44.0.09170 2008.03.19 -
| eSafe 7.0.15.0 2008.03.18 -
| eTrust-Vet 31.3.5628 2008.03.19 -
| Ewido 4.0 2008.03.19 -
| FileAdvisor 1 2008.03.20 -
| Fortinet 3.14.0.0 2008.03.20 -
| F-Prot 4.4.2.54 2008.03.19 -
| F-Secure 6.70.13260.0 2008.03.19 -
| Ikarus T3.1.1.20 2008.03.20 -
| Kaspersky 7.0.0.125 2008.03.20 -
| McAfee 5255 2008.03.20 W32/Generic.worm!p2p
| Microsoft 1.3301 2008.03.19 -
| NOD32v2 2961 2008.03.20 -
| Norman 5.80.02 2008.03.19 -
| Panda 9.0.0.4 2008.03.20 -
| Prevx1 V2 2008.03.20 -
| Rising 20.36.22.00 2008.03.19 -
| Sophos 4.27.0 2008.03.20 -
| Sunbelt 3.0.978.0 2008.03.18 -
| Symantec 10 2008.03.20 -
| TheHacker 6.2.92.250 2008.03.19 -
| VBA32 3.12.6.3 2008.03.17 -
| VirusBuster 4.3.26:9 2008.03.19 -
| Webwasher-Gateway 6.6.2 2008.03.19 -
|
| Additional information
| File size: 1189376 bytes
| MD5: cea816c13c14f950c8185a9c0b06c94b
| SHA1: 737f669f1771e078eb819194e9c3ae1efb54728f
| PEiD: -

Looks like a possible False Positive.
 

Ernie B.

| Looks like a possible False Positive.

I think so. Since the program is an antique, should we tell McAfee about it?

That doesn't answer the original question though; where is a-squared getting a
ghost of keygen and why does it trigger Avast when I do a deep scan with a-
squared? I had the same result last night even though keygen isn't on my
machine any longer, I had emptied the trash and done a cold boot. I suppose I
should ask that question in the emsisoft forum though.
 

David H. Lipman

From: "Ernie B." <ebaresch_REMOVE_@cox._THIS_net>

| On Thu, 20 Mar 2008 10:41:44 GMT David H. Lipman wrote:
|| I think so. Since the program is an antique, should we tell McAfee about it?
|
| That doesn't answer the original question though; where is a-squared getting a
| ghost of keygen and why does it trigger Avast when I do a deep scan with a-
| squared? I had the same result last night even though keygen isn't on my
| machine any longer, I had emptied the trash and done a cold boot. I suppose I
| should ask that question in the emsisoft forum though.

Yes to both.
 

Ernie B.

From: "Ernie B." <ebaresch_REMOVE_@cox._THIS_net>

| On Thu, 20 Mar 2008 10:41:44 GMT David H. Lipman wrote:
|
| I think so. Since the program is an antique, should we tell McAfee about it?
|
| That doesn't answer the original question though; where is a-squared getting a
| ghost of keygen and why does it trigger Avast when I do a deep scan with a-
| squared? I had the same result last night even though keygen isn't on my
| machine any longer, I had emptied the trash and done a cold boot. I suppose I
| should ask that question in the emsisoft forum though.

| Yes to both.

Okay. Thanks for your help.
 

Ernie B.

| Okay. Thanks for your help.

Just so that everyone knows....

"Avert Sample Analysis
Issue Number: 4574878
Virus Research Engineer - Tokyo: S. Honjo
Identified: FALSE DETECTION
On File: Setmeup.exe
Detection Name: W32/Generic.worm!p2p virus

AVERT Labs, Tokyo

Thank you for submitting your suspicious file.

Synopsis -

Our Senior Virus Research Engineers have examined the file in question
and no virus was found.

Solution -

Attached is an extra.dat with corrected detection. This correction will
be included in the next DAT update."
 

David H. Lipman

From: "Ernie B." <ebaresch_REMOVE_@cox._THIS_net>


| Just so that everyone knows....
|
| "Avert Sample Analysis
| Issue Number: 4574878
| Virus Research Engineer - Tokyo: S. Honjo
| Identified: FALSE DETECTION
| On File: Setmeup.exe
| Detection Name: W32/Generic.worm!p2p virus
|
| AVERT Labs, Tokyo
|
| Thank you for submitting your suspicious file.
|
| Synopsis -
|
| Our Senior Virus Research Engineers have examined the file in question
| and no virus was found.
|
| Solution -
|
| Attached is an extra.dat with corrected detection. This correction will
| be included in the next DAT update."

Cool breeze. Thanx for the update.
 
