is this a virusC:\SETUP.EXE (Trojan.Agent)

[blue]

Scan type: Quick Scan

Objects scanned: 66676

Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully. [3857535134303627618470

[Insomniac]

Well, going off what I've read (I may be wrong, but this is how I remember it), there is no reason why an .exe should be located in the root of C drive (IE, not in a subfolder)

Did you put this setup file in this location? If you did, I'm guessing it's safe and MBAM's heuristics would have picked it up based on location.

If you've never seen it before and don't know what it does, then it is probably a trojan.

Try restoring it from quaranteen for long enough to make a copy and upload the copy to here: http://www.virustotal.com/

This will scan it with a ton of different antivirus programs so you can see if it contains any (known) malicious code.

I'd let MBAM keep it in quaranteen until you get an answer from a developer.

[blue]

here is what you asked for in last post

MD5: 920a328906cf4e1bb3f4d761271cacfd

First received: -

Date: 01.24.2009 05:11:27 (CET) [>46D]

Results: 0/38

Permalink: analisis/291f7544c32a73dbf774d5a8f1e95325

[Tigger93]

I'm going to have to say this is not a false positive. While the file is likely legit, there should be no reason to ever have a .exe in your main drive letter. Moving the file to somewhere else should resolve this.

[AdvancedSetup]

I normally don't reply to these and leave it up to the developers but I would have to agree. The root of C: or %SystemDrive% is not an appropriate place for any executable file like that. Much better to move it to a Folder for running or storing.

[blue]

Scan type: Quick Scan

Objects scanned: 75811

Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\JAMESC~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Sky Broadband

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java

[astrospacerich]

I'm no expert on this stuff but whenever I come up with an unknown the first thing I do is quarintine it because if I find out later it's part of something I need I can esasily restore it.

[blue]

is is this a false positive or not cant see it in any virus stuff???

[Tigger93]

Again:

I'm going to have to say this is not a false positive. While the file is likely legit, there should be no reason to ever have a .exe in your main drive letter. Moving the file to somewhere else should resolve this.

[AdvancedSetup]

Upload it to here: http://virusscan.jotti.org/ and have them scan it. If it's not a virus then you should be safe.

You now have 2 choices.

1. Move it out of the root of the C: volume as Malwarebytes probably will not de-list it based on it's location.

2. Place it on your IGNORE list and MBAM will no longer alert you that it's infected.

[Raid]

is is this a false positive or not cant see it in any virus stuff???

It's a hueristics hit. The file itself doesn't matter, it shouldn't be in root. Because it is, and it's executable, MBAM will alert on it. Unless you move it, or tell MBAM to ignore it.

[nosirrah]

One of the things that we must do to ensure that we detect as much malware as possible is to proactively add definitions for malware that while it does not exist (yet) , will hit files doing something that no legit software should be doing .

On the flip side this has the potential of hitting poorly coded software and the creative modifications that people sometimes do to their system . As stated before root (C:\) is not a storage location for executables . Root IS a very common location to launch malware from and as such we don't let much go on from there and actually plan to increase heuristics further from this location .