blue

is this a virus C:\SETUP.EXE (Trojan.Agent)


Scan type: Quick Scan

Objects scanned: 66676

Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully. [3857535134303627618470


Well, going off what I've read (I may be wrong, but this is how I remember it), there is no reason why a .exe should be located in the root of the C drive (i.e., not in a subfolder).

Did you put this setup file in this location? If you did, I'm guessing it's safe and MBAM's heuristics would have picked it up based on location.

If you've never seen it before and don't know what it does, then it is probably a trojan.

Try restoring it from quarantine for long enough to make a copy and upload the copy to here: http://www.virustotal.com/

This will scan it with a ton of different antivirus programs so you can see if it contains any (known) malicious code.

I'd let MBAM keep it in quarantine until you get an answer from a developer.


Here is what you asked for in the last post:

MD5: 920a328906cf4e1bb3f4d761271cacfd

First received: -

Date: 01.24.2009 05:11:27 (CET) [>46D]

Results: 0/38

Permalink: analisis/291f7544c32a73dbf774d5a8f1e95325


I'm going to have to say this is not a false positive. While the file is likely legit, there should be no reason to ever have a .exe in your main drive letter. Moving the file to somewhere else should resolve this.


I normally don't reply to these and leave it up to the developers, but I would have to agree. The root of C: or %SystemDrive% is not an appropriate place for any executable file like that. Much better to move it to a folder for running or storing.


Scan type: Quick Scan

Objects scanned: 75811

Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:


I'm no expert on this stuff, but whenever I come up with an unknown the first thing I do is quarantine it, because if I find out later it's part of something I need I can easily restore it.


Is this a false positive or not? Can't see it in any virus stuff???


Again:

I'm going to have to say this is not a false positive. While the file is likely legit, there should be no reason to ever have a .exe in your main drive letter. Moving the file to somewhere else should resolve this.


Upload it to here: http://virusscan.jotti.org/ and have them scan it. If it's not a virus then you should be safe.

You now have 2 choices.

1. Move it out of the root of the C: volume, as Malwarebytes probably will not de-list it based on its location.

2. Place it on your IGNORE list and MBAM will no longer alert you that it's infected.


Is this a false positive or not? Can't see it in any virus stuff???

It's a heuristics hit. The file itself doesn't matter; it shouldn't be in root. Because it is, and it's executable, MBAM will alert on it, unless you move it or tell MBAM to ignore it.


One of the things that we must do to ensure that we detect as much malware as possible is to proactively add definitions for malware that, while it does not exist (yet), will hit files doing something that no legit software should be doing.

On the flip side, this has the potential of hitting poorly coded software and the creative modifications that people sometimes do to their system. As stated before, root (C:\) is not a storage location for executables. Root IS a very common location to launch malware from, and as such we don't let much go on from there and actually plan to increase heuristics further from this location.
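As an added illustration of the location heuristic described in this thread (example code written for this page, not Malwarebytes' own logic), the check below lists executables sitting directly in a volume root and computes the MD5 and SHA-256 hashes an admin would look up on VirusTotal before deciding whether to move, ignore or keep quarantining the file. The extension list beyond .exe, the %SystemDrive% fallback and the sample directory layout are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions treated as executable here; the thread only discusses .exe, the
# rest are an assumption for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}

def file_hashes(path):
    """Return (md5, sha256) hex digests; MD5 is what VirusTotal was queried by above."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # chunked: large files are fine
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def find_root_executables(root):
    """Flag executables directly in the volume root. Subfolders are deliberately
    skipped: the heuristic is about location, not content. Sorted list of dicts."""
    findings = []
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.suffix.lower() in EXECUTABLE_EXTENSIONS:
            md5, sha256 = file_hashes(entry)
            findings.append({"path": str(entry), "size": entry.stat().st_size,
                             "md5": md5, "sha256": sha256})
    return sorted(findings, key=lambda f: f["path"])

def system_drive_root():
    """Root of %SystemDrive% on Windows; '/' elsewhere (assumption for portability)."""
    drive = os.environ.get("SystemDrive")
    return drive + "\\" if drive else "/"

def build_sample_root():
    """Constructed stand-in for a drive root: SETUP.EXE in the root (flagged),
    a text file (ignored) and an .exe inside a folder (not flagged)."""
    root = Path(tempfile.mkdtemp(prefix="rootscan_"))
    (root / "SETUP.EXE").write_bytes(b"abc")  # placeholder bytes, not a real PE
    (root / "readme.txt").write_text("not executable")
    (root / "Tools").mkdir()
    (root / "Tools" / "installer.exe").write_bytes(b"abc")
    return str(root)

if __name__ == "__main__":
    for hit in find_root_executables(system_drive_root()):
        print(f"{hit['path']} size={hit['size']} md5={hit['md5']} sha256={hit['sha256']}")
        print("  -> move it into a folder, or check the hash on VirusTotal before trusting it")
```

Run it as-is to check the real system drive, or call `find_root_executables(build_sample_root())` to see the heuristic fire only on the root-level file and not on the one inside a folder.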
