Mystery


I have a minor mystery....

I did a boot-time scan with Avast free on the 17th.  No infected files were
found.  

Early this morning I started a complete scan with a-squared and heard the
Avast siren after a few minutes.  The file, C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
\a2archive\keygen.exe, was moved to the Virus Chest and the a-squared scan
allowed to complete.  It found a few tracking cookies but nothing else.

I do have keygen.exe on my system, scanned it with Avast.  No complaints, so I
suppose that the file is clean.  

The file was scanned with Avast from the VC with the following result:
==============================================================
Scanning of selected files
------------------------------------------------------------------------------
------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_
\unp231646429.tmp
FileID: 0000000035  Original file name: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
\a2archive\keygen.exe  New folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_
\unp231646429.tmp.exe

Scan files in the temporary folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4
_\unp231646429.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_\unp231646429.tmp.exe  
Win32:Keygen-AO [Trj]
------------------------------------------------------------------------------
------------
Action was completed successfully!
================================================================

The same thing happened on 2/25/08 and again just now when I re-ran the
a-squared scan.  I also note that the 'Last changed' time for one of the files
in the Avast VC is 3/19/2008 6:31:28 PM, which isn't here yet, and the
'Transfer time' to the VC is 3/19/2008 1:31:46 PM, which is correct.  The
other subject file move to the VC early this morning has a similar time
discrepancy.

Where did this infected file come from?  Is it an artifact of a-squared?

What causes the time discrepancy noted above?

I don't believe my computer is infected, but it's puzzling; any thoughts would
be appreciated.  
--
Ernie B.

Communication:  The art of moving an idea from one mind to another, hopefully
without distortion.

Re: Mystery


| I have a minor mystery....
|
| I did a boot-time scan with Avast free on the 17th.  No infected files were
| found.
|
| Early this morning I started a complete scan with a-squared and heard the
| Avast siren after a few minutes.  The file, C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
| \a2archive\keygen.exe, was moved to the Virus Chest and the a-squared scan
| allowed to complete.  It found a few tracking cookies but nothing else.
|
| I do have keygen.exe on my system, scanned it with Avast.  No complaints, so I
| suppose that the file is clean.
|
| The file was scanned with Avast from the VC with the following result:
| ==============================================================
| Scanning of selected files
| ------------------------------------------------------------------------------
| ------------
| Program will try to scan 1 selected file(s) in the Chest
|
| Move files to temporary folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_
| \unp231646429.tmp
| FileID: 0000000035  Original file name: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
| \a2archive\keygen.exe  New folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_
| \unp231646429.tmp.exe
|
| Scan files in the temporary folder: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4
| _\unp231646429.tmp
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_avast4_\unp231646429.tmp.exe
| Win32:Keygen-AO [Trj]
| ------------------------------------------------------------------------------
| ------------
| Action was completed successfully!
| ================================================================
|
| The same thing happened on 2/25/08 and again just now when I re-ran the
| a-squared scan.  I also note that the 'Last changed' time for one of the files
| in the Avast VC is 3/19/2008 6:31:28 PM, which isn't here yet, and the
| 'Transfer time' to the VC is 3/19/2008 1:31:46 PM, which is correct.  The
| other subject file move to the VC early this morning has a similar time
| discrepancy.
|
| Where did this infected file come from?  Is it an artifact of a-squared?
|
| What causes the time discrepancy noted above?
|
| I don't believe my computer is infected, but it's puzzling; any thoughts would
| be appreciated.

Where did you get A-Squared anti-Trojan?

It looks like you obtained it with a Keygen, which is considered malware.

Delete ALL files from all TEMP folders and clear all IE/Browser caches.

Use the following Multi AV Scanning Tool to re-scan the system.


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related
files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode.  This way all the components can be downloaded from each AV vendor's web
site.  The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files or
you can download the files and perform a scan in Normal Mode.  Once you have
downloaded the files needed for each scanner you want to use, you should reboot
the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose
which scanner you want to run in Safe Mode.  It is suggested to run the
scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * *   Please report back your results  * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Mystery

On Wed, 19 Mar 2008 21:14:04 GMT David H. Lipman wrote:

From the emsisoft page, <http://www.emsisoft.com/en/

No.  I used the keygen program once, for something else, about two years ago.  
I moved it to a flash drive for storage although scanning the file with Avast
didn't show any problems.  The path C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
\a2archive\... caused me to wonder if it's an a-squared artifact.

Okay.

I tried to run the Kaspersky module earlier without success.  I'll download a
fresh copy and try again.
<snip>
Probably tomorrow...

Thanks.
--
Ernie B.

Communication:  The art of moving an idea from one mind to another, hopefully
without distortion.

Re: Mystery

On Wed, 19 Mar 2008 22:35:08 GMT Ernie B. wrote:

Results from McAfee scan in normal mode:
==========================================================
Virus Scan Report File
Virus Scan Information

McAfee VirusScan for Win32 v5.20.0
Copyright (c) 1992-2007 McAfee, Inc. All rights reserved.
(408) 988-3832  LICENSED COPY - Jun  5 2007

Scan engine v5.2.00 for Win32.
Virus data file v5255 created Mar 19 2008
Scanning for 384817 viruses, trojans and variants.

Virus Scan Results

03/19/2008  18:37:31

Options:
"C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /ALL /MIME /PROGRAM
/EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\From Drive_D\BACKUP\Toolbox\setmeup\SMU97\setmeup.zip\SETMEUP.EX_
\SETMEUP.EXE ... Found the W32/Generic.worm!p2p virus !!!

------> Note:  I scanned this folder with Avast, no virus noted. <---------

Summary report on C:\*.*
File(s)
        Total files: ...........  142239
        Clean: .................  142122
        Possibly Infected: .....       1
Non-critical Error(s):                 3


Time: 00:59.20
=======================================================
--
Ernie B.

Communication:  The art of moving an idea from one mind to another, hopefully
without distortion.

Re: Mystery


< snip >

| "C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /ALL /MIME /PROGRAM
| /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
|
| Scanning C: []
| Scanning C:\*.*
| C:\From Drive_D\BACKUP\Toolbox\setmeup\SMU97\setmeup.zip\SETMEUP.EX_
| \SETMEUP.EXE ... Found the W32/Generic.worm!p2p virus !!!
|

You didn't run with the delete or clean options.
Extract the SETMEUP.EX_ file and submit it to Virus Total.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Mystery

On Thu, 20 Mar 2008 01:48:49 GMT David H. Lipman wrote:


Correct.  I'm wary of giving software unbridled permission to delete things.

Okay.  I'll post the results.  Thanks.
--
Ernie B.

Communication:  The art of moving an idea from one mind to another, hopefully
without distortion.

Re: Mystery

On Thu, 20 Mar 2008 03:14:45 GMT Ernie B. wrote:

Antivirus          Version        Last Update  Result
AhnLab-V3          2008.3.19.1    2008.03.19   -
AntiVir            7.6.0.75       2008.03.19   -
Authentium         4.93.8         2008.03.20   -
Avast              4.7.1098.0     2008.03.20   -
AVG                7.5.0.516      2008.03.19   -
BitDefender        7.2            2008.03.20   -
CAT-QuickHeal      9.50           2008.03.20   -
ClamAV             0.92.1         2008.03.20   -
DrWeb              4.44.0.09170   2008.03.19   -
eSafe              7.0.15.0       2008.03.18   -
eTrust-Vet         31.3.5628      2008.03.19   -
Ewido              4.0            2008.03.19   -
FileAdvisor        1              2008.03.20   -
Fortinet           3.14.0.0       2008.03.20   -
F-Prot             4.4.2.54       2008.03.19   -
F-Secure           6.70.13260.0   2008.03.19   -
Ikarus             T3.1.1.20      2008.03.20   -
Kaspersky          7.0.0.125      2008.03.20   -
McAfee             5255           2008.03.20   W32/Generic.worm!p2p
Microsoft          1.3301         2008.03.19   -
NOD32v2            2961           2008.03.20   -
Norman             5.80.02        2008.03.19   -
Panda              9.0.0.4        2008.03.20   -
Prevx1             V2             2008.03.20   -
Rising             20.36.22.00    2008.03.19   -
Sophos             4.27.0         2008.03.20   -
Sunbelt            3.0.978.0      2008.03.18   -
Symantec           10             2008.03.20   -
TheHacker          6.2.92.250     2008.03.19   -
VBA32              3.12.6.3       2008.03.17   -
VirusBuster        4.3.26:9       2008.03.19   -
Webwasher-Gateway  6.6.2          2008.03.19   -

Additional information
File size: 1189376 bytes
MD5: cea816c13c14f950c8185a9c0b06c94b
SHA1: 737f669f1771e078eb819194e9c3ae1efb54728f
PEiD: -
--
Ernie B.

Communication:  The art of moving an idea from one mind to another, hopefully
without distortion.

Re: Mystery



| Antivirus  Version  Last Update  Result
| AhnLab-V3  2008.3.19.1  2008.03.19  -
| AntiVir   7.6.0.75   2008.03.19  -
| Authentium  4.93.8   2008.03.20  -
| Avast   4.7.1098.0  2008.03.20  -
| AVG    7.5.0.516  2008.03.19  -
| BitDefender  7.2    2008.03.20  -
| CAT-QuickHeal  9.50   2008.03.20  -
| ClamAV   0.92.1   2008.03.20  -
| DrWeb   4.44.0.09170  2008.03.19  -
| eSafe   7.0.15.0   2008.03.18  -
| eTrust-Vet  31.3.5628  2008.03.19  -
| Ewido   4.0    2008.03.19  -
| FileAdvisor  1    2008.03.20  -
| Fortinet   3.14.0.0   2008.03.20  -
| F-Prot   4.4.2.54   2008.03.19  -
| F-Secure   6.70.13260.0  2008.03.19  -
| Ikarus   T3.1.1.20  2008.03.20  -
| Kaspersky  7.0.0.125  2008.03.20  -
| McAfee   5255   2008.03.20  W32/Generic.worm!p2p
| Microsoft  1.3301   2008.03.19  -
| NOD32v2   2961   2008.03.20  -
| Norman   5.80.02   2008.03.19  -
| Panda   9.0.0.4   2008.03.20  -
| Prevx1   V2    2008.03.20  -
| Rising   20.36.22.00  2008.03.19  -
| Sophos   4.27.0   2008.03.20  -
| Sunbelt   3.0.978.0  2008.03.18  -
| Symantec   10    2008.03.20  -
| TheHacker  6.2.92.250  2008.03.19  -
| VBA32   3.12.6.3   2008.03.17  -
| VirusBuster  4.3.26:9   2008.03.19  -
| Webwasher-Gateway  6.6.2  2008.03.19  -
|
| Additional information
| File size: 1189376 bytes
| MD5: cea816c13c14f950c8185a9c0b06c94b
| SHA1: 737f669f1771e078eb819194e9c3ae1efb54728f
| PEiD: -

Looks like a possible False Positive.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
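Added example, not code from the thread or from any of the tools it mentions: a small Python triage script that parses a VirusTotal-style text table of the kind Ernie posted, counts the engines that fired, and applies the same reasoning Dave uses above (one engine out of many, with a generic signature name) to flag a likely false positive for vendor submission rather than deletion. The sample table is a constructed subset of the posted one; the generic-name marker list and the hit threshold are assumptions.

```python
"""Triage a VirusTotal-style text report for false-positive likelihood."""
import re
from dataclasses import dataclass

# Constructed sample in the same format as the table posted in the thread.
SAMPLE_REPORT = """\
Antivirus     Version     Last Update     Result
AhnLab-V3     2008.3.19.1     2008.03.19     -
Avast         4.7.1098.0     2008.03.20     -
ClamAV        0.92.1         2008.03.20     -
Kaspersky     7.0.0.125     2008.03.20     -
McAfee        5255         2008.03.20     W32/Generic.worm!p2p
Symantec      10             2008.03.20     -
"""

# One row: engine, version, signature date (YYYY.MM.DD), result ("-" = clean).
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*?)\s*$")

# Assumed list: substrings that usually mean a heuristic/generic family name
# rather than a specific, researched signature.
GENERIC_MARKERS = ("generic", "heur", "suspicious", "packed", "unknown")


@dataclass
class Verdict:
    engines: int        # rows parsed
    detections: dict    # engine -> signature name, only for engines that fired
    likely_fp: bool     # few hits, all with generic names


def parse_report(text):
    """Return (engine_count, {engine: signature}) from the text table."""
    total, hits = 0, {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:        # header or stray line
            continue
        engine, _version, _date, result = m.groups()
        total += 1
        if result and result != "-":
            hits[engine] = result
    return total, hits


def assess(text, max_hits=2):
    """Likely false positive: at most max_hits engines fire and every name
    looks generic. Such a file belongs with the vendor, not the delete queue."""
    total, hits = parse_report(text)
    generic_only = all(any(k in s.lower() for k in GENERIC_MARKERS)
                       for s in hits.values())
    return Verdict(total, hits, 0 < len(hits) <= max_hits and generic_only)
```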



Re: Mystery

On Thu, 20 Mar 2008 10:41:44 GMT David H. Lipman wrote:

I think so.  Since the program is an antique, should we tell McAfee about it?

That doesn't answer the original question though; where is a-squared getting a
ghost of keygen and why does it trigger Avast when I do a deep scan with
a-squared?  I had the same result last night even though keygen isn't on my
machine any longer, I had emptied the trash and done a cold boot.  I suppose I
should ask that question in the emsisoft forum though.
--
Ernie B.

Communication:  The art of moving an idea from one mind to another, hopefully
without distortion.

Re: Mystery


| On Thu, 20 Mar 2008 10:41:44 GMT David H. Lipman wrote:
|
| I think so.  Since the program is an antique, should we tell McAfee about it?
|
| That doesn't answer the original question though; where is a-squared getting a
| ghost of keygen and why does it trigger Avast when I do a deep scan with
| a-squared?  I had the same result last night even though keygen isn't on my
| machine any longer, I had emptied the trash and done a cold boot.  I suppose I
| should ask that question in the emsisoft forum though.

Yes to both.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Mystery

On Thu, 20 Mar 2008 20:04:44 GMT David H. Lipman wrote:

Okay.  Thanks for your help.
--
Ernie B.

Communication:  The art of moving an idea from one mind to another, hopefully
without distortion.

Re: Mystery

On Fri, 21 Mar 2008 01:20:44 GMT Ernie B. wrote:

Just so that everyone knows....

"Avert Sample Analysis
Issue Number:  4574878
Virus Research Engineer - Tokyo: S. Honjo
Identified: FALSE DETECTION
On File:  Setmeup.exe
Detection Name: W32/Generic.worm!p2p virus

AVERT Labs, Tokyo

Thank you for submitting your suspicious file.

Synopsis -

Our Senior Virus Research Engineers have examined the file in question
and no virus was found.

Solution -

Attached is an extra.dat with corrected detection.  This correction will
be included in the next DAT update."
--
Ernie B.

Communication:  The art of moving an idea from one mind to another, hopefully
without distortion.

Re: Mystery



| Just so that everyone knows....
|
| "Avert Sample Analysis
| Issue Number:  4574878
| Virus Research Engineer - Tokyo: S. Honjo
| Identified: FALSE DETECTION
| On File:  Setmeup.exe
| Detection Name: W32/Generic.worm!p2p virus
|
| AVERT Labs, Tokyo
|
| Thank you for submitting your suspicious file.
|
| Synopsis -
|
| Our Senior Virus Research Engineers have examined the file in question
| and no virus was found.
|
| Solution -
|
| Attached is an extra.dat with corrected detection.  This correction will
| be included in the next DAT update."

Cool breeze.  Thanx for the update.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


