2 Replies Latest reply on Feb 20, 2009 3:50 AM by Mal09

    Strange Detection

      I had a strange detection with McAfee VirusScan Enterprise v 8.5i. Could someone take a look at it and let me know if it's for real or a false positive? If it's actually a virus, advice on how to proceed would be appreciated. My scan log is below.

      2/19/2009 9:31:22 AM Engine version =5300.2777
      2/19/2009 9:31:22 AM AntiVirus DAT version =5530.0000
      2/19/2009 9:31:22 AM Number of detection signatures in EXTRA.DAT =None
      2/19/2009 9:31:22 AM Names of detection signatures in EXTRA.DAT =None
      2/19/2009 9:31:15 AM Scan Started BOSTON-228CBD46\Administrator Full Scan
      2/19/2009 9:47:20 AM Not scanned (The file is encrypted) Administrator c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsIEFirewallBypass.zip\sbRecovery.reg

      2/19/2009 9:47:20 AM Not scanned (The file is encrypted) Administrator c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsIEFirewallBypass1.zip\sbRecovery.reg

      2/19/2009 10:07:55 AM Deleted Administrator C:\SYSTEM VOLUME INFORMATION\_RESTORE{BEE2E0D1-1F58-4F48-A53B-4BE818A454D8}\RP46\A0019573.EXE RemAdm-ProcLaunch!171(Remote Admin Tool)

      2/19/2009 10:08:01 AM Deleted (Clean failed) Administrator c:\System Volume Information\_restore{BEE2E0D1-1F58-4F48-A53B-4BE818A454D8}\RP46\A0019573.exe\PS EXEC.CFEXE RemAdm-ProcLaunch!171(Remote Admin Tool)

      2/19/2009 10:08:12 AM Deleted Administrator C:\SYSTEM VOLUME INFORMATION\_RESTORE{BEE2E0D1-1F58-4F48-A53B-4BE818A454D8}\RP46\A0020025.EXE RemAdm-ProcLaunch!171(Remote Admin Tool)

      2/19/2009 10:08:17 AM Deleted (Clean failed) Administrator c:\System Volume Information\_restore{BEE2E0D1-1F58-4F48-A53B-4BE818A454D8}\RP46\A0020025.exe\PS EXEC.CFEXE RemAdm-ProcLaunch!171(Remote Admin Tool)

      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Scan Summary
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Processes scanned : 4
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Processes detected : 0
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Processes cleaned : 0
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Boot sectors scanned : 1
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Boot sectors detected: 0
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Boot sectors cleaned : 0
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Files scanned : 83974
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Files with detections: 2
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator File detections : 4
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Files cleaned : 0
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Files deleted : 2
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Files not scanned : 30
      2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\Administrator Run time : 1:09:01
      2/19/2009 10:40:16 AM Scan Complete BOSTON-228CBD46\Administrator Full Scan

      Moved to the correct area - MOD
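A triage helper for the log layout posted above (an added example, not code from the thread or from McAfee): it parses the per-file event lines of a VirusScan Enterprise scan log and tags each hit with the context a reviewer checks first, such as whether the file sits in a System Restore point, is a member of a container file, was skipped rather than detected, or carries a remote-admin-tool detection name. The field layout and sample lines come from the posted log; the tag names and the list of actions matched are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the VSE 8.5i scan-log layout from the post above (four lines copied from it).
SAMPLE_LOG = """\
2/19/2009 9:47:20 AM Not scanned (The file is encrypted) Administrator c:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\MicrosoftWindowsIEFirewallBypass.zip\\sbRecovery.reg
2/19/2009 10:07:55 AM Deleted Administrator C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{BEE2E0D1-1F58-4F48-A53B-4BE818A454D8}\\RP46\\A0019573.EXE RemAdm-ProcLaunch!171(Remote Admin Tool)
2/19/2009 10:08:01 AM Deleted (Clean failed) Administrator c:\\System Volume Information\\_restore{BEE2E0D1-1F58-4F48-A53B-4BE818A454D8}\\RP46\\A0019573.exe\\PS EXEC.CFEXE RemAdm-ProcLaunch!171(Remote Admin Tool)
2/19/2009 10:40:16 AM Scan Summary BOSTON-228CBD46\\Administrator File detections : 4
"""

# One per-file event line: timestamp, action, optional "(reason)", user, path, optional Family!id(Category).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Deleted|Cleaned|Moved|Not scanned)(?: \((?P<reason>[^)]*)\))? "
    r"(?P<user>\S+) (?P<path>[A-Za-z]:\\.*?)"
    r"(?: (?P<name>[^\s!]+![^\s(]+\([^)]*\)))?$"
)

def parse_events(log_text):
    """Return per-file event lines as dicts; header and Scan Summary lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def triage(event):
    """Tag one event with the context worth checking before treating it as an infection."""
    tags = set()
    path = event["path"].lower()
    if "\\_restore{" in path:
        tags.add("restore-point")      # System Restore copy, not a file in active use
    if re.search(r"\.(zip|exe|cab|rar)\\", path):
        tags.add("archive-member")     # component inside a container file
    if event["action"] == "Not scanned":
        tags.add("unscanned")          # coverage gap, not a detection
    name = event["name"] or ""
    if "(" in name:
        tags.add("category:" + name[name.index("(") + 1:-1])
    if name.lower().startswith("remadm"):
        tags.add("remote-admin-tool")  # dual-use tool class; compare with installed software
    return tags

def triage_log(log_text):
    """Map each event path to its sorted tags and count tags across the whole log."""
    per_path = {e["path"]: sorted(triage(e)) for e in parse_events(log_text)}
    counts = Counter(t for tags in per_path.values() for t in tags)
    return per_path, counts
```

Run `triage_log` over a full log and compare the tag counts with the Scan Summary block to see how many of the "File detections" are restore-point or archive-member copies rather than files in use.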
        • 1. RE: Strange Detection
          D-Fens
          I got the same A*******.exe detection today, with McAfee and Avira.
          At VirusTotal, only 9 of 36 scanners detect this. I think it's a VirusTotal virus...

          Sent this to McAfee this morning.
          "
          inconclusive [ a0091642.exe a0091992.exe a0095012.exe a0095013.exe dc3.exe live-player_setup.exe ]
          Upon analysis the file submitted does not appear to contain one of the 200,000 known threats in the AutoImmune database. The file may contain a new threat, or no code capable of being infected. Your submission is being forwarded to an Avert Labs Researcher for further analysis. You will be contacted by AVERT through e-mail with the results of that analysis.
          "

          No answer from McAfee yet...

          Sent this to Avira too; they checked it again and said it's malware (TR/Dropper.Gen).
          • 2. RE: Strange Detection
            Have you installed Sysinternals tools on this machine previously?