
Trojan or OK File?


16 replies to this topic

#1 cathyn

cathyn

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 09 September 2009 - 01:22 AM

Hope someone can help here. Got a new computer yesterday, which is a Compaq/HP.

Anyway, AVG is picking up one of the hp/bin/ files as a trojan; Comodo is picking it up as a trojan also.

The file is called setsupport.exe, and looking around on the net I can't find much, but one French page I found (and Google-translated) seems to say it's not a trojan and that it's a false positive...

It's currently quarantined, but I can restore it if needed?

So do I leave it quarantined?

Ran the rescue disk creation earlier (while it was in quarantine it seemed to jam up a bit at the start until I moved it out, and then it seemed to work), but it's since back in because of AVG and big "threat detected" messages...

Thanks Cathy


#2 lol-o

lol-o

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:58 PM

Posted 09 September 2009 - 05:14 AM

Hello,

I have the same problem: I also bought a Compaq/HP computer (model cq2200), and installed and ran Avast! antivirus (I previously removed Norton antivirus, which was pre-installed, but I hate it!): the file "setsupport.exe" in the c:/hp/bin directory appeared as a trojan...

I also found a French topic about this problem (guess you found the same one: is it the post from "bernard53" on the "serialcomputer" website?)

I reported this "setsupport" file as a false positive in my avast! settings, but didn't put it in quarantine (when I put it there the first time, my computer also seemed a little bit slower).

However, the alert still pops up about this file when I run an avast! scan...

Pity there are no other explicit topics about this file around the web; I think I'll send a query to the HP community to find out what to do... (and post the answer here, of course).

#3 cathyn

cathyn
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 09 September 2009 - 05:23 AM

Hi

Yeah, I think it was that same French site I found; that name sounds the same. I've still got it sitting in quarantine, but so far it doesn't seem to be overly affecting performance (I hope), apart from that recovery CD program...

Really hope it's a false positive and that the AV companies will fix up their AV info soon...

This is a CQ2250, I think, and I also uninstalled the Norton that was on it.

Edited by cathyn, 09 September 2009 - 05:26 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,605 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:58 PM

Posted 09 September 2009 - 11:22 AM

rdsok, Moderator at the AVG forum, posted these instructions for suspected FPs.

If you suspect a file to be a false positive, test the file at virusscan.jotti.org and, if it is a false positive, archive (zip, arc, tar etc.) the file using a password and email a copy to virus@grisoft.com with a brief description as well as the password you used to archive it with.

If it is a false positive, turn off heuristic scanning for the time being. When Grisoft adjusts the virus definitions you can turn it back on. If turning off Heuristics still doesn't allow access to the file while testing and emailing... disable the resident shield temporarily.

AVG Forum: A possible False Positive Detected

In case AVG Free detects some file on your PC as infected, this file was moved to AVG Virus Vault, and you are sure that this file is correct and clean, it is possible that the detected file is a false alarm. If so, we shall prepare the correction as soon as possible. Unfortunately, false alarms do appear from time to time in every Anti-Virus software.

To solve the problem, please send us this file for analysis directly from the AVG Free program...

AVG FAQ 1320: AVG detects infection on file that I suppose to be clean

Please try to update your AVG Free system and run the whole computer scan again. When the file is not detected and you are still in doubt, put the file into password protected archive using WinZip, WinRar, PowerArchiver etc., attach this archive to an e-mail and send it to virus@avg.com. Describe why you are sending the file and write the password for the archive into the e-mail.

AVG FAQ 1318: What to do when I suspect any file it is infected?


RejZoR, avast! Evangelist at the avast forum, posted these instructions for suspected FPs.

If you encounter alert for which you think that it's a false positive, do the following:

Check the file with this service:
http://virusscan.jotti.org
http://www.virustotal.com

- if the file is detected by any other antivirus too (like Kaspersky), then it's most probably not a false positive. Treat it with caution.
- false positive files are usually detected as: Win32:Trojan-Gen
(this usually happens because of generic detection)
- if the scan still shows that only avast! detects the file, then it could be a virus detected only by avast!. If you think that it's still a false positive, then follow the next step:

Pack the "infected" file into ZIP archive and lock it with password "virus" (without quotes) and attach it to e-mail.
Write the same password inside mail body, so Alwil virus analysts will know the password right away without guessing.
You can also add web address to that file (or webpage of the file/program) if it's on the internet.
Add your own note on why do you think that it's a false positive. Every info helps Alwil staff.
Send the mail to: virus@avast.com

You'll probably get a reply mail with the file info (if it was really a false positive) after some time.
If not, check the file with Explorer extension when new VPS is released.
This way you'll know if the false positive was fixed.

Until then, you can add the "false positive" file into exclusions:...

avast forum [Mini Sticky] False Positives
avast forum: Tutorial For False detection
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
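The vendor instructions quoted above boil down to one triage routine: hash the file first (so it can be looked up on VirusTotal or Jotti by hash without uploading a possibly sensitive binary), make sure it really is a Windows executable, then package it with a note for the analysts. The script below is an added example, not code from the original post or from AVG/avast; the sample "executable" is a constructed minimal DOS/PE header standing in for setsupport.exe, and the VirusTotal URL form is assumed from VirusTotal's current site layout. Python's zipfile module can only read encrypted archives, so the password step the vendors ask for stays with 7-Zip (`7z a -pvirus -mem=AES256 submit.zip setsupport.exe`, using 7-Zip's documented -p and -mem switches).

```python
"""Triage a file suspected of being an antivirus false positive.
Added example, not from the original thread or any AV vendor."""
import hashlib
import io
import struct
import zipfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class Triage:
    size: int
    md5: str
    sha1: str
    sha256: str
    is_pe: bool
    timestamp: Optional[int]  # PE COFF TimeDateStamp (seconds since the Unix epoch)


def pe_timestamp(data: bytes) -> Optional[int]:
    """Return the COFF TimeDateStamp if `data` carries a valid DOS/PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def triage_bytes(data: bytes) -> Triage:
    """Hash the content three ways (different scan services key on different hashes)."""
    ts = pe_timestamp(data)
    return Triage(
        size=len(data),
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
        is_pe=ts is not None,
        timestamp=ts,
    )


def triage_file(path: str) -> Triage:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


def vt_hash_url(t: Triage) -> str:
    """Look up an existing VirusTotal report by hash; nothing is uploaded (URL form assumed)."""
    return f"https://www.virustotal.com/gui/file/{t.sha256}"


def pack_for_submission(name: str, data: bytes, note: str) -> bytes:
    """Zip the sample together with a README carrying the hashes and your note.
    Returns the zip as bytes; add the vendor's password with 7-Zip afterwards."""
    t = triage_bytes(data)
    readme = (f"file: {name}\nsize: {t.size}\nmd5: {t.md5}\nsha1: {t.sha1}\n"
              f"sha256: {t.sha256}\nis_pe: {t.is_pe}\ntimestamp: {t.timestamp}\n\n{note}\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
        zf.writestr("README.txt", readme)
    return buf.getvalue()


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stand-in for setsupport.exe: a DOS stub plus a bare PE/COFF header."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 0 sections, the given timestamp, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


SAMPLE_PE = build_minimal_pe(1252454400)  # constructed sample, not the real file

if __name__ == "__main__":
    t = triage_bytes(SAMPLE_PE)
    print(t)
    print(vt_hash_url(t))
    z = pack_for_submission("setsupport.exe", SAMPLE_PE, "suspected false positive, see thread")
    print(len(z), "bytes ready for 7-Zip password step")
```

Run `triage_file(r"C:\hp\bin\setsupport.exe")` on the real machine and paste the hashes into the vendor mail along with the zip; if the file's hash already has a report on VirusTotal you learn how many engines flag it before you have shared anything. A file that fails the PE check is worth a second look regardless of what the scanner says, since a non-executable in hp\bin is not what the vendor shipped.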

#5 cathyn

cathyn
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 09 September 2009 - 05:52 PM

Thanks for that. Have tried sending it via the AVG software and it keeps failing... will keep trying.

#6 cathyn

cathyn
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 09 September 2009 - 09:57 PM

AVG now have the file for investigation

#7 cathyn

cathyn
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 10 September 2009 - 05:54 AM

Reply from AVG on the file: it is NOT a trojan. YAY

Dear Sir/Madam,

thank you for your e-mail.

Unfortunately, the current virus database version may detect the
mentioned virus on some legitimate applications. We can confirm that
it is a false alarm. We would like to inform you that the false
positive will be removed in the next Definitions update. Please update
your AVG and if a new Definitions update was downloaded, check whether
the file is still detected.

If you need to restore deleted files from AVG Virus Vault you can do
it this way:
- Open AVG user interface.
- Choose "Virus Vault" option from the "History" menu.
- Locate the file that was incorrectly removed and select it (one
click).
- Click on the "Restore" button.

We are sorry for the inconvenience.

Best regards,



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,605 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:58 PM

Posted 10 September 2009 - 07:09 AM

Thanks for letting us know what they said. :thumbsup:

#9 lol-o

lol-o

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 10 September 2009 - 02:19 PM

Hi again,

Thanks to all for your answers !

I forgot to say one thing, perhaps important: the first time I scanned my computer and had this alert about "setsupport.exe", another alert popped up a few minutes later, concerning the file "A0002666.exe", located in the following path:

C:\System Volume Information\_restore{59F1419E-3E98-47A3-9938-D066F1548199}\RP1\A0002666.exe

The alert message was exactly the same: file infected by "Win32:Trojan-gen {Other}"... weird!

Tonight, I tried one thing: I decided to scan my computer again and put all the infected files in quarantine, BUT I checked the option "scan archives" and launched the scan (the first time I left the box unchecked).

The result is a little strange: Avast! found the file "setsupport.exe" detected as infected (I knew that before), the "A0002666.exe" file also infected (knew that too), but a third file appeared as infected: "A0005356.exe", located this time in the path "C:\System Volume Information\_restore{59F1419E-3E98-47A3-9938-D066F1548199}\RP9\A0005356.exe"

So... 3 files infected? Or is it possible to have 3 false positive files detected in the same scan?
Or is it the same file, also located in the restore option?

I have to note that I put these 3 files in quarantine, and the computer seems OK... (behaves the same as before)

I did what quietman said in his post and tested the "setsupport" file with the 2 scan services (virusscan and virustotal): the results indicated that approx. 58 percent of the other antivirus engines detected this file as a threat... but what threat??? The AVG team said that it was a false alarm...

Whom to believe? For the moment, I'll stay with my 3 files in quarantine for a few days and will post a new message next week to inform you...

Edited by lol-o, 10 September 2009 - 02:21 PM.


#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,605 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:58 PM

Posted 10 September 2009 - 02:42 PM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension.

System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume, including most external drives and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a malicious file was detected in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most anti-virus and scanning tools cannot access it to disinfect or delete these files.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.

AVG corrected their detection on the file. If other vendors are detecting it, then they probably need samples so they can do the same.
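The naming scheme described above is what makes restore-point hits look like "three infections" when a scanner flags a single file: the SVI copy keeps only the original's extension, so the only things that tie A0002666.exe back to setsupport.exe are the detection name and the restore-point sequence. The script below is an added example (not code from the original post) that sorts scan results into live files and System Restore copies using that scheme, and flags the case where every SVI hit shares a detection name and extension with a live file the vendor has already explained. The log lines are constructed for this example, one "path<TAB>detection" pair per line, built from the paths and detection name quoted in the thread.

```python
"""Sort antivirus scan hits into live files and System Restore copies.
Added example, not from the original thread."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<seq>.<ext>
SVI_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{"
    r"(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"\\RP(?P<rp>\d+)\\A(?P<seq>\d+)\.(?P<ext>[^\\.]+)$"
)

# Constructed scan output: path, tab, detection name.  Three lines mirror the
# hits reported in the thread; the fourth is an unrelated hit for contrast.
SAMPLE_LOG = """\
C:\\hp\\bin\\setsupport.exe\tWin32:Trojan-gen {Other}
C:\\System Volume Information\\_restore{59F1419E-3E98-47A3-9938-D066F1548199}\\RP1\\A0002666.exe\tWin32:Trojan-gen {Other}
C:\\System Volume Information\\_restore{59F1419E-3E98-47A3-9938-D066F1548199}\\RP9\\A0005356.exe\tWin32:Trojan-gen {Other}
C:\\Users\\cathy\\Downloads\\setup.exe\tWin32:Adware-gen
"""


def classify(path: str) -> dict:
    """Tell a System Restore copy apart from a live file and pull out RP and sequence numbers."""
    m = SVI_RE.match(path)
    if not m:
        return {"kind": "live", "path": path}
    return {"kind": "restore_point", "path": path, "rp": int(m["rp"]),
            "seq": int(m["seq"]), "ext": m["ext"].lower()}


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Split 'path<TAB>detection' lines; blank lines are ignored."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _, detection = line.partition("\t")
        hits.append((path.strip(), detection.strip()))
    return hits


def summarize(text: str) -> Dict[str, dict]:
    """Group hits by detection name.  For each name, list the live files and the
    restore points (rp, seq, ext) that hold a copy, and say whether the copies
    are plausibly just snapshots of one of the live files."""
    groups: Dict[str, dict] = defaultdict(lambda: {"live": [], "restore_points": []})
    for path, detection in parse_log(text):
        c = classify(path)
        if c["kind"] == "live":
            groups[detection]["live"].append(path)
        else:
            groups[detection]["restore_points"].append((c["rp"], c["seq"], c["ext"]))
    for g in groups.values():
        g["restore_points"].sort()
        # Same detection name, same extension as some live file, and at least one
        # SVI copy: the usual signature of restore-point copies of one file.  It is
        # a heuristic; the copies could still be a different file with the same name.
        live_exts = {p.rsplit(".", 1)[-1].lower() for p in g["live"]}
        g["likely_copies_of_live_file"] = bool(g["live"] and g["restore_points"]) and all(
            ext in live_exts for _, _, ext in g["restore_points"]
        )
    return dict(groups)


if __name__ == "__main__":
    for name, g in summarize(SAMPLE_LOG).items():
        print(name)
        print("  live:", g["live"])
        print("  restore points:", g["restore_points"])
        print("  likely copies of a live file:", g["likely_copies_of_live_file"])
```

For the thread's case the summary puts setsupport.exe and both A00*.exe copies under one detection name with the "likely copies" flag set, which supports treating the RP1 and RP9 hits as the same false positive rather than two more infections. Note the script only reads the scan report; the SVI folder itself is off limits to ordinary tools, so the clean-up remains the one quietman7 describes (create a fresh restore point, then let Disk Cleanup drop the older ones).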

#11 cathyn

cathyn
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 10 September 2009 - 04:10 PM

I found a couple of restore points picking up also; they seemed, though, to relate to the same false positive name as the setsupport.exe. I gathered there was a reference to that in them and that's why it did it, possibly? AVG's definition this morning fixed up the false positive (it's now back in the dir and no warnings popping up everywhere, yay).

Will do a scan later on and see if they (the restore points) pick up (moved them back to their normal dirs from the vault when I moved back setsupport this morning).

#12 lol-o

lol-o

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:58 PM

Posted 11 September 2009 - 01:35 AM

Huh...

I started my computer this morning (with the "infected" files put in the quarantine zone yesterday) and... was confronted with a slow start and difficulties loading all the background programs (like sound and network detection); the icons near the clock did not all appear, and not as quickly as before...

So I restored the 3 files to their original location, restarted the computer again, and this time all was fine at startup...

I guess I'll write to Avast!, send them the file zipped and tell them to update their definitions to include this "false positive"...

Edited by lol-o, 11 September 2009 - 04:22 AM.


#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,605 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:58 PM

Posted 11 September 2009 - 06:51 AM

:thumbsup:

#14 lol-o

lol-o

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:58 PM

Posted 12 September 2009 - 05:08 AM

Me again ^^

It's strange: I tried to zip this "setsupport.exe" file but an error occurred: "access denied".

I'm currently using the freeware "7zip" to do that, but the same problem occurs with the compression utility included with Windows.

How can I zip this file and send it to avast?

#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,605 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:58 PM

Posted 12 September 2009 - 09:42 AM

Copy setsupport.exe to a temp folder or your desktop and try zipping it from there.