UpdImports.exe, I get a virus alert TR/Hijacker.Gen

Discussion in 'Windows 8' started by nexus76, Apr 29, 2011.

  1. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    788
    300
    30
    #1 nexus76, Apr 29, 2011
    Last edited: Apr 29, 2011
    using

    6.2.7955.0.fbl_srv_wdacxml.110228-1930_x86fre_client-ultimate_en-us.iso
    CRC32: E7D3D3A8
    MD5: 0B4B00CBBA6250F0606CD1486A59ED61
    SHA-1: CD6CB55F28647860B6252186E5C747D7D03A243C

    I get this antivirus alert (trojan horse):

    h ttp://img42.imageshack.us/img42/8562/alarmt.jpg

    the file is stored twice: in BIN/IDW + BuildBinaries/BIN/idw

    VirusTotal shows the same result; maybe it's a fake alert, I don't know, but I very rarely get fake alerts with Avira.

    details on virustotal:

    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x20E9
    timedatestamp....: 0x4D68B8CC (Sat Feb 26 08:24:44 2011)
    machinetype......: 0x14C (Intel I386)

    [[ 3 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x1A54, 0x1C00, 6.01, 00aa0af074d73deff3195903b853f481
    .data, 0x3000, 0x378, 0x200, 0.3, f469ad5b2093f991d68e4d904c938cb7
    .reloc, 0x4000, 0x206, 0x400, 3.02, 6b1ff886770480386483a73327d2513b

    [[ 2 import(s) ]]
    kernel32.dll: OpenProcess, WriteProcessMemory, VirtualAllocEx, VirtualProtectEx, SetLastError, GetLastError, ReadProcessMemory, VirtualQueryEx, TerminateProcess, Sleep, InterlockedExchange, InterlockedCompareExchange, SetUnhandledExceptionFilter, GetModuleHandleA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, UnhandledExceptionFilter, GetCurrentProcess
    msvcrt.dll: _except_handler4_common, _controlfp, _terminate@@YAXXZ, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, atoi, __3@YAXPAX@Z, __2@YAPAXI@Z, memset

    http ://w ww.virustotal.com/file-scan/report.html?id=d9e7bb40452537ed499fdf0f6dc6bff34d57b13a746e5b173acd483b3e4c1b2d-1303827399
     
  2. OvaryActing

    OvaryActing MDL Senior Member

    Jan 4, 2011
    280
    151
    10
    #2 OvaryActing, Apr 29, 2011
    Last edited: Apr 29, 2011
    is that the torko iso, or the BA/MSFT/iND iso?

    -edit: ok, now that you provided checksums, that would be torko's image.
    Could you post a link to the VirusTotal scan?
    BTW, you are not the first person to claim there was nasty stuff in the torko image. A few days ago someone posted on Facebook a Malwarebytes scan that showed like 4-6 "flags" pointing out registry entries.
     
  3. nexus76

    nexus76 MDL Addicted

    Jan 25, 2009
    788
    300
    30
    #3 nexus76, Apr 29, 2011
    Last edited: Apr 29, 2011
    (OP)
    It's within the build from winboard, this structure:

    01.03.2011 11:11 <DIR> $RECYCLE.BIN
    01.03.2011 10:36 24 autoexec.bat
    01.03.2011 11:51 <DIR> Bin
    01.03.2011 11:53 <DIR> BuildBinaries
    01.03.2011 10:36 10 config.sys
    01.03.2011 11:51 <DIR> Debuggers
    01.03.2011 11:04 <VERBINDUNG> Documents and Settings [D:\Users]
    01.03.2011 10:38 <DIR> PerfLogs
    01.03.2011 12:24 <DIR> Program Files
    01.03.2011 11:04 <DIR> ProgramData
    01.03.2011 12:06 <DIR> sources
    01.03.2011 11:51 <DIR> SysInt
    29.04.2011 22:09 <DIR> System Volume Information
    01.03.2011 11:04 <DIR> Users
    01.03.2011 12:25 <DIR> Windows
    01.03.2011 11:51 <DIR> XPerf

    found here htt p: //winboards.net/viewtopic.php?t=5595

    crc, sha + md5 ^^

    an untouched image would be great
     
  4. Claysoft65

    Claysoft65 MDL Member

    Sep 4, 2009
    136
    51
    10
    nexus, usually 'TR/Hijacker.Gen' is a false positive, first of all when you get 1/42 even on VirusTotal... Don't you think?
    A heuristic scan, if it's set too high, can be full of false alerts...

    Those folders are full of debugging and developer stuff, so it's still possible that an AV could raise a false alert in one of them, but they are not, be sure...
    (Bin - BuildBinaries - Debuggers) Those folders aren't needed for the O.S. of "normal users" and you can easily delete them if you're really afraid, even if,
    I'll tell you again :p, there are no harmful files in them, if your ISO comes from the torrent posted here at MDL.

    CU
    Clay
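The kernel32 import list quoted in post #1 (OpenProcess, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx...) is exactly the kind of API combination a generic heuristic such as TR/Hijacker.Gen keys on, and post #4 explains why that yields false positives on debugging tools. As an added example that is not from the thread or from any AV vendor, this Python triage script parses the VirusTotal-style PEInfo import lines and reports which injection-style API groups they satisfy, then combines that with the detection ratio; the rule names and the triage logic are my own assumptions, not Avira's signature.

```python
import re

# Constructed copy of the PEInfo import lines from post #1 (msvcrt line shortened).
IMPORT_LINES = """\
kernel32.dll: OpenProcess, WriteProcessMemory, VirtualAllocEx, VirtualProtectEx, SetLastError, GetLastError, ReadProcessMemory, VirtualQueryEx, TerminateProcess, Sleep, InterlockedExchange, InterlockedCompareExchange, SetUnhandledExceptionFilter, GetModuleHandleA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, UnhandledExceptionFilter, GetCurrentProcess
msvcrt.dll: _except_handler4_common, _controlfp, _initterm, exit, atoi, memset
"""

# Assumed heuristic rules (my own, not a vendor's): each fires only when
# every API in the group is imported. A debugger helper legitimately needs
# the first two; the third is what a real injector would usually add.
RULES = {
    "cross-process write": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
    "remote protection change": {"VirtualProtectEx"},
    "remote thread start": {"CreateRemoteThread"},
}

def parse_imports(text):
    """Parse 'dll: A, B, C' lines into {dll_lowercase: set(api_names)}."""
    imports = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+):\s*(.*)$", line)
        if not m:
            continue  # skip headers such as "[[ 2 import(s) ]]"
        dll, apis = m.group(1).lower(), m.group(2)
        imports[dll] = {a.strip() for a in apis.split(",") if a.strip()}
    return imports

def matched_rules(imports):
    """Names of heuristic rules fully satisfied by the imported API set."""
    all_apis = set().union(*imports.values()) if imports else set()
    return [name for name, needed in RULES.items() if needed <= all_apis]

def triage(text, detections, engines):
    """Combine heuristic hits with scanner consensus into a triage verdict."""
    hits = matched_rules(parse_imports(text))
    ratio = detections / engines
    if hits and ratio < 0.1:
        verdict = "injection-style imports but low consensus: verify file origin"
    elif hits:
        verdict = "injection-style imports with broad consensus: treat as malicious"
    else:
        verdict = "no injection-style imports"
    return {"hits": hits, "ratio": round(ratio, 3), "verdict": verdict}

if __name__ == "__main__":
    print(triage(IMPORT_LINES, detections=1, engines=42))
```

The 1/42 figure is the ratio Claysoft65 mentions; a low-consensus hit on a file that sits in a debugger tools folder (IDW) and comes from a source whose checksums match a known-good image is the classic false-positive profile.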