Anyone know if this is a false positive?

Anyone know if this file: ibhfcyte.exe is a virus, or is my AVG anti-virus giving me a false positive? I ask because even though this popped up with AVG, they don't list the thing in their virus encyclopedia/database, and Google has nothing on it either.

AVG says it's a 'Trojan horse downloader.Generic3XEN'. I've got so many automatic downloaders that I just can't tell if this is a legitimate file or a virus.

#2

It gets zero Google hits, so I definitely wouldn't trust it.

Learn by teaching
Take responsibility for learning


#3

Hi Craig

This does sound like a random file name and is probably a bad file.
You may get more info by checking its properties (right click the file and click Properties).

You can test the file at Jotti or VirusTotal.
• Go to VirusTotal or Jotti's, and scan the following file(s):

  ibhfcyte.exe
• Click on the Browse button at the top of the screen.
• Browse to the file.
• Click OK.
• Click Send, and the file will upload to VirusTotal / Jotti, where it will be scanned by several anti-virus programmes.
• After a while, a window will open, with details of what the scans found.
• Note details of any viruses found.

Ken.


#4

Thanks, Doug, Ken.

This thing is quite weird. It's only 9kb, and when I open Windows Explorer and go to Windows, System32 to look at the file, when the file comes into view, the AVG alert goes off. I don't have to click on anything or even mouse over anything. All I have to do is see the file name in Windows Explorer and the alert goes off.

But that's not even the strangest part. I decided to go to microsoft.com and see if they recognized it. I entered the file name into their search and it came up with nothing, but on the new results page of the search, AVG once again went off seeing the name.

Then, going down to the task bar and minimizing Windows Explorer or Internet Explorer and then maximizing either one again with that same name showing, AVG would go off again.

Quite odd.

Oh, and I went to both of those sites, Ken, and both gave the same results: the file wouldn't upload, so they couldn't analyze it.

And when the AVG alert comes up, it gives me 4 options: ignore, info, heal or move to vault. When I click on info, it takes me to AVG's encyclopedia. They have no knowledge of the file/virus.

When I try to open it in Notepad, I'm denied because it's a 'system file'.

Never seen a file act quite like this.
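The submit-to-VirusTotal/Jotti step in #3 depends on getting the bytes off the machine, and #4 reports that the upload fails. A first look that needs no upload is to hash the file and check whether it is structurally an executable at all: VirusTotal can be searched by hash, so a file that has been seen before is identified from its SHA-256 without ever leaving the box. The script below is an added example written for this thread; it is not code from any poster, AVG, VirusTotal or Jotti. The `build_fake_pe` bytes are constructed here as a stand-in and are not the real ibhfcyte.exe.

```python
"""Offline first-look triage of a suspicious executable.

Added example for this thread (not from the original posts). It hashes a file
and checks for the DOS "MZ" magic and the "PE" signature the DOS header points
at, without executing anything. Sample bytes are constructed, not the real file.
"""
import hashlib
import struct
from dataclasses import dataclass


@dataclass
class TriageReport:
    size: int
    md5: str
    sha1: str
    sha256: str
    has_mz: bool       # first two bytes are the DOS header magic "MZ"
    has_pe: bool       # a "PE\0\0" signature sits where e_lfanew points
    e_lfanew: int      # PE header offset read from the DOS header, -1 if unreadable


def triage_bytes(data: bytes) -> TriageReport:
    """Hash the bytes and do a minimal PE sanity check; nothing is run."""
    has_mz = data[:2] == b"MZ"
    e_lfanew = -1
    has_pe = False
    # The DOS header is 0x40 bytes; e_lfanew is the little-endian DWORD at 0x3C.
    if has_mz and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        # Guard the slice: a corrupt or truncated file may point past its own end.
        if e_lfanew + 4 <= len(data):
            has_pe = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return TriageReport(
        size=len(data),
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
        has_mz=has_mz,
        has_pe=has_pe,
        e_lfanew=e_lfanew,
    )


def triage_file(path: str) -> TriageReport:
    """Read the file read-only and hand it to triage_bytes; never execute it."""
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


def build_fake_pe() -> bytes:
    """Constructed stand-in for a tiny .exe: DOS stub pointing at a bare PE signature."""
    dos_header = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40 bytes total
    struct.pack_into("<I", dos_header, 0x3C, 0x40)      # e_lfanew -> right after the DOS header
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20   # PE signature + 20-byte file header


if __name__ == "__main__":
    import sys
    # Usage: python triage.py C:\path\to\file.exe  (no argument: runs on the constructed sample)
    report = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage_bytes(build_fake_pe())
    for field, value in vars(report).items():
        print(f"{field:9} {value}")
```

A file that claims to be an .exe but has no MZ/PE structure is worth a closer look in its own right; a file with a well-formed header and a SHA-256 that VirusTotal already knows is the cheapest answer to the thread's question, and neither check touches the file's contents beyond reading them.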


#5

If this is only 9kb I would drop it into a Notepad or TextPad to see what is hidden inside. Could you send it to me? I'll try to play with it.


#6

> When I try to open it in Notepad, I'm denied because it's a 'system file'.

Sorry, chillin, tried that.


#7

Two things. First, do a system search for the file name and try to find out what folder it is hiding itself in; that could give you an idea of what program it is attached to.

Second thing: go to your "Run" command under the Start menu, type "msconfig" without quotes, and click the Startup tab. Look through the list and try to spot that file; it will typically tell you what program is running that exe file.

Basically, it IS a program that is running on your computer. My guess is some plugin that you recently installed.


#8

photo678, it's in the system32 folder.

Well, there's lots of programs in system32 that don't get run until you call something else up. The file is not in my startup list, at least not in the stuff that msconfig can see. The file has been there since January of this year, apparently.

I don't ever recall seeing that name come up in Zone Alarm asking for permissions, and I don't recall WinPatrol ever asking about it either. It doesn't seem to be an active program. It's not denying me access because of 'file in use'. It's just denying me access because it's a 'system file', or so it says. But Microsoft has no knowledge of it, and Google has no knowledge of it, and AVG has no knowledge of it, even though the AVG alerter is calling it a 'trojan horse downloader.generic3xen'. So I don't know where it came from, or if it's doing anything, or whether it's associated with some other program. It may well be a legit file associated with something I installed back in January of this year, but I can't tell.

I suppose I could isolate it to the AVG virus vault and see if anything then fails to run. But I hate doing things like that blindly, with no knowledge of whether this is legit or not.


#9

Hi Craig.

That is often the effect of files in use and malware files that protect themselves.
Try copying the files to some other place and submit them from there. If that does not work, try the following:
1. Go to Start > My Computer. Click the C drive. On the right side of the window please find Make a new folder and click it. Call it Cleanup.
2. Now download IceSword from http://www.majorgeeks.com/Icesword_d5199.html to a place where you can find it.
3. Extract it to a place where you can find it.
4. Once you have extracted it, click on Icesword.exe to start the program.
   Next find the tab Files on the right side. Click it and it will open up an interface that looks like Windows Explorer.
5. Navigate your way to >ibhfcyte.exe<
6. Right click it and select "copy to". Send it to C:\Cleanup
7. Next please submit C:\cleanup\bad File to be scanned by Jotti and/or by VirusTotal.

Ken.


#10

Run a HJT scan and post the log back here, Craig; there may be other items on your log that will give us a clue as to what your problem file is connected with.

Glad to see you've been reading Elrond's posts, Ken.


#11

It won't do it, Ken. I got IceSword, followed everything exactly as you said, but it won't enter the file name or save in the Copy To window. Enclosed is a screenshot of where I got to. Everything worked fine up to being able to save to 'Cleanup'.


#12

In fact, I can't copy anything with this. Nothing will enter into where the file name should go. This is version 1.20. Maybe bugged or blocked? And yes, I can do normal copies in Windows Explorer. Just tried it.


#13

This must be a newer/older version. The 'Files' tab is on the lower left, not the right.

And what is this 'cooperator' thing that came with IceSword?


#14

Here's the HJT logfile, Gary:

Logfile of HijackThis v1.99.1
Scan saved at 12:11:12 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo XI\Corel Paint Shop Pro Photo.exe
D:\Applications-Utilities\HijackThis-1-9 free\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.retouchpro.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.filterforge.com
O15 - Trusted Zone: http://www.retouchpro.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1171850158937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1172812827828
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
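Reading a HijackThis log by eye is how the thread does it; the same check can be done mechanically, which also answers #7's and #8's question (is the file in any autostart entry msconfig would miss?) for every entry type the log carries rather than just the Startup tab. The parser below is an added example written for this thread, not HijackThis code and not from any poster. Its sample log reuses a few lines from the log above plus one constructed `O4` line that references ibhfcyte.exe so the search has something to find; that line is made up for the demonstration and does not appear in Craig's actual log.

```python
"""Parse a HijackThis log and search it for a file name.

Added example for this thread (not HijackThis code). SAMPLE_LOG mixes lines
from the posted log with one constructed O4 entry for ibhfcyte.exe.
"""
import re
from typing import List, Tuple

Entry = Tuple[str, str]   # (section code such as "O4", remainder of the line)

# HJT entry lines start with a code: R0/R1 (IE URLs), O2 (BHOs), O4 (autostart),
# O9 (IE buttons), O15 (trusted zones), O20 (Winlogon notify), O23 (services) ...
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:11:12 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.retouchpro.com/
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [example] C:\WINDOWS\system32\ibhfcyte.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://www.filterforge.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
# The "[example]" O4 line above is constructed for this demonstration only.


def parse_hjt(text: str) -> Tuple[List[str], List[Entry]]:
    """Split a log into the running-process paths and the coded entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # first coded entry ends the process list
            entries.append((m.group("code"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def find_file(processes: List[str], entries: List[Entry], name: str) -> List[Entry]:
    """Every process path or entry that mentions `name`, case-insensitively."""
    needle = name.lower()
    hits = [("process", p) for p in processes if needle in p.lower()]
    hits += [(code, body) for code, body in entries if needle in body.lower()]
    return hits


def review_points(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Entry kinds worth a manual look; a flag here is a prompt, not a verdict."""
    points = []
    for code, body in entries:
        if "(file missing)" in body:
            points.append(("orphaned-reference", code, body))
        if code == "O15":
            points.append(("trusted-zone", code, body))
        if code == "O20":
            points.append(("winlogon-notify", code, body))
    return points


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for code, body in find_file(procs, ents, "ibhfcyte.exe"):
        print(f"{code:8} {body}")
    for kind, code, body in review_points(ents):
        print(f"{kind:20} {code:4} {body}")
```

Run against the real log above, `find_file` returns nothing for ibhfcyte.exe, which is the mechanical form of "HJT log's clean": the file is neither a running process nor referenced by any R/O entry HijackThis records. The `review_points` flags (an orphaned `xpnetdiag.exe` reference, two trusted-zone sites, the WgaLogon notify DLL) are normal on this log, which is why they are reported for review rather than scored.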


#15

HJT log's clean, Craig.

However, HJT isn't the be-all and end-all of diagnostics, and there's a whole bunch of things it doesn't show, so let's look a little further.

First, clear your temp files out so we have less to scan.
• Click Start > Run and type cleanmgr, then click OK.
• This will bring up the Disk Cleanup window.
• Check the following entries:
  • Temporary Internet Files.
  • Recycle Bin.
  • Temporary Files.
• Click OK.
• When a prompt pops up, click Yes.

Next

Please do an online scan with Kaspersky Online Scanner.

Note: You must be using Internet Explorer as your browser, as it will be necessary to install an ActiveX component on your computer.

Important: If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings.
• In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
    • Extended (if available, otherwise Standard)
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK.
• Now under "select a target to scan" select My Computer.
• The scan will take a while, so be patient and let it run. Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button.
• Save the file to your desktop.
• Copy and paste that information in your next post.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there, you just can't see them! Click on the zoom button (bottom right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the licence has been accepted.

Might as well check for "hidden" stuff as well.

Download GMER and unzip it to your Desktop. (It will create a folder GMER.)

Alternate Download Site
• Disconnect from the Internet, and close all running programmes.
• There is a small chance this programme may crash your computer, so save any work you have open.
• Open the GMER folder, and double click gmer.exe.
• Let the gmer.sys driver load if asked.
• If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan, click OK.
• If no warning:
  • Click the Rootkit tab.
  • Ensure that all the boxes to the right of the program are checked except Show All.
  • Click Scan.
• Once the scan is finished, click Copy.
  • Click Start > Run, then type Notepad.exe, then click OK.
  • This will open a Notepad file.
  • Hit Ctrl+V to paste the log into it.
  • Save the log to your Desktop.
• Reconnect to the internet and post the log please.

Don't try and clear anything it says is a rootkit; a lot of firewall and anti-virus programmes use techniques similar to rootkits to operate, and the entries found may be related to them.

Post each log separately, as they can be quite long sometimes and the post size limiter might cut them off.

PS. Tried the IceSword technique myself, didn't work for me either. This was posted at MRU by one of the teachers there, which is why Ken posted it. I'll have to have a word with him about it.

Gary Richardson
Last edited by Gary Richardson; 06-28-2007, 02:48 AM.
