
C:\windows\installer\4A824.msi - Is This A False Positive?



Hello,

 

Yesterday I ran ESET NOD32 and was notified that my computer was infected with 3 files similar to C:\Windows\Installer\4a824.msi. I was very concerned that my computer was infected, so I did a clean Windows 7 install. Now when I run ESET NOD32 I get 1 threat notification for C:\Windows\Installer\4a824.msi. I can't imagine my computer is infected as I just did a clean Windows 7 install. Windows Update downloaded almost 200 updates; is it possible that Windows Update installed infected files on my computer, or is it likely that this is a false positive?

 

I tried to submit the file to ESET but it didn't work. It didn't clean the file, and although it said it was quarantined, it said it was unable to move the file and it still shows up as a threat when I do a scan. Do you think I still have a problem? Thanks in advance.

 

Steve

  • Administrators

Unfortunately, you didn't mention what ESET detected on that file. Was it a virus, potentially unwanted or unsafe application or something else?


Thanks for the quick reply, Marcos.

 

Yes, that would have been helpful, sorry about that. It said: "C:\Windows\Installer\4a824.msi » MSI » Cabs.w1.cab » CAB » WINZIPSSRegClean.exe - probably a variant of Win32/Systweak potentially unwanted application - action selection postponed until scan completion." It wouldn't clean it and even after quarantining it, it said it was unable to move the file. I was reluctant to let it delete the file as, after researching online, this may be a necessary file for Windows to operate correctly (if this is a false positive).

 

So, I did another clean install and this time I didn't download any Windows updates, and NOD32 says my system is clean, so Microsoft is sending me this suspect file as part of its normal Windows update. Is it possible that Microsoft is sending out an infected file/program?

 

Now NOD32 is telling me that my computer is at risk because there are critical Windows updates that need to be installed, but I'm reluctant to let it update as I'm afraid it will infect my computer again. I tried to submit the file to you but even after compressing, it's too big for my email system, and when I right click on the file and use the ESET submission option, it says "file not submitted," again, I suspect, due to the size.

 

Thanks again for any advice.

 

Steve


Hi Tomo,

I used the recovery disks that came with my computer originally, a ProBook from HP, so the software is totally legit. Keep in mind, all was well till I did a Windows update, after which I ran NOD32 and it said I had several threats similar to what I posted above.

I did cautiously install the critical updates for windows and NOD32 is still happy. I'm doing the important updates one at a time, then running NOD32. This will obviously take a bit of time, but hopefully I can identify the update that is causing the problems. Thanks for the reply.

Steve

Hi Desmoface,

Is Windows installation media, uhm, let's say it this way - "borrowed for education purposes"? ;)

Best regards

Tomo


I have a feeling that the PUA scanning has gotten somewhat more aggressive in the past few days. I just sent the following to ESET:

 

Attached is the file WINZIPSSREGCLEAN.EXE, which is installed as part of WinZip 18.5 Pro.
 
This file has been on my system since at least May 2, 2014 (and earlier versions of this file prior to that) and ESET has never detected the file as a threat until the past few days (a few samples of the detection logs are below).
 
At first, I told NOD32 to take no action, but the detection reoccurred last evening. So, last evening, as an experiment, I had the file quarantined, and then restored the file. I tried submitting to VirusTotal, but ESET prevented that action. This morning, I restored the file and told ESET to ignore the file going forward, and did submit to VirusTotal (https://www.virustotal.com/en/file/02eca452990031039cf949c2856fe0335482c0f4eb6b6a5aebadc69db0022976/analysis/1409495907/).
 
Only ESET flagged the file as a potential threat.
 
Of course, that does not mean it is not a threat … but given that it appears a recent module update is a likely culprit, I do suspect a false positive. When scanning the rest of the “Utils\WzSysScan” folder, ESET did not flag any other files.
 
Please advise as soon as possible as to whether you believe this file is an actual threat.
 
Just FYI … I have never actually run this application. It comes as part of WinZip, but I do not use WinZip’s system cleaning/tuning tools.
 
I have also submitted this file twice via the NOD32 interface.
 
(As a side note … ESET has on occasion detected the WinZip-64 MSI executable/install file as a PUP when downloading from WinZip’s site in the past – see example below, but did not flag this specific file during or after the actual install process.)
 
Thank you for your attention to this matter.
 
 
As of 8/31/2014 11:12 a.m. Eastern (U.S.) time:
 
Virus signature database: 10343 (20140831)
Rapid Response module: 4663 (20140831)
Update module: 1051 (20140409)
Antivirus and antispyware scanner module: 1435 (20140820)
Advanced heuristics module: 1152 (20140724)
Archive support module: 1208 (20140728)
Cleaner module: 1099 (20140811)
Anti-Stealth support module: 1060 (20140514)
ESET SysInspector module: 1241 (20140410)
Real-time file system protection module: 1006 (20110921)
Translation support module: 1232 (20140624)
HIPS support module: 1144 (20140825)
Internet protection module: 1140 (20140806)
Database module: 1060 (20140714)
 
***
 
 
08/27/2014 6:29:15 PM  Real-time file system protection, first detection. I can only assume this occurred during a regular auto background scan after an ESET auto definition/module update, as I have never actually run the program and no WinZip utilities are set to run automatically.
File
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSRegClean.exe
probably a variant of Win32/Systweak potentially unwanted application
Event occurred during an attempt to run the file by the application: C:\Windows\System32\rundll32.exe.
 
There were 8 subsequent detections noted in the NOD32 log through August 29. My system was turned off from late evening August 29 through early evening August 30. The next detection that was not triggered by my actions (below) was just after midnight today (August 31).
 
08/27/2014 6:34:42 PM example of an attempt to download WinZip from WinZip website
Document protection
File
hxxp://download.winzip.com/winzip185-64.msi probably a variant of Win32/Systweak potentially unwanted application          
 
 
08/31/2014 12:51:10 AM
Real-time file system protection when trying to upload to VirusTotal
File
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSREGCLEAN.EXE
probably a variant of Win32/Systweak potentially unwanted application
cleaned by deleting (after the next restart) – quarantined
Event occurred during an attempt to access the file by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
08/31/2014 12:49:17 AM
Real-time file system protection when trying to upload to VirusTotal
File
C:\Program Files\WinZip\Utils\WzSysScan\WINZIPSSREGCLEAN.EXE
probably a variant of Win32/Systweak potentially unwanted application
Event occurred during an attempt to run the file by the application: C:\Windows\explorer.exe.
 
ESET responded saying that the file in question is in fact a PUA, and it is not a false detection. BUT, given that I have had WinZip, including this file in question, and ESET on my system for a significant amount of time (years, in fact) -- and the only thing that changed in this regard is ESET signature/module updates, it seems likely that something in ESET's detection sensitivity/blacklist has changed recently. I wonder if something similar is happening at your end? It is doubtful that a Windows Update would contain a PUA!

Hi Howard,

I suspect, like you, that this file has been on my computer for quite some time - I clicked on properties for the file and it said it was last accessed about a year ago. Do you think it's possible that Microsoft is sending me an infected file as part of a windows update?

I reinstalled the critical updates and so far no threat has been detected. I'm doing important updates one at a time and then running NOD32 to ID the suspect update. Thanks again for the reply.

Steve


Steve,

 

I am not an expert in these areas (although, fairly well versed/experienced). I cannot say for certain, but I find it *highly* unlikely that Microsoft is distributing software via Windows Update (which employs a robust framework in terms of security) that should qualify as a PUA, potentially dangerous application, or outright malware.

 

I would personally feel a bit more comfortable/validated to hear something back from ESET that explains the reason as to why the file in question is now suddenly flagged as a PUA, but I can only assume it is something to do with a subtle change in the detection logic.

 

Be well,

 

Howie


Hi Howard,

I suspect you are right, but I'd also feel a bit better with feedback from ESET.

Funny, my 8 year old mac is still running like a champ, albeit a bit slow, and my year and a half old pc is having problems, LOL.

Thanks again for the info, and good luck with your issues.

Steve

  • Administrators

Windows Update didn't install WinZip on your computer. It's a known fact that WinZip is bundled with potentially unwanted applications (PUA). PUA is an optional detection; if you think that the benefits of using a particular PUA outweigh the potential risks, you can exclude it from detection by unfolding advanced options in the alert window and selecting "Exclude from detection".

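The files under C:\Windows\Installer are Windows Installer's cache of the packages it has installed, so the quickest way to settle whose MSI 4a824.msi is (a Windows update or an application like WinZip) is to look up which registered product points at it. The PowerShell below is an added example, not code from the thread or from ESET; it assumes an elevated session and PowerShell 4 or later (for Get-FileHash), and the default path is just the file named in the thread.

```powershell
# Added example, not from the thread or from ESET: map a cached package under
# C:\Windows\Installer back to the product Windows Installer registered it for,
# then hash it so the value can be compared with a VirusTotal report.
# Assumes an elevated PowerShell session; the default path is the file named in
# the thread and is only an illustrative argument.
param(
    [string]$CachedMsi = 'C:\Windows\Installer\4a824.msi'
)

function Get-InstallerPackageOwner {
    param([Parameter(Mandatory)][string]$Path)

    $leaf = Split-Path -Path $Path -Leaf
    # Every registered product (per-machine ones live under SID S-1-5-18) stores
    # the path of its cached package in the LocalPackage value of InstallProperties.
    $keys = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\InstallProperties' -ErrorAction SilentlyContinue

    foreach ($key in $keys) {
        $local = $key.GetValue('LocalPackage')
        if ($local -and ((Split-Path -Path $local -Leaf) -eq $leaf)) {
            [pscustomobject]@{
                CachedPackage = $local
                DisplayName   = $key.GetValue('DisplayName')
                Publisher     = $key.GetValue('Publisher')
                Version       = $key.GetValue('DisplayVersion')
                InstallDate   = $key.GetValue('InstallDate')   # yyyyMMdd
                InstallSource = $key.GetValue('InstallSource')
            }
        }
    }
}

$owner = Get-InstallerPackageOwner -Path $CachedMsi
if ($owner) {
    $owner | Format-List
} else {
    Write-Warning "No registered product points at $CachedMsi (orphaned cache entry?)"
}

if (Test-Path -Path $CachedMsi) {
    # Compare this SHA-256 with the one in a VirusTotal report URL before
    # treating the two as the same sample.
    Get-FileHash -Path $CachedMsi -Algorithm SHA256 | Format-List Algorithm, Hash
}
```

If DisplayName and Publisher come back as the archiver rather than Microsoft, the detection is against a cached application installer, not a Windows update, which is the distinction the thread turns on.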

I never said that Windows Update installed WinZip, of course that is ludicrous. I installed WinZip from WinZip's website (pro/paid version FWIW).

 

What I did say -- is that I have had both ESET and WinZip on my system for years; and now, for no apparent reason, ESET is suddenly detecting an installed file (and not a newly installed file, mind you -- or a file that has actually been run) as a PUA. Therefore, something did change in a module that is causing ESET to flag a specific file in one of the WinZip directories (see my above note) during normal background scanning operations.

 

What I inferred, based on this thread, is that there may be something going on with ESET that is causing it to be slightly more aggressive than it had been before last week in terms of PUAs -- if indeed ESET is flagging MSI files that are being downloaded with Windows Update.
