A Virus Problem? (long)

[GrtArtiste]

More than 2 years ago, I began working from home. To do this, my employer provided a file on a thumbdrive (companyname_data_entry.exe) which when run, launches Internet Explorer and goes to the company web page. Once there, I would enter my id and password and from there would be forwarded to another web page from which I would launch the required Citrix Presentation Server client which would take me to my workspace. This has all worked flawlessly...until yesterday. Suddenly I got a warning from McAfee antivirus that it had found and removed a trojan (Generic Artemis) from the companyname_data_entry.exe file. Was I really infected? I don't know, but I had copies of the file on my hard drive and another thumbdrive and they all failed to run and prompted the same virus warning. Since my subscription to McAfee was due to run out soon anyway, I uninstalled it and installed Avira Antivir. This went without incident and I ran a full scan with Avira which said that it found and removed many infections. A repeat scan in safe mode showed no other infections. Not only did McAfee fail to stop these, but weekly scans with Superantispyware and Malwarebytes (both updated frequently) failed to turn up anything other than tracking cookies.

When I attempted to run companyname_data_entry.exe again, Avira popped up with a warning that companyname_data_entry.exe was infected with the DR/Delphi.Gen trojan. Avira also will not let companyname_data_entry.exe run, so I can no longer connect to the office and work from home on this computer (a Dell XPS400 running WinXP MCE2002 SP3). I am currently in the process of trying to get the IT folks at work off their butts and get me a replacement thumbdrive with a (hopefully) uninfected copy of the file. This will take a while, as it's not high on their list of things to do. While I wait, any suggestions on how I might possibly salvage this situation and get the file to work? I really don't know exactly what companyname_data_entry.exe is. I can only make a guess that it sets the security settings in IE that the company requires for connection to it's network.

Sorry for the length, but I was trying to provide as much info as possible. Any help is appreciated.

 

[ZZman]

Well it may or may not be an actual infection. It might have a signature similar to one.

If nothing else has changed and you are pretty sure it hasn't got infected somehow you might contact/send the file to Avira for more analysis. You could also shut it off while using the thumb drive.

 

[ZZman]

You can upload the file here to so it can be checked: http://www.virustotal.com/

 

[Volvohead]

ZZman is probably correct. There are a few legitimate programs that display virus-like attributes that will set off a good AV. Citrix may be just such a platform. We have had problems with it in the past.

Before condemning the program to quarantine or deletion, google and research the suspected file(s). If it is determined legitimate, you can add an exception to most AVs that will allow it to continue without further alarms.

No offense whatsoever to the good IT folks here, but there are quite a few corporate in-house types that can be dismissive of user requests, as they have "more important" things to do. They're also very quick to blame "remote" systems for problems. Try to find your own answers as you have.

 

[GrtArtiste]

This was the result after sending the file to virustotal.com

Current status: Loading ... queued waiting scanning finished
Result: 8/40 (20%)


Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.03 Heuristic.LOP
AhnLab-V3 5.0.0.2 2009.07.03 -
AntiVir 7.9.0.204 2009.07.03 DR/Delphi.Gen
Antiy-AVL 2.0.3.1 2009.07.03 -
Authentium 5.1.2.4 2009.07.02 -
Avast 4.8.1335.0 2009.07.02 Win32:Trojan-gen {Other}
AVG 8.5.0.386 2009.07.03 BackDoor.Generic11.SRR
BitDefender 7.2 2009.07.03 Backdoor.Generic.165077
CAT-QuickHeal 10.00 2009.07.03 Trojan.Agent.ATV
ClamAV 0.94.1 2009.07.03 -
Comodo 1538 2009.07.02 -
DrWeb 5.0.0.12182 2009.07.03 -
eSafe 7.0.17.0 2009.07.02 -
eTrust-Vet 31.6.6596 2009.07.03 -
F-Prot 4.4.4.56 2009.07.02 -
F-Secure 8.0.14470.0 2009.07.03 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.03 Backdoor.Generic.165077
Ikarus T3.1.1.64.0 2009.07.03 -
Jiangmin 11.0.706 2009.07.03 -
K7AntiVirus 7.10.782 2009.07.02 -
Kaspersky 7.0.0.125 2009.07.03 -
McAfee 5664 2009.07.02 -
McAfee+Artemis 5664 2009.07.02 -
McAfee-GW-Edition 6.8.5 2009.07.03 Heuristic.LooksLike.Win32.Suspicious.I!86
Microsoft 1.4803 2009.07.03 -
NOD32 4213 2009.07.03 -
Norman 6.01.09 2009.07.03 -
nProtect 2009.1.8.0 2009.07.03 -
Panda 10.0.0.14 2009.07.02 -
Prevx 3.0 2009.07.03 -
Rising 21.36.44.00 2009.07.03 -
Sophos 4.43.0 2009.07.03 -
Sunbelt 3.2.1858.2 2009.07.02 -
Symantec 1.4.4.12 2009.07.03 -
TheHacker 6.3.4.3.360 2009.07.03 -
TrendMicro 8.950.0.1094 2009.07.03 -
VBA32 3.12.10.7 2009.07.03 -
ViRobot 2009.7.3.1818 2009.07.03 -
VirusBuster 4.6.5.0 2009.07.02 -
Additional information
File size: 4649103 bytes
MD5...: 5b62e214f05c438c6041814b4a91c33a
SHA1..: 410b0393fbe64760946927b129e59e2274d37196
SHA256: 6b8eecb4e18c6c61f520099cef35ae39f8ce592c5a39fec6b35861200515b28a
ssdeep: 98304:7uyYNRySmI8fhU1lMVwgKxbm6CKJly3Mk45FsNmfQbn:7uyARHm5YqmgKR
mb6S8Fsz
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1ed5
timedatestamp.....: 0x44224a21 (Thu Mar 23 07:11:29 2006)
machinetype.......: 0x14c (I386)

( 1 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc000 0xb850 4.93 44aef6e456a2d0a42f0ac71d59a40cf6

( 5 imports )
> KERNEL32.dll: ExitProcess, FormatMessageA, GetLastError, SetLastError, VirtualAlloc, CloseHandle, MapViewOfFile, CreateFileMappingA, VirtualFree, GetProcAddress, VirtualProtect, LoadLibraryA, GetModuleHandleA, MultiByteToWideChar, GetModuleFileNameA, GetModuleFileNameW, GetVersionExA, VirtualQuery, SetFilePointer, ReadFile, CreateFileA, UnmapViewOfFile, WideCharToMultiByte, OpenFileMappingA, GetCurrentProcessId
> USER32.dll: MessageBoxA
> KERNEL32.dll: LoadLibraryA
> USER32.dll: MessageBoxA
> ADVAPI32.dll: RegQueryValueA

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set

Does this indicate anything useful?
-

 

[sprintman]

Download a-squared and run Deep Scan. It's the best (ask Pablo)

 

[ZZman]

It appears most see it as safe and a few as possibly an infection. However they all see it differently.

I believe it is probably safe but how it works sets it off.

Do you have Antivir detection set at high or medium?

 

[unDummy]

http://www.theregister.co.uk/2009/07/03/mcafee_false_positive_glitch/

 

[GrtArtiste]

After fighting with the IT dept. for 2 days, I was given a solution which did work. I was told to launch Internet Explorer and connect to the company web site WITHOUT using the thumbdrive file which THEY gave me. I have a suspicious nature, and I expect that they are unwilling or unable to change or correct the file so that it doesn't get flagged as a virus. So I'm back in business...at least until the next time. Thanks to all who replied.

 

[ZZman]

That makes it easier. Glad it has been partially solved.