Virus in Windows 8 Metro install files?

    Question

  • I installed the preview of Windows 8 and I installed Hitman Pro 3.5 and Emsisoft Anti-Malware along with Microsoft Antivirus. I want to know, based on this evidence, has Microsoft installed some kind of bug tracking software? Or are these alerts just false? The three programs were the only things downloaded and installed prior to the scans, and nothing else has been downloaded.

     

    Hitman Pro reports the file (wicainventory.exe) in the installation files of Windows 8 to be a Trojan.

    I did a smart scan (not full) with Emsisoft Anti-Malware and it gave me two alerts. The report is below…

    Emsisoft Anti-Malware - Version 6.0
    Last update: 11/3/2011 10:45:34 PM

    Scan settings:
    Scan type: Smart Scan
    Objects: Rootkits, Memory, Traces, G:\WINDOWS\, G:\Program Files\
    Scan archives: Off
    ADS Scan: On

    Scan start:           11/3/2011 10:45:58 PM

    Key: hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\ntvdm.exe                 detected: Trace.Registry.virusshield2009!E1
    g:\windows\system32\bi.dll       detected: Trace.File.abetterinternet!E1

    Scanned               379482
    Found   2

    Scan end:            11/3/2011 11:17:16 PM
    Scan time:           0:31:18

    Friday, November 04, 2011 2:23 AM

Answers

All replies

  • The following is the log file from Hitman Pro. The first few lines are about cookies, followed by the Trojan, which I highlighted. The rest of the report is about files that may be harmful, but I cut that part off because it is too long to post. Both reports have been uploaded if you want to download them.

    http://www.2shared.com/file/p5_pxyTf/New_Compressed__zipped__Folder.html

     

    <?xml version="1.0"?>
    <Log filesProcessed="56195" timeSpentInSecs="273" date="2011-11-03T23:25:50" version="3.5.9.131" scan="EWS" computer="p0iuvj-PC">
    <Item status="None" score="9.0" type="EWS"><File hash="B69F59779B8077FBCAF3665C46265B2740B93E71EEACDDCDE3F30D69F1055275" path="G:\Program Files\Windows Mail\WinMail.exe"/><Startup><Key path="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\"/></Startup></Item>
    <Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com"/></Item>
    <Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Cookies:bs.serving-sys.com"/></Item>
    <Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net"/></Item>
    <Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Cookies:googleads.g.doubleclick.net"/></Item>
    <Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Cookies:microsoftsto.112.2o7.net"/></Item>
    <Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com"/></Item>
    <Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Cookies:yieldmanager.net"/></Item>
    <Item status="None" score="46.0" type="Suspicious"><File hash="B3170B17986DCD7BCA25245CDEB257C5FCBFF3E03EC15EF412551C7C45B5EDB7" path="G:\Users\Jeff\AppData\Local\Temp\uttA641.tmp"/></Item>
    <Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\4HH33P3W.txt"/></Item>
    <Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\95CP6DJ1.txt"/></Item>
    <Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Cookies\PVM56840.txt"/></Item>
    <Item status="None" score="102.0" type="Malware" malwareName="Trojan"><Scanners><Scanner name="Trojan.MulDrop3.10451" id="DrWeb"/></Scanners><File hash="0ADA4C76597DE8940F967D7ABA71CC93312E9D8DDF9AB93AE332F34454129336" path="G:\Users\Jeff\Desktop\wicainventory.exe"/></Item>
    <Item status="None" score="9.0" type="EWS"><File hash="44C85EF620457733992D5335093B49B3DAEBA815B48C4AA266F510C225ADEBA0" path="G:\WINDOWS\System32\aelupsvc.dll"/><Startup><Key path="HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc\"/></Startup></Item>
    <Item status="None" score="7.0" type="EWS"><File hash="1DDAC0617E34DDE02208A0735E048FD80A52443105DF6266D7E3BD9575974CDB" path="G:\WINDOWS\System32\appidsvc.dll"/><Startup><Key path="HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc\"/></Startup></Item>
    <Item status="None" score="9.0" type="EWS"><File hash="F8605FF05C845DB15268FDA49A7D62F159DCA686BC6FA1DED3BD2092A8995D86" path="G:\WINDOWS\System32\appinfo.dll"/><Startup><Key path="HKLM\SYSTEM\CurrentControlSet\Services\Appinfo\"/></Startup></Item>
    <Item status="None" score="-93.0" type="EWS"><File hash="D609436B1E2DB7975ED7DA48985EA26FABBF97365F67054E3B5A2F4960A5956E" path="G:\WINDOWS\System32\appmgmts.dll"/><Startup><Key path="HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\"/></Startup></Item>
    <Item status="None" score="11.0" type="EWS"><File hash="A58CE1650E0ABF5C50E359FAE08BF9AFF6AE952526A38DDF7AEED56A37D47C90" path="G:\WINDOWS\System32\AudioEndpointBuilder.dll"/><Startup><Key path="HKLM\SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder\"/>

    Friday, November 04, 2011 2:45 AM
  • Did a quick scan with Malwarebytes' Anti-Malware (updated fully) and it found one infection. Results posted below.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8081

    Windows 6.2.8102
    Internet Explorer 9.10.8102.0

    11/4/2011 12:23:20 AM
    mbam-log-2011-11-04 (00-23-15).txt

    Scan type: Quick scan
    Objects scanned: 171266
    Time elapsed: 3 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NTVDM.exe (Security.Hijack) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Friday, November 04, 2011 3:25 AM
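Both the Emsisoft scan in the question and the Malwarebytes scan above flag the same registry key, Image File Execution Options\ntvdm.exe. The usual reason a scanner flags an IFEO subkey is a Debugger value: when that value is set, Windows starts the program it names instead of the image whenever the image is launched, which developers use deliberately and which is otherwise a persistence and hijack technique. Before deleting the key, it is worth seeing what it actually contains. The script below is an added example, not code from the thread or from either scanner: it parses a `reg export` of the IFEO key and lists every subkey that sets a Debugger value. The registry text it runs on is constructed (every path and value in it is invented), and the `load_reg_export` helper assumes the UTF-16 encoding that `reg export` writes by default.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed stand-in for what
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
# writes. Every entry is invented: one Debugger value you would expect (WinDbg, set by a
# developer), one under ntvdm.exe pointing somewhere unexpected, and a key that sets no Debugger.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe]
"Debugger"="C:\\Users\\Public\\example-redirect.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows (x64)\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"GlobalFlag"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """{key path: {value name: raw value}} for the named-value lines reg export writes
    (string and dword forms; the @= default value and hex(...) continuations are ignored)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def unescape_reg_string(raw: str) -> str:
    # .reg string literals are double-quoted and escape backslash and quote with a backslash.
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])  # \\ -> \  and  \" -> "
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def find_ifeo_debuggers(text: str) -> List[Tuple[str, str]]:
    """(image name, debugger command) for every IFEO subkey that sets a Debugger value.
    Windows runs that command in place of the image whenever the image is launched."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if "\\image file execution options\\" not in key.lower():
            continue  # the IFEO root itself, or some unrelated key in the export
        image = key.rsplit("\\", 1)[1]
        for name, raw in values.items():
            if name.lower() == "debugger":
                hits.append((image, unescape_reg_string(raw)))
    return hits


def load_reg_export(path: str) -> str:
    """reg export writes UTF-16 with a BOM; the 'utf-16' codec strips the BOM."""
    return Path(path).read_text(encoding="utf-16")


if __name__ == "__main__":
    for image, command in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        print(f"{image:<14} -> {command}")
```

Run it against a real export with `find_ifeo_debuggers(load_reg_export("ifeo.reg"))`. A Debugger entry you recognise (a debugger you installed yourself) is a false positive; one you do not recognise is what the scanners are warning about, and the subkey should be exported for the record and then removed.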
  • If you download the Windows 8 Developer Preview from the official Microsoft website, then it is safe and secure and there is no malware or backdoor inside it. But if you download it from another website or P2P sharing, then Microsoft is not responsible for its content. Some websites might download Windows 8, put a virus in it and publish it.

    If you installed it from the Microsoft website, it is free of viruses and this is a false positive; since this is a pre-beta version, those anti-virus programs are not compatible with this release and might show false positives.

    Friday, November 04, 2011 10:59 AM
  • I downloaded the 32-bit version from http://msdn.microsoft.com/en-us/windows/apps/br229516.aspx and from no place else. But what is the chance of me getting a virus for real with Windows 8? And if I remove those reported files, what will happen?
    Friday, November 04, 2011 1:19 PM
  • You can check suspicious files with http://www.virustotal.com/ to see how many antivirus engines consider them viruses. I'm sure it's either a false positive or your system was infected after the installation. If the original ISO from Microsoft had been infected, there would have been many reports by now.
    Saturday, November 05, 2011 6:10 AM
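The Hitman Pro log posted earlier in this thread already contains a hash for every file it scored, and VirusTotal can be searched by hash, so the file itself never has to leave the machine. The script below is an added example, not code from the thread, from Hitman Pro or from VirusTotal: it parses the XML layout Hitman Pro 3.5 writes, separates the cookie "Repair" entries and low-scoring EWS entries from anything labelled Malware, and prints the hash to look up. Assumptions: the 64-hex-digit `hash` attribute is SHA-256 (judged by its length); the sample log is constructed in the posted log's layout and reuses only the wicainventory.exe entry from the post; the VirusTotal URL form is the one its current web interface uses. The sample is deliberately truncated mid-item, as the pasted log is, so the parser also shows how to cope with that.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample in the layout of the Hitman Pro 3.5 log pasted in the thread. The Trojan
# entry reuses that post's hash and path; the other entries are illustrative, and the last
# <Item> is deliberately cut off, because pasted logs (including the one above) often are.
SAMPLE_LOG = r"""<?xml version="1.0"?>
<Log filesProcessed="56195" timeSpentInSecs="273" date="2011-11-03T23:25:50" version="3.5.9.131" scan="EWS" computer="EXAMPLE-PC">
<Item status="Deleted" score="0.0" type="Repair"><File path="G:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net"/></Item>
<Item status="None" score="102.0" type="Malware" malwareName="Trojan"><Scanners><Scanner name="Trojan.MulDrop3.10451" id="DrWeb"/></Scanners><File hash="0ADA4C76597DE8940F967D7ABA71CC93312E9D8DDF9AB93AE332F34454129336" path="G:\Users\Jeff\Desktop\wicainventory.exe"/></Item>
<Item status="None" score="9.0" type="EWS"><File hash="44C85EF620457733992D5335093B49B3DAEBA815B48C4AA266F510C225ADEBA0" path="G:\WINDOWS\System32\aelupsvc.dll"/><Startup><Key path="HKLM\SYSTEM\CurrentControlSet\Services\AeLookupSvc\"/></Startup></Item>
<Item status="None" score="11.0" type="EWS"><File hash="A58CE1650E0ABF5C50E359FAE08BF9AFF6AE952526A38DDF7AEED56A37D47C90" path="G:\WINDOWS\System32\AudioEndpointBuilder.dll"/><Startup><Key path="HKLM\SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder\"/>
"""

ITEM_RE = re.compile(r"<Item\b([^>]*)>(.*?)(?:</Item>|$)", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def _attrs(tag_body: str) -> Dict[str, str]:
    return dict(ATTR_RE.findall(tag_body))


def _record(attrs, file_attrs, scanners, keys) -> Dict:
    return {
        "type": attrs.get("type", ""),
        "status": attrs.get("status", ""),
        "score": float(attrs.get("score") or 0),
        "malware_name": attrs.get("malwareName", ""),
        "scanners": scanners,                 # engine detections listed under <Scanners>
        "hash": file_attrs.get("hash", ""),   # 64 hex digits: SHA-256 by length (assumption)
        "path": file_attrs.get("path", ""),
        "startup_keys": keys,                 # autostart locations that reference the file
    }


def parse_hitman_log(xml_text: str) -> List[Dict]:
    """One dict per <Item>. A well-formed log goes through the XML parser; a truncated
    paste falls back to a regex walk that still recovers every Item that was started."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return _parse_truncated(xml_text)
    out = []
    for item in root.iter("Item"):
        f = item.find("File")
        out.append(_record(item.attrib, f.attrib if f is not None else {},
                           [s.get("name", "") for s in item.iter("Scanner")],
                           [k.get("path", "") for k in item.iter("Key")]))
    return out


def _parse_truncated(xml_text: str) -> List[Dict]:
    out = []
    for m in ITEM_RE.finditer(xml_text):
        body = m.group(2)
        f = re.search(r"<File\b([^>]*)/>", body)
        out.append(_record(_attrs(m.group(1)), _attrs(f.group(1)) if f else {},
                           [_attrs(a).get("name", "") for a in re.findall(r"<Scanner\b([^>]*)/>", body)],
                           [_attrs(a).get("path", "") for a in re.findall(r"<Key\b([^>]*)/>", body)]))
    return out


def triage(records: List[Dict], min_score: float = 50.0) -> List[Tuple[str, str, str]]:
    """(path, hash, label) for anything labelled Malware or scoring >= min_score. Cookie
    'Repair' entries and low-scoring EWS (early warning) entries are the noise this drops."""
    hits = []
    for r in records:
        if r["type"] == "Malware" or r["score"] >= min_score:
            label = r["malware_name"] or r["type"]
            if r["scanners"]:
                label += " (" + ", ".join(r["scanners"]) + ")"
            hits.append((r["path"], r["hash"], label))
    return hits


def virustotal_url(sha256_hex: str) -> str:
    """Hash lookup page (current VirusTotal web UI URL form); nothing is uploaded."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex.lower()


def sha256_of_file(path: str) -> str:
    """Recompute the hash of the file on disk to confirm it is the one the log describes."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for path, digest, label in triage(parse_hitman_log(SAMPLE_LOG)):
        print(f"{label}\n  {path}\n  {digest}\n  {virustotal_url(digest)}")
```

Before acting on a hit, compare `sha256_of_file(path)` with the hash in the log: if they differ, the file changed after the scan and the VirusTotal result for the logged hash no longer describes what is on disk.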
  • The source that you downloaded it from is safe and trusted. In Windows 8 you can use Windows Defender, which acts as anti-virus and anti-spyware; see:

    http://cyberdefend.wordpress.com/2011/10/14/anti-virus-for-windows-8-developer-preview/

    Update it and run a full system scan and see if anything is detected. You could also submit those files to:

    https://www.microsoft.com/security/portal/Submission/Submit.aspx

    to check whether they are viruses or not. There is no virus in the original source that you downloaded Windows 8 from.

    Saturday, November 05, 2011 9:39 AM