Possible False Positive: CpqsetVer.exe
mnovak85


Joined: 30 Mar 2008
Posts: 2
A routine scan of my system found a trojan in this file:

C:\Program Files\HPQ\Default Settings\CpqsetVer.exe Trojan.Agent - 14290 FOUND

I searched the web and can't tell if this is a real trojan or a false positive.

Any ideas?

Thanks

~Matt
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Please scan the suspicious file online first. There is a good free service provided by www.virustotal.com. Virustotal will scan your files with different scanners, so it is easy to judge if the file is a false positive or really a virus.

If you feel that you found a virus that is recognised by ClamWin or a false positive, you can report it using the on-line form at cgi.clamav.net/sendvirus.cgi. Please make sure that you have updated your database to the latest version before using this form.
mnovak85


Joined: 30 Mar 2008
Posts: 2
I scanned the file on virustotal.com and 4 scanners - ClamAV, Ikarus, Panda, and Symantec found it to be tainted.

Symantec came back with Trojan.Caiijing.
Panda says it's "Generic Malware".
Ikarus says it's "Backdoor.Agent.AHJ".

So what is to be determined from this?

Thanks again for your help.
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
My general rule is that if four AVs find something infected, it's a real infection, but you sometimes have to look at the AVs that found it. Some AVs try to improve detection by setting their scanning heuristics/signatures on "high." Symantec does not find many false positives, but the others aren't as careful and can be subject to them. Symantec, Kaspersky, NOD32, and Sophos all do a pretty good job, so if a couple of them are among the scanners finding something, it's probably an infection, and if they all find something, it's usually a certainty! Finally, the longer a virus has been around, the more likely the signature is good.

Regards,
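The post above gives an informal rule for reading a multi-scanner report: count the hits, but weight the engines that rarely produce false positives and discount generic or heuristic names. The following is an added illustration written for this thread, not ClamWin or VirusTotal code; the trusted-engine set and the "generic" name markers are assumptions taken from the post's wording, and the two verdict lists are constructed from the results reported earlier in the thread.

```python
"""Weight multi-scanner verdicts the way the post above describes.

Added example for this thread. TRUSTED_ENGINES and GENERIC_MARKERS are
assumptions drawn from the post's wording, not measured false-positive rates.
"""
from dataclasses import dataclass
from typing import Optional

# Engines the post names as careful about false positives (assumption).
TRUSTED_ENGINES = {"Symantec", "Kaspersky", "NOD32", "Sophos"}

# Substrings that mark a heuristic or generic detection name rather than a
# specific signature (assumption; "Trojan.Agent" is treated as specific).
GENERIC_MARKERS = ("generic", "heur", "suspicious")


@dataclass
class Verdict:
    engine: str
    detection: Optional[str]  # None means the engine reported the file clean


def assess(verdicts):
    """Return a triage label plus the evidence it was based on."""
    hits = [v for v in verdicts if v.detection]
    trusted = [v for v in hits if v.engine in TRUSTED_ENGINES]
    specific = [
        v for v in hits
        if not any(m in v.detection.lower() for m in GENERIC_MARKERS)
    ]
    # Two careful engines agreeing, or a broad consensus that includes at
    # least one careful engine, is treated as a real infection.
    if len(trusted) >= 2 or (len(hits) >= 4 and trusted):
        label = "likely infection"
    # A single hit from a less careful engine is the classic false positive.
    elif len(hits) <= 1 and not trusted:
        label = "possible false positive"
    # Several hits but all generic/heuristic names still warrant suspicion
    # of over-eager heuristics rather than a confirmed signature.
    elif not specific:
        label = "possible false positive (generic hits only)"
    else:
        label = "needs manual review"
    return {
        "label": label,
        "hits": len(hits),
        "trusted_hits": sorted(v.engine for v in trusted),
        "specific_hits": sorted(v.engine for v in specific),
    }


# Constructed from the results mnovak85 reported above (four engines hit).
MNOVAK_VERDICTS = [
    Verdict("ClamAV", "Trojan.Agent-14290"),
    Verdict("Ikarus", "Backdoor.Agent.AHJ"),
    Verdict("Panda", "Generic Malware"),
    Verdict("Symantec", "Trojan.Caiijing"),
    Verdict("Kaspersky", None),
    Verdict("Sophos", None),
]

# Constructed: a report where only ClamAV flags the file.
SINGLE_HIT_VERDICTS = [
    Verdict("ClamAV", "Trojan.Agent-14290"),
    Verdict("Symantec", None),
    Verdict("Kaspersky", None),
]

if __name__ == "__main__":
    for name, report in (("mnovak85", MNOVAK_VERDICTS), ("single hit", SINGLE_HIT_VERDICTS)):
        print(name, assess(report))
```

Applied to the results reported in this thread, the four-engine report including Symantec comes out as "likely infection", while a report where only ClamAV fires comes out as "possible false positive"; a lone hit from a trusted engine falls into "needs manual review", which is the case the simple hit count gets wrong.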
digitalinvestigation


Joined: 03 Apr 2008
Posts: 2
I found this "trojan" recently too.

SHA1 of my CpqsetVer.exe is c944fb8410839c10548f439a06e97a607b0e9bdc

Looking at the metadata of this file, the MAC times correspond to a date before this particular laptop had been purchased by its user. I thought initially that it was a false positive too, but from the earlier posts I wonder.

Does this mean that Compaq have been distributing a trojan with their new laptops I wonder?

Regards

Chris
GuitarBob


Joined: 09 Jul 2006
Posts: 4388
Location: USA
Was the Compaq recently bought--say around Christmas? I haven't heard anything about Compaq laptops coming with infections, but there have been some cases of digital picture frames coming infected from the stores--Best Buy, etc. This started last Christmas, and it was still in the news a month or so ago. Mainly Chinese online game password stealers, but there were some older viruses/malware also. So, I guess you could have picked something up if you loaded a digital screen on the laptop. I guess an installation date can be spoofed.

Regards,
digitalinvestigation


Joined: 03 Apr 2008
Posts: 2
No, the laptop is over 3 years old. I suppose the MAC times _could_ be forged.

I had the CpqsetVer.exe file scanned at VirusTotal, but it only showed a result for ClamAV and nothing for the other scanners, which is at odds with those given by mnovak85.

I presume the files are different. Can the others post their SHA1 for the file so we can compare notes?

Perhaps the ball might be back in the false +ve end of the court, at least in my case.

Regards

Chris

PS. I tried looking up the SHA1 and MD5 of this file in the NSRL database. It matched no known files. But then again, it need not necessarily be listed in the NSRL anyway.

PPS. I found this post which may be of interest http://forum.avira.com/thread.php?postid=316509

The file size is the same as mine, but the poster did not include any hash, so I am still not sure if the contents are the same or not!
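The last two posts sketch a triage routine: hash the file, compare the hash with what another poster reports (a matching file size alone proves nothing), look the digests up in a known-file set such as the NSRL, and check whether the MAC times predate the machine's purchase. The script below is an added example written for this thread, not code from ClamWin or NIST. The known-file set is a constructed stand-in for the real NSRL data and only contains the digests of the three-byte sample the script writes to a temporary directory; the SHA1 it compares against is the one Chris posted above.

```python
"""Hash a suspicious file, compare it with a posted hash, look it up in a
known-file set, and report MAC times relative to a purchase date.

Added example for this thread. KNOWN_FILES is constructed (NSRL stores
upper-case hex digests, but this is not the NIST RDS); the sample file is
three constructed bytes, not a real CpqsetVer.exe.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed known-file set: digests of the sample written in demo() below.
KNOWN_FILES = {
    "A9993E364706816ABA3E25717850C26C9CD0D89D",  # SHA-1 of b"abc"
    "900150983CD24FB0D6963F7D28E17F72",          # MD5 of b"abc"
}

# SHA1 that Chris posted in this thread for his copy of CpqsetVer.exe.
THREAD_SHA1 = "c944fb8410839c10548f439a06e97a607b0e9bdc"


def file_digests(path, chunk=1 << 16):
    """Stream the file once and return SHA1, MD5 and size."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha1.update(block)
            md5.update(block)
    return {"sha1": sha1.hexdigest(), "md5": md5.hexdigest(),
            "size": os.path.getsize(path)}


def same_content(digests, other_sha1):
    """Two copies are the same file only if the digests match, not the size."""
    return digests["sha1"].lower() == other_sha1.lower()


def in_known_set(digests, known=KNOWN_FILES):
    """NSRL-style lookup: either digest present in the reference set."""
    return digests["sha1"].upper() in known or digests["md5"].upper() in known


def mac_times(path):
    """Modified/accessed/changed timestamps as aware UTC datetimes.

    st_ctime is the creation time on Windows but the metadata-change time on
    POSIX, so its meaning depends on where the scan runs.
    """
    st = os.stat(path)
    to_dt = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc)
    return {"modified": to_dt(st.st_mtime), "accessed": to_dt(st.st_atime),
            "changed_or_created": to_dt(st.st_ctime)}


def predates_purchase(path, purchase_date):
    """True when the modification time is earlier than the purchase date.

    Timestamps can be set by anyone with write access, so this is a clue to
    investigate, not proof of anything on its own.
    """
    return mac_times(path)["modified"] < purchase_date


def triage(path, purchase_date, other_sha1=THREAD_SHA1):
    d = file_digests(path)
    return {**d,
            "matches_posted_sha1": same_content(d, other_sha1),
            "known_file": in_known_set(d),
            "predates_purchase": predates_purchase(path, purchase_date)}


def demo():
    """Run triage on a constructed sample with a backdated mtime."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "CpqsetVer.exe")  # constructed stand-in
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        old = datetime(1990, 1, 1, tzinfo=timezone.utc).timestamp()
        os.utime(sample, (old, old))  # backdate atime/mtime to 1990
        return triage(sample, datetime(2005, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real copy, `triage("C:/Program Files/HPQ/Default Settings/CpqsetVer.exe", purchase_date)` tells you in one pass whether your copy is byte-identical to the one Chris hashed, whether it appears in whatever reference set you loaded, and whether its timestamps predate the machine; an absent NSRL entry is not evidence either way, as the post notes, and a differing SHA1 means the two posters' VirusTotal results cannot be compared at all.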