Possible False Positive: CpqsetVer.exe
mnovak85 (Joined: 30 Mar 2008, Posts: 0)
Posted: Sun Mar 30, 2008 10:15 pm
A routine scan of my system found a trojan in this file:
C:\Program Files\HPQ\Default Settings\CpqsetVer.exe Trojan.Agent - 14290 FOUND
I searched the web and can't tell if this is a real trojan or a false positive.
Any ideas?
Thanks
~Matt

alch, Site Admin (Joined: 27 Nov 2005, Posts: 0)
Posted: Mon Mar 31, 2008 12:14 am
Please scan the suspicious file online first. There is a good free service provided by www.virustotal.com. Virustotal will scan your files with different scanners, so it is easy to judge if the file is a false positive or really a virus.
If you feel that you found a virus that is recognised by ClamWin or a false positive, you can report it using the on-line form at cgi.clamav.net/sendvirus.cgi. Please make sure that you have updated your database to the latest version before using this form.

mnovak85 (Joined: 30 Mar 2008, Posts: 0)
Posted: Mon Mar 31, 2008 3:45 am
I scanned the file on virustotal.com and 4 scanners - ClamAV, Ikarus, Panda, and Symantec found it to be tainted.
Symantec came back with Trojan.Caiijing.
Panda says it's "Generic Malware".
Ikarus says it's "Backdoor.Agent.AHJ".
So what is to be determined from this?
Thanks again for your help.

GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Mon Mar 31, 2008 1:31 pm
My general rule is that if four AVs find something infected, it's a real infection, but you sometimes have to look at the AVs that found it. Some AVs try to improve detection by setting their scanning heuristics/signatures on "high." Symantec does not find many false positives, but the others aren't as careful and can be subject to them. Symantec, Kaspersky, NOD32, and Sophos all do a pretty good job, so if a couple of them are among the scanners finding something, it's probably an infection, and if they all find something, it's usually a certainty! Finally, the longer a virus has been around, the more likely the signature is good.
Regards,

digitalinvestigation (Joined: 03 Apr 2008, Posts: 0)
Posted: Thu Apr 03, 2008 11:25 am
I found this "trojan" recently too.
SHA1 of my CpqsetVer.exe is c944fb8410839c10548f439a06e97a607b0e9bdc
Looking at the metadata of this file, the MAC times correspond to a date before this particular laptop had been purchased by its user. I thought initially that it was a false positive too, but from the earlier posts I wonder.
Does this mean that Compaq have been distributing a trojan with their new laptops I wonder?
Regards
Chris

GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Thu Apr 03, 2008 12:20 pm
Was the Compaq recently bought--say around Christmas? I haven't heard anything about Compaq laptops coming with infections, but there have been some cases of digital picture frames coming infected from the stores--Best Buy, etc. This started last Christmas, and it was still in the news a month or so ago. Mainly Chinese online game password stealers, but there were some older viruses/malware also. So, I guess you could have picked something up if you loaded a digital screen on the laptop. I guess an installation date can be spoofed.
Regards,

digitalinvestigation (Joined: 03 Apr 2008, Posts: 0)
Posted: Thu Apr 03, 2008 12:45 pm
No, the laptop is over 3 years old. I suppose the MAC times _could_ be forged.
I had the CpqsetVer.exe file scanned at virus total, but it only showed a result for ClamAV and nothing for the other scanners, which is at odds with those given by mnovak85.
I presume the files are different. Can the others post their SHA1 for the file so we can compare notes?
Perhaps the ball might be back in the false +ve end of the court, at least in my case.
Regards
Chris
PS. I tried looking up the SHA1 and MD5 of this file in the NSRL database. It matched no known files. But then again, it need not necessarily be listed in the NSRL anyway.
PPS. I found this post which may be of interest https://forum.avira.com/thread.php?postid=316509
The file size is the same as mine, but the poster did not include any hash, so still not sure if the contents are the same or not!
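The checks the thread settles on (compare file size and SHA1/MD5 between posters, and look at whether the MAC times predate the machine) are easy to script. The following is an added example, not code from the forum or from ClamWin; it hashes a constructed stand-in file, not the real CpqsetVer.exe, and only the SHA1 constant comes from the thread above.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# SHA1 that digitalinvestigation posted for his copy of CpqsetVer.exe
THREAD_SHA1 = "c944fb8410839c10548f439a06e97a607b0e9bdc"


def file_hashes(path, chunk_size=65536):
    """Stream the file once and return its MD5, SHA1 and SHA256 hex digests."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def mac_times(path):
    """Filesystem timestamps as UTC datetimes. These are weak evidence: anyone
    with write access can reset them, as the thread notes, so a date that
    predates the machine is a lead to confirm, not proof of anything."""
    st = os.stat(path)
    as_utc = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return {"modified": as_utc(st.st_mtime), "accessed": as_utc(st.st_atime),
            "changed": as_utc(st.st_ctime)}


def triage(path, known_sha1s, purchase_date_iso):
    """Summarise what the posters compare: size, hashes, whether the SHA1 matches
    one already posted, and whether the modified time predates the purchase date."""
    hashes = file_hashes(path)
    times = mac_times(path)
    purchased = datetime.fromisoformat(purchase_date_iso).replace(tzinfo=timezone.utc)
    return {
        "size": os.path.getsize(path),
        **hashes,
        "matches_posted_sha1": hashes["sha1"] in known_sha1s,
        "modified_before_purchase": times["modified"] < purchased,
    }


def write_constructed_sample(data=b"abc"):
    """Write a constructed stand-in file (not the real CpqsetVer.exe) for the demo."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample()
    for key, value in triage(sample, {THREAD_SHA1}, "2005-01-01").items():
        print(f"{key}: {value}")
```

Two files with the same size but different SHA1 are different files, which is the comparison the thread was missing; a matching SHA1 is what lets posters confirm they are looking at the same sample.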

All times are GMT. ClamWin Free Antivirus forum, powered by phpBB.