[FIXED] - irsetup.exe / PowerDefragmenterGUI.exe Options · View
rajeshontheweb
Posted: Saturday, September 08, 2007 1:43:05 AM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 3/17/2007
Posts: 3,218
Location: Qatar
I have a feeling this has been discussed a while ago, but still it shows up in this week's update.

irsetup.exe is used by PowerDefragmenterGUI (www.excessive-software.eu.tt), a graphical frontend for the great Contig (command-line defragmenting tool from systinternals.com).


rajeshontheweb attached the following image(s):
irsetupcontig.png



Secret of success: Accepting failure, but as the next ladder step towards your goal.

I have opened up a forum for general software issues Visit my forums
Tokar
Posted: Saturday, September 08, 2007 2:56:50 AM

Rank: Administration
Groups: Member

Joined: 7/10/2006
Posts: 2,907
Location: Philadelphia, PA

Please attach the relevant files. Put them in a password protected RAR/ZIP and send the password to me so that I can analyze the file.

Thanks.

rajeshontheweb
Posted: Saturday, September 08, 2007 4:06:15 AM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 3/17/2007
Posts: 3,218
Location: Qatar
The de29.exe shown in the HIPS alert.

(This was in the recycle bin; as soon as I pasted it on the desktop it renamed to klog.exe, which was a keylogger I had downloaded last week to post to ST (ST already had the definitions!).)

File Attachment(s):
de29.zip (453kb) downloaded 14 time(s).




Secret of success: Accepting failure, but as the next ladder step towards your goal.

I have opened up a forum for general software issues Visit my forums
dino
Posted: Saturday, September 08, 2007 4:10:35 AM

Rank: General
Groups: Member, Threat Analyzer

Joined: 2/6/2007
Posts: 2,025
Location: Huntly
rajeshontheweb wrote:
The de29.exe shown in the HIPS alert.

(This was in the recycle bin; as soon as I pasted it on the desktop it renamed to klog.exe, which was a keylogger I had downloaded last week to post to ST (ST already had the definitions!).)


I've tried your samples. But, that is one heck of a malware!!

Website: http://lair360.co.uk
rajeshontheweb
Posted: Saturday, September 08, 2007 4:24:44 AM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 3/17/2007
Posts: 3,218
Location: Qatar
The irsetup file.


Clean at virustotal.com.

File Attachment(s):
IRSETUP.zip (328kb) downloaded 25 time(s).




Secret of success: Accepting failure, but as the next ladder step towards your goal.

I have opened up a forum for general software issues Visit my forums
rajeshontheweb
Posted: Saturday, September 08, 2007 4:31:40 AM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 3/17/2007
Posts: 3,218
Location: Qatar
True, that is a keylogger identified by ST too.

But I don't know why HIPS showed de29.exe?? I have already deleted it. I was thinking it might replicate or start a process automatically, but this copy of irsetup.exe was created by Power Defragmenter GUI?


Secret of success: Accepting failure, but as the next ladder step towards your goal.

I have opened up a forum for general software issues Visit my forums
Mimo
Posted: Monday, September 10, 2007 4:46:37 AM

Rank: Administration
Groups: Administration

Joined: 3/13/2007
Posts: 1,032
Location: Czech Republic
Hi,
irsetup.exe is not detected by ST. To get more info about the other file I need irsetup.dat file, maybe whole application setup to run it.
rajeshontheweb
Posted: Monday, September 10, 2007 6:37:37 AM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 3/17/2007
Posts: 3,218
Location: Qatar
The irsetup.dat file is not to be found on my PC now (I suppose CCleaner trashed it already). I will post it when I get the next alert again? I used Power Defragmenter today again, with no errors?

Secret of success: Accepting failure, but as the next ladder step towards your goal.

I have opened up a forum for general software issues Visit my forums
sleepm
Posted: Monday, September 10, 2007 8:49:02 AM

Rank: General
Groups: Beta, Member

Joined: 3/6/2007
Posts: 3,322
Location: USA (State of Michigan)

I see the file was on your "E" drive.  What is that for on your computer?

Is that a CD drive or usb memory key?



Knowledge gained should be used to help others.
The World can be a bad place. Are you making it better or worse?
Check out the websites I built: www.cedarstreetchurch.org, www.lojope.com and dteu.info
rajeshontheweb
Posted: Monday, September 10, 2007 11:06:18 PM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 3/17/2007
Posts: 3,218
Location: Qatar
That's only another partition on my hard drive, where I keep my downloaded files.

Secret of success: Accepting failure, but as the next ladder step towards your goal.

I have opened up a forum for general software issues Visit my forums
sleepm
Posted: Tuesday, September 11, 2007 7:38:42 AM

Rank: General
Groups: Beta, Member

Joined: 3/6/2007
Posts: 3,322
Location: USA (State of Michigan)
Thanks

Knowledge gained should be used to help others.
The World can be a bad place. Are you making it better or worse?
Check out the websites I built: www.cedarstreetchurch.org, www.lojope.com and dteu.info
Thrill
Posted: Monday, September 17, 2007 3:07:56 PM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 3/3/2007
Posts: 1,489
Location: UK
Is this an FP or not?


http://www.techos.co.uk - Free PC Tech Support

dino
Posted: Tuesday, September 18, 2007 1:54:59 AM

Rank: General
Groups: Member, Threat Analyzer

Joined: 2/6/2007
Posts: 2,025
Location: Huntly
Relemar wrote:
Is this an FP or not?


It's actually.....NO.

Website: http://lair360.co.uk
rajeshontheweb
Posted: Tuesday, September 18, 2007 3:50:12 AM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 3/17/2007
Posts: 3,218
Location: Qatar
Hmmm,

irsetup.exe / PowerDefragmenterGUI.exe, if detected, is a false positive (in my case, irsetup.exe was detected??).

de29.exe is not a false positive, it is malware, but why it was associated with irsetup.exe I won't know.

Probably argus could help. Can you check it out on a VM and see if this malware has any associated irsetup.dat files?

Secret of success: Accepting failure, but as the next ladder step towards your goal.

I have opened up a forum for general software issues Visit my forums
argus tuft
Posted: Tuesday, September 18, 2007 4:43:24 AM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 11/3/2006
Posts: 2,690
Location: Australia
Can you PM me the link to an installer? I'll give it a whirl.

Folding @ Home
rajeshontheweb
Posted: Tuesday, September 18, 2007 11:38:51 PM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 3/17/2007
Posts: 3,218
Location: Qatar
It is the de29.zip posted above, argus, that needs testing for association with irsetup. Gotta find out if it uses irsetup?

Secret of success: Accepting failure, but as the next ladder step towards your goal.

I have opened up a forum for general software issues Visit my forums
argus tuft
Posted: Friday, September 21, 2007 7:30:55 AM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 11/3/2006
Posts: 2,690
Location: Australia
Can you PM me the password to the zip?

Folding @ Home
argus tuft
Posted: Saturday, September 22, 2007 12:10:46 AM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 11/3/2006
Posts: 2,690
Location: Australia
I can't get the irsetup file to run, when I ran it, it complained about the absence of irsetup.dat. When I created a blank file called irsetup.dat, I got a "runtime error" message. Either way, I'm stumped for now...

The other zip is a really dodgy keylogger, I mean how is this meant to be unobtrusive?



the keylogger doesn't drop the file irsetup.dat anywhere...

The warning basically says that contig.exe, whose parent is irsetup.exe, is trying to access de29.exe which is infected.

This leads me to think that JR defrag was simply trying to defragment de29.exe, rather than there being any relationship between the two.

Folding @ Home
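The reading argus tuft gives of the alert (contig.exe, parent irsetup.exe, reading de29.exe) generalises to a triage rule for HIPS "process accessed infected file" events: ask which side of the access the flagged file is on. If the flagged binary is the process or its parent, malware is executing; if it is only the target of a read by a tool that legitimately touches every file on a volume, the alert is about the target, not the tool. The script below is an added example written for this page, not Spyware Terminator's code or output; the key=value alert layout, the sample lines and the whole-volume-reader list are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample alerts (not real Spyware Terminator HIPS output); the
# key=value layout is an assumption made for this example only.
SAMPLE_ALERTS = [
    "process=contig.exe parent=irsetup.exe action=read "
    "target=E:\\downloads\\de29.exe target_flag=infected",
    "process=de29.exe parent=explorer.exe action=create "
    "target=C:\\Users\\user\\klog.exe target_flag=infected",
    "process=irsetup.exe parent=PowerDefragmenterGUI.exe action=create "
    "target=C:\\Temp\\contig.exe target_flag=clean",
    "process=cmd.exe parent=de29.exe action=write "
    "target=C:\\Windows\\System32\\drivers\\etc\\hosts target_flag=clean",
]

# Tools that legitimately open every file on a volume (defragmenters, scanners,
# backup agents). Assumption for the example: build this list for your own estate.
WHOLE_VOLUME_READERS = {"contig.exe", "jkdefrag.exe", "defrag.exe"}

ALERT_RE = re.compile(
    r"process=(?P<process>\S+) parent=(?P<parent>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>.+?) target_flag=(?P<target_flag>\S+)"
)


@dataclass(frozen=True)
class Alert:
    process: str
    parent: str
    action: str
    target: str
    target_flag: str


def parse_alert(line: str) -> Alert:
    """Parse one constructed alert line; raises ValueError on anything else."""
    m = ALERT_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(**m.groupdict())


def triage(alert: Alert, known_bad: frozenset) -> tuple:
    """Return (verdict, severity) for one alert.

    The deciding question is which side of the access the flagged file is on:
    the subject (process or parent) or the object (target).
    """
    proc = alert.process.lower()
    parent = alert.parent.lower()
    target_name = PureWindowsPath(alert.target).name.lower()
    target_bad = alert.target_flag == "infected" or target_name in known_bad

    # 1. A flagged binary is running, or spawned the actor: malware executing.
    if proc in known_bad or parent in known_bad:
        return "malware_executing", "high"
    # 2. A whole-volume tool merely read the flagged file: the alert is about
    #    the target, not the tool. Remove the target; the tool is not the issue.
    if target_bad and alert.action == "read" and proc in WHOLE_VOLUME_READERS:
        return "benign_tool_read_flagged_file", "low"
    # 3. Something created or wrote a flagged file: that process dropped it.
    if target_bad and alert.action in {"create", "write"}:
        return "dropper_suspected", "high"
    # 4. An unexpected process read a flagged file: worth a look, not an infection.
    if target_bad:
        return "unexpected_read_of_flagged_file", "medium"
    return "no_flagged_party", "info"


def triage_lines(lines, known_bad=frozenset({"de29.exe", "klog.exe"})):
    """Triage a batch of alert lines into (process, verdict, severity) tuples."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        verdict, severity = triage(alert, known_bad)
        results.append((alert.process, verdict, severity))
    return results


if __name__ == "__main__":
    for process, verdict, severity in triage_lines(SAMPLE_ALERTS):
        print(f"{process:<12} {severity:<6} {verdict}")
```

Run as-is, the first constructed line (the thread's own scenario) comes out as a low-severity "benign tool read flagged file", while the lines where de29.exe is the process or the parent come out as high-severity executions. The allow-list is the part that needs local judgement: it should only hold tools that are expected to open arbitrary files, and their identity should be checked by path or signature in a real deployment, not by file name alone as this example does.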
rajeshontheweb
Posted: Saturday, September 22, 2007 1:55:53 AM

Rank: General
Groups: Beta, Member, Threat Analyzer

Joined: 3/17/2007
Posts: 3,218
Location: Qatar
Oops.., why did I not think of this???


I did get a similar message with JK Defrag this week, but I understood it was just the defragmenter trying to access the file. But I failed to reckon this could be just a similar case!!

<<EDIT>>

Concluding, this should have been a misinterpretation of a simple RTS alert.

Sorry for the inconvenience, guys.


Secret of success: Accepting failure, but as the next ladder step towards your goal.

I have opened up a forum for general software issues Visit my forums