
SuperAntiSpyware major update.

Discussion in 'General Malware And Security' started by Plastic Nev, Aug 14, 2014.

  1. Plastic Nev

    Plastic Nev SUPER MODERATOR IN MEMORY

    Joined:
    May 2, 2009
    Messages:
    2,801
    Location:
    In front of a monitor in Blackburn Lanc's UK.
    Operating System:
    Windows 7
    SuperAntiSpyware have updated their program with quite a few changes, including a new user interface. For those using it who have not had a notification, check for updates.
     
  2. Kick

    Kick Registered Members

    Joined:
    Aug 5, 2014
    Messages:
    29
    Location:
    Dorset, England, UK
    Operating System:
    Windows 7
    Computer Brand or Motherboard:
    Packard Bell XP / Puppy Linux dual boot - Hewlett Packard Windows 7
    Memory:
    2GB on each
    Graphics Card:
    integrated
    Hi Plastic,

    I use SUPERAntiSpyware and generally like it but it reports a particular set of files in my Windows & desktop PC as a trojan where all the other scans on the VirusTotal website say they're clean.

    The following is a copy of the SUPERAntiSpyware log:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/05/2014 at 07:49 PM

    Application Version : 6.0.1146
    Database Version : 11540

    Scan type : Complete Scan
    Total Scan Time : 00:23:01

    Operating System Information
    Windows 7 Home Premium 32-bit, Service Pack 1 (Build 6.01.7601)
    UAC On - Limited User

    Memory items scanned : 583
    Memory threats detected : 0
    Registry items scanned : 31908
    Registry threats detected : 0
    File items scanned : 31795
    File threats detected : 6

    Trojan.Agent/Gen-Buzus
    C:\PROGRAM FILES\INSTALLER\INSTALLAMD64.EXE
    C:\PROGRAM FILES\INSTALLER\RECOVERYENVIRONMENT\RECOVERY\FILES\APPLYAMD64.EXE
    C:\PROGRAM FILES\INSTALLER\RECOVERYENVIRONMENT\RECOVERY\FILES\CAPTUREAMD64.EXE
    C:\PROGRAM FILES\INSTALLER\RECOVERYENVIRONMENT\RECOVERY\RECOVERYAMD64.EXE
    C:\PROGRAM FILES\INSTALLER\USERFILES\RECOVERYCREATORAMD64.EXE
    C:\PROGRAM FILES\RECOVERYCREATOR\RECOVERYCREATORAMD64.EXE

    ============
    End of Log
    ============

    The previous scan reported the same set of files within the Backup_Repair folder with the same results in the TotalVirus website scan - I set SUPERAntiSpyware to exclude the files from future scans but it picked up the similar set within Program Files this time so I have set the program to exclude them. Apparently, setting the exclusions sends a false positive report to the developers but there has been no comeback from the original scan that was a few weeks ago.

    I note that the reports only relate to the *AMD64.EXE files - as my computer is 32bit, are these files relevant on my system and could this be why SUPERAntiSpyware reports the 'problem'?
     
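    The scan log above has a simple line-oriented layout: "key : value" header lines, then each threat name followed by the full paths it was flagged on. The following is an added example (not code from the thread or from SUPERAntiSpyware) that parses a log in that format, checks the declared "File threats detected" count against the paths actually listed, groups the flagged files by directory, reports the filename tail they all share (here `AMD64.EXE`, the pattern Kick noticed), and hashes any file that is present so the hash can be looked up or submitted as a false-positive report. The sample log embedded in it is the one posted above; the `sha256_of` helper is an assumption about how one would hash the files before reporting them, not part of the product.

```python
"""Triage helper for a SUPERAntiSpyware-style scan log (added example, not project code)."""
import hashlib
import ntpath
import os
import re
from collections import defaultdict

# Constructed sample: the log posted in this thread, reproduced verbatim.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/05/2014 at 07:49 PM

Application Version : 6.0.1146
Database Version : 11540

Scan type : Complete Scan
Total Scan Time : 00:23:01

Operating System Information
Windows 7 Home Premium 32-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned : 583
Memory threats detected : 0
Registry items scanned : 31908
Registry threats detected : 0
File items scanned : 31795
File threats detected : 6

Trojan.Agent/Gen-Buzus
C:\PROGRAM FILES\INSTALLER\INSTALLAMD64.EXE
C:\PROGRAM FILES\INSTALLER\RECOVERYENVIRONMENT\RECOVERY\FILES\APPLYAMD64.EXE
C:\PROGRAM FILES\INSTALLER\RECOVERYENVIRONMENT\RECOVERY\FILES\CAPTUREAMD64.EXE
C:\PROGRAM FILES\INSTALLER\RECOVERYENVIRONMENT\RECOVERY\RECOVERYAMD64.EXE
C:\PROGRAM FILES\INSTALLER\USERFILES\RECOVERYCREATORAMD64.EXE
C:\PROGRAM FILES\RECOVERYCREATOR\RECOVERYCREATORAMD64.EXE

============
End of Log
============
"""

# A Windows absolute path: drive letter, colon, backslash.
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_scan_log(text):
    """Return {'header': {key: value}, 'detections': {threat_name: [paths]}}."""
    header = {}
    detections = defaultdict(list)
    current = None  # most recent non-header, non-path line; becomes the threat name for following paths
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("===") or line == "End of Log":
            continue
        if " : " in line:
            key, value = line.split(" : ", 1)
            header[key.strip()] = value.strip()
        elif PATH_RE.match(line):
            if current is None:
                raise ValueError(f"path listed before any threat name: {line}")
            detections[current].append(line)
        else:
            # Banner, timestamp and OS lines also land here, but they only matter
            # if paths follow them, so they never appear in the result.
            current = line
    return {"header": header, "detections": dict(detections)}


def counts_consistent(report):
    """True when the declared file-threat count matches the paths actually listed."""
    declared = int(report["header"].get("File threats detected", "0"))
    listed = sum(len(paths) for paths in report["detections"].values())
    return declared == listed


def top_level_dirs(paths, depth=3):
    """Group flagged files by their first `depth` path components (drive\\dir\\subdir)."""
    return {"\\".join(p.split("\\")[:depth]) for p in paths}


def shared_filename_tail(paths):
    """Longest suffix common to every flagged filename, e.g. 'AMD64.EXE'."""
    names = [ntpath.basename(p).upper() for p in paths]
    reversed_common = os.path.commonprefix([n[::-1] for n in names])
    return reversed_common[::-1]


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file for a hash lookup or false-positive report; None if unreadable."""
    try:
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                digest.update(block)
        return digest.hexdigest()
    except OSError:
        return None


if __name__ == "__main__":
    report = parse_scan_log(SAMPLE_LOG)
    print("engine", report["header"]["Application Version"], "db", report["header"]["Database Version"])
    print("counts consistent:", counts_consistent(report))
    for name, paths in report["detections"].items():
        print(name, "->", len(paths), "files under", sorted(top_level_dirs(paths)))
        print("  shared filename tail:", shared_filename_tail(paths))
        for p in paths:
            print("  ", p, sha256_of(p) or "(not present on this machine)")
```

    Running it against the posted log shows one signature name covering six files in two directories, all ending in `AMD64.EXE`; on the affected machine the printed hashes are what you would look up or attach to a false-positive report, rather than relying on the filename alone.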
  3. Plastic Nev

    Plastic Nev SUPER MODERATOR IN MEMORY

    Joined:
    May 2, 2009
    Messages:
    2,801
    Location:
    In front of a monitor in Blackburn Lanc's UK.
    Operating System:
    Windows 7
    I will ask one of our security guys to pop in and give an opinion, they may be false positives or they may not, so best to get it checked out.

    Nev.
     
  4. etavares

    etavares Malware Removal Specialist - Moderator

    Joined:
    Aug 6, 2011
    Messages:
    259
    Location:
    USA (GMT -5)
    Do you have the ANATHEROS RECOVERY TOOLS installed? I don't know much about them, but they appear to be the source of those files. The 64 shouldn't have anything to do with the detection.

    -etavares
     
  5. Kick

    Kick Registered Members

    Joined:
    Aug 5, 2014
    Messages:
    29
    Location:
    Dorset, England, UK
    Operating System:
    Windows 7
    Computer Brand or Motherboard:
    Packard Bell XP / Puppy Linux dual boot - Hewlett Packard Windows 7
    Memory:
    2GB on each
    Graphics Card:
    integrated
    Hi Nev and etavares,

    Thanks for your replies.

    My own research suggests that AMD64 is something produced by Symantec and according to PC Pitstop, is required by certain third party software and hardware so should not be disabled.

    Searching my registry shows AMD64 associated with Skydrive and Windows PE. It also appears in C:\Program Files\Windows Kits\8\Assessment Deployment Kit\ Deployment Tools and C:\Program Files\Windows Kits\8\Assessment Deployment Kit\Windows Pre-installment Environment. There is also reference to it in C:\Program Files\Recovery Creator. Overall there were 1407 registry references, the biggest number by far relating to C:\Program Files\Windows Kits\8\Assessment Deployment Kit. The Skydrive references are the only ones specific to my personal user account. I do not use Skydrive but I believe it was part of the package when I installed Windows Live Essentials when I wanted to test Windows Live Mail (I no longer use Live Mail so may uninstall it soon). I don't know if it is important to keep Windows Deployment Tools - I am not interested in installing Windows 8 at all. Also, I don't know if it is necessary to keep Windows PE x86 and Windows PE x86 wims or if I can safely uninstall them. I explored the possibility of creating a Windows PE based restoration disc for Macrium Reflect but in the end decided to stick with the simpler Linux based disc.

    I've had the computer (a Microsoft Registered Refurbisher supplied secondhand HP desktop) for about 10 months - Live Mail has probably been on the system for the last 9 months. In that time I have noticed no problems that might suggest a malware problem and, as I have said, the VirusTotal website, using 51 different malware scanners, finds that of those 51 scanners, the SUPERAntiSpyware scan is the only one to report a problem.

    Etavares, I do not have ANATHEROS RECOVERY TOOLS installed.
     
  6. etavares

    etavares Malware Removal Specialist - Moderator

    Joined:
    Aug 6, 2011
    Messages:
    259
    Location:
    USA (GMT -5)
    It doesn't look like it's related to Symantec based on the paths you provided, unless they used some of the same files for their recovery program. It's likely related to the recovery software you played with. Anatheros Recovery Tools may be using other PE/recovery files that others also use. Your computer is likely clean if you haven't noticed anything and given all the other scans are clean.

    If you want to confirm, I can take a look and ensure your computer is clean.

    -etavares
     
  7. Kick

    Kick Registered Members

    Joined:
    Aug 5, 2014
    Messages:
    29
    Location:
    Dorset, England, UK
    Operating System:
    Windows 7
    Computer Brand or Motherboard:
    Packard Bell XP / Puppy Linux dual boot - Hewlett Packard Windows 7
    Memory:
    2GB on each
    Graphics Card:
    integrated
    @etavares,

    Thanks for your continued interest and offer to check my computer.

    I am fairly sure I don't have a malware infection and think that you are probably right in suggesting that the recovery software is responsible. As I said, the program I use is Macrium Reflect (free version) which I have found very straightforward and reliable on my older XP system. When setting Macrium Reflect up on my Windows 7 system (the system on which SUPERAntiSpyware reports the trojan), I first elected to create the bootable restore disc with the PE option rather than the Linux. Subsequently I decided I preferred the Linux option. It seems downloading all the PE files for the PE bootable restore disc was the likely cause of the AMD64 instances or certainly some of them.

    That the registry check clearly relates AMD64 to Windows PE and Recovery Creator, I can now understand, but I am less sure of why it is also associated with the Windows 8 Assessment Deployment Kit and Skydrive. I don't need Windows Live Essentials which includes Skydrive and I have no intention of 'upgrading' Windows 7 to Windows 8. I don't think I will use Windows PE (and anyway, if I remove it, I could get it again should I change my mind). Bearing these things in mind, my inclination is to uninstall Windows Live Essentials, Windows Deployment Tools and Windows PE (both x86 x64 and x86 x64 wims show in Revo Uninstaller). Normally I uninstall using Revo Uninstaller set in the most severe mode rather than rely on the Windows uninstaller. I would welcome any comments and advice you might have regarding these possible uninstallations before I consider going ahead.

    If I go ahead with the uninstallations, I would reset SUPERAntiSpyware back to its default (i.e. remove my ignore files settings) and scan the system again to see what is reported.

    For the time being, as I am sure there is no actual malware infection, I won't take you up on your kind offer to check my system - I'll see how things progress.

    Thanks, regards, Kick.
     
  8. etavares

    etavares Malware Removal Specialist - Moderator

    Joined:
    Aug 6, 2011
    Messages:
    259
    Location:
    USA (GMT -5)
    Hi Kick,

    I don't have any experience with any of those programs myself, so I'd make a System Restore point as a backup, then uninstall each with Revo and you should be OK. If you need to, you can always roll back via System Restore.

    -etavares
     
  9. Kick

    Kick Registered Members

    Joined:
    Aug 5, 2014
    Messages:
    29
    Location:
    Dorset, England, UK
    Operating System:
    Windows 7
    Computer Brand or Motherboard:
    Packard Bell XP / Puppy Linux dual boot - Hewlett Packard Windows 7
    Memory:
    2GB on each
    Graphics Card:
    integrated
    @etavares,

    I took your advice and created a restore point and I also created an image backup of my C:\ partition. I then uninstalled the unwanted programs using Revo Uninstaller (thousands of registry items to check). Next I removed the *amd64.exe items from my allow list in SUPERAntiSpyware and ran the program again - sure enough it picked the six items up again in C:\Program Files\Installer and the similar set in C:\Backup_Repair\Program Files\Installer. I understand that although those installer files may well have been put there by one or more of the unwanted programs when they were originally installed (as my earlier registry check seemed to suggest), Revo Uninstaller would not have cleared them when it uninstalled the programs.

    This time, having both a restore point and an image backup of the C:\ partition, I allowed SUPERAntiSpyware to remove the files even though I am sure they are false positives. So far, after rebooting the system, there have been no problems and everything seems to be running correctly - let's hope that lasts.

    Thanks for your words of wisdom, they helped boost my confidence.

    Regards, Kick.
     
  10. etavares

    etavares Malware Removal Specialist - Moderator

    Joined:
    Aug 6, 2011
    Messages:
    259
    Location:
    USA (GMT -5)
    Glad it seems ok now!
     