EXE2BIN.EXE

Discussion in 'malware problems & news' started by SWS, Jun 28, 2005.

Thread Status:
Not open for further replies.
  1. SWS

    SWS Guest

    Hope someone can help with this, as I'm stumped. This message could get a bit long, so please bear with me!

    I recently started getting loads of "undeliverable mail" messages returned to my email account supposedly from emails I've never sent. I tried a load of anti-virus products (full list below) and none of them found anything.

    I downloaded a trial version of PC Door Guard which reported the virus "EXE2BIN" in c:\windows\system32\exe2bin.exe. I tried deleting the file, but it reports the file is in use and can't be deleted. I tried re-installing Windows and with nothing else installed other than DoorGuard, the virus is still reported.

    I know exe2bin.exe is a legit Windows file, and wonder whether DoorGuard is identifying a false positive or whether my Windows file has been replaced by something malicious.

    For the record, I've scanned using full versions of Sophos, Adaware and Spybot, the free versions of AVG and AVAST and trial versions of TDS and PC Doorguard. PC Doorguard is the only one that picks anything up.

    Out of interest, I also took a copy of the file c:\Windows\System32\exe2bin.exe from 8 different PCs at work and a friend's PC. When scanned with DoorGuard, they are all reported as infected.

    I phoned the Microsoft free security helpline, but they'd never heard of the virus. I also tried emailing AstonSoft, the producers of DoorGuard. However, after 4 days, my email was returned as undeliverable because their mailbox is full.

    Is exe2bin really a virus or is it DoorGuard reporting a false positive? If it is a virus, any advice on getting rid of it would be much appreciated. I've tried everything I can think of and can't get anywhere!
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    To me, with the action you have taken, it is a False Positive.

    You can try uploading the file to: http://virusscan.jotti.org/ though I can virtually guarantee nothing will be found.

    Regarding security, you might want to take a look here. As well there are discussions on security software here and even more here.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  3. SWS

    SWS Guest

    Cheers, tried that. The online scan found nothing, but it did give the following message which I'm not sure how to interpret. Any thoughts?

    MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I'll put my money with Blackspear, and just the fact that 9 copies of the same file were flagged by DoorGuard would be enough for me to call it a False Positive.

    As a side note... I'm not the one to ask about comparable software such as DoorGuard... but if I had a security program in today's environment that hasn't been updated in almost 60 days... I'd definitely be asking users for advice regarding a comparable program.

    AstonSoft News
    Code:
    Below is the archive of all the published news:
     
    05/07/05  New online trojan definitions available- 75222 entries now  
    04/25/05  New online trojan definitions available- 74808 entries now  
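    The reasoning in the two replies above (identical copies from ten machines flagged only by one scanner, and Jotti's "runtime packers found" note), turned into a small triage script. This is an added illustration, not code from the thread or from any of the products named; the sample bytes are constructed stand-ins for exe2bin.exe, not the real file.

```python
import hashlib
import math
import random
from collections import Counter

def sha256_hex(data: bytes) -> str:
    """Content hash used to tell whether two copies are byte-identical."""
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain code and text sit well below 7; packed or
    encrypted payloads approach 8, which is the kind of evidence a sandbox
    scanner summarises as 'runtime packers were found'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_copies(copies: dict, packed_threshold: float = 7.0) -> dict:
    """Compare copies of one file gathered from independent machines.
    If every copy hashes the same and only one scanner flags them, a
    signature false positive is a likelier explanation than identical
    infections on every machine."""
    hashes = {name: sha256_hex(data) for name, data in copies.items()}
    packed = sorted(name for name, data in copies.items()
                    if shannon_entropy(data) >= packed_threshold)
    return {
        "hashes": hashes,
        "all_identical": len(set(hashes.values())) == 1,
        "looks_packed": packed,
    }

# Constructed stand-ins, NOT the real exe2bin.exe: a low-entropy "clean"
# body shared by the home PC, eight work PCs and a friend's PC ...
_CLEAN = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 100
CLEAN_COPIES = {f"host{i:02d}": _CLEAN for i in range(10)}
# ... and a variant where one machine's copy differs and is high-entropy,
# as a replaced or packed file would be (seeded so the run is repeatable).
_rng = random.Random(1)
TAMPERED_COPIES = dict(CLEAN_COPIES,
                       host00=bytes(_rng.getrandbits(8) for _ in range(4096)))

if __name__ == "__main__":
    for label, copies in (("clean", CLEAN_COPIES), ("tampered", TAMPERED_COPIES)):
        r = triage_copies(copies)
        print(label, "identical:", r["all_identical"], "packed:", r["looks_packed"])
```

    A copy that differs from the others, or that alone shows packer-like entropy, is the one worth pulling for a closer look; a matching hash across independent machines does not prove a file clean, but it does undercut a single scanner's verdict.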
     
  5. SWS

    SWS Guest

    I'm certainly getting a bit suspicious about its ability to properly identify files. I did another scan yesterday and it reported another virus inside TDS3 which I'd downloaded via the DiamondCS website. Again, a couple of other virus checkers did not pick it up, so I'm hoping this is another false positive.
     