Author Topic: Strange detections

Carthage

  • Guest
Strange detections
« on: June 18, 2011, 11:58:47 PM »
Dear forum,
    I use Avast Free Antivirus. Earlier today Avast found what it called a rootkit in the file AgAppLaunch.db, which was in the Windows Prefetch folder. Avast only detected this suspected rootkit during a full or quick scan; when the file was scanned individually the scan came back clean. After updating the definitions, Avast no longer detects AgAppLaunch.db as a rootkit during full, quick, or individual scans.
    I ran a full scan afterwards, and Avast now detects setupapi.ev1 as a rootkit during the full scan. When scanned individually, setupapi.ev1 is marked as clean. I found setupapi.ev1 in C:\Windows\inf.
    Are these detections true, or false positives? Can I safely ignore these detections? I googled AgAppLaunch.db and it appears to be a Windows-related file. However, I found nothing when I googled setupapi.ev1. Any help you can give me is greatly appreciated.

Thank you,
Carthage

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37552
  • Not a avast user
Re: Strange detections
« Reply #1 on: June 19, 2011, 01:39:31 AM »
upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners
when you have the result, copy the url in the address bar and post it here for us to see

alternative
Jotti  http://virusscan.jotti.org/en
VirSCAN  http://virscan.org/

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89159
  • No support PMs thanks
Re: Strange detections
« Reply #2 on: June 19, 2011, 01:42:18 AM »
This file in the prefetch folder: as far as I'm aware, they should only have a .pf file type other than the layout.ini file (for XP systems), so I too would be a bit suspect having this AgAppLaunch.db database file in there. However, in Win7 (and possibly Vista) there are lots of .db files (but not this one in my Win7 system). What is your operating system?

Though that said, a Google search for the file name http://www.google.co.uk/search?q=AgAppLaunch.db shows this isn't uncommon and may be related to Superfetch. Ring any bells?

Also see Microsoft Superfetch, as I also use this setting to restrict what the Superfetch actually prefetches.

I did get lots of hits for setupapi.ev1 http://www.google.co.uk/search?q=setupapi.ev1.
Also see, http://ev1.fileextensionguide.com/.


Can you recall the full malware names of these detections?

Did this happen about 8 minutes after boot, or on a routine on-demand scan?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Carthage

  • Guest
Re: Strange detections
« Reply #3 on: June 19, 2011, 02:12:40 AM »
Forum,
    I uploaded both files to VirusTotal, here are the URLs:
for setupapi.ev1:

http://www.virustotal.com/file-scan/report.html?id=d53e419b40ac5c7f81b88cccf0fffef37fdd67235b0f815fd4396a15df7dd07e-1308440758

for AgAppLaunch.db:

https://www.virustotal.com/file-scan/report.html?id=83e205df25293c3f271a8984af33eebde3be5392a155d790ad74037424a9022a-1308440567

    My operating system is Windows 7 SP1, both files were first detected during my scheduled full scan, about two hours after boot. Avast gives the file names as:
C:\Windows\inf\setupapi.ev1 and
C:\Windows\Prefetch\AgAppLaunch.db

Sincerely,
Carthage

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89159
  • No support PMs thanks
Re: Strange detections
« Reply #4 on: June 19, 2011, 02:57:12 AM »
Check the C:\ProgramData\Avast Software\Avast\report (windows Vista, windows 7) folder for the full system scan.txt file. That will tell us the malware name given to this and perhaps if it was a part of the rootkit scan, which is also integral to the full system shield.

Just checked my Win7 SP1 netbook system again and I do have the C:\Windows\Prefetch\AgAppLaunch.db file and no alerts. But then again it is as rare as hen's teeth that I do a Full system scan; I do a weekly scheduled Quick scan, which happened just under two hours ago, and no alert on that file.

Carthage

  • Guest
Re: Strange detections
« Reply #5 on: June 21, 2011, 02:49:56 AM »
DavidR,
    I could not find the scan.txt file you mentioned. I checked the folder (C:\ProgramData\Avast Software\Avast\report) and it was not there. However, Avast ran a full scan today, and both Prefetch\AgAppLaunch.db and setupapi.ev1 are no longer detected. Instead, C:\Windows\Prefetch\AgCx_SC1.db and C:\Windows\Prefetch\WMIADAP.EXE-369DF1Cd.pf are now detected as rootkits during a full scan, but a boot scan came up clean. VirusTotal scans show both are clean:

for AgCx_SC1.db:
http://www.virustotal.com/file-scan/report.html?id=1007017d0cfd66c80939d5cbef6bd6894551098dda242578f4bbb75c7ede87fe-1308616330

for WMIADAP.EXE-369DF1Cd.pf:
http://www.virustotal.com/file-scan/report.html?id=3fd1bb85ff6abefae11a1d35680aa18a8cc794a93ce028a4cdbcebdd5177a99b-1308616407

Sincerely,
Carthage

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89159
  • No support PMs thanks
Re: Strange detections
« Reply #6 on: June 21, 2011, 03:16:43 AM »
First, it is "full system scan.txt" with the spaces. More importantly, could you find the folder?

It should have been there if you did a full system scan as you mentioned previously. However, one proviso is that you have to have set the Expert Settings, More Details, Settings, Report file section to Generate the report file, image1.

~~~~
The folder may be hidden in your Operating System, I don't know if this is the same but the example I'm using is from XP:
- Ensure that you have enabled the 'Show Hidden Files and Folders' option and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image2.

^^^^
Have you changed any of the default settings on the Full System Scan?
Are you running this every day? To be honest that is overkill; I run a scheduled Quick scan once a week. The more frequently you run scans, the greater the chance of coming across this type of thing.

####
- With a resident on-access antivirus like avast, the need for frequent on-demand scans is much depreciated. For the most part the on-demand scan is going to be scanning files that would otherwise be dormant or inert. If they were active files then the on-access file system shield would be scanning them before being created, modified, opened or executed.

I have avast set to do a scheduled weekly Quick scan, set at a time and day that I know the computer will be on. If for some reason my system wasn't on, no big deal I will catch up on the next scheduled scan.

>>>>
I suspect that these other file detections might be the same as the others; after a while they too might no longer be detected.
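The two checks suggested earlier in the thread (Pondus: hash-check the flagged file against VirusTotal; DavidR: look for the hidden Avast report folder and the scan log) can be done in one go from PowerShell. The script below is an added example and is not from the forum thread, from Avast, or from VirusTotal. It assumes PowerShell 4.0 or later (for Get-FileHash), takes the two paths named in the thread as its sample input, assumes the report folder name exactly as DavidR gives it, and uses VirusTotal's hash-lookup URL form so the file itself need not be uploaded.

```powershell
# Added example (not from the thread): triage files that an on-demand scan
# flagged as a rootkit but that scan clean when checked individually.
# Requires PowerShell 4.0+ for Get-FileHash. Run from an elevated prompt so
# that files under C:\Windows are readable.

# Sample input: the two paths reported in this thread. Replace with the
# paths your scanner's detection list shows.
$FlaggedFiles = @(
    'C:\Windows\Prefetch\AgAppLaunch.db',
    'C:\Windows\inf\setupapi.ev1'
)

# Directories that Windows itself maintains. A file living here is not
# automatically trustworthy, but a heuristic "rootkit" hit on a data file in
# one of these folders, with a clean individual scan, is a classic
# false-positive pattern worth confirming by hash rather than by name.
$WindowsManagedDirs = @(
    (Join-Path $env:SystemRoot 'Prefetch'),
    (Join-Path $env:SystemRoot 'inf')
)

function Get-FlaggedFileReport {
    param([string[]]$Paths)

    foreach ($Path in $Paths) {
        if (-not (Test-Path -LiteralPath $Path)) {
            # Already moved to the chest, removed by an update, or mistyped.
            [pscustomobject]@{ Path = $Path; Present = $false }
            continue
        }

        # -Force so hidden/system-attributed files are still returned.
        $Item = Get-Item -LiteralPath $Path -Force
        $Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $Dir = Split-Path -Parent $Path

        # -contains compares strings case-insensitively, which suits paths.
        $InWindowsDir = $WindowsManagedDirs -contains $Dir

        # Prefetch (.pf), .db and .ev1 files are data, not PE images, so
        # NotSigned is the expected status here and is not itself suspicious.
        $Signature = Get-AuthenticodeSignature -FilePath $Path

        [pscustomobject]@{
            Path          = $Path
            Present       = $true
            SizeBytes     = $Item.Length
            LastWrite     = $Item.LastWriteTime
            Attributes    = $Item.Attributes
            SHA256        = $Sha256
            InWindowsDir  = $InWindowsDir
            SignatureStatus = $Signature.Status
            # Look the hash up without uploading: if VirusTotal already knows
            # the file, the report shows how many engines flag it.
            VirusTotalURL = "https://www.virustotal.com/gui/file/$Sha256"
        }
    }
}

function Get-AvastReportFiles {
    # Report folder as named in the thread (assumed path). ProgramData is a
    # hidden folder, hence -Force when listing it.
    $ReportDir = Join-Path $env:ProgramData 'Avast Software\Avast\report'

    if (-not (Test-Path -LiteralPath $ReportDir)) {
        Write-Warning "Report folder not found: $ReportDir. Either the path differs on this version or 'Generate report file' is disabled in the scan settings."
        return
    }

    Get-ChildItem -LiteralPath $ReportDir -Force -Filter '*.txt' |
        Select-Object Name, Length, LastWriteTime
}

Get-FlaggedFileReport -Paths $FlaggedFiles | Format-List
Get-AvastReportFiles
```

The hash in the VirusTotal URL is the same SHA-256 that appears in the report links posted earlier in the thread, so a match means you are looking at the identical file rather than one with a similar name. Compare the LastWrite timestamp with the scan time as well: a prefetch or setupapi log file that Windows rewrote shortly before the scan explains why a later scan with updated definitions no longer flags it.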

Darren Tondreau

  • Guest
AgAppLaunch.db
« Reply #7 on: July 04, 2011, 08:58:27 AM »
This file ( AgAppLaunch.db ) has also been detected as a rootkit during my first full scan. However, a follow up with VirSCAN.org has not confirmed an infection:
http://virscan.org/report/3d0c316fc7a5e8df6e4c4a003e2115ff.html

I followed up with a boot-time and got two different positive results:
Java:Jade-C [Heur]
PUP: Win32: PUP-gen [PUP]

Both have been moved to chest. Is there anything else I need to do?

Lupo the Butcher

  • Guest
Re: Strange detections
« Reply #8 on: July 10, 2011, 01:22:46 AM »
I seem to have the same strange thing happening, and I am also running Windows 7 (mine is 64 bit) with Avast and found:
Threat: RootKit: High Severity
Windows\inf\setupapi.ev1

I tried to apply an action when the scan finished, Avast asked to run a boot scan, it did so and found nothing but said my SAS processlist.db was corrupted, and did nothing to the infected file.

After reading what the OP did, I scanned the file individually with AVAST and Malwarebytes but it came out as clean.

I can't find the scan.txt either, I do not have a /reports folder, hidden or not.

zsebibaba007

  • Guest
Re: Strange detections
« Reply #9 on: July 24, 2011, 04:15:55 PM »
Hi!
I have the same problem with the file AgAppLaunch.db, but I don't have the setupapi.ev1. I use Avast Free Antivirus like Carthage and avast found a rootkit in this file. It says: virus found - Rootkit: system modification. I chose the repair mode on the file and I rebooted the system (I've got Windows Vista on my computer). After the reboot the file was clean.
Now I don't know whether it is infected or not.
Can anybody help me?
Sorry for my English, I'm not too good at it.
Thanks for the help,
Zsebi