Thread: Win32.Autorun.Tepfer

  1. #1
    Junior Member
    Join Date
    Jul 2013
    Posts
    5

    Win32.Autorun.Tepfer

    Spybot tells me I have Win32.Autorun.Tepfer.
    It wants to clean on reboot - but Spybot does not run on reboot.

    Malwarebytes and Security Essentials show clean.

    I cannot see Win32.Autorun.Tepfer in the registry with RegEdit either.

    Can this be a false positive? (running MS Security Essentials)

    Win7 pro 64byte

  2. #2
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Hello,
    unfortunately this does not look like a false positive. It looks more like an incomplete detection.
    Please open Spybot S&D and switch into advanced mode and open Startup Tools and create a log file.
    Attach this log file in this thread.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Jul 2013
    Posts
    5

    Quote: Originally posted by Yodama
    Hello,
    unfortunately this does not look like a false positive. It looks more like an incomplete detection.
    Please open Spybot S&D and switch into advanced mode and open Startup Tools and create a log file.
    Attach this log file in this thread.

    The only thing weird is the logfile is this....


    Win32.Autorun.Tepfer: [SBI $680DAD54] Autorun settings (Copy) (Registry value, nothing done)
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Copy

    Win32.Autorun.Tepfer: [SBI $680DAD54] Autorun settings (Copy) (Registry value, nothing done)
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Copy


    This is what I see in that segment of the registry

    http://themezz.com/temp/reg.jpg

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    This CopyAgent.exe does not look trustworthy at all; if you did not install it yourself, it is very likely a Trojan horse.
    There is absolutely no reason at all for any copy software to start at system start.
    Many Trojan horses also use such generic names to make them look harmless, but legit software usually uses more unique names.
    Please send in the CopyAgent.exe to detections@spybot.info for analysis.

  5. #5
    Junior Member
    Join Date
    Jul 2013
    Posts
    5

    Quote: Originally posted by Yodama
    This CopyAgent.exe does not look trustworthy at all; if you did not install it yourself, it is very likely a Trojan horse.
    There is absolutely no reason at all for any copy software to start at system start.
    Many Trojan horses also use such generic names to make them look harmless, but legit software usually uses more unique names.
    Please send in the CopyAgent.exe to detections@spybot.info for analysis.

    Oddly enough CopyAgent.exe does not show up anywhere when I search my hard drives.

  6. #6
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    The file may be hidden. Open the Windows control panel, then go to Folder options and switch to the View tab. Now look for the settings to unhide hidden files and folders. There is also a setting to hide system files; this should also be set so that those files are visible.
    Change the settings so that all files are visible.

  7. #7
    Junior Member
    Join Date
    Jul 2013
    Posts
    5

    Quote: Originally posted by Yodama
    The file may be hidden. Open the Windows control panel, then go to Folder options and switch to the View tab. Now look for the settings to unhide hidden files and folders. There is also a setting to hide system files; this should also be set so that those files are visible.
    Change the settings so that all files are visible.

    Thanks - -

    I did that and the file is still not found on a search.

    I manually removed that entry with regedit and ran Spybot and MS Security Essentials - - both reporting all clean.

    I checked my backups also, which keep deleted files for 30 days, and CopyAgent.* does not appear on my backup drives either.


    Kind of weird.

  8. #8
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    It could be that the file was already removed by Microsoft or Malwarebytes; the log files may shed some light on this.

    But at least this poses no threat for the time being.

  9. #9
    Junior Member
    Join Date
    Jul 2013
    Posts
    5

    Quote: Originally posted by Yodama
    It could be that the file was already removed by Microsoft or Malwarebytes; the log files may shed some light on this.

    But at least this poses no threat for the time being.

    I have confirmed that the reg entry was left behind by a Barracuda backup product when I uninstalled it.
    It uninstalls the file (harmless) but not the registry entry.
    I have advised Barracuda about this and they acknowledged me and confirmed that CopyAgent.exe is their file.

    thank you - I appreciate your time

  10. #10
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Thank you for your additional information on this.

    Detection rules will be changed with the next detection update scheduled for Wednesday 2013-07-24 to avoid this detection in the future.
    Last edited by Yodama; 2013-07-22 at 08:20.
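The thread ended with a Run value whose target file no longer existed on disk. The script below is an added example, not part of the original thread or of Spybot: it lists Run-key autostart values and marks the ones that point at a missing file, with the Authenticode status of the ones that do exist. The key list and the helper name Get-CommandTarget are assumptions made for this example.

```powershell
# Added example (not from the thread). Read-only: nothing in the registry is changed.
# Needs PowerShell 3.0 or later; run it from a 64-bit session on 64-bit Windows.
# HKEY_USERS\.DEFAULT is the same hive as HKEY_USERS\S-1-5-18 (LocalSystem),
# which is why the log in the thread shows the same value twice.
$runKeys = @(
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-CommandTarget {
    # Hypothetical helper: pull the program path out of an autostart command line.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # Quoted path: take what sits between the first pair of quotes.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: cut after the first program extension so spaces in the path survive.
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($keyPath in $runKeys) {
    $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $target = Get-CommandTarget ([string]$key.GetValue($name))
        if (-not $target) { continue }
        $resolved = $null
        if (Split-Path $target -IsAbsolute) {
            if (Test-Path -LiteralPath $target -PathType Leaf) { $resolved = $target }
        } else {
            # Bare file name: resolve it through PATH, as the shell would at logon.
            $app = Get-Command $target -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($app) { $resolved = $app.Path }
        }
        $signature = if ($resolved) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'n/a' }
        [pscustomobject]@{
            Orphaned  = -not $resolved   # True: the value points at a file that is not there
            Key       = $key.Name
            Value     = $name
            Target    = $target
            Signature = $signature
        }
    }
}
$report | Sort-Object Orphaned -Descending | Format-Table Orphaned, Key, Value, Target, Signature -AutoSize -Wrap
```

An orphaned value like the one in this thread shows up with Orphaned set to True; whether it is an uninstaller leftover or the remains of a removed threat still has to be established from the vendor or from the scanners' logs, as was done here.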
