FSWb.exe?

Is this infected? I scanned with VirusTotal. Results are here. So do I delete it or not?

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.05.08 | - |
| AhnLab-V3 | 5.0.0.2 | 2009.05.08 | - |
| AntiVir | 7.9.0.166 | 2009.05.08 | - |
| Antiy-AVL | 2.0.3.1 | 2009.05.08 | - |
| Authentium | 5.1.2.4 | 2009.05.08 | - |
| Avast | 4.8.1335.0 | 2009.05.08 | Win32:FakeAlert-BF |
| AVG | 8.5.0.327 | 2009.05.08 | SHeur2.ACJK |
| BitDefender | 7.2 | 2009.05.08 | - |
| CAT-QuickHeal | 10.00 | 2009.05.08 | (Suspicious) - DNAScan |
| ClamAV | 0.94.1 | 2009.05.08 | - |
| Comodo | 1157 | 2009.05.08 | - |
| DrWeb | 5.0.0.12182 | 2009.05.08 | Trojan.MulDrop.23111 |
| eSafe | 7.0.17.0 | 2009.05.07 | Win32.Packed |
| eTrust-Vet | 31.6.6497 | 2009.05.08 | - |
| F-Prot | 4.4.4.56 | 2009.05.08 | - |
| F-Secure | 8.0.14470.0 | 2009.05.08 | - |
| Fortinet | 3.117.0.0 | 2009.05.08 | W32/WaledPak.A |
| GData | 19 | 2009.05.09 | Win32:FakeAlert-BF |
| Ikarus | T3.1.1.49.0 | 2009.05.08 | - |
| K7AntiVirus | 7.10.729 | 2009.05.08 | Trojan.Win32.Malware.1 |
| Kaspersky | 7.0.0.125 | 2009.05.09 | - |
| McAfee | 5609 | 2009.05.08 | - |
| McAfee+Artemis | 5609 | 2009.05.08 | Artemis!01BD1FD35218 |
| McAfee-GW-Edition | 6.7.6 | 2009.05.08 | - |
| Microsoft | 1.4602 | 2009.05.08 | VirTool:Win32/Obfuscator.FH |
| NOD32 | 4063 | 2009.05.08 | - |
| Norman | 6.01.05 | 2009.05.08 | - |
| nProtect | 2009.1.8.0 | 2009.05.08 | - |
| Panda | 10.0.0.14 | 2009.05.08 | Trj/CI.A |
| PCTools | 4.4.2.0 | 2009.05.07 | - |
| Prevx | 3.0 | 2009.05.09 | Medium Risk Malware Dropper |
| Rising | 21.28.41.00 | 2009.05.08 | - |
| Sophos | 4.41.0 | 2009.05.08 | Mal/WaledPak-A |
| Sunbelt | 3.2.1858.2 | 2009.05.08 | - |
| Symantec | 1.4.4.12 | 2009.05.09 | Packed.Generic.221 |
| TheHacker | 6.3.4.1.323 | 2009.05.08 | - |
| TrendMicro | 8.950.0.1092 | 2009.05.08 | TROJ_FAKEAV.BCJ |
| VBA32 | 3.12.10.4 | 2009.05.08 | - |
| ViRobot | 2009.5.8.1725 | 2009.05.08 | - |
| VirusBuster | 4.6.5.0 | 2009.05.08 | - |

Additional information
File size: 371712 bytes
MD5…: 01bd1fd35218857ea241c0fba5c50a18
SHA1…: 70fd1078974d18d30e6d64fe86ff374c10b78db4
SHA256: 3753f64482119c5754b31ed26b20fd167acdefa625bce17e5297cc38141dd2a7
SHA512: 842201e381aa24583503a72460943e9443df6cb9769c074d6782bab1526ce972
52ff7789a5aeb58e4e29280db50725faec5a909d35bb5c693f4598fe99e9c956
ssdeep: 6144:ktv1uIQCfsjZQhSsC5DhCblaEG6r5riP1N9SITqNBA6NK3RhjK09KiXWeAN
E6:k+1jZGc58bTG4sL9bGNiBjG0jXW3E6

PEiD…: -
TrID…: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x57223
timedatestamp…: 0x45d469a0 (Thu Feb 15 14:09:36 2007)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5a000 0x5a000 7.93 e82865d37918c353eb9c2154102b0f5b
.idata 0x5b000 0x1000 0x400 4.36 00623fb318e5f27a3e56b731b058a0a7
.rsrc 0x5c000 0x1000 0x400 2.42 1cf91663a54dc7c94bada468067894ea

( 2 imports )

kernel32.dll: DebugBreak, GetComputerNameExA, SetCPGlobal, PrepareTape, LCMapStringW, TerminateProcess, lstrcpy, VirtualQuery, InitializeCriticalSectionAndSpinCount, GlobalMemoryStatusEx, SetConsoleMenuClose, PrivCopyFileExW, InterlockedPushEntrySList, GetFullPathNameW, IsProcessInJob
user32.dll: GetDlgItemInt, EnumDisplayMonitors, MessageBoxExW, QueryUserCounters, CheckMenuItem, CopyRect, SetWindowsHookA, DrawMenuBar, DeregisterShellHookWindow, OemToCharBuffA, GetClipboardData, CascadeWindows, OpenInputDesktop

( 0 exports )

It shows trojan, but wait for an evangelist.

With 15 detections, it is fairly conclusive that it is malware and you should have sent it to the chest.

Though several of these are generic or heuristic detections, which can be more prone to false positives, and there are some scanners with normally good detection rates that don’t detect it, which is a surprise.

Where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log

What I’m trying to get at is, is this a file from an application you have had on your system for some time?

There isn’t a lot of information on this file in a Google search, which tends to make me suspicious, more so depending on its location (e.g. if in the system32 folder). However, this one, translated, shows the fswb.exe file should be removed: FSWb.exe info. Even though this is meant to be a translation, there is lots that hasn’t been, but it confirms my previous suspicions and VT results.

There may possibly be other elements to this:
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then reenable it again.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.