Migrate.dll


Bill

Hi Guys

This morning my AVG Free full scan picked up this problem file in
C:\l386\win9xmig\eastman.
Google search seems to indicate this file is (was) used with upgrade of IE6
to 7.

Do I need to restore the file?


XP Home fully patched, IE7

Thanks

Bill
 
From: "Bill" <[email protected]>

| Hi Guys
|
| This morning my AVG Free full scan picked up this problem file in
| C:\l386\win9xmig\eastman.
| Google search seems to indicate this file is (was) used with upgrade of IE6
| to 7.
|
| Do I need to restore the file?
|
| XP Home fully patched, IE7
|
| Thanks
|
| Bill
|

Bill:

Assuming it was, did you slip-stream the i386 folder for IE7 ?
If you did not specifically slip-stream the i386 folder then this can't be true.
Additionally, this file is specifically for Eastman Kodak software and has NOTHING to do
with IE.

This is why Google is NOT the place to search. Too many faux answers.

My file...

1.2.0.9025 // WorkFolder Migration DLL // Copyright © 1996-1998 Kodak.
8/4/04 68KB

{ BTW: I see this is the SAME file supplied as on my Win2K i386 folder }

I submitted my file copy to Virus Total and guess what, it was falsely declared as
"Generic2.LNI" by AVG !

Complete scanning result of "MIGRATE.DLL", processed in VirusTotal at 12/09/2006 00:34:20
(CET).

[ file data ]
* name: MIGRATE.DLL
* size: 69632
* md5.: 90e527cd3cf686abce52d1a6d41a217d
* sha1: c7b48c8488124c82b964b603c487219415752a0c

[ scan result ]
AntiVir 7.2.0.49/20061208 found nothing
Authentium 4.93.8/20061208 found nothing
Avast 4.7.892.0/20061208 found nothing
AVG 386/20061208 found [Generic2.LNI]
BitDefender 7.2/20061209 found nothing
CAT-QuickHeal 8.00/20061208 found nothing
ClamAV devel-20060426/20061208 found nothing
DrWeb 4.33/20061208 found nothing
eSafe 7.0.14.0/20061207 found nothing
eTrust-InoculateIT 23.73.80/20061208 found nothing
eTrust-Vet 30.3.3238/20061208 found nothing
Ewido 4.0/20061208 found nothing
F-Prot 3.16f/20061208 found nothing
F-Prot4 4.2.1.29/20061208 found nothing
Fortinet 2.82.0.0/20061208 found nothing
Ikarus T3.1.0.26/20061207 found nothing
Kaspersky 4.0.2.24/20061208 found nothing
McAfee 4914/20061208 found nothing
Microsoft 1.1804/20061208 found nothing
NOD32v2 1911/20061208 found nothing
Norman 5.80.02/20061208 found nothing
Panda 9.0.0.4/20061209 found nothing
Prevx1 V2/20061209 found nothing
Sophos 4.12.0/20061208 found nothing
Sunbelt 2.2.907.0/20061130 found nothing
TheHacker 6.0.3.130/20061206 found nothing
UNA 1.83/20061208 found nothing
VBA32 3.11.1/20061208 found nothing
VirusBuster 4.3.15:9/20061208 found nothing
 
From: "Bill" <[email protected]>

| Hi Guys
|
| This morning my AVG Free full scan picked up this problem file in
| C:\l386\win9xmig\eastman.
| Google search seems to indicate this file is (was) used with upgrade of IE6
| to 7.
|
| Do I need to restore the file?
|
| XP Home fully patched, IE7
|
| Thanks
|
| Bill
|

False Positive reported to Grisoft.
 
: From: "Bill" <[email protected]>
:
: | Hi Guys
: |
: | This morning my AVG Free full scan picked up this problem file in
: | C:\l386\win9xmig\eastman.
: | Google search seems to indicate this file is (was) used with upgrade of IE6
: | to 7.
: |
: | Do I need to restore the file?
: |
: | XP Home fully patched, IE7
: |
: | Thanks
: |
: | Bill
: |
:
: Bill:
:
: Assuming it was, did you slip-stream the i386 folder for IE7 ?

No.


: If you did not specifically slip-stream the i386 folder then this can't be true.
: Additionally, this file is specifically for Eastman Kodak software and has NOTHING to do
: with IE.

Thought the folder seemed strange, since I only use Canon cameras.

:
: This is why Google is NOT the place to search. Too many faux answers.
:
: My file...
:
: 1.2.0.9025 // WorkFolder Migration DLL // Copyright © 1996-1998 Kodak.
: 8/4/04 68KB
:
: { BTW: I see this is the SAME file supplied as on my Win2K i386 folder }
:
: I submitted my file copy to Virus Total and guess what, it was falsely declared as
: "Generic2.LNI" by AVG !
:
: Complete scanning result of "MIGRATE.DLL", processed in VirusTotal at 12/09/2006 00:34:20
: (CET).
:
: [ file data ]
: * name: MIGRATE.DLL
: * size: 69632
: * md5.: 90e527cd3cf686abce52d1a6d41a217d
: * sha1: c7b48c8488124c82b964b603c487219415752a0c
:
: [ scan result ]
: AntiVir 7.2.0.49/20061208 found nothing
: Authentium 4.93.8/20061208 found nothing
: Avast 4.7.892.0/20061208 found nothing
: AVG 386/20061208 found [Generic2.LNI]
: BitDefender 7.2/20061209 found nothing
: CAT-QuickHeal 8.00/20061208 found nothing
: ClamAV devel-20060426/20061208 found nothing
: DrWeb 4.33/20061208 found nothing
: eSafe 7.0.14.0/20061207 found nothing
: eTrust-InoculateIT 23.73.80/20061208 found nothing
: eTrust-Vet 30.3.3238/20061208 found nothing
: Ewido 4.0/20061208 found nothing
: F-Prot 3.16f/20061208 found nothing
: F-Prot4 4.2.1.29/20061208 found nothing
: Fortinet 2.82.0.0/20061208 found nothing
: Ikarus T3.1.0.26/20061207 found nothing
: Kaspersky 4.0.2.24/20061208 found nothing
: McAfee 4914/20061208 found nothing
: Microsoft 1.1804/20061208 found nothing
: NOD32v2 1911/20061208 found nothing
: Norman 5.80.02/20061208 found nothing
: Panda 9.0.0.4/20061209 found nothing
: Prevx1 V2/20061209 found nothing
: Sophos 4.12.0/20061208 found nothing
: Sunbelt 2.2.907.0/20061130 found nothing
: TheHacker 6.0.3.130/20061206 found nothing
: UNA 1.83/20061208 found nothing
: VBA32 3.11.1/20061208 found nothing
: VirusBuster 4.3.15:9/20061208 found nothing
:
: --
: Dave
: http://www.claymania.com/removal-trojan-adware.html
: http://www.ik-cs.com/got-a-virus.htm
:
:
Dave

See inline responses also,

In light of my non-use of Kodak I take it there is no point in restoring the
file.

BTW I am using AVG Free 7.5.432 Virus Base: 268.15.15/580 Release Date
12/8/2006 12:53PM and am updated each morning, so the 'error' must have been
in this morning's update.

Thanks for your speedy assistance.

Bill
 
From: "Bill" <[email protected]>


|
| See inline responses also,
|
| In light of my non-use of Kodak I take it there is no point in restoring the
| file.
|
| BTW I am using AVG Free 7.5.432 Virus Base: 268.15.15/580 Release Date
| 12/8/2006 12:53PM and am updated each morning, so the 'error' must have been
| in this morning's update.
|
| Thanks for your speedy assistance.
|
| Bill
|

Bill:

It is on the original distribution CDROM and is quite available for restoration. However,
this file is used but once. It is only used in a situation where you are upgrading Win9x/ME
to WinXP (or Win9x to Win2K) and are using the Eastman Kodak software distributed with the
Win9x OS.

So the answer is that "MIGRATE.DLL" is no longer needed once the OS is already installed.
 
I had the same MIGRATE.DLL file detected tonight (Friday) during a scan
with:

AVG Free
Version: 7.1.409
Virus database: 2.15.15/580
Release date: 12/8/2006 12:53:00 PM

AVG's Complete Test result reads as follows:

File: MIGRATE.DLL
Result/infection: Trojan horse Generic2.LNI
Path: C:\I386\WIN9XMIG\EASTMAN\MIGRATE.DLL

How do you know for certain that it's actually a false positive?
 
The VirusTotal <http://www.virustotal.com/en/indexf.html> scan of my
MIGRATE.DLL file also came up empty:

- - -
STATUS: FINISHED Complete scanning result of "MIGRATE.DLL", received in
VirusTotal at 12.09.2006, 09:17:52 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.49 12.08.2006 no virus found
Authentium 4.93.8 12.08.2006 no virus found
Avast 4.7.892.0 12.08.2006 no virus found
AVG 386 12.08.2006 no virus found
BitDefender 7.2 12.09.2006 no virus found
CAT-QuickHeal 8.00 12.08.2006 no virus found
ClamAV devel-20060426 12.09.2006 no virus found
DrWeb 4.33 12.08.2006 no virus found
eSafe 7.0.14.0 12.07.2006 no virus found
eTrust-InoculateIT 23.73.81 12.09.2006 no virus found
eTrust-Vet 30.3.3238 12.08.2006 no virus found
Ewido 4.0 12.08.2006 no virus found
Fortinet 2.82.0.0 12.09.2006 no virus found
F-Prot 3.16f 12.08.2006 no virus found
F-Prot4 4.2.1.29 12.08.2006 no virus found
Ikarus T3.1.0.26 12.07.2006 no virus found
Kaspersky 4.0.2.24 12.09.2006 no virus found
McAfee 4914 12.08.2006 no virus found
Microsoft 1.1804 12.09.2006 no virus found
NOD32v2 1912 12.09.2006 no virus found
Norman 5.80.02 12.08.2006 no virus found
Panda 9.0.0.4 12.09.2006 no virus found
Prevx1 V2 12.09.2006 no virus found
Sophos 4.12.0 12.08.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.130 12.06.2006 no virus found
UNA 1.83 12.08.2006 no virus found
VBA32 3.11.1 12.08.2006 no virus found
VirusBuster 4.3.15:9 12.08.2006 no virus found
- - -
 
From: "cenoxo" <[email protected]>

| I had the same MIGRATE.DLL file detected tonight (Friday) during a scan
| with:
|
| AVG Free
| Version: 7.1.409
| Virus database: 2.15.15/580
| Release date: 12/8/2006 12:53:00 PM
|
| AVG's Complete Test result reads as follows:
|
| File: MIGRATE.DLL
| Result/infection: Trojan horse Generic2.LNI
| Path: C:\I386\WIN9XMIG\EASTMAN\MIGRATE.DLL
|
| How do you know for certain that it's actually a false positive?
|
It is the same file in my Win2K distribution set as in the WinXP distribution set.

It is part of the WinNT 5.x distribution file set and goes back many years. If this was
truly malware it would have been detected long ago and would be detected across the board.
As you may have seen in my Virus Total report, AVG was the ONLY scanner with a detection.
Ergo, a False Positive declaration.
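The reasoning Dave applies above (known file version and hashes, one engine out of many flagging it) can be turned into a repeatable check. The following is an added example, not code from anyone in this thread: it compares a file's size/MD5/SHA1 against the known-good values posted for MIGRATE.DLL, parses the old-style VirusTotal text report format shown in this thread, and classifies the result by engine consensus. The two embedded report excerpts are shortened copies of the MIGRATE.DLL report above and of the win.exe report Dave posts later in the thread (wrapped continuation lines are omitted); `KNOWN_GOOD`, `assess` and the `min_engines` threshold are this example's own assumptions.

```python
import hashlib
import re

# Known-good baseline for the Kodak WorkFolder Migration DLL, copied from the
# VirusTotal "[ file data ]" block posted in this thread (size in bytes).
KNOWN_GOOD = {
    "migrate.dll": {
        "size": 69632,
        "md5": "90e527cd3cf686abce52d1a6d41a217d",
        "sha1": "c7b48c8488124c82b964b603c487219415752a0c",
    },
}


def hash_bytes(data):
    """Return (size, md5, sha1) for an in-memory byte string."""
    return len(data), hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path):
    """Return (size, md5, sha1) for a file on disk, read in 64 KiB chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def matches_known_good(name, size, md5, sha1):
    """True/False against the baseline; None when no baseline exists for that name."""
    ref = KNOWN_GOOD.get(name.lower())
    if ref is None:
        return None
    return (size, md5.lower(), sha1.lower()) == (ref["size"], ref["md5"], ref["sha1"])


# One line of the old VirusTotal text report: "<engine> <version>/<yyyymmdd> found <result>"
SCAN_LINE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<date>\d{8})\s+found\s+(?P<result>.+)$"
)


def parse_virustotal_report(text):
    """Map engine name -> detection name, or None where the engine found nothing."""
    verdicts = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if not m:
            continue  # header, "[ file data ]" block, or a wrapped continuation line
        result = m.group("result").strip()
        verdicts[m.group("engine")] = None if result == "nothing" else result.strip("[]")
    return verdicts


def assess(verdicts, min_engines=5):
    """Classify by engine consensus; a lone detection among many engines is the
    false-positive pattern, several independent detections are not (assumed policy)."""
    detections = {e: v for e, v in verdicts.items() if v is not None}
    if len(verdicts) < min_engines:
        return "insufficient-coverage", detections
    if not detections:
        return "clean", detections
    if len(detections) == 1:
        return "likely-false-positive", detections
    return "suspicious", detections


# Excerpt of the MIGRATE.DLL report from this thread (one detection, AVG only).
SAMPLE_MIGRATE = """\
AntiVir 7.2.0.49/20061208 found nothing
Authentium 4.93.8/20061208 found nothing
Avast 4.7.892.0/20061208 found nothing
AVG 386/20061208 found [Generic2.LNI]
BitDefender 7.2/20061209 found nothing
ClamAV devel-20060426/20061208 found nothing
Kaspersky 4.0.2.24/20061208 found nothing
McAfee 4914/20061208 found nothing
Microsoft 1.1804/20061208 found nothing
NOD32v2 1911/20061208 found nothing
Sophos 4.12.0/20061208 found nothing
VirusBuster 4.3.15:9/20061208 found nothing
"""

# Excerpt of the win.exe report from later in this thread (several independent detections).
SAMPLE_WIN = """\
AntiVir 7.2.0.49/20061211 found nothing
Avast 4.7.892.0/20061211 found nothing
AVG 386/20061211 found nothing
CAT-QuickHeal 8.00/20061211 found [(Suspicious) - DNAScan]
DrWeb 4.33/20061211 found [MULDROP.Trojan packed by BINARYRES]
F-Prot4 4.2.1.29/20061211 found [W32/SecRisk-ProcessPatcher-Sml-based!Maximus]
Kaspersky 4.0.2.24/20061212 found nothing
McAfee 4916/20061211 found nothing
NOD32v2 1915/20061212 found [a variant of Win32/TrojanDownloader.Tiny.NBP]
Norman 5.80.02/20061211 found [W32/Tiny.MQ.dropper]
Panda 9.0.0.4/20061212 found [Suspicious file]
VBA32 3.11.1/20061211 found [suspected of Embedded.Trojan.DownLoader.15213]
"""

if __name__ == "__main__":
    for label, report in (("MIGRATE.DLL", SAMPLE_MIGRATE), ("win.exe", SAMPLE_WIN)):
        verdict, hits = assess(parse_virustotal_report(report))
        print(f"{label}: {verdict} ({len(hits)} engine(s) flagged)")
```

To check a local copy, call `hash_file(r"C:\I386\WIN9XMIG\EASTMAN\MIGRATE.DLL")` and pass the result to `matches_known_good`; a `False` means the bytes differ from the distribution copy regardless of what any one scanner says, which is the check to run before trusting a "false positive" conclusion.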
 
From: "cenoxo" <[email protected]>

| The VirusTotal <http://www.virustotal.com/en/indexf.html> scan of my
| MIGRATE.DLL file also came up empty:
|
| - - -
| STATUS: FINISHED Complete scanning result of "MIGRATE.DLL", received in
| VirusTotal at 12.09.2006, 09:17:52 (CET).
|
| Antivirus Version Update Result
| AntiVir 7.2.0.49 12.08.2006 no virus found
| Authentium 4.93.8 12.08.2006 no virus found
| Avast 4.7.892.0 12.08.2006 no virus found
| AVG 386 12.08.2006 no virus found
| BitDefender 7.2 12.09.2006 no virus found
| CAT-QuickHeal 8.00 12.08.2006 no virus found
| ClamAV devel-20060426 12.09.2006 no virus found
| DrWeb 4.33 12.08.2006 no virus found
| eSafe 7.0.14.0 12.07.2006 no virus found
| eTrust-InoculateIT 23.73.81 12.09.2006 no virus found
| eTrust-Vet 30.3.3238 12.08.2006 no virus found
| Ewido 4.0 12.08.2006 no virus found
| Fortinet 2.82.0.0 12.09.2006 no virus found
| F-Prot 3.16f 12.08.2006 no virus found
| F-Prot4 4.2.1.29 12.08.2006 no virus found
| Ikarus T3.1.0.26 12.07.2006 no virus found
| Kaspersky 4.0.2.24 12.09.2006 no virus found
| McAfee 4914 12.08.2006 no virus found
| Microsoft 1.1804 12.09.2006 no virus found
| NOD32v2 1912 12.09.2006 no virus found
| Norman 5.80.02 12.08.2006 no virus found
| Panda 9.0.0.4 12.09.2006 no virus found
| Prevx1 V2 12.09.2006 no virus found
| Sophos 4.12.0 12.08.2006 no virus found
| Sunbelt 2.2.907.0 11.30.2006 no virus found
| TheHacker 6.0.3.130 12.06.2006 no virus found
| UNA 1.83 12.08.2006 no virus found
| VBA32 3.11.1 12.08.2006 no virus found
| VirusBuster 4.3.15:9 12.08.2006 no virus found
| - - -

Like I said, I submitted this as a False Positive to Grisoft last night.
I'm glad to see they updated their signatures quickly.
 
: From: "Bill" <[email protected]>
:
: | Hi Guys
: |
: | This morning my AVG Free full scan picked up this problem file in
: | C:\l386\win9xmig\eastman.
: | Google search seems to indicate this file is (was) used with upgrade of IE6
: | to 7.
: |
: | Do I need to restore the file?
: |
: | XP Home fully patched, IE7
: |
: | Thanks
: |
: | Bill
: |
:
: False Positive reported to Grisoft.
:
: --
: Dave
: http://www.claymania.com/removal-trojan-adware.html
: http://www.ik-cs.com/got-a-virus.htm
:
:
Dave

FWIW I restored the file and this morning after the latest update there was
no problem.

Congrats on having it fixed so promptly.

Suppose that the problem in running these programs daily - those who didn't
live on blissfully!

Bill
 
Make that:

Also updated AVG Free database to 268.15.15/581, released 12/9/2006
3:41:00 PM.

Rescanned C:\I386\WIN9XMIG\EASTMAN\MIGRATE.DLL directly, and no virus
detected.

Thanks for the quick fix, Grisoft.
 
Bill said:
: From: "Bill" <[email protected]>
:
: | Hi Guys
: |
: | This morning my AVG Free full scan picked up this problem file in
: | C:\l386\win9xmig\eastman.
: | Google search seems to indicate this file is (was) used with upgrade of IE6
: | to 7.
: |
: | Do I need to restore the file?
: |
: | XP Home fully patched, IE7
: |
: | Thanks
: |
: | Bill
: |
:
: False Positive reported to Grisoft.
:
: --
: Dave
: http://www.claymania.com/removal-trojan-adware.html
: http://www.ik-cs.com/got-a-virus.htm
:
:
Dave

FWIW I restored the file and this morning after the latest update there was
no problem.

Congrats on having it fixed so promptly.

Suppose that the problem in running these programs daily - those who didn't
live on blissfully!

Bill
Yeah! I was unusually quick off the mark when I got this! {:o(
So to re-cap, it IS part of IE and I should get back into virus vault
and restore everything there relating to this episode?
 
From: "Lofty." <[email protected]>


| Yeah! I was unusually quick off the mark when I got this! {:o(
| So to re-cap, it IS part of IE and I should get back into virus vault
| and restore everything there relating to this episode?

Huh ?

This MIGRATE.DLL file is NOT part of IE !
 
David H. Lipman said:
From: "Lofty." <[email protected]>
| Yeah! I was unusually quick off the mark when I got this! {:o(
| So to re-cap, it IS part of IE and I should get back into virus vault
| and restore everything there relating to this episode?

Huh ?

This MIGRATE.DLL file is NOT part of IE !

This might not, but his could be. On my W2k CD there are several files
with this name in the subdirectories of win9xmig. They are different
sizes, and contain different vendor names in the properties. One of
them has this: "Internet Explorer Migration DLL for Windows 2000".

Lofty posted the same report about AVG detecting the migrate dll in
our ISP's help group. The path given was "C:\1386\WIN9{X}v...", where
the dots presumably indicate a truncation in the display. I don't
understand why the directory name is not the same, and can't tell
which subdirectory it was found in. Note also that for both posters
the main directory is "1386" (the first character is "one"), but mine
is the usual "I386" (capital "i").
 
From: "Ant" <[email protected]>


|
| This might not, but his could be. On my W2k CD there are several files
| with this name in the subdirectories of win9xmig. They are different
| sizes, and contain different vendor names in the properties. One of
| them has this: "Internet Explorer Migration DLL for Windows 2000".
|
| Lofty posted the same report about AVG detecting the migrate dll in
| our ISP's help group. The path given was "C:\1386\WIN9{X}v...", where
| the dots presumably indicate a truncation in the display. I don't
| understand why the directory name is not the same, and can't tell
| which subdirectory it was found in. Note also that for both posters
| the main directory is "1386" (the first character is "one"), but mine
| is the usual "I386" (capital "i").
|

Ant:

Bill specifically posted... .\l386\win9xmig\eastman\migrate.dll
I examined my Win2K and WinXP folders and found the file version to be the same,
v1.2.0.9025, [ WorkFolder Migration DLL, Copyright © 1996-1998 Kodak. , Eastman Software New
York ] and the fact that it is in the 'eastman' folder clinches it.

I searched for MIGRATE.DLL on my Win2K .\i386 folder and found 27 files named MIGRATE.DLL
and each one was in its OWN folder. They would have to be to be of the same name. Of these
27 files only a few are the same size. Therefore I can NOT conclude that one MIGRATE.DLL
for Eastman Kodak can be falsely declared by AVG as well as another for IE migration.

I don't know what Lofty posted and I don't have a fully qualified name and path to
corroborate like I did for Bill.
 
David H. Lipman said:
[...] Therefore I can NOT conclude that one MIGRATE.DLL
for Eastman Kodak can be falsely declared by AVG as well as another for IE migration.

Fair enough. I was just trying to figure out how IE came to be mentioned.
I don't know what Lofty posted and I don't have a fully qualified name and path to
corroborate like I did for Bill.

It turns out that Lofty can't type! His was in fact the Eastman-Kodak
migrate.dll -- so all's well.
 
From: "Ant" <[email protected]>

| "David H. Lipman" wrote:
|
| [...] Therefore I can NOT conclude that one MIGRATE.DLL
| for Eastman Kodak can be falsely declared by AVG as well as another for IE migration.
|
| Fair enough. I was just trying to figure out how IE came to be mentioned.
|
| It turns out that Lofty can't type! His was in fact the Eastman-Kodak
| migrate.dll -- so all's well.
|

Thanx Ant. Which is proof that one needs to state the fully qualified name and path to a
file and not just a file name.

BTW: That site where you decoded the PHP for me, it is a server for a spam bot network.
The file WIN.EXE changes periodically. Sometimes it is the same file but now using new
compression and sometimes it is a completely different file. I have continued to track the
server and the variations of the file and submitted all variations to the anti malware
vendors. I wonder if XOD, the author of the PHP, is the author of the WIN.EXE file as well.

Yesterday the file was 9KB and Today it is 13KB.

Complete scanning result of "win.exe", processed in VirusTotal at 12/12/2006 03:39:32 (CET).

[ file data ]
* name: win.exe
* size: 13312
* md5.: 1ab44030d29a0b6131413fa2bdc195bd
* sha1: d1d35d9172ea30bc2380485124edacdad26a10a3

[ scan result ]
AntiVir 7.2.0.49/20061211 found nothing
Authentium 4.93.8/20061211 found [Possibly a new variant of
W32/SecRisk-ProcessPatcher-Sml-based!Maximus]
Avast 4.7.892.0/20061211 found nothing
AVG 386/20061211 found nothing
BitDefender 7.2/20061212 found nothing
CAT-QuickHeal 8.00/20061211 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20061211 found nothing
DrWeb 4.33/20061211 found [MULDROP.Trojan packed by BINARYRES]
eSafe 7.0.14.0/20061211 found nothing
eTrust-InoculateIT 23.73.83/20061212 found nothing
eTrust-Vet 30.3.3244/20061211 found nothing
Ewido 4.0/20061211 found nothing
F-Prot 3.16f/20061211 found [Possibly a new variant of
W32/SecRisk-ProcessPatcher-Sml-based!Maximus]
F-Prot4 4.2.1.29/20061211 found [W32/SecRisk-ProcessPatcher-Sml-based!Maximus]
Fortinet 2.82.0.0/20061211 found nothing
Ikarus T3.1.0.26/20061211 found nothing
Kaspersky 4.0.2.24/20061212 found nothing
McAfee 4916/20061211 found nothing
Microsoft 1.1804/20061212 found nothing
NOD32v2 1915/20061212 found [a variant of Win32/TrojanDownloader.Tiny.NBP]
Norman 5.80.02/20061211 found [W32/Tiny.MQ.dropper]
Panda 9.0.0.4/20061212 found [Suspicious file]
Prevx1 V2/20061212 found nothing
Sophos 4.12.0/20061210 found nothing
Sunbelt 2.2.907.0/20061130 found nothing
TheHacker 6.0.3.131/20061210 found nothing
UNA 1.83/20061211 found nothing
VBA32 3.11.1/20061211 found [suspected of Embedded.Trojan.DownLoader.15213]
VirusBuster 4.3.15:9/20061211 found nothing

[ notes ]
packers: BINARYRES
packers: embedded
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: (e-mail address removed) - REMEMBER TO ENCRYPT
IT (E.G. ZIP WITH PASSWORD)**.
* File length: 13312 bytes.

[ Changes to filesystem ]
* Deletes file winntdll.exe.
* Creates file C:\WINDOWS\winntdll.exe.
* Deletes file C:\WINDOWS\gg.dll.
* Creates file C:\WINDOWS\gg.dll.

[ Process/window information ]
* Creates a mutex [t~t~t~t~t~t~t].
* Enumerates running processes.

[ Signature Scanning ]
* C:\WINDOWS\winntdll.exe (2560 bytes) : W32/Tiny.MQ.



BTW: I really think you did great in decoding the PHP file ! :-)
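The Norman sandbox section of the report above lists what the sample does on execution (files dropped and deleted, a mutex, the detection on the dropped file). The following is an added example, not code from anyone in this thread: it parses that section into indicators and matches them against a host file listing so a defender can sweep machines for the dropped files. The report text is copied from the post above; the host listing, the `sweep` helper and its match labels are this example's own constructed assumptions.

```python
import re

# Norman sandbox section of the win.exe report posted above (thread data, not constructed).
SANDBOX_REPORT = """\
[ Changes to filesystem ]
* Deletes file winntdll.exe.
* Creates file C:\\WINDOWS\\winntdll.exe.
* Deletes file C:\\WINDOWS\\gg.dll.
* Creates file C:\\WINDOWS\\gg.dll.

[ Process/window information ]
* Creates a mutex [t~t~t~t~t~t~t].
* Enumerates running processes.

[ Signature Scanning ]
* C:\\WINDOWS\\winntdll.exe (2560 bytes) : W32/Tiny.MQ.
"""

# One pattern per sandbox line shape we want to keep; trailing period is optional.
PATTERNS = {
    "created_file": re.compile(r"^Creates file (.+?)\.?$"),
    "deleted_file": re.compile(r"^Deletes file (.+?)\.?$"),
    "mutex": re.compile(r"^Creates a mutex \[(.+)\]\.?$"),
    "dropped_detection": re.compile(r"^(\S+) \((\d+) bytes\) : (.+?)\.?$"),
}


def leaf(path):
    """Last path component for either Windows or POSIX separators (os.path.basename
    would not split a backslash path when this runs on a non-Windows host)."""
    return re.split(r"[\\/]", path)[-1]


def parse_sandbox_report(text):
    """Turn the '* ...' sandbox lines into lists of indicators keyed by kind."""
    indicators = {kind: [] for kind in PATTERNS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("*"):
            continue  # section header or blank line
        line = line.lstrip("* ").strip()
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m is None:
                continue
            if kind == "dropped_detection":
                path, size, name = m.groups()
                indicators[kind].append((path, int(size), name))
            else:
                indicators[kind].append(m.group(1))
            break
    return indicators


def sweep(indicators, host_files):
    """Match a host listing of (path, size) against the dropped-file indicators.
    Returns (path, label) where label is size-match, size-mismatch or name-match."""
    wanted = {leaf(p).lower() for p in indicators["created_file"]}
    known_sizes = {leaf(p).lower(): s for p, s, _ in indicators["dropped_detection"]}
    hits = []
    for path, size in host_files:
        name = leaf(path).lower()
        if name not in wanted:
            continue
        expected = known_sizes.get(name)
        if expected is None:
            hits.append((path, "name-match"))
        elif expected == size:
            hits.append((path, "size-match"))
        else:
            hits.append((path, "size-mismatch"))
    return hits


# Constructed host listing (path, size in bytes) standing in for a real directory walk.
HOST_FILES = [
    ("C:\\WINDOWS\\winntdll.exe", 2560),
    ("C:\\WINDOWS\\system32\\kernel32.dll", 989696),
    ("C:\\WINDOWS\\gg.dll", 40960),
    ("C:\\I386\\WIN9XMIG\\EASTMAN\\MIGRATE.DLL", 69632),
]

if __name__ == "__main__":
    iocs = parse_sandbox_report(SANDBOX_REPORT)
    print("mutex:", iocs["mutex"])
    for path, label in sweep(iocs, HOST_FILES):
        print(f"{label}: {path}")
```

A name match on its own is weak evidence (both names are short and generic), which is why the size from the signature-scanning line is carried along; a full sweep would hash any hit and check the mutex name on a live system.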
 
David H. Lipman said:
BTW: That site where you decoded the PHP for me, it is a server for a spam bot network.

Certainly appears so from the info I found in the new 13k exe.
The file WIN.EXE changes periodically. Sometimes it is the same file but now using new
compression and sometimes it is a completely different file. I have continued to track the
server and the variations of the file and submitted all variations to the anti malware
vendors.

I occasionally download the latest variant to see if I can find out
what it's up to. This 13k one revealed a bit more.
I wonder if XOD, the author of the PHP, is the author of the WIN.EXE file as well.

There's an embedded URL (the "debvmlpkitm" one) in this exe which
leads via a frameset to another site hosting the same encoded PHP, but
without the XOD ascii art.
Yesterday the file was 9KB and Today it is 13KB.

Complete scanning result of "win.exe", processed in VirusTotal at 12/12/2006 03:39:32 (CET).
[...]
W32/SecRisk-ProcessPatcher-Sml-based!Maximus]

Looks nasty!
packers: BINARYRES
packers: embedded

Part of the file is not packed, which got me poking around.
* Creates file C:\WINDOWS\winntdll.exe.
* Creates file C:\WINDOWS\gg.dll.
* Creates a mutex [t~t~t~t~t~t~t].

Those names are visible in the exe, together with "gg.exe" and
"botdll.dll". I also frequently see the string "gadu-gadu" in these
files, and this time I was able to uncover a complete URL.

Using wget to download:
h--p://appmsg.gadu-gadu.pl/appsvc/appmsg4.asp?fmnumber=0
retrieves this string:
0 0 217.17.41.88:8074 217.17.41.88

If the "fmnumber" parameter is changed to 1, 2, etc, a different IP
address is returned. Also, the string "217.17.45.143:8074" is hard
coded into the exe. Telnetting to that IP on port 8074 gives a prompt
of gibberish, so I don't know what service is running on it. However,
it does all smell of bot command and control.
BTW: I really think you did great in decoding the PHP file ! :-)

Cheers!
 