#1
strange wgasetup.exe ?

I dual boot, using GRUB, between XP SP3 and PCLinuxOS. My PC has 2 internal disks, 80Gb and 250GB. XP is installed on the 80Gb disk, and PCLinuxOS is installed on the 250Gb disk. When running Windows, the 80Gb disk is recognised as C: and the 250Gb disk is recognised as D:, naturally not showing the Linux partitions.

In my Windows I have installed Ashampoo Uninstaller 3, which sets an installation watcher to start at boot to pick up any installation programs and let me know. Suddenly, when I boot into Windows I receive a message from the installation watcher that D:\e4661ea49d09a930252000402\wgasetup.exe is trying to run, with the usual do I want to allow this, do I want to monitor the installation etc. I then have difficulty doing anything, since if I open a program the focus switches back to the dialog asking if I want to allow installation.

wgasetup.exe is usually the Windows Genuine Advantage tool setup, as I am sure you all know, but what concerns me is the folder name, e4661ea49d09a930252000402. dir on the D: drive does not show this folder, even when told to show hidden folders. Booting into PCLinuxOS also does not show this folder through NTFS_3G. Even booting from CD and running solely from CD does not show this folder.

Can anyone inform me how to find out if this is in fact a legit wgasetup or if I have some form of malware? I run Avast!, MalwareBytes, SpyBot S&D, SuperAntiSpyware (the legit one, not one of the iffy ones).

TIA
Stuart
#2
Sounds like you got a MS update for Windows Genuine Advantage. Yes, that is what I thought, but the folder name made me a little suspicious. Microsoft updates often use temporary folders of such names in the root. Sometimes they do not get deleted after the update has been installed.

Description of the Windows Genuine Advantage Notifications application: http://support.microsoft.com/kb/905474
#3
Re: strange wgasetup.exe ?

Hello Stuart: It does appear a bit intriguing and, if you've allowed WGA in an otherwise legitimate system, one might be led to believe a post install might have cleaned this out. It also seems odd that the D: partition was picked instead of the C:.

As an extra check, please upload to VirusTotal and cut/paste the analysis to a reply here.
#4
Re: strange wgasetup.exe ?

Thanks for the replies. When you say upload to VirusTotal, what do I upload? As I said in my original post, I cannot find either the folder or the file wgasetup.exe on the D: drive. The only wgasetup.exe I have on my system is in C:\windows\system32\KB905474\wgasetup.exe dated 10/03/2009, which is over 3 weeks ago, and I assume that this has already been run and installed.
#5
Re: strange wgasetup.exe ?

Windows Updates routinely install from local disks other than the C: drive. But why it should be running if it doesn't otherwise appear to exist - assuming not just hidden folders, but protected operating system files are also unhidden - would seem a little strange.
#6
Re: strange wgasetup.exe ?

There should be a record of it if it's genuine (be ironic if it's not!). If not in "windows update.log" then at Windows Update in installation history. Or somewhere!

As for me, I don't install that unless there's something else I want I can't get without it - which almost never seems to be the case. And I never install from Automatic Updates. So, looking at my own hidden updates at Windows Update, KB905474 is dated the 24th. So presumably it's been updated, and if you have them install automatically - which it looks like you do - you will have a more recent version. I presume the KB no. remains the same no matter how often it's updated. The Malicious Software Removal Tool always retains the same KB no.

Have you also got 'protected operating system files' unhidden - because there're plenty that you still won't see if you've only got 'hidden folders' unhidden. I expect MS call the WGA stuff 'protected os files', just like they call the updates 'Critical'.
#7
Re: strange wgasetup.exe ?

Thanks for all of the replies. Since I am doing all searching for the files from my PCLinuxOS installation or from a Linux live CD, I would assume that it does not matter whether my Windows preferences for showing/hiding files would have any effect; I would just see all files on the Windows partition.

jen - thanks for the pointer to Description of the Windows Genuine Advantage Notifications application, but I am afraid that that does not help. All I would like to know, if possible, is where this D:\e4661ea49d09a930252000402\wgasetup.exe file identification comes from, and if I am justified in being suspicious.
#8
Re: strange wgasetup.exe ?

Maybe not. PCLinuxOS is one of the few I'm not familiar with. I know that a backup (imaging) system I've been using many years - and for instance backing up openSUSE or Vista from within XP - doesn't work in Windows 7 (it just backs up empty folders!). I should think it comes down to the file system and the Linux driver for it.

But I was figuring you were talking about unhidden folders in Windows. Because if there is nothing there anymore, you shouldn't be being asked to run it still. If you're saying you were asked whether to allow it, and you clicked 'OK' or 'Cancel' - whichever - it should have either run then self deleted, or not run and self deleted, which is what generally happens with Windows Updates.

Like I said - look in "windows update.log" and/or your Update History at Windows Update. Read my post again.

Shane
#9
Re: strange wgasetup.exe ?

This is what will be in "windows update.log" if that's where it came from: http://download.windowsupdate.com/ms...6ecafbb56f.exe

Note the filename: windowsxp-kb905474-enu-x86_de6cd4d37729f6079366b53cc3cdaa6ecafbb56f.exe - with "_de6cd4d37729f6079366b53cc3cdaa6ecafbb56f" inserted at the end. All updates from Windows Update have such characters added, which you're not supposed to see. And usually if another partition is available they install from that rather than from anywhere on C:

So, given that a new KB905474 was released on the 24th, that doesn't look suspicious, really, does it?

Shane
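
The filename convention pointed out in post #9 can be turned into an integrity check; the following is an added example, not part of the thread. It assumes the 40 hexadecimal characters appended to a Windows Update download are the SHA-1 digest of the file, and the function names and the sample file are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# <name>_<40 hex chars>.<ext>; the hex run is assumed to be the file's SHA-1.
SUFFIX_RE = re.compile(
    r"^(?P<stem>.+)_(?P<sha1>[0-9a-f]{40})\.(?P<ext>[a-z0-9]+)$", re.I)

def split_update_name(filename):
    """Return (name_without_suffix, expected_sha1), or None if no suffix."""
    m = SUFFIX_RE.match(filename)
    if not m:
        return None
    return f"{m['stem']}.{m['ext']}", m["sha1"].lower()

def sha1_of(path, chunk=1 << 16):
    """Hash the file in chunks so large packages are not read in one go."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_update_file(path):
    """Return 'match', 'mismatch' or 'no-suffix' for a downloaded package."""
    parsed = split_update_name(Path(path).name)
    if parsed is None:
        return "no-suffix"
    return "match" if sha1_of(path) == parsed[1] else "mismatch"

def demo():
    # Constructed sample: dummy bytes standing in for an update package.
    payload = b"constructed sample payload, not a real update\n"
    digest = hashlib.sha1(payload).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d) / f"sample-kb000000-x86_{digest}.exe"
        pkg.write_bytes(payload)
        results["intact"] = check_update_file(pkg)
        pkg.write_bytes(payload + b"changed after download")
        results["modified"] = check_update_file(pkg)
        plain = Path(d) / "wgasetup.exe"  # extracted name carries no digest
        plain.write_bytes(payload)
        results["plain"] = check_update_file(plain)
    return results

if __name__ == "__main__":
    print(split_update_name(
        "windowsxp-kb905474-enu-x86_de6cd4d37729f6079366b53cc3cdaa6ecafbb56f.exe"))
    print(demo())
```

A match only shows that the file agrees with its own name, so checking the publisher's digital signature on the executable remains the stronger test of origin.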
#10
Re: strange wgasetup.exe ?

Thanks for all of the advice. I have now fired up Windows and when asked about the installation told it to go ahead. Looks as if my suspicions were unfounded.

remove fred before emailing