Strange Findings




I ran Avast, SuperAntispyware, and Malwarebytes' Anti-Malware.  All three programs
indicated my computer being clean......no infections.  I then ran Windows
Defender, and it picked up these two: Trojan Downloader:Win32/ZLOB.ANN, and
Program:Win32/Antivirus 2008.  Both were then deleted with Windows Defender.
Why would they show up here, and not in the other three?



Re: Strange Findings




| I ran Avast, SuperAntispyware, and Malwarebytes' Anti-Malware.  All three programs
| indicated my computer being clean......no infections.  I then ran Windows
| Defender, and it picked up these two: Trojan Downloader:Win32/ZLOB.ANN, and
| Program:Win32/Antivirus 2008.  Both were then deleted with Windows Defender.
| Why would they show up here, and not in the other three?


Good question.

It would help if you could post the fully qualified names and paths to the files
deemed infected and removed.

A Windows Defender log extract would help.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Strange Findings



On Wed, 24 Sep 2008 18:47:05 -0400, "David H. Lipman" wrote:

> It would help if you could post the fully qualified names and paths to the files
> deemed infected and removed.

Useless. The files can be known by any number of names depending upon
what the AV vendor wants to name it. Having the name posted here
serves no purpose and doesn't answer his question.

> A Windows Defender log extract would help.


Again, useless.

Re: Strange Findings




| On Wed, 24 Sep 2008 18:47:05 -0400, "David H. Lipman" wrote:

| > It would help if you could post the fully qualified names and paths to the files
| > deemed infected and removed.

| Useless. The files can be known by any number of names depending upon
| what the AV vendor wants to name it. Having the name posted here
| serves no purpose and doesn't answer his question.

| > A Windows Defender log extract would help.

| Again, useless.

Maybe to YOU...


--
Dave



Re: Strange Findings



I couldn't copy and paste from Windows Defender, but here is what I found in
the log.
Trojan Downloader:
file:
C:\Documents\Ben xxxxx\My Documents\My Received Files\Setup.exe->(UPX)
container file:
C:\Documents and Settings\Ben xxxxx\My Documents\My Received Files\Setup.exe

Program : Win32/Antivirus 2008
Resources:
file:
C:\System Volume Information\_restore\rp2961\A0162570.exe->(UPX)->(RarSfx)->sav1.dat
file:
Same as the above, except it ended with   ->sav0.dat

Maybe this will help you.
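
A small parser for the location strings in that log, added here as an illustration; it is not code from the thread or from Microsoft. It assumes, from the two entries above, that Windows Defender writes the on-disk container path first and then "->" separated hops, where a parenthesised hop is an unpacking layer (UPX, RarSfx) and a bare hop is the member file inside it; it also picks the System Restore point number (rpNNNN) out of the path, since a hit in the restore cache is handled differently from a file the user can actually run. The function names, the `triage` rule and the sample list are the example's own; the Setup.exe entry is taken from the "container file" line of the log, with the user name left as the poster redacted it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed reading of the log format quoted above: on-disk container path, then
# "->" hops; "(UPX)" style hops are unpackers, a bare hop is a member inside them.
RESTORE_POINT_RE = re.compile(
    r"[A-Z]:\\System Volume Information\\_restore\\(?P<rp>rp\d+)\\", re.IGNORECASE
)
LAYER_RE = re.compile(r"^\((?P<name>[^()]+)\)$")


@dataclass
class DetectionLocation:
    container: str                                    # file that actually exists on disk
    layers: List[str] = field(default_factory=list)  # unpackers applied, outermost first
    member: Optional[str] = None                      # innermost file name, if any
    restore_point: Optional[str] = None               # e.g. "rp2961" for a System Restore copy


def parse_defender_resource(resource: str) -> DetectionLocation:
    """Split 'container->(layer)->(layer)->member' into its parts."""
    hops = [h.strip() for h in resource.split("->")]
    loc = DetectionLocation(container=hops[0])
    for hop in hops[1:]:
        m = LAYER_RE.match(hop)
        if m:
            loc.layers.append(m.group("name"))
        else:
            loc.member = hop
    rp = RESTORE_POINT_RE.search(loc.container)
    if rp:
        loc.restore_point = rp.group("rp")
    return loc


def is_live(loc: DetectionLocation) -> bool:
    """Triage rule used later in this thread: a hit inside a System Restore point
    only becomes active if that restore point is applied; anything else is a file
    the user can run today and is worth a second opinion from a multi-scanner."""
    return loc.restore_point is None


# Constructed input: the locations from the log above (user name kept redacted).
SAMPLE_RESOURCES = [
    r"C:\Documents and Settings\Ben xxxxx\My Documents\My Received Files\Setup.exe->(UPX)",
    r"C:\System Volume Information\_restore\rp2961\A0162570.exe->(UPX)->(RarSfx)->sav1.dat",
    r"C:\System Volume Information\_restore\rp2961\A0162570.exe->(UPX)->(RarSfx)->sav0.dat",
]


def triage(resources=SAMPLE_RESOURCES):
    """Return (live files to submit, files that are inert in the restore cache)."""
    live, cached = [], []
    for r in resources:
        loc = parse_defender_resource(r)
        (live if is_live(loc) else cached).append(loc)
    return live, cached


if __name__ == "__main__":
    live, cached = triage()
    for loc in live:
        print("submit:", loc.container, "unpacked through", loc.layers or "nothing")
    for loc in cached:
        print("inert in", loc.restore_point + ":", loc.member, "inside", loc.container)
```

Run as-is it prints one file to submit (Setup.exe) and two members that only exist inside a restore-point copy; the same split is what the rest of the thread's advice turns on.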



Re: Strange Findings




| I couldn't copy and paste from Windows Defender, but here is what I found in
| the log.
| Trojan Downloader:
| file:
| C:\Documents\Ben xxxxx\My Documents\My Received Files\Setup.exe->(UPX)
| container file:
| C:\Documents and Settings\Ben xxxxx\My Documents\My Received Files\Setup.exe

| Program : Win32/Antivirus 2008
| Resources:
| file:
| C:\System Volume Information\_restore\rp2961\A0162570.exe->(UPX)->(RarSfx)->sav1.dat
| file:
| Same as the above, except it ended with   ->sav0.dat

| Maybe this will help you.



Yes, yes it does.

The sav0.dat and sav1.dat are related to SAV.EXE and SAV.CPL, which are all found in a
self-extracting archive file that is downloaded by a Zlob trojan downloader.  The self
extractor is named like 5493.exe, and when executed you get sav0.dat, sav1.dat, SAV.EXE,
SAV.CPL and a BAT file.  The BAT file installs the other files and then deletes the self
extractor, 5493.exe (file name can vary).

The file Setup.exe was the 'Trojan Downloader:Win32/ZLOB.ANN' that caused the self
extracting archive file to get downloaded.  I can't speak for why Avast, SuperAntispyware
and Malwarebytes' Anti-Malware missed the Zlob downloader trojan.  It is unfortunate that
this trojan downloader missed them.  I will also note that this is a downloader that
downloads multiple files, not just a file named such as 5493.exe.  It may have also
downloaded a file such as video0.cfg, which is really an EXE file, and logo.gif, which is
also really an EXE file.  These *may* have been caught by the above anti-malware scanners.
SAV.EXE and SAV.CPL are well recognized by the vast majority as seen on VirusTotal.
However, video0.cfg and logo.gif are not  :-(

The DAT files are harmless.  The location where they were found was in the System Restore
cache and they were safe there unless you restored the system to a previous restore point
that had those infected files.  Otherwise they would eventually cache out.

The question is...
Are you still infected ?

Do you have any lasting symptoms or anomalies ?

--
Dave



Re: Strange Findings


I have run all my Anti---programs, and there were no infections.  Everything
seems to be running normal.  I can't imagine where I picked these up.  I
don't go to the "trashy" web sites.
Thanks for your information.



Re: Strange Findings



| I have run all my Anti---programs, and there were no infections.  Everything
| seems to be running normal.  I can't imagine where I picked these up.  I
| don't go to the "trashy" web sites.
| Thanks for your information.

It could have been a drive-by download or you may have fallen for the old CODEC/Video
ActiveX video scam.

One of the latest I have seen that does this is zcodec.XXXX.exe, where XXXX is a number
such as 1104.

Doesn't it suck that Windows Defender can't provide a proper log that you can copy & paste
from?

This also holds true (from the last time I tested it) with Microsoft's Windows Live
OneCare.

--
Dave



Re: Strange Findings


Still, WD seems to have worked in this case. Perhaps it has been given a bad
rap by some. I use it on my w2k box too.
--
Virus Removal http://max.shplink.com/removal.html
Block Spam! http://improve-usenet.org/index.html
Change nomail.afraid.org to gmail.com to reply to me by email.
nomail.afraid.org is for use in USENET-feel free to use it yourself.



Re: Strange Findings


| Still,WD seems to have worked in this case. Perhaps it has been given a bad
| rap by some. I use it on my w2k box too.

Yes.  In this case.

I will also admit that over the past 18 months or so I have seen a vast improvement of the
catch rate of Live OneCare.  However, I still do not suggest its use.


--
Dave



Re: Strange Findings

David H. Lipman wrote:

David,

If the files are still around wouldn't it make sense to upload to
virustotal, and or some of the online sandboxes?

John

Re: Strange Findings





| David,

| If the files are still around wouldn't it make sense to upload to
| virustotal, and or some of the online sandboxes?

| John

Y E S  !

--
Dave



Re: Strange Findings



David H. Lipman wrote:

Guess I should have put some links in there

http://www.virustotal.com/
http://www.threatexpert.com/submit.aspx
http://research.sunbelt-software.com/submit.aspx
http://uploads.malwarebytes.org/
http://www.norman.com/microsites/nsic/Submit/en-us


Any you would add to the list?


John


Re: Strange Findings




| Guess I should have put some links in there

| http://www.virustotal.com/
| http://www.threatexpert.com/submit.aspx
| http://research.sunbelt-software.com/submit.aspx
| http://uploads.malwarebytes.org/
| http://www.norman.com/microsites/nsic/Submit/en-us


| Any you would add to the list?

| John

Jotti -- http://virusscan.jotti.org/
VirScan -- http://www.virscan.org/

VirScan is from China and is relatively new.  It has anti-malware scanners that are NOT
on VirusTotal, albeit it shares some of the same vendors.  VirScan also has an excellent
one-click method to copy the report to the clipboard.

Sample VirScan report

VirSCAN.org Scanned Report :
Scanned time   : 2008/09/24 22:11:03 (EDT)
Scanner results: 28% Scanner(10/36) found malware!
File Name      : scan.exe
File Size      : 186880 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : 4d22bcbd865ab769e238d8a8a9baec0e
SHA1           : fe3a1ea14d22e55c110dc496be747131745b24fd
Online report  : http://virscan.org/report/482667ee17f4df5e05664343a971b769.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.0.0.14        2008.09.24        2008-09-24  1.49   -
AhnLab V3      2008.09.25.00   2008.09.25        2008-09-25  1.92   -
AntiVir        7.8.1.34        7.0.6.207         2008-09-24  2.33   -
Arcavir        1.0.5           200809241305      2008-09-24  1.24   -
AVAST!         3.0.1           080924-1          2008-09-24  0.03   -
AVG            7.5.52.442      270.7.2/1689      2008-09-24  1.81   -
BitDefender    7.60825.1805609 7.21022           2008-09-25  3.11   Trojan.FakeAlert.AGK
CA (VET)       9.0.0.143       31.6.6105         2008-09-24  5.31   -
ClamAV         0.94            8326              2008-09-25  0.04   -
Comodo         2.11            2.0.0.656         2008-09-24  0.42   -
CP Secure      1.1.0.715       2008.09.25        2008-09-25  5.90   -
Dr.Web         4.44.0.9170     2008.09.24        2008-09-24  3.21   -
ewido          4.0.0.2         2008.09.24        2008-09-24  2.99   -
F-Prot         4.4.4.56        20080924          2008-09-24  1.04   -
F-Secure       5.51.6100       2008.09.24.14     2008-09-24  3.40   Trojan-Downloader.Win32.Small.adsi [AVP]
Fortinet       2.81-3.113      9.580             2008-09-23  0.23   Suspicious
ViRobot        20080924        2008.09.24        2008-09-24  0.63   -
Ikarus         T3.1.01.34      2008.09.24.71523  2008-09-24  4.08   -
JiangMin       11.0.706        2008.09.24        2008-09-24  1.23   -
Kaspersky      5.5.10          2008.09.24        2008-09-24  0.03   Trojan-Downloader.Win32.Small.adsi
KingSoft       2008.1.14.15    2008.9.25.10      2008-09-25  0.71   -
McAfee         5.3.00          5391              2008-09-24  1.99   -
Microsoft      1.3903          2008.09.24        2008-09-24  3.99   TrojanDownloader:Win32/Renos.gen!AU
mks_vir        2.01            2008.09.25        2008-09-25  2.66   -
Norman         5.93.01         5.93.00           2008-09-18  5.58   -
Panda          9.05.01         2008.09.24        2008-09-24  2.13   -
Trend Micro    8.700-1004      5.564.08          2008-09-24  0.03   TROJ_FAKEAV.QR
Quick Heal     9.50            2008.09.24        2008-09-24  1.80   Suspicious - DNAScan
Rising         20.0            20.63.22.00       2008-09-24  0.82   -
Sophos         2.78.0          4.33              2008-09-25  2.02   Mal/EncPk-CZ
Sunbelt        3.1.1668.1      2256              2008-09-24  0.59   -
Symantec       1.3.0.24        20080924.003      2008-09-24  0.10   Packed.Generic.188
nProtect       2008-09-25.00   2167424           2008-09-25  4.40   Trojan.FakeAlert.AGK
The Hacker     6.3.0.9         v00093            2008-09-24  0.43   -
VBA32          3.12.8.6        20080924.1354     2008-09-24  5.00   -
VirusBuster    4.5.11.10       10.88.6/635732    2008-09-24  0.88   -

--
Dave
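
An added Python example, not Dave's code and not anything VirSCAN or VirusTotal ships, showing what you get out of a report like the one above and the one check to make before acting on it: it hashes a stand-in file, parses the report into one record per engine, counts which engines flagged the sample and how many different names those ten detections go by (the point made earlier that a detection name is vendor-specific), cross-checks the banner's 10/36 against the rows, and confirms the report's MD5/SHA1 header refers to the file actually in hand. The stand-in bytes are constructed and do not match the report, so that last check correctly fails for them; the regexes and function names are the example's own.

```python
import hashlib
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed stand-in for a suspect file; it is NOT the binary behind the report.
SUSPECT_BYTES = b"MZ" + b"\x90" * 62 + b"constructed sample, not a real PE\n"

# The VirSCAN report quoted above (a few header lines dropped), one scanner per row.
VIRSCAN_REPORT = """\
Scanner results: 28% Scanner(10/36) found malware!
File Name      : scan.exe
MD5            : 4d22bcbd865ab769e238d8a8a9baec0e
SHA1           : fe3a1ea14d22e55c110dc496be747131745b24fd

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.0.0.14        2008.09.24        2008-09-24  1.49   -
AhnLab V3      2008.09.25.00   2008.09.25        2008-09-25  1.92   -
AntiVir        7.8.1.34        7.0.6.207         2008-09-24  2.33   -
Arcavir        1.0.5           200809241305      2008-09-24  1.24   -
AVAST!         3.0.1           080924-1          2008-09-24  0.03   -
AVG            7.5.52.442      270.7.2/1689      2008-09-24  1.81   -
BitDefender    7.60825.1805609 7.21022           2008-09-25  3.11   Trojan.FakeAlert.AGK
CA (VET)       9.0.0.143       31.6.6105         2008-09-24  5.31   -
ClamAV         0.94            8326              2008-09-25  0.04   -
Comodo         2.11            2.0.0.656         2008-09-24  0.42   -
CP Secure      1.1.0.715       2008.09.25        2008-09-25  5.90   -
Dr.Web         4.44.0.9170     2008.09.24        2008-09-24  3.21   -
ewido          4.0.0.2         2008.09.24        2008-09-24  2.99   -
F-Prot         4.4.4.56        20080924          2008-09-24  1.04   -
F-Secure       5.51.6100       2008.09.24.14     2008-09-24  3.40   Trojan-Downloader.Win32.Small.adsi [AVP]
Fortinet       2.81-3.113      9.580             2008-09-23  0.23   Suspicious
ViRobot        20080924        2008.09.24        2008-09-24  0.63   -
Ikarus         T3.1.01.34      2008.09.24.71523  2008-09-24  4.08   -
JiangMin       11.0.706        2008.09.24        2008-09-24  1.23   -
Kaspersky      5.5.10          2008.09.24        2008-09-24  0.03   Trojan-Downloader.Win32.Small.adsi
KingSoft       2008.1.14.15    2008.9.25.10      2008-09-25  0.71   -
McAfee         5.3.00          5391              2008-09-24  1.99   -
Microsoft      1.3903          2008.09.24        2008-09-24  3.99   TrojanDownloader:Win32/Renos.gen!AU
mks_vir        2.01            2008.09.25        2008-09-25  2.66   -
Norman         5.93.01         5.93.00           2008-09-18  5.58   -
Panda          9.05.01         2008.09.24        2008-09-24  2.13   -
Trend Micro    8.700-1004      5.564.08          2008-09-24  0.03   TROJ_FAKEAV.QR
Quick Heal     9.50            2008.09.24        2008-09-24  1.80   Suspicious - DNAScan
Rising         20.0            20.63.22.00       2008-09-24  0.82   -
Sophos         2.78.0          4.33              2008-09-25  2.02   Mal/EncPk-CZ
Sunbelt        3.1.1668.1      2256              2008-09-24  0.59   -
Symantec       1.3.0.24        20080924.003      2008-09-24  0.10   Packed.Generic.188
nProtect       2008-09-25.00   2167424           2008-09-25  4.40   Trojan.FakeAlert.AGK
The Hacker     6.3.0.9         v00093            2008-09-24  0.43   -
VBA32          3.12.8.6        20080924.1354     2008-09-24  5.00   -
VirusBuster    4.5.11.10       10.88.6/635732    2008-09-24  0.88   -
"""

# One row: scanner name (may contain spaces), engine, signature version, date, seconds, result.
ROW_RE = re.compile(r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
                    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+?)\s*$")
DIGEST_RE = re.compile(r"^(MD5|SHA1)\s*:\s*([0-9a-fA-F]{32,40})\s*$")
CLAIM_RE = re.compile(r"Scanner\((\d+)/(\d+)\)")


def file_hashes(data: bytes) -> Dict[str, str]:
    """Digests to quote when asking about a sample, or to match against a report header."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def parse_report(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (digests from the header, one dict per scanner row)."""
    digests, rows = {}, []
    for line in text.splitlines():
        d = DIGEST_RE.match(line)
        if d:
            digests[d.group(1).lower()] = d.group(2).lower()
            continue
        r = ROW_RE.match(line)
        if r:
            rows.append(r.groupdict())
    return digests, rows


def summarize(rows: List[Dict[str, str]]) -> Tuple[int, int, Counter]:
    """(engines that flagged, engines total, detection name -> engines using that name)."""
    hits = [r for r in rows if r["result"] != "-"]  # "-" is the report's clean marker
    return len(hits), len(rows), Counter(r["result"] for r in hits)


def claimed_ratio(text: str) -> Tuple[int, int]:
    """Hit ratio printed in the banner, to cross-check against what the rows actually say."""
    m = CLAIM_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def report_is_for(data: bytes, digests: Dict[str, str]) -> bool:
    """A report only describes the file whose digests appear in its header."""
    if not digests:
        return False
    mine = file_hashes(data)
    return all(mine.get(alg) == digest for alg, digest in digests.items())


if __name__ == "__main__":
    digests, rows = parse_report(VIRSCAN_REPORT)
    hits, total, names = summarize(rows)
    print(f"{hits}/{total} engines flagged (banner: {claimed_ratio(VIRSCAN_REPORT)}); "
          f"{len(names)} distinct names; report is for our file: {report_is_for(SUSPECT_BYTES, digests)}")
```

On this report the ten hits carry nine different names (only Trojan.FakeAlert.AGK is shared by two engines), which is why quoting a single vendor's name says little, while the MD5/SHA1 in the header identifies the sample unambiguously; `report_is_for` is the check to run before attaching any report to a file you are about to submit elsewhere.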



Re: Strange Findings




I guess I'm a little slow, I understand Virscan is not a working scanner.  I
see at the bottom of their Home Page, "Last File Scanned".  Where do these
come from?  Is cut and paste the protocol to use in their Suspicious files to
scan?  Sorry for being so dense.



Re: Strange Findings





| I guess I'm a little slow, I understand Virscan is not a working scanner.  I
| see at the bottom of their Home Page, "Last File Scanned".  Where do these
| come from?  Is cut and paste the protocol to use in their Suspicious files to
| scan?  Sorry for being so dense.

VirScan is the Chinese equivalent to Spain's VirusTotal.

You submit a questionable file to VirScan and it will scan the submission with 36 AV scan
engines.


--
Dave



Re: Strange Findings





Ben wrote:

When you use the VirusTotal site, you can just find the file on your HDD by
using the Browse feature shown on the VirusTotal homepage and locate the
file in question and it will then be submitted.
Just go to the VirusTotal homepage and it will become clear.
Buffalo



Re: Strange Findings



David H. Lipman wrote:



I would also add Bit9 fileadvisor if you're trying to identify a file

http://fileadvisor.bit9.com/services/search.aspx


John


Re: Strange Findings





Two possibilities.

A: Windows Defender was able to detect malware that the others
weren't.

B: Windows Defender is giving false positives.

The only way to know for sure would be to send the files to a
reputable lab such as Kaspersky for analysis.

Re: Strange Findings





Or to us. :) Or even to virustotal. However, based on his logs, and the
contents, it wasn't too likely to be a false alarm.
 



--
Regards,
Dustin Cook,  Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
  

