Win32/Spy.Agent.PZ trojan - false positive?

8 replies to this topic

#1 number9dream

Posted 11 October 2008 - 01:21 PM

Hi,

Before I start explaining the problem:
I am running a legit copy of Windows XP SP3, I have NOD32 as my main anti-virus.

Yesterday before going to sleep I started a Trend Micro HouseCall scan (I'm using a trial version of NOD32 for my main anti-virus, along with Malwarebytes, SUPERAntiSpyware, Ad-Aware and Spybot S&D). When I woke up NOD was telling me it had detected "Win32/Spy.Agent.PZ trojan".

My NOD32 is in swedish but here's a translation of the relevant info from the log:
The file was detected in C:\DOCUME~1\JONATH~1\LOKALA~1\Temp\VS14AHU6.40S and is "a variant of Win32/Spy.Agent.PZ trojan", and it was quarantined and then removed.
It "Was created by the program c\program\internet explorer\iexplore.exe" (I use firefox normally, but housecall doesn't seem to work as well with that browser for me).

Not sure the translation is perfect but hopefully fine. Anyway, as the scan had finished long before I woke up, the ActiveX plugin had expired and I had to refresh the page, thus losing the scan results, so I restarted it, and about 5-10 minutes into the scan I received the same popup about the trojan (and have done so every time I run the scan, 4/4 times), which makes me think that it's a false positive, probably caused by something installed by HouseCall? Is there any way I can be sure, though? For whatever it's worth, I've run a NOD scan since and it found nothing, and a HouseCall scan which found some minor things (i.e. tracking cookie type stuff mostly) but nothing related to the trojan, IIRC.

Maybe the fact that it's only appeared when I run HouseCall, and so far is 4 out of 4 at that, is enough evidence of it being a false positive, but I'm feeling a bit paranoid. Had a detection in some flash game a few weeks ago (actually, my AV at the time, Avira AntiVir, found nothing, but on a whim I uploaded it to two of those multi-scanner sites, i.e. VirusTotal, and 1/36 scanners found something - VBA32, Win32.BrokenEmbeddedPattern on paranoid heuristics, but only on one of the two sites - however after running every other scanner I had, changing to NOD32 and running HijackThis I decided it was probably nothing) :thumbsup:

One thing that worried me was that upon rebooting my computer and going to one of the sites I regularly visit it said "this account logged in from another browser" at the login box. However, I seem to recall this happening before when rebooting/emptying cookies, etc., although I'm not sure.

Hopefully this was not too rambly, and thanks for any help you can provide in making sure it's a false positive.
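The reasoning in the post (the alert fires only while the on-demand scanner is running, the file is created by the scanner's browser process, and it lands in a temp directory) is a triage pattern that can be written down. Below is an added Python example, not code from this thread or from any of the tools named in it: it correlates resident-AV alerts with on-demand scan windows and reports whether every alert is explained by scan activity. The session timestamps, the log record layout and the control detection are constructed for the example; the temp path is the one quoted in the post. Whatever the verdict, the outcome is a recommendation to confirm with an independent scanner, never a decision to ignore the alert.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Detection:
    when: datetime   # time the resident AV raised the alert
    path: str        # file the AV flagged
    threat: str      # detection name reported by the AV
    creator: str     # process the AV reports as the file's creator


@dataclass(frozen=True)
class ScanSession:
    tool: str        # on-demand scanner that was running
    process: str     # host process of that scanner (the browser for an ActiveX scanner)
    start: datetime
    end: datetime


# Path fragments marking a per-user temp directory (8.3 and long forms; the
# Swedish XP "LOKALA~1" form is the one seen in the post).
TEMP_MARKERS = ("\\temp\\", "\\lokala~1\\temp\\", "\\local settings\\temp\\")


def in_temp_dir(path: str) -> bool:
    """True when the flagged file lives under a temp directory."""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in TEMP_MARKERS)


def covering_session(det: Detection, sessions: List[ScanSession]) -> Optional[ScanSession]:
    """Return the scan session that was running when the alert fired and whose
    host process matches the reported creator, or None if there is none."""
    for s in sessions:
        if s.start <= det.when <= s.end and s.process.lower() == det.creator.lower():
            return s
    return None


def triage(detections: List[Detection], sessions: List[ScanSession]) -> dict:
    """Split alerts into scanner-correlated and unexplained, and give a verdict."""
    explained, unexplained = [], []
    for d in detections:
        s = covering_session(d, sessions)
        if s is not None and in_temp_dir(d.path):
            explained.append((d, s))
        else:
            unexplained.append(d)
    if not detections:
        verdict = "no detections"
    elif unexplained:
        verdict = "not explained by scan activity: treat as a real infection until proven otherwise"
    else:
        verdict = "consistent with scanner-induced false positive: confirm with an independent scanner"
    return {"explained": len(explained), "unexplained": len(unexplained), "verdict": verdict}


def at(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


# Constructed sample data: four HouseCall runs and one alert inside each run.
SESSIONS = [
    ScanSession("HouseCall", "iexplore.exe", at("2008-10-11 01:00"), at("2008-10-11 03:30")),
    ScanSession("HouseCall", "iexplore.exe", at("2008-10-11 10:00"), at("2008-10-11 10:45")),
    ScanSession("HouseCall", "iexplore.exe", at("2008-10-11 11:00"), at("2008-10-11 11:45")),
    ScanSession("HouseCall", "iexplore.exe", at("2008-10-11 12:00"), at("2008-10-11 12:45")),
]
TEMP_FILE = r"C:\DOCUME~1\JONATH~1\LOKALA~1\Temp\VS14AHU6.40S"
DETECTIONS = [
    Detection(at("2008-10-11 01:12"), TEMP_FILE, "Win32/Spy.Agent.PZ", "iexplore.exe"),
    Detection(at("2008-10-11 10:07"), TEMP_FILE, "Win32/Spy.Agent.PZ", "iexplore.exe"),
    Detection(at("2008-10-11 11:08"), TEMP_FILE, "Win32/Spy.Agent.PZ", "iexplore.exe"),
    Detection(at("2008-10-11 12:06"), TEMP_FILE, "Win32/Spy.Agent.PZ", "iexplore.exe"),
]
# Constructed control case: an alert outside every scan window, on a non-temp
# file, created by a process that is not the scanner's host.
OUT_OF_WINDOW = Detection(
    at("2008-10-11 15:30"),
    r"C:\WINDOWS\system32\constructed_example.dll",
    "Win32/Spy.Agent.PZ",
    "explorer.exe",
)

if __name__ == "__main__":
    print(triage(DETECTIONS, SESSIONS))
    print(triage(DETECTIONS + [OUT_OF_WINDOW], SESSIONS))
```

The creator-process check matters as much as the time window: an alert that fires during a scan but names a different creator is not explained by the scan and stays in the unexplained bucket.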


#2 ruby1

Posted 11 October 2008 - 02:24 PM

Suggest you try a scan with Malwarebytes and post the resultant log for review?
Fresh instructions are here:
http://www.bleepingcomputer.com/forums/ind...st&p=959453

#3 number9dream

Posted 11 October 2008 - 03:25 PM

Hi, thanks, here's the log:

Malwarebytes' Anti-Malware 1.28
Database version: 1258
Windows 5.1.2600 Service Pack 3

10/11/2008 10:25:15 PM
mbam-log-2008-10-11 (22-25-15).txt

Scan type: Quick Scan
Objects scanned: 50713
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 ruby1

Posted 11 October 2008 - 03:35 PM

Try SUPERAntiSpyware next:
http://www.bleepingcomputer.com/forums/ind...st&p=959604

ruby1 edit: occurs to me you may wish to print out those instructions, as you will NOT have access to the internet or this page while in safe mode.

Edited by ruby1, 11 October 2008 - 03:47 PM.


#5 number9dream

Posted 11 October 2008 - 04:18 PM

In the Scanning Control tab, most of the boxes are checked by default. The instructions say to leave the "other boxes unchecked", does that mean I should just let them be or should I manually uncheck everything except the 3 he listed?

#6 number9dream

Posted 11 October 2008 - 06:08 PM

When I booted in safe mode I was given the option of running Windows as Admin or as my normal (and only) user profile for the computer. I chose Admin (which led to SUPERAntiSpyware not keeping a log of the event, but I retrieved it manually by rebooting in safe mode); hopefully this doesn't change anything.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/12/2008 at 00:53 AM

Application Version : 4.21.1004

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 01:16:45

Memory items scanned : 172
Memory threats detected : 0
Registry items scanned : 5051
Registry threats detected : 0
File items scanned : 38617
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Jonathan Walsh\Cookies\jonathan_walsh@server.iad.liveperson[1].txt

Adware.Casino Games (Golden Palace Casino)
C:\POKER\POKER CARDOZA\CASINO.EXE

Casino.exe is from a poker site I used to play on. Fairly certain it's not harmful, but as I don't play there anymore I removed it anyway.

#7 ruby1

Posted 12 October 2008 - 09:42 AM

What do you mean by "I'm using a trial version of NOD32 for my main anti-virus"?

Is it giving you temporary cover for a certain period of time?

I think if you run SUPERAntiSpyware again you will run clear; I tend to run it on a FULL deep scan just to be on the safe side, as why run a scan if you do NOT do a deep full one!!


You could also try a-squared Free,
which you can download from HERE.
A guide on how to run it is HERE.

I tend to run this one too on a full deep scan, but please be aware that this tool tends to flag up all kinds of stuff that is really unimportant; let us know how you get on with it?

#8 number9dream

Posted 12 October 2008 - 09:59 AM

Yeah, 30-day trial; I'll probably buy it by the time the trial is up. I ran SUPERAntiSpyware in full scan the first time, should I do it again anyway? Also, when you run SUPERAntiSpyware do you have to run it in safe mode for it to be effective?

Thanks for all your help!

Edited by number9dream, 12 October 2008 - 10:48 AM.


#9 ruby1

Posted 12 October 2008 - 10:09 AM

I suggest you check for updates, reboot and rerun SUPERAntiSpyware again in safe mode and on a full deep scan; I for one see little point in running the scan on only selected parts of the computer. Sod's Law states that a bug WILL be in the part you do NOT scan :flowers:

Do also run the a-squared scan when you have time :thumbsup:
