Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan/Spy.ZBot.jf and Trojan/Spy.ZBot.yw found by The Hacker: false positive?


  • This topic is locked This topic is locked
9 replies to this topic

#1 Hendyskitoodigger

Hendyskitoodigger

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North India
  • Local time:10:00 PM

Posted 26 February 2013 - 07:26 PM

I use an assembled desktop with an 1.5 Tb Western Digital hard drive,Intel Core i3 3.2Ghz processor and 4 Gb RAM running Windows XP SP3.

Antivirus and anti-spyware: Symantec Endpoint Protection 11; Spybot Search and Destroy;Zonealarm Free Firewall;Microsoft Security Essentials.

 

I used to have Ad-Aware Free ver.9 and in mid January 2013 it identified the tcpip.sys file as being infected with a trojan which it called Win32.Trojan.Agent. I scanned the file with Virustotal where 5/46 programmes identfied a Trojan:

eSafe    Win32.Trojan    
Ikarus    Trojan-Downloader.Win32.Agenttiny
nProtect    Trojan/W32.Agent.361600.B
TheHacker    Trojan/Spy.Zbot.jf    
TrendMicro-HouseCall    TROJ_GEN.F47V1205    
 

2. I replaced the system image with an earlier version but the Virustotal result was identical. Thereafter I replaced tcpip.sys from a Windows XP CD and scanned again with Virustotal. The Hacker identified it as Trojan/Spy.Zbot.yw. Earlier it had identified tcpip.sys as Trojan/Spy.Zbot.jf.The four other programmes which had positives earlier, viz. eSafe, Ikarus,nProtect,TrendMicro-Housecall found nothing. Virusscan.Jotti found nothing. However The Hacker in Virscan.org found Trojan/Spy.Zbot.yw just as it had in Virustotal.

 

3. I used online/downloadable scanners from TrendMicro-Housecall, nProtect, E-set smart security F-Secure, Microsoft Safety Scanner and Kaspersky without a positive finding. I uploaded tcpip.sys to the virus analysis centres of Fortinet, Kaspersky and Avira all without a positive finding for malicious code.

As I found Ver. 10 of Ad-Aware intrusive, I did not install it again to check tcpip.sys. I am coming around to the view that The Hacker found a false positive. Yet, as Trojan/Spy.Zbot.yw is dangerous, I would like additional confirmation and await your advice.

Hendyskitoodigger
 



BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:30 PM

Posted 27 February 2013 - 12:33 AM

Hello, it may be in your temp files.

Please download [url="http://oldtimer.geekstogo.com/TFC.exe"]TFC[/url] (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important!
  • If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

 

 

Also try disabling MSE as the two antivirus may be conflicting. It is not good to have 2 active AV's.

 

Now scan again.


Edited by boopme, 27 February 2013 - 12:35 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Hendyskitoodigger

Hendyskitoodigger
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North India
  • Local time:10:00 PM

Posted 27 February 2013 - 07:42 AM

I used TFC.exe to clean the temporary files.

Could you pl. suggest which programme I should use for scanning again?. Symantec and MSE found nothing earlier. The only programmme which found and continues to find Trojan/Spy.Zbot.yw in tcpip.sys was The Hacker when the file was uploaded to Virustotal and Virscan.org.

Thanks. 

__________________________________

Hello, it may be in your temp files.

Please download TFC.exe to run it......

Now scan again.



#4 Hendyskitoodigger

Hendyskitoodigger
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North India
  • Local time:10:00 PM

Posted 27 February 2013 - 04:42 PM

I used TFC.exe to clean the temporary files.

Could you pl. suggest which programme I should use for scanning again?. Symantec and MSE found nothing earlier. The only programmme which found and continues to find Trojan/Spy.Zbot.yw in tcpip.sys was The Hacker when the file was uploaded to Virustotal and Virscan.org.

Thanks. 

__________________________________

Hello, it may be in your temp files.

Please download TFC.exe to run it......

Now scan again.

After using TFC.exe to clean the temporary file I scanned with  Symantec Endpoint Protection 11 which again found nothing. However, Trojan/Spy.Zbot.yw in tcpip.sys was again found by The Hacker when the file was uploaded to Virustotal and Virscan.org.

Thanks



#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:30 PM

Posted 27 February 2013 - 09:12 PM

I agree with you about it is a dangerous malware if it is NOT an FP. So you rplace tcip.sys.. Then ran TFC and Norton and if you still upload the file only the Hacker finds it.

 

Lets do another scan as I know ESET will remove Trojan/Spy.Zbot.yw. f present

 

 

Now I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the   button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE:Sometimes if ESET finds no infections it will not create a log.


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 Hendyskitoodigger

Hendyskitoodigger
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North India
  • Local time:10:00 PM

Posted 28 February 2013 - 03:32 PM

Actually, I replaced tcpip.sys, then scanned with online scanners from TrendMicro-Housecall, nProtect, E-set smart security, F-Secure, Microsoft Safety Scanner and Kaspersky without a positive. Then I contacted Bleeping Computer, replaced tcpip.sys again and, on your very welcome advice, scanned with TFC, Symantec Endpoint Security and Eset. Except Eset, neither of the other two programmes found a positive. In Virustotal, The Hacker continued to find Trojan/Spy.Zbot.yw as before. Here is the result of the latest Eset scan in bold letters:

D:\Progsetters\zlsSetup_70_483_000_en.exe    a variant of Win32/AdInstaller application    cleaned by deleting - quarantined

 

2. Progsetters is the name of a folder created by me. I do not insist that The Hacker is getting a false positive as I really do not know. I look forward to your comments. Many thanks.

 

 

________________________________________________________________________________________________________________

I agree with you about it is a dangerous malware if it is NOT an FP. So you rplace tcip.sys.. Then ran TFC and Norton and if you still upload the file only the Hacker finds it.

 

Lets do another scan as I know ESET will remove Trojan/Spy.Zbot.yw. f present

 

 

Now I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png  button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png
       icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

NOTE:Sometimes if ESET finds no infections it will not create a log.



#7 Hendyskitoodigger

Hendyskitoodigger
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North India
  • Local time:10:00 PM

Posted 01 March 2013 - 01:57 PM

ctually, I replaced tcpip.sys, then scanned with online scanners from
TrendMicro-Housecall, nProtect, E-set smart security, F-Secure,
Microsoft Safety Scanner and Kaspersky without a positive. Then I
contacted Bleeping Computer, replaced tcpip.sys again and, on your very
welcome advice, scanned with TFC, Symantec Endpoint Security and Eset.
Except Eset, neither of the other two programmes found a positive. In
Virustotal, The Hacker continued to find Trojan/Spy.Zbot.yw as before. Here is the result of the latest Eset scan in bold letters:

D:\Progsetters\zlsSetup_70_483_000_en.exe    a variant of Win32/AdInstaller application    cleaned by deleting - quarantined

 

2.
Progsetters is the name of a folder created by me. I do not insist that
The Hacker is getting a false positive as I really do not know. I look
forward to your comments. Many thanks.

 


 

e advice, scanned with TFC, Symantec Endpoint Security and Eset. Except Eset, neither of the other two programmes found a positive. In Virustotal, The Hacker continued to find Trojan/Spy.Zbot.yw as before. Here is the result of the latest Eset scan in bold letters:

D:\Progsetters\zlsSetup_70_483_000_en.exe    a variant of Win32/AdInstaller application    cleaned by deleting - quarantined

 

2. Progsetters is the name of a folder created by me. I do not insist that The Hacker is getting a false positive as I really do not know. I look forward to your comments. Many thanks.

 

________________________________________________________________________________________________________________

I agree with you about it is a dangerous malware if it is NOT an FP. So you rplace tcip.sys.. Then ran TFC and Norton and if you still upload the file only the Hacker finds it.

 

Lets do another scan as I know ESET will remove Trojan/Spy.Zbot.yw. f present

 

 

Now I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png  button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png
       icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

NOTE:Sometimes if ESET finds no infections it will not create a log.



#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:30 PM

Posted 01 March 2013 - 05:06 PM

To be sure of what is here or not... I think we should get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 Hendyskitoodigger

Hendyskitoodigger
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North India
  • Local time:10:00 PM

Posted 03 March 2013 - 09:47 AM

To be sure of what is here or not... I think we should get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

 

I have follwed the steps in the Preparation Guide and have posted the log from DDS.com in Virus, Trojan, Spyware, and Malware Removal Logs.

That's what I was told to do in the Preparation Guide.



#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:30 PM

Posted 03 March 2013 - 09:27 PM

That's correct.. a person we've trained to analyze these will reply with the next process.

 

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 2 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users