SpiritedTreasure

False Positives? Java Ra trojan.zbot and spyware.password for Adobe Air and Nero


Greetings.

I have posted at Bleeping computer.

http://www.bleepingcomputer.com/forums/topic469658.html

Hi.

I'm wondering if these results could possibly be a false positive. This is a brand new computer. (about 2 months old)

Windows 7. I had done a full scan with Malwarebytes earlier and then again. I also scanned with webroot both times. Then again after.

I didn't think Adobe Air or Nero were viruses or malware. There is almost nothing out about this. I searched Dogpile.

Here are the first results from earlier which showed nothing:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.23.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Spirit :: SPIRIT-PC [administrator]

9/23/2012 1:49:46 PM

mbam-log-2012-09-23 (13-49-46).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 354403

Time elapsed: 19 minute(s), 14 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

==================

Later on I scanned again:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.23.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Spirit :: SPIRIT-PC [administrator]

9/23/2012 6:29:44 PM

mbam-log-2012-09-23 (18-29-44).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 354076

Time elapsed: 17 minute(s), 13 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Acer Edition\ISSetupPrerequisites\{4C6E12E5-5905-4aa5-B462-E7DFC4BD75E5}\LSDriveDetect.exe (Spyware.Password) -> Quarantined and deleted successfully.

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.exe (Spyware.Password) -> Quarantined and deleted successfully.

(end)

=========================

Then again after rebooting

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.23.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Spirit :: SPIRIT-PC [administrator]

9/23/2012 6:50:14 PM

mbam-log-2012-09-23 (18-50-14).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 353875

Time elapsed: 20 minute(s), 2 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

==================

I'm not having any issues and I did not notice anything different happening.

Please advise. Thank you.

I'm bookmarking this topic so I can watch for someone to respond.

===================

In addition I scan with Malwarebytes and Webroot every single day. Sometimes more than once a day. Also the files listed here were not present and they were not in the items that Malwarebytes quarantined.

http://forums.malwarebytes.org/index.php?showtopic=4556

I shut my computer all the way off and ran another full scan for Malwarebytes and Webroot.

Webroot is not seeing anything at any time.

After leaving my computer off for about 20 or 25 minutes this is the latest scan which shows nothing.

====================

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.23.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Spirit :: SPIRIT-PC [administrator]

9/23/2012 8:38:13 PM

mbam-log-2012-09-23 (20-38-13).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 354208

Time elapsed: 17 minute(s), 19 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

==================

-edit-

Sept. 24, 2012

It appears that it was indeed a false positive, according to this post.

http://forums.malwarebytes.org/index.php?showtopic=116362

Now this morning I got up and started the computer to do another full scan and it detected trojan.zbot in my JavaRa program that I had copied from the old computer to this one. Now that old computer was also scanned every single day, as well as this one being scanned, and not only that but multiple scans yesterday. Odd that it did not show up yesterday, but this morning, after having the computer off and unplugged for the entire night, it suddenly shows up?

I'm doubting the usefulness of this program at this point. Never have had this happen before. Not only that but scanning the JavaRa.zip showed nothing.

Here are the logs from this morning:

===================================

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.24.04

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Spirit :: SPIRIT-PC [administrator]

9/24/2012 7:21:18 AM

mbam-log-2012-09-24 (07-21-18).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 354039

Time elapsed: 20 minute(s), 24 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\Spirit\Documents\external\BackedJuly_2012\My documents\program downloads\JavaRa.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

(end)

==============================

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.24.04

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Spirit :: SPIRIT-PC [administrator]

9/24/2012 7:48:17 AM

mbam-log-2012-09-24 (07-48-17).txt

Scan type: Custom scan (C:\Users\Spirit\Documents\external\BackedJuly_2012\My documents\program downloads\JavaRa.zip|)

Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM

Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P

Objects scanned: 1

Time elapsed: 2 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

===============================

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.24.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Spirit :: SPIRIT-PC [administrator]

9/24/2012 7:53:10 AM

mbam-log-2012-09-24 (07-53-10).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 354288

Time elapsed: 18 minute(s), 35 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

====================================

I also need to know what to do about these quarantined files that were not actually infected.

Thank you

This appears to be your developer's log. Somehow I thought it would look different.

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.24.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Spirit :: SPIRIT-PC [administrator]

9/24/2012 8:19:14 AM

mbam-log-2012-09-24 (08-19-14).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 354288

Time elapsed: 16 minute(s), 29 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)



See post in this forum titled: LSDriveDetect.exe and \Adobe AIR\Versions\1.0\Resources\template.exe

This should answer your question.


SkipperL New Member:

That post does not mention this:

Java Ra -Trojan.Zbot

Java Ra is a helpful little program that clears off the extra leftovers that the programmers sloppily did not clean up. I will be very sad if such supposed helps were really a virus in disguise. I did not click it on this computer. I did not touch it. It simply got transferred with the rest of my stuff.


Thank you for the report SpiritedTreasure and confirmed they are False Positives.

They are no longer being detected for me so I believe this has been fixed in a database update overnight.

Please can you restore those items from your quarantine and confirm that is the case.

Thanks in advance :)


Are you speaking of the spyware.password or the trojan.zbot or both?

All 3 files that you have reported.


I have now released those from quarantine. I then used Virus Total to scan each one.

I am angry now and creeped out by the result on the Java Ra which has been deleted and recycle bin emptied.

I also did another full scan with Malwarebytes and webroot. I never did click that Java Ra on this computer. That does not make me feel any safer or better.

Now what? Once again I am finding almost nothing about this particular virus. What next? I also need to post some update for the people at Bleeping computer. I don't want an infected computer.

=======================================

ByteHero Virus.Win32.Part.j 20120918

SHA256: e30c1196ed72fd6cea663f73bd24328e11dca8c9854078ee47146ad84e2b1ff5

File name: JavaRa.exe

Detection ratio: 1 / 42

Analysis date: 2012-09-25 15:36:49 UTC ( 1 minute ago )

=============================================

SHA256: f89b7c45fa1665b59b5240ae4ce3bafe4bb3f4e74deb794b7a40d48c52af6801

File name: LSDriveDetect.exe

Detection ratio: 0 / 43

Analysis date: 2012-09-25 15:42:12 UTC ( 0 minutes ago )

=============================================

SHA256: 84e79025eff5fffe580ad264de57a29c9123258b9da522271402fa8e6ad4fda2

File name: template.exe

Detection ratio: 0 / 43

Analysis date: 2012-09-25 15:56:06 UTC ( 1 minute ago )

===============================

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.25.09

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Spirit :: SPIRIT-PC [administrator]

9/25/2012 11:00:50 AM

mbam-log-2012-09-25 (11-00-50).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 354467

Time elapsed: 18 minute(s), 12 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

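The post above does by hand what a defender usually scripts when a single product flags files nobody else flags: pull the detection lines out of each scan log, look the same files up by hash on a multi-engine service, and compare the engine consensus. The following is an added example, not code from the thread, from Malwarebytes or from VirusTotal. It parses logs laid out like the Malwarebytes Anti-Malware 1.65 logs posted in this thread and summaries laid out like the VirusTotal results quoted above, correlates detections per file, and applies a simple consensus heuristic. The sample logs are constructed (trimmed to the lines the parser reads); the file names, SHA256 values and detection ratios are the ones quoted in the post. The function names, the `cleared_by_db` field and the verdict thresholds are my own assumptions, not anything the vendor documents.

```python
"""Triage helper for suspected anti-malware false positives (added example,
not Malwarebytes' or VirusTotal's code).  Parses MBAM 1.65-style scan logs
and VirusTotal-style summaries, correlates them per file, and applies a
consensus heuristic.  All inputs below are constructed."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample logs in the layout of MBAM 1.65 logs, trimmed to the lines used.
MBAM_LOGS = [
    r"""Malwarebytes Anti-Malware 1.65.0.1400
Database version: v2012.09.23.08
Scan type: Full scan (C:\|)
Files Detected: 2
C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Acer Edition\ISSetupPrerequisites\{4C6E12E5-5905-4aa5-B462-E7DFC4BD75E5}\LSDriveDetect.exe (Spyware.Password) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.exe (Spyware.Password) -> Quarantined and deleted successfully.
(end)""",
    r"""Malwarebytes Anti-Malware 1.65.0.1400
Database version: v2012.09.24.04
Scan type: Full scan (C:\|D:\|)
Files Detected: 1
C:\Users\Spirit\Documents\external\BackedJuly_2012\My documents\program downloads\JavaRa.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
(end)""",
    r"""Malwarebytes Anti-Malware 1.65.0.1400
Database version: v2012.09.25.09
Scan type: Full scan (C:\|D:\|)
Files Detected: 0
(No malicious items detected)
(end)""",
]

# VirusTotal-style summaries; hashes and ratios are the ones quoted in the thread.
VT_SUMMARIES = """SHA256: e30c1196ed72fd6cea663f73bd24328e11dca8c9854078ee47146ad84e2b1ff5
File name: JavaRa.exe
Detection ratio: 1 / 42
SHA256: f89b7c45fa1665b59b5240ae4ce3bafe4bb3f4e74deb794b7a40d48c52af6801
File name: LSDriveDetect.exe
Detection ratio: 0 / 43
SHA256: 84e79025eff5fffe580ad264de57a29c9123258b9da522271402fa8e6ad4fda2
File name: template.exe
Detection ratio: 0 / 43
"""

DB_RE = re.compile(r"^Database version: (?P<db>v[\d.]+)$", re.MULTILINE)
# "<path> (<detection name>) -> <action>"; the lazy path lets "(x86)" inside a path through.
HIT_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
VT_RE = re.compile(
    r"SHA256: (?P<sha256>[0-9a-f]{64})\s+File name: (?P<file>\S+)\s+"
    r"Detection ratio: (?P<pos>\d+) / (?P<total>\d+)"
)


def parse_mbam_log(text):
    """Return (database version, list of detection dicts) for one scan log."""
    m = DB_RE.search(text)
    db = m.group("db") if m else "unknown"
    hits = []
    for line in text.splitlines():
        h = HIT_RE.match(line.strip())
        if h:
            hits.append({"db": db, "path": h["path"], "name": h["name"],
                         "action": h["action"], "file": PureWindowsPath(h["path"]).name})
    return db, hits


def parse_vt_summaries(text):
    """Map file name -> {sha256, positives, total} from VirusTotal-style text."""
    return {m["file"]: {"sha256": m["sha256"], "positives": int(m["pos"]),
                        "total": int(m["total"])} for m in VT_RE.finditer(text)}


def consensus_verdict(positives, total):
    """Heuristic only (my thresholds): one vendor's generic name plus near-zero
    multi-engine consensus is the classic false-positive profile, but it proves
    nothing by itself; the vendor's own confirmation settles it."""
    if total == 0:
        return "no multi-engine data"
    if positives == 0:
        return "suspected false positive (no engine flags the file)"
    if positives <= 2:
        return "suspected false positive (low engine consensus)"
    return "likely malicious (multiple engines agree)"


def triage(logs, vt_text):
    """Correlate per-file detections across scans with the multi-engine ratio."""
    parsed = [parse_mbam_log(log) for log in logs]
    all_dbs = sorted(db for db, _ in parsed)  # zero-padded, so string order is date order
    by_file = defaultdict(list)
    for _, hits in parsed:
        for h in hits:
            by_file[h["file"]].append(h)
    vt = parse_vt_summaries(vt_text)
    report = {}
    for file, hits in by_file.items():
        last_hit_db = max(h["db"] for h in hits)
        # First later database whose scan ran without flagging the file.  Only
        # meaningful if the file was back on disk (restored from quarantine).
        later_clean = [db for db in all_dbs if db > last_hit_db]
        v = vt.get(file, {"sha256": None, "positives": 0, "total": 0})
        report[file] = {
            "sha256": v["sha256"],
            "mbam_names": sorted({h["name"] for h in hits}),
            "detected_in_db": sorted({h["db"] for h in hits}),
            "cleared_by_db": later_clean[0] if later_clean else None,
            "vt_ratio": f"{v['positives']}/{v['total']}",
            "verdict": consensus_verdict(v["positives"], v["total"]),
        }
    return report


if __name__ == "__main__":
    for name, row in triage(MBAM_LOGS, VT_SUMMARIES).items():
        print(name, row)
```

The report it produces is the bundle worth sending to the vendor with a false-positive report: the hash, the detection name the product used, the database versions that flagged the file, and the independent engine count. The `cleared_by_db` field is deliberately hedged: a later clean scan only says anything about the signature if the file was actually restored to disk before that scan, which is why the staff reply in this thread asks for exactly that step.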

Hi,

The JavaRa.exe from your quarantine is neither infected nor malicious.

JavaRa is open source software >> http://raproducts.org/wordpress/

We have removed the signature(s) from our database that detected this file by accident (False positive).

We apologize for any anxiety this has caused you, but I can confirm once again that the files you have submitted from your quarantine in this topic are clean and we have removed or changed the signatures that caused their unintentional detection overnight.


Thank you.

I just used ESET Online Virus Scanner and it found nothing.

What a relief.

Thank you.

I'm the little old lady with her face pressed to the windscreen. This computer was a gift and I want it to stay pristine. As pristine as possible.
