Quinny

Trojan.zbot FP?


Almost sure this is an FP, as a few other posters have had it flagged.

But would like to know for sure. Here's the log.

Malwarebytes Anti-Malware (PRO) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.01.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Neil :: NEIL-PC [administrator]

Protection: Enabled

01/11/2012 22:21:13

mbam-log-2012-11-01 (22-21-13).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 518485

Time elapsed: 1 hour(s), 2 minute(s), 22 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Windows\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Windows\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

(end)


I also had MB flag this file, though on my computer it is in a different location (a deep sub-folder of "Norton Bootable Recovery Disk"). File properties show it to be copyrighted by InstallShield and it has been on my computer for about 2 years. FP?


Hi,

Can anyone please attach the file that is being detected? Because without the file or developers log, we cannot know what we should fix.

Thanks!


Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.01.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Decade :: DECADE-PC [administrator]

11/2/2012 2:03:35 AM

mbam-log-2012-11-02 (02-03-35).txt

Scan type: Full scan (C:\|D:\|F:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 620754

Time elapsed: 52 minute(s), 46 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Windows\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Windows\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

(end)

MB also flagged the same two files on my computer, and after I looked around on the internet for a bit, I tried restoring the files, but only the first one in the InstallShield folder was able to be restored. The second one simply couldn't be restored from the quarantine vault in MB and I accidentally deleted it. I updated MB after I restored it and did a full scan, but nothing came up. I also could not find the file or folder on my computer for some reason, but I was able to select the file in the upload section of VirusTotal. https://www.virustotal.com/file/1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e/analysis/1351862445/ I hope this helps.

I can also find the file in the attach files option on this forum, but I cannot put it in a zip or rar file.


I also had this FP detection. Unfortunately I deleted the files completely. Are these files important?


I was simply puzzled by the fact that I couldn't locate the file in Windows Explorer but could still find it on VirusTotal and here; will there be any problems?


You can restore the file from quarantine. It's fine if only the one from C:\Windows\System32\InstallShield\ is restored.


I did restore the file; it's not showing up in Windows Explorer though. I only found it in the pop-up window for file upload to VirusTotal and the attach file option here.


Hi,

Can you attach the detected file to your post please?

Sorry, I'm unable to attach the two files because I removed them straight after detection, which in hindsight was a silly thing to do. So now I'm left wondering whether I've done any damage to my laptop by removing these two files.

Any info?

Cheers.


Hi,

I tried to restore these files that my mbam also detected (same files as CCy3686) so I could send them to you guys for inspection.

Only the file in my System32 removed itself from mbam's quarantine list when I tried to restore it. However, it does not show up in my C:\WINDOWS\System32 directory. In fact, the entire InstallShield dir is missing from the System32 directory. I thought this was because it was hidden, but when I adjusted my Folders View in the Control Panel to show hidden files and folders, the InstallShield dir still did not show up.

Now, I am in a situation where I have tried to restore the file, C:\WINDOWS\System32\InstallShield\_isdel.exe, but it does not show up in explorer, nor does the InstallShield dir itself even show up. This file also is no longer listed in my quarantine list in mbam.

What should I do now?

I could run another full scan with mbam to see if the file somehow gets detected again, but unfortunately, I do not have the same database anymore. Before getting to this forum, I updated my signatures database this morning. The signatures database I used when these files were detected as "Trojan.Zbot" is Database version: v2012.11.01.07. The signature database I have now is Database version: v2012.11.02.08.

I don't know if this file is actually a trojan or not, and now it seems that I can neither send you a copy of it for inspection, nor can I find it on my hard drive after the failed restore.

Again, given my situation, please advise me on what I should do next. I will refrain from doing anything more until I hear your advice.

Thanks in advance.


All I want to know is whether, after removing these two FPs, I will be getting any malfunctions on my laptop, and if so, how do I fix it?

:wacko:


I have attached a copy of the '_isdel.exe' which was falsely detected. For those who may have inadvertently lost their copies, please replace using the attachment.


Actually, here is a condensed copy of my log:

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.01.07

Windows Vista Service Pack 2 x64 NTFS

Internet Explorer 9.0.8112.16421

...

11/1/2012 6:53:17 PM

mbam-log-2012-11-01 (21-39-17).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 414355

Time elapsed: 1 hour(s), 5 minute(s), 51 second(s)

...

Files Detected: 2

C:\WINDOWS\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> No action taken.

C:\WINDOWS\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.0.6000.16386_none_c854dde24615e549\_isdel.exe (Trojan.Zbot) -> No action taken.

(end)

I quarantined the files after saving this log.

Anyway, as you can see, I am actually running Windows Vista Home Premium, SP2 x64...

Will the replacement _isdel.exe file you provided also work for my version of Windows?

Thanks (and sorry I wasn't more precise in my earlier description of my problem.)

Files Detected: 2

C:\WINDOWS\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> No action taken.

C:\WINDOWS\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.0.6000.16386_none_c854dde24615e549\_isdel.exe (Trojan.Zbot) -> No action taken.

I have Vista SP2 x64 and the file is exactly the same as the one from Windows 7 and even Windows 8.


I have Vista SP2 x64 and the file is exactly the same as the one from Windows 7 and even Windows 8.

Yes. I'm running Windows 8 x64. After almost a heart attack, I manually inspected the files... Same MD5 and SHA1 as listed in the National Software Reference Library.

Nothing malicious or new in the code.

_isdel.exe
SHA256: 1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e
SHA1: 0e7bb331d398be694a92a823de839fefdf464dfd
MD5: 9d4ec4b71fd189a0b2c4dbd6aade16bf

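The check the post above describes, as an added example that is not part of the original thread: a small Python script that hashes a file with MD5, SHA-1 and SHA-256 and compares all three digests against the reference values quoted above for _isdel.exe. The default file path is an assumption (pass your own on the command line); the reference digests are the ones listed in the post.

```python
import hashlib
import sys

# Reference digests for the InstallShield helper _isdel.exe as quoted in the post
# above (the poster reports they match the National Software Reference Library).
KNOWN_GOOD_ISDEL = {
    "md5": "9d4ec4b71fd189a0b2c4dbd6aade16bf",
    "sha1": "0e7bb331d398be694a92a823de839fefdf464dfd",
    "sha256": "1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_bytes(data):
    """Hex digests of an in-memory blob, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path, chunk_size=1 << 20):
    """Hex digests of a file, hashed incrementally so a large binary need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual, expected):
    """Per-algorithm match table; hex strings are compared case-insensitively."""
    return {name: actual[name].lower() == expected[name].lower() for name in expected}


def is_known_good(actual, expected=KNOWN_GOOD_ISDEL):
    """True only when every digest matches.

    MD5 and SHA-1 are collision-prone, so the verdict rests on the SHA-256
    agreeing as well, never on MD5 alone.
    """
    return all(compare(actual, expected).values())


if __name__ == "__main__":
    # Assumed location on 64-bit Windows; give another path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\SysWOW64\InstallShield\_isdel.exe"
    found = digest_file(target)
    for name in ALGORITHMS:
        flag = "OK" if found[name].lower() == KNOWN_GOOD_ISDEL[name] else "MISMATCH"
        print(f"{name:7} {found[name]}  {flag}")
    if is_known_good(found):
        print("matches the reference _isdel.exe")
    else:
        print("NOT the reference file: do not restore it, submit it for analysis instead")
```

Run it against the restored copy before trusting it; a file that matches on MD5 but not on SHA-256 is a different file, which is why the verdict requires all three digests to agree.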

I have downloaded the '_isdel.exe' file. Do I simply paste it to: wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e ?


This FP appears to have been fixed already since yesterday. :)

Indeed, after updating the virus definitions, MB no longer flags the file _ISDel.exe in any way. Thanks for the quick fix!


What happens if I deleted those files? Will my system not work properly? And where do I put that file that sUbs posted?


What happens if I deleted those files? Will my system not work properly? And where do I put that file that sUbs posted?

I restored the file in Malwarebytes but it's nowhere to be found....


I restored the file in Malwarebytes but it's nowhere to be found....

Hi robotman5,

For some reason the folder in System32 called InstallShield is invisible to Windows Explorer, but if you go into System32 via https://www.virustotal.com/ you will see the folder InstallShield, which you will be able to open and look inside.

Hope this helps.


The InstallShield folder isn't actually present in System32 on 64-bit; what you see is the SysWOW64 folder instead when viewed via 32-bit apps (this is done via the emulator/redirect). So when you're on 64-bit, you need to put the file into the Windows\SysWOW64\InstallShield folder.

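The redirection the reply above describes, as an added example that is not part of the original thread: a small Python model of the WoW64 file system redirector. `wow64_view` maps a requested path to the folder a process actually opens (a 32-bit process on 64-bit Windows asking for System32 lands in SysWOW64, the Sysnative alias reaches the real System32, and the subfolders Microsoft documents as exempt stay put), and `find_on_disk` checks the candidate locations on a real Windows box. The Windows directory, the file name and the 32-bit status of the upload dialog are assumptions; the exempt-folder list is the documented one.

```python
import os
import sys

# Subfolders of System32 that the WoW64 redirector leaves alone (Microsoft's documented exceptions).
REDIRECTION_EXEMPT = ("catroot", "catroot2", "driverstore", "logfiles", "spool")


def wow64_view(path, process_is_32bit, os_is_64bit=True, windir=r"C:\Windows"):
    """Return the on-disk path a process really opens when it asks for `path`.

    Only a 32-bit process on 64-bit Windows is redirected; any other process
    gets the path back unchanged. `windir` is an assumption (normally %SystemRoot%).
    """
    if not (process_is_32bit and os_is_64bit):
        return path
    norm = path.replace("/", "\\")
    low = norm.lower()
    base = windir.rstrip("\\")
    sysnative = base.lower() + "\\sysnative\\"
    system32 = base.lower() + "\\system32\\"
    if low.startswith(sysnative):
        # Sysnative is a virtual alias that exists only for 32-bit processes and
        # bypasses the redirector, reaching the real 64-bit System32.
        return base + "\\System32\\" + norm[len(sysnative):]
    if low.startswith(system32):
        rest = norm[len(system32):]
        first = rest.split("\\", 1)[0].lower()
        if first in REDIRECTION_EXEMPT:
            return path
        return base + "\\SysWOW64\\" + rest
    return path


def explain(windir=r"C:\Windows"):
    """Why a 64-bit Explorer shows no System32\\InstallShield while a 32-bit dialog does."""
    asked = windir + r"\System32\InstallShield\_isdel.exe"  # path as logged in the thread
    return {
        "64-bit process (Explorer) opens": wow64_view(asked, process_is_32bit=False, windir=windir),
        "32-bit process (assumed upload dialog) opens": wow64_view(asked, process_is_32bit=True, windir=windir),
        "32-bit process via Sysnative opens": wow64_view(
            windir + r"\Sysnative\InstallShield\_isdel.exe", process_is_32bit=True, windir=windir),
    }


def find_on_disk(name="_isdel.exe"):
    """Windows only: report which of the candidate folders actually holds the file.

    Returns an empty dict elsewhere so the module imports cleanly on any platform.
    """
    if not sys.platform.startswith("win"):
        return {}
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    candidates = [os.path.join(windir, sub, "InstallShield", name)
                  for sub in ("System32", "SysWOW64", "Sysnative")]
    return {p: os.path.exists(p) for p in candidates}


if __name__ == "__main__":
    for label, path in explain().items():
        print(f"{label}: {path}")
    for path, present in find_on_disk().items():
        print(f"{'present' if present else 'absent '}  {path}")
```

On a 64-bit machine the 64-bit Explorer and a 32-bit file dialog disagree about what `C:\Windows\System32\InstallShield` contains because they are looking at two different folders; the file a 32-bit program reports under System32 is physically in SysWOW64, which is where a replacement copy belongs.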

I have another FP for the same file but in different location:

C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\drivers\dot4\wrapper\_isdel.exe

VirusTotal scan detects nothing.

File attached.

_isdel.zip
