Trojan.zbot FP?


Quinny

Almost sure this is an FP, as a few other posters have had it flagged.

But would like to know for sure. Here's the log.

Malwarebytes Anti-Malware (PRO) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.01.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Neil :: NEIL-PC [administrator]

Protection: Enabled

01/11/2012 22:21:13

mbam-log-2012-11-01 (22-21-13).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 518485

Time elapsed: 1 hour(s), 2 minute(s), 22 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Windows\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Windows\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

(end)


I also had MB flag this file, though on my computer it is in a different location (a deep sub-folder of "Norton Bootable Recovery Disk"). File properties show it to be copyrighted by InstallShield and it has been on my computer for about 2 years. FP?

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.01.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Decade :: DECADE-PC [administrator]

11/2/2012 2:03:35 AM

mbam-log-2012-11-02 (02-03-35).txt

Scan type: Full scan (C:\|D:\|F:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 620754

Time elapsed: 52 minute(s), 46 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Windows\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Windows\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

(end)

MB also flagged the same two files on my computer, and after I looked around on the internet for a bit, I tried restoring the files, but only the first one in the InstallShield folder was able to be restored. The second one simply couldn't be restored from the quarantine vault in MB and I accidentally deleted it. I updated MB after I restored it and did a full scan, but nothing came up. I also could not find the file or folder on my computer for some reason, but I was able to select the file in the upload section of VirusTotal. https://www.virustotal.com/file/1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e/analysis/1351862445/ I hope this helps.

I can also find the file in the attach files option on this forum, but I cannot put it in a zip or rar file.

Hi,

Can you attach the detected file to your post please?

Sorry, I'm unable to attach the two files because I removed them straight after detection, which in hindsight was a silly thing to do.

So now I'm left wondering whether I have done any damage to my laptop by removing these two files.

Any info?

Cheers.

Hi,

I tried to restore these files that my mbam also detected (same files as CCy3686) so I could send them to you guys for inspection.

Only the file in my System32 removed itself from mbam's quarantine list when I tried to restore it. However, it does not show up in my C:\WINDOWS\System32 directory. In fact, the entire InstallShield dir is missing from the System32 directory. I thought this was because it was hidden, but when I adjusted my Folders View in the Control Panel to show hidden files and folders, the InstallShield dir still did not show up.

Now, I am in a situation where I have tried to restore the file, C:\WINDOWS\System32\InstallShield\_isdel.exe, but it does not show up in explorer, nor does the InstallShield dir itself even show up. This file also is no longer listed in my quarantine list in mbam.

What should I do now?

I could run another full scan with mbam to see if the file somehow gets detected again, but unfortunately, I do not have the same database anymore. Before getting to this forum, I updated my signatures database this morning. The signatures database I used when these files were detected as "Trojan.Zbot" is Database version: v2012.11.01.07. The signature database I have now is Database version: v2012.11.02.08.

I don't know if this file is actually a trojan or not, and now it seems that I can neither send you a copy of it for inspection, nor can I find it on my hard drive after the failed restore.

Again, given my situation, please advise me on what I should do next. I will refrain from doing anything more until I hear your advice.

Thanks in advance.

All I want to know is whether, after removing these two FPs, I will be getting any malfunctions on my laptop, and if so, how do I fix it?

:wacko:

Actually, here is a condensed copy of my log:

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.01.07

Windows Vista Service Pack 2 x64 NTFS

Internet Explorer 9.0.8112.16421

...

11/1/2012 6:53:17 PM

mbam-log-2012-11-01 (21-39-17).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 414355

Time elapsed: 1 hour(s), 5 minute(s), 51 second(s)

...

Files Detected: 2

C:\WINDOWS\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> No action taken.

C:\WINDOWS\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.0.6000.16386_none_c854dde24615e549\_isdel.exe (Trojan.Zbot) -> No action taken.

(end)

I quarantined the files after saving this log.

Anyway, as you can see, I am actually running Windows Vista Home Premium, SP2 x64...

Will the replacement _isdel.exe file you provided also work for my version of Windows?

Thanks (and sorry I wasn't more precise in my earlier description of my problem.)

Files Detected: 2

C:\WINDOWS\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> No action taken.

C:\WINDOWS\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.0.6000.16386_none_c854dde24615e549\_isdel.exe (Trojan.Zbot) -> No action taken.

I have Vista SP2x64 and the file is exactly the same as the one from Windows 7 and even Windows 8.


I have Vista SP2x64 and the file is exactly the same as the one from Windows 7 and even Windows 8.

Yes. I'm running Windows 8 x64. After almost a heart attack, I manually inspected the files... Same MD5 and SHA1 as listed in the National Software Reference Library.

Nothing malicious or new in the code.

_isdel.exe SHA256: 1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e SHA1: 0e7bb331d398be694a92a823de839fefdf464dfd MD5: 9d4ec4b71fd189a0b2c4dbd6aade16bf


I restored the file in Malwarebytes but it's nowhere to be found...

Hi robotman5,

For some reason the folder in System32 called InstallShield is invisible to Windows Explorer, but if you go into System32 via https://www.virustotal.com/ you will see the folder InstallShield, which you will be able to open and look inside.

Hope this helps.

The InstallShield folder isn't actually present in System32 on 64-bit; what you see is the SysWOW64 folder instead when viewed via 32-bit apps (this is done via the emulator/redirect). So when you're on 64-bit, you need to put the file into the Windows\SysWOW64\InstallShield folder.

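As an added example (not code from the thread or from Malwarebytes) covering both the hash check against the NSRL values quoted above and the WoW64 redirection point just made: this PowerShell script lists every place a 64-bit Windows install can hold _isdel.exe (System32, SysWOW64, the Sysnative alias and the WinSxS component store) and compares each copy's MD5/SHA1/SHA256 with the hashes posted earlier. It assumes PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt.

```powershell
# Reference hashes for _isdel.exe as quoted in this thread (NSRL values).
$expected = @{
    MD5    = '9d4ec4b71fd189a0b2c4dbd6aade16bf'
    SHA1   = '0e7bb331d398be694a92a823de839fefdf464dfd'
    SHA256 = '1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e'
}

# On x64, a 32-bit process that opens %SystemRoot%\System32 is silently
# redirected to SysWOW64 (WoW64 file system redirection). Sysnative is the
# reverse alias: it lets a 32-bit process reach the real 64-bit System32 and
# does not exist for 64-bit processes, so only add it when running 32-bit.
$candidates = @(
    (Join-Path $env:SystemRoot 'System32\InstallShield\_isdel.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\InstallShield\_isdel.exe')
)
if (-not [Environment]::Is64BitProcess) {
    $candidates += Join-Path $env:SystemRoot 'Sysnative\InstallShield\_isdel.exe'
}

# WinSxS holds the component-store copy that servicing restores from;
# the thread's logs show a second detection there.
$candidates += Get-ChildItem -Path (Join-Path $env:SystemRoot 'winsxs') `
    -Filter '_isdel.exe' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName }

foreach ($path in ($candidates | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path : not present"
        continue
    }
    $ok = $true
    foreach ($algo in $expected.Keys) {
        $actual = (Get-FileHash -LiteralPath $path -Algorithm $algo).Hash.ToLower()
        if ($actual -ne $expected[$algo]) { $ok = $false }
    }
    $verdict = if ($ok) { 'matches NSRL hashes' } else { 'HASH MISMATCH - do not trust' }
    Write-Output "$path : $verdict"
}
```

Run it once from a 64-bit PowerShell and once from the 32-bit one (%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) to see the System32 path resolve to different files, which is the behaviour the last reply describes.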