Win32 Trojan-How to verify?

Discussion in 'ESET NOD32 Antivirus' started by Pink Lodestar, Jul 11, 2008.

Thread Status:
Not open for further replies.
  1. Pink Lodestar

    Pink Lodestar Registered Member

    Joined:
    Jul 3, 2008
    Posts:
    11
    Just finished a manual scan with NOD32. Report clean. SpyZooka scan found a Win32.Trojan.Rbot-ALP. This is the second trojan/worm in a week. A few days ago it was Win32 DromMalware. It has been suggested in this forum that the results may be false positives. How can one verify this? At present, the file [Trojan Horse] has only been quarantined. Apparently the Trojan is located in a screen saver, if my interpretation is correct. How is this possible? I have never downloaded a single screensaver on my PC. :doubt: C:\WINDOWS\system32\logon.scr How does one send a sample to ESET? I have tried, but there is no confirmation popup that the attempt was successful. Used the "Submit Suspicious File" window.
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If you highlight that file in quarantine and right click, there should be a selection to submit for analysis.
     
  3. Pink Lodestar

    Pink Lodestar Registered Member

    Joined:
    Jul 3, 2008
    Posts:
    11
    Thank you kindly for the prompt response, Bubba. :D However, NOD32 missed this one too in the scan. I have since removed it after a second scan using SpyZooka. The file was sent to ESET support. I only hope I did it correctly. As I've only had this version of the AV for a week, I'm not used to the new setup. In NOD32 v.3 I clicked "Set Antivirus & Antispyware", selected "Tools" and selected "Submit file for analysis" in the menu. Browsing to the WINDOWS\system32\logon.scr file was tricky. I did finally locate it though and sent it. I'm still a neophyte when it comes to navigating through my PC. :(
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since there is a legit logon.scr contained in the Sys32 folder, digitally signed by Microsoft, did you by chance check the properties of that file before assuming SpyZooka was correct in its find?

    If you haven't already tried, perhaps you could use the backup copy of logon.scr and place it in the Sys32 folder. Then run SpyZooka again and see what, if anything, it finds. If you are on XP, there should be a copy in your C:\WINDOWS\ServicePackFiles\i386 folder.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Any suspicious files you may come across should be compressed and sent in an archive protected with the password "infected" to samples[at]eset.com.

    C:\Windows\System32\logon.scr is a legit file. If it was identified as Rbot (trojan, not a file infector), it's most likely a false positive. You can submit the file to VirusTotal as well as to ESET per the aforementioned instructions.
     
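The two previous posts describe a procedure: inspect the flagged file's signature, compare it with a known-good copy, look it up on VirusTotal, and send ESET a password-protected archive. The script below turns that into a repeatable check. It is an added example, not code from this thread, from ESET or from SpyZooka, and it assumes Windows PowerShell 5.1 or later on a current Windows release (Get-FileHash did not exist on XP, and Get-AuthenticodeSignature only consults the Windows security catalogs on newer versions), plus 7-Zip installed at its default path, since Compress-Archive cannot set a password. The file paths are the ones named in the thread.

```powershell
# Added example (not from the thread): triage a file an AV scanner has flagged
# before deleting it. Run from an elevated PowerShell 5.1+ prompt.
param(
    [string]$Path      = "$env:SystemRoot\System32\logon.scr",
    # Backup copy mentioned in the thread; only present on XP installs with a service pack folder
    [string]$KnownGood = "$env:SystemRoot\ServicePackFiles\i386\logon.scr",
    # Assumed 7-Zip location; Compress-Archive has no password option
    [string]$SevenZip  = "$env:ProgramFiles\7-Zip\7z.exe"
)

# 1. Signature check. Windows system files are usually catalog-signed rather than carrying
#    an embedded Authenticode signature, which is why Explorer's Properties dialog may show
#    no "Digital Signatures" tab even for a genuine file. On current Windows,
#    Get-AuthenticodeSignature consults the catalogs, so a genuine file reports "Valid".
$sig = Get-AuthenticodeSignature -FilePath $Path
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(none)" }
"Signature status : $($sig.Status)"
"Signer           : $signer"

# 2. Hash the file and look the hash up on VirusTotal first; uploading is only needed
#    if the hash is unknown there.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
"SHA-256          : $hash"
"VirusTotal       : https://www.virustotal.com/gui/file/$hash"

# 3. Compare against the known-good copy, if one exists. A byte-identical hash means
#    the "infected" file is the same file Windows shipped.
if (Test-Path -Path $KnownGood) {
    $refHash = (Get-FileHash -Path $KnownGood -Algorithm SHA256).Hash
    if ($refHash -eq $hash) {
        "Matches the known-good copy at $KnownGood"
    } else {
        "DIFFERS from the known-good copy ($refHash) - treat as suspicious"
    }
} else {
    "No known-good copy found at $KnownGood (expected on XP SP2/SP3 only)"
}

# 4. Package the sample the way the ESET post asks for: a compressed archive protected
#    with the password "infected". -mhe=on also encrypts the file names in the .7z header.
if (Test-Path -Path $SevenZip) {
    $archive = Join-Path $env:TEMP "sample.7z"
    & $SevenZip a -pinfected -mhe=on $archive $Path | Out-Null
    "Archive for ESET  : $archive (password: infected)"
} else {
    "7-Zip not found at $SevenZip; create the password-protected archive manually"
}
```

On the XP machine in the thread itself, the equivalent of step 1 is the built-in File Signature Verification tool (sigverif.exe), which checks catalog signatures for system files. A "Valid" signature from Microsoft, a hash that matches the known-good copy and a clean VirusTotal record together make the detection a false positive; a mismatching hash or a missing signature is the point at which the file should actually be submitted.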
  6. Pink Lodestar

    Pink Lodestar Registered Member

    Joined:
    Jul 3, 2008
    Posts:
    11
    Thank you, Bubba and Marcos. I am inclined to agree that this was a false positive too. The file is still there inside the System32 folder, so I'm hoping my lack of prudence won't cause any damage. SpyZooka has not found it again. Until my confidence in this app builds, I don't think it is going into the startup services in the System Configuration Utility. I have an external hardware firewall called AlphaShield from Vancouver, Canada; it blocks all 65536 ports. Only the website I open has access to this PC. Windows Firewall is on too, so it is hard to understand how worms and trojans could be secretly installing themselves. An automatic update from Windows with the Malicious Software Removal Tool and an Adobe Reader update was all that I downloaded this week.

    Thank you both again for your assistance. In future, I'll simply quarantine anything which doesn't make sense before "assuming" the scan finding was real. :ouch: Learning a little bit every day.
     
  7. Pink Lodestar

    Pink Lodestar Registered Member

    Joined:
    Jul 3, 2008
    Posts:
    11
    Bubba: A couple of weeks ago Windows XP Pro SP2 was installed on a new hard drive. I cannot locate the i386 folder, nor the ServicePackFiles folder for that matter. I have not updated to SP3 as yet.

    What would you suggest? SpyZooka found this trojan yet again. The suspicious file has already been sent to ESET once; no point in sending it again, particularly as it has been signed by Microsoft. Yes, Bubba, this time I double-checked.:gack:
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I would suggest you follow the appropriate procedure, whatever that may be, for reporting False Positives to the Spyzooka folks.

    Personally, I know of a number of like programs I would suggest, and SpyZooka would never be one of them due to their past history. Being that this is more than off-topic to this forum's intended purpose, it's best that any further SpyZooka or like discussions be taken to our other anti-malware software forum.

    Bubba
     
  9. Banger696

    Banger696 Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    274
    You could also upload the file to virustotal as Marcos suggested for another opinion. :)