
Thread: Unable to remove Win32.Trojan.Dropper.Agent.sjb

  1. #1
    leebm Guest

    Unable to remove Win32.Trojan.Dropper.Agent.sjb

    ZoneAlarm Security Suite identified Win32.Trojan.Dropper.Agent.sjb during a recent automatic scan.
    I picked the recommended "delete" option and rebooted.
    I immediately rescanned and it found the above trojan again.
    I also have tried quarantine, but it continues to find the trojan.
    ZA identifies a file in the Windows/Temp directory which is a hidden file.

    I've tried booting into safe mode and manually deleting the file.
    I've also tried booting into safe mode and running Zone Alarm to remove the file.
    While a rescan after ZoneAlarm deleted the file in safe mode was successful, each time I boot normally the file reappears.
    C:\WINDOWS\Temp\pdk-SYSYTEM\5f4010392d26de2972604a5df777f946\perl58.dll

    Does anyone have any suggestions on how to remove this file or if I have a false-positive?



    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    fjk Guest

    Re: Unable to remove Win32.Trojan.Dropper.Agent.sjb

    It's even worse than you posted.
    I have been able to determine the following:
    1. There are over 40 dll files that ZoneAlarm does not find.
      They are located in the same local settings/pdk-%user directory.
      While they can be deleted in safe mode (along with the perl file), they are automatically recreated when you reboot in normal mode.
    2. The program takes control of your USB keyboard (and possibly mouse) preventing you from booting into safe mode
      (by hitting F8)
      or booting from a CD unless you change your bios settings to have the keyboard and mouse to be controlled by the bios and not the OS.
    3. The program reports the windows installation CD is actually another CD (in my case it displayed the icon and info for my graphics card CD).
    4. The program appears to prevent you from installing another anti-virus product (even from safe mode).
      I tried Trend-AntiVirus.
    5. It may do something to the partition table.
      After changing the keyboard BIOS setting I ran the Windows installation disk in repair mode and ran the partition check.
      It reported that it may be corrupted.
    6. Trend Anti-virus's Housecall online scanning product does not find the virus (or at least does not report finding it).


    I also tried calling ZoneAlarm's premium support on Monday 8/18 and the technician I spoke with said he would need to do more research before taking action.
    I am still waiting on feedback.

  3. #3
    pipspeak Guest

    Re: Unable to remove Win32.Trojan.Dropper.Agent.sjb

    I have recently started getting this alert, too, and also wonder if it's a false positive. The perl58.dll file you mention is a legit Windows file AFAIK. The "Trojan" in my case was in my Documents and Settings folder. I deleted it yesterday and rescanned after start-up today and it seems to be gone, but yesterday's was the second alert I've had in the past week.

  4. #4
    timw Guest

    Re: Unable to remove Win32.Trojan.Dropper.Agent.sjb

    I also am affected by this. Zone Alarm's been detecting it from the 18th August (although I didn't scan for a few days prior to that).

    Is it a coincidence we're being affected at the same time?

  5. #5
    fjk Guest

    I think the detection is new but the malware is older - perhaps months older.

    Please check your local settings temp directory and look for directories of the format PDK-user name-nnnn where nnnn is a random number.
    The date of the oldest directory with that format will probably be the date you were either infected or the malware activated.

  6. #6
    pipspeak Guest

    Re: I think the detection is new but the malware is older - perhaps months older.

    I have a basic PDK file in the local settings temp directory but no random number attached to it. I also have countless PDK-System folders in the Windows temp directory, some dating back to when I first got the computer last year. I have no idea what the PDK application is used by (assuming it's Perl Dev Kit) but I suspect it might be Office 2007 or some other legit application.
    Anyone else have any idea how to separate the PDK wheat from the chaff, so to speak?!

  7. #7
    pipspeak Guest

    OK, it is a false positive

    I finally figured my problem out. Hopefully it'll apply to others.
    The numbered PDK folder and perl58.dll that ZA tags in the temp directory or local settings is created by my SlimServer application and is not a trojan (in my case).
    I just rescanned and ZA tagged the Trojan again. I quarantined it (perl58.dll) and deleted the now empty PDK folder, then started up SlimServer, et voila... the folder and perl58.dll file were instantly created again as I watched. Now, unless SlimServer has mysteriously been hijacked (which none of my other security programs suggest) then this is a false positive by ZA. FYI, SlimServer uses a MySQL database to keep track of the tracks in a music library, hence its need for Perl.
    Just reported this as a false positive to ZA.

    Message Edited by pipspeak on 08-21-2008 03:54 PM
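    The triage the thread converges on (post #5: find the oldest PDK-* directory under a temp folder; post #7: delete the flagged folder, restart the suspected application, and watch whether an identical perl58.dll comes back) can be scripted so the evidence is recorded rather than eyeballed. This is an added example, not code from the thread or from SlimServer/ZoneAlarm; it builds a constructed sample temp tree with a placeholder stand-in for the DLL bytes (the real file's hash is not on this page), and it uses directory mtime as a portable approximation of the "Date Created" Explorer shows on Windows.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the DLL's bytes; not a real DLL and not the real file's hash.
FAKE_DLL = b"constructed stand-in for perl58.dll\n"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def pdk_snapshot(temp_dir):
    """Map each PDK-* dir directly under temp_dir to (mtime, sha256 of its perl58.dll or None)."""
    snap = {}
    for d in Path(temp_dir).iterdir():
        if d.is_dir() and d.name.lower().startswith("pdk-"):
            dll = next(d.rglob("perl58.dll"), None)
            snap[d.name] = (int(d.stat().st_mtime), sha256_of(dll) if dll else None)
    return snap

def oldest_pdk_dir(snap):
    """Post #5's heuristic: the earliest PDK-* directory dates the first run of whatever unpacks them."""
    return min(snap, key=lambda name: snap[name][0]) if snap else None

def reappeared(before, after):
    """Dirs present only in 'after', flagged True when their DLL hash matches one already seen.
    A match means the same library was unpacked again, i.e. the application's own runtime."""
    known = {dll for _, dll in before.values() if dll}
    return {name: after[name][1] in known for name in after if name not in before}

def build_sample_tree():
    """Constructed sample: two PDK dirs holding identical DLLs, mtimes set to different days."""
    root = Path(tempfile.mkdtemp())
    for name, day in (("PDK-alice-1001", 1), ("pdk-SYSTEM", 5)):
        sub = root / name / "5f4010392d26de2972604a5df777f946"
        sub.mkdir(parents=True)
        (sub / "perl58.dll").write_bytes(FAKE_DLL)
        stamp = 1_200_000_000 + day * 86400
        os.utime(root / name, (stamp, stamp))  # pin the directory's timestamp
    (root / "unrelated").mkdir()  # non-PDK dir that must be ignored
    return root

def simulate_recreation(root, name="PDK-alice-2002"):
    """Mimic the application re-unpacking its runtime after the flagged folder was deleted."""
    (Path(root) / name).mkdir()
    (Path(root) / name / "perl58.dll").write_bytes(FAKE_DLL)
```

Run `pdk_snapshot` on %TEMP% before and after restarting the suspected application; if every new entry reports True, the recreated DLL is byte-identical to the copies already on disk, which is the observation post #7 relies on.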

  8. #8
    fjk Guest

    I hope you are right. I also have SlimServer installed.

    I won't have time to test until this weekend, but this should be easy to verify.
    If we delete the files and stop the automatic restart of SlimServer we should stop seeing the recreation of the new pdk-file-user-xxx directories every time you boot.
    The perl file should also be able to be deleted and not recreated.
    Have you installed any of the third party Slim programs like the drivers for iTunes?
    Perhaps one of them might be infected.
    It might be worth posting on the SlimServer board to see if they can confirm the expected behavior of their program.
    Creating files the way this system does is very strange.

  9. #9
    pipspeak Guest

    Re: I hope you are right. I also have SlimServer installed.

    Exactly what I did... except I let ZA delete the perl58.dll file (I was able to delete it myself yesterday, too). I had Windows Explorer open and as soon as I started SlimServer the perl58.dll file appeared again, as if by magic!
    This was in the local settings/temp folder, which ZA tagged. In my Windows temp folder I have dozens of Slim-related PDK folders containing various XML files plus one with the perl58.dll file. Delete those and I think you'll have to rescan your music library with Slim.
    FYI... I only have SlimServer (6.5.3) and MediaMonkey on my machine (both for over a year) with no other third-party, music-related plugins. I dumped iTunes years ago due to its parasitic bloatware characteristics.

  10. #10
    leebm Guest

    Re: OK, it is a false positive

    Interesting and hopefully reassuring, as I also have SlimServer installed. I'll have to disable SlimServer and see what happens as you have. Thanks for the feedback. I'll keep you informed if SlimServer does not seem to be the culprit.
