
Thread: ZIS found Rootkit.Win32.TDSS.eyj on my PC

  1. #1
    jmendel Guest

    ZIS found Rootkit.Win32.TDSS.eyj on my PC

    Win XP Home SP3, cable connection, using latest ZISS.
    Have a router.
    I am a beginner to intermediate.
    Relatively new to this website so need basic info, too.
    Have used ZISS for more than 2 years.
    No attacks that weren't blocked until now.
    Don't understand how these got through...
    On 1/26, Trojan.Win32.Obfuscated.aack was found in C:\WINDOWS\system32\BSZIP.DLL on 1/26/2009 22:20:58
    On 1/29, 4 instances of Rootkit.Win32.TDSS.eyj were found and quarantined by ZISS.
    ZISS quarantined all instances.
    Weird though.
    When I look at ZISS alerts and logs, it does not mention the Obfuscated.aack entry now.
    Believe Rootkit.Win32.TDSS.eyj may be a false positive as it is showing up in a very old program.
    Also found references to this on the web.
    ZISS "learn more" doesn't show anything about this file.
    Worried about what's going on with my system and ZISS not blocking these things.
    Found Guru Fax's steps to perform a full antivirus/antispyware scan and will do it tonight.
    Thank you Guru Fax.
    Since ZISS quarantined these files, how do I upload them to Virustotal to have them checked out?
    I can't find them on my PC when I search for them.
    Any other suggestions appreciated.
    Thank you for your help/advice.



    Operating System: Windows XP Home Edition
    Software Version: 8.0
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    fax
    Join Date: Nov 2004
    Location: localhost
    Posts: 17,287

    Re: ZIS found Rootkit.Win32.TDSS.eyj on my PC

    Hi! First you should set the antivirus to "Alert me - do not treat automatically" (advanced options of the AV/AS tab, automatic treatment). Then under the quarantine tab (virus section) first look at the 'path' column, then 'restore' the quarantine. The file will be put back to the place originally indicated in the 'path' column.

    Remember to set the AV back to default settings for automatic treatment of malware once you have uploaded the files to VirusTotal and confirmed it was a false positive.

    See here below how to report false positives: http://forum.zonelabs.org/zonelabs/b....id=3780#M3780

    Cheers,
    Fax

    Message Edited by fax on 02-02-2009 08:08 PM

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    jmendel Guest

    Re: ZIS found Rootkit.Win32.TDSS.eyj on my PC

    Hello, Fax:
    Thank you for responding so quickly.
    Sorry I couldn't get back to you until now.
    Did a lot of research and scans.
    Did as you advised.
    Unquarantined the two ZISS positives, Rootkit.Win32.TDSS.eyj and Trojan.Win32.Obfuscated.aack, and sent the suspect files to VirusTotal.
    Only 1 of the 39 virus checkers flagged these files as viruses.
    eSafe for Trojan... file "Virus in password protected archive" and F-Secure -- Result "Rootkit.Win32.TDSS.eyj".

    My concern here is how do I interpret these results?
    If only 1 of 39 virus checkers thought there was a problem, what happened to the other 38?
    Is even one "hit" significant?
    Do I consider this a false positive with a 1/39 and ZISS found it?
    The trojan was found in a .dll file.
    path C:\Windows\System32\---.dll.
    Not sure if I should name complete path here?...

    The rootkit was found in a program file.
    A very old program that came with my now very old PC.
    I ran a deep scan of ZISS after the VirusTotal info came back and neither file came up.


    I checked the log file in ZISS and was surprised to see that I could only see a few days' history!!!
    I set entries all the way to 999 and no change in what it allowed me to view in the log file!

    I had saved a print screen when I realized there was no way to print a log for the Rootkit, but didn't do one for the Trojan.
    Am I correct or did I just miss how to print the log file???


    I seem to remember it saying that repair had failed.
    I also found your instructions for disabling system restore, setting ZISS to deep scan and running it in Safe Mode With Networking.
    ZISS didn't find anything.

    I then ran malwarebytes and other scanners and each one found something.
    None captured all or even close to the combined number of positives.
    I can't begin to express how frustrating this is!

    Almost 20 yrs of computers and never had this happen before.
    If ZISS has quarantined important files because they are infected and not repaired, what do I do about it?
    So, where do I go from here?

    I've underlined my questions so it's easier for anyone reading this.

    I have a lot of questions regarding ZISS.
    I was falsely secure just using ZISS and Ad-Aware once in a while and having a router.
    Will go to other area in forum to post them.
    Thank you so much for help.

  4. #4
    fax
    Join Date: Nov 2004
    Location: localhost
    Posts: 17,287

    Re: ZIS found Rootkit.Win32.TDSS.eyj on my PC

    Hi! Well, it was a false positive, since at least Kaspersky (engine in ZA) should have detected it. I guess also ZA now will not detect it; an update has fixed the false detection.

    Remove Ad-Aware from the system and check with MBAM from time to time, and drive safely...

    Cheers,
    Fax

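The triage the thread walks through (restore the quarantined file, submit it to VirusTotal, then decide what a 1-of-39 result means against the engine that raised the alert) can be made repeatable. The script below is an added example for this thread, not ZoneAlarm or VirusTotal code. It hashes the restored file and looks the hash up rather than uploading anything, and it applies Fax's reasoning in code: if the engine behind the product that alerted (Kaspersky for ZoneAlarm) no longer flags the file and only a single other engine names it, the signature was most likely corrected. Assumptions: the live lookup uses the VirusTotal API v3 endpoint `GET /api/v3/files/<sha256>` with an `x-apikey` header and your own key (unknown hashes return HTTP 404 there); the engine names, the 39-engine report and the `make_report` shape are constructed to mirror the thread; the `WEAK_NAME_HINTS` word list and the verdict thresholds are this example's own choices.

```python
"""Triage of an AV quarantine hit against a VirusTotal-style multi-engine report.
Added example for this forum thread; not ZoneAlarm or VirusTotal code.
Assumption: the optional live lookup uses VirusTotal API v3
(GET /api/v3/files/<sha256>, header x-apikey) and needs your own key.
Everything else, including the sample report, runs offline."""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/"
FLAG_CATEGORIES = ("malicious", "suspicious")
# Detection names that are heuristic/packer verdicts rather than a named family
# (e.g. "Virus in password protected archive") count as weaker evidence.
# This word list is the example's own choice, not a VirusTotal convention.
WEAK_NAME_HINTS = ("heur", "generic", "packed", "obfuscated", "archive", "suspicious")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash in 1 MiB chunks so a restored file never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_vt_report(sha256: str, api_key: str) -> dict:
    """Look up an existing report by hash: nothing from the PC is uploaded.
    An unknown hash answers 404, which is returned as an empty report."""
    req = urllib.request.Request(VT_FILE_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return make_report({})
        raise


def make_report(verdicts: dict) -> dict:
    """Build a constructed report in the shape of VT v3 last_analysis_results:
    engine name -> detection name, or None when that engine saw nothing."""
    results = {
        engine: {"category": "malicious" if name else "undetected",
                 "engine_name": engine, "result": name}
        for engine, name in verdicts.items()
    }
    return {"data": {"attributes": {"last_analysis_results": results}}}


def triage(report: dict, originating_engine: str) -> dict:
    """Decide what a detection ratio means. originating_engine is the engine
    behind the product that alerted (Kaspersky for ZoneAlarm in the thread):
    if it no longer flags the file, the signature was most likely corrected."""
    results = report["data"]["attributes"]["last_analysis_results"]
    total = len(results)
    flagged = {eng: (r.get("result") or "") for eng, r in results.items()
               if r.get("category") in FLAG_CATEGORIES}
    origin = next((r for eng, r in results.items()
                   if eng.lower() == originating_engine.lower()), None)
    origin_still_flags = origin is not None and origin.get("category") in FLAG_CATEGORIES
    weak = {eng for eng, name in flagged.items()
            if any(h in name.lower() for h in WEAK_NAME_HINTS)}
    strong = len(flagged) - len(weak)  # engines naming a specific family

    if total == 0:
        verdict = "no-report"  # hash unknown: send the sample to the AV vendor
    elif len(flagged) >= max(5, total // 5):
        verdict = "treat-as-malicious"
    elif not origin_still_flags and strong <= 1:
        verdict = "likely-false-positive"  # re-scan after the next signature update
    else:
        verdict = "inconclusive-keep-quarantined"
    return {"total_engines": total, "flagged_count": len(flagged),
            "flagged": flagged, "weak_names": sorted(weak),
            "origin_still_flags": origin_still_flags, "verdict": verdict}


# Constructed sample mirroring the thread: 39 engines, only F-Secure names
# Rootkit.Win32.TDSS.eyj, and Kaspersky (ZoneAlarm's engine) reports nothing.
THREAD_SAMPLE = make_report({
    "F-Secure": "Rootkit.Win32.TDSS.eyj", "Kaspersky": None,
    **{f"Engine{i:02d}": None for i in range(37)},
})

if __name__ == "__main__":
    # Usage: VT_API_KEY=... python triage.py <restored file>; no args = offline sample.
    if len(sys.argv) > 1 and os.environ.get("VT_API_KEY"):
        digest = sha256_of_file(sys.argv[1])
        summary = triage(fetch_vt_report(digest, os.environ["VT_API_KEY"]), "Kaspersky")
    else:
        summary = triage(THREAD_SAMPLE, "Kaspersky")
    print(json.dumps(summary, indent=2))
```

Looking the hash up instead of uploading matters for a file like a system DLL or an old vendor program: it answers the question without publishing a copy of the file, and a "no-report" result is itself useful, because it tells you the sample has never been seen and belongs with the vendor's false-positive form rather than in a ratio argument.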
