Thread: ZoneAlarm does not clean this trojan: GLxxx.tmp, Trojan.Droppers.Temp.A. Screen shots.

  1. #1
    futurepower Guest

    ZoneAlarm does not clean this trojan: GLxxx.tmp, Trojan.Droppers.Temp.A. Screen shots.

    We are having MAJOR problems with zaSuiteSetup_61_737_000_en.exe. It is giving us pop-messages that won't go away. Something is putting GLxxx.tmp files in the TEMP folder (cd %user%).

    We have 5 infected computers. This report concerns our work with only one.

    Here are copies of the screen showing 3 different ZoneAlarm messages:

    http://futurepower.net/GLB1.tmp_give..._USER.EXE_.JPG

    http://futurepower.net/LSA_Shell_(Export_Version)_comm_with_GLB5D.tmp_.JPG

    http://futurepower.net/LSA_Shell_(Export_Version)_comm_with_vsmon.JPG

    Note that, in the font that ZoneLabs uses in the screen copy just above, a bold capital I is identical to a bold lower case L. LSASS.EXE is a normal Windows component. ISASS.EXE is a trojan and keylogger. Whoever wrote that malware took advantage of ZoneLab's choice of fonts. However, we found no ISASS.EXE on the infected computer that we checked.

    From looking at the behavior it is evident that ZoneAlarm does not see the entire infection. Since it comes back again and again even after files have been quarantined, it is obvious that the real infection is not being eliminated.

    When the GLxxx.tmp files are deleted, they return after the next re-start. The GLxxx.tmp files have many dates, even though they have been newly created.

    ZoneAlarm reports again and again that "BroadCastPC" and "Virtual Bouncer" have been quarantined.

    Here are some of the files in the temp folder. (To go to the temp folder, in DOS do CD %user% and press the ENTER key.)

    ________________________________________________________________

    Directory of C:\DOCUME~1\CashReg\LOCALS~1\Temp

    01/13/2006 12:43 AM 16,384 ~DF1047.tmp
    01/13/2006 01:18 AM 32,768 ~DF3454.tmp
    01/13/2006 01:18 AM 16,384 ~DF58B9.tmp
    01/13/2006 12:42 AM 32,768 ~DF9BFB.tmp
    01/13/2006 01:45 AM 32,768 ~DFC009.tmp
    01/13/2006 01:46 AM 16,384 ~DFDDB.tmp
    01/13/2006 12:43 AM 165,376 GLC2.tmp
    01/13/2006 01:46 AM 165,376 GLC3.tmp
    01/13/2006 01:18 AM 165,376 GLCE.tmp
    07/26/2002 04:02 PM 10,752 GLF12.tmp
    04/19/2004 11:15 PM 17,979 GLF13.tmp
    07/26/2002 04:02 PM 10,752 GLF6.tmp
    04/19/2004 11:15 PM 17,979 GLF7.tmp
    07/26/2002 04:02 PM 10,752 GLF8.tmp
    04/19/2004 11:15 PM 17,979 GLF9.tmp
    01/13/2006 01:18 AM 384 GLG11.tmp
    01/13/2006 12:51 AM 384 GLG5.tmp
    01/13/2006 01:49 AM 384 GLG6.tmp
    01/13/2006 12:43 AM 34,304 GLK3.tmp
    01/13/2006 01:46 AM 34,304 GLK4.tmp
    01/13/2006 01:18 AM 34,304 GLKF.tmp
    21 File(s) 833,841 bytes
    ________________________________________________________________


    Prevx1 has some information that seems accurate:
    http://virusinfo.prevx.com/pxparall....C=3f7210442538

    Prevx1 calls this infection "Trojan.Droppers.Temp.A".

    This part of a sentence from the Prevx1 web page accurately describes our experience:

    "This [.TMP] File Type uses the file names GLB1.TMP and GLB6B.TMP and at least 65 other file names, the latest we have seen is GLB8B.TMP. It has a file size of 71,680 bytes and is found in the folder [%TEMP%\]"

    In the file list above, the malware is not active, apparently, and there is no file with a size of 71,680 bytes. Note that not all the files have the same date, even though they were created within minutes of each other.

    The actual operation of the malware seems to occur only under one user name, one which in this case has extremely limited rights. The malware does not seem active when logged in under a user name with Administrator rights.

    We used the excellent free SysInternals FileMon.exe File activity monitoring utility to log some of the GLxxx.tmp activity:
    http://futurepower.net/GLxxx.tmp_file_activity.html

    FileMon is available at:
    http://www.sysinternals.com/Utilities/Filemon.html

    However, at that time the malware did not seem particularly active, and there was no file with the size 71,680 bytes in the

    C:\Documents and Settings\UserNamexx\Local Settings\temp

    folder. The short form of that folder is

    C:\DOCUME~1\UserNamexx\LOCALS~1\temp

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.0
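    A defender's triage script, added here as an example (it is not part of this thread, of Prevx's write-up or of the ZoneAlarm product), that applies the observations in the post above: it flags %TEMP% entries matching the GLxxx.tmp naming pattern, the 71,680-byte size Prevx reports, and modification dates years older than the file's creation time, and it detects the bold I / lower-case l lookalike for lsass.exe. All sample entries and process names in the test are constructed; the regex, the one-day tampering threshold and the confusable table are assumptions.

```python
import os
import re
from datetime import datetime, timedelta

# Naming pattern taken from the post's directory listing: GLC2.tmp, GLF12.tmp, GLKF.tmp ...
GL_TMP_RE = re.compile(r"^GL[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)
KNOWN_DROPPER_SIZE = 71_680  # size Prevx gives for the GLBxx.TMP dropper files

def triage_temp_entries(entries):
    """entries: iterable of (name, size_bytes, mtime, ctime) with datetime values.
    Returns [(name, [reasons])] for files worth isolating and examining."""
    findings = []
    for name, size, mtime, ctime in entries:
        reasons = []
        if GL_TMP_RE.match(name):
            reasons.append("GLxxx.tmp naming")
            if size == KNOWN_DROPPER_SIZE:
                reasons.append("71,680-byte size matches Prevx description")
            # The post notes freshly created files carrying years-old dates: a
            # modification time well before the creation time was set by the dropper.
            if ctime - mtime > timedelta(days=1):
                reasons.append("mtime predates creation (timestamp tampering)")
        if reasons:
            findings.append((name, reasons))
    return findings

# Bold I and bold l were indistinguishable in the ZoneAlarm font; fold the
# confusable glyphs (assumed table) before comparing a name against the real one.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})

def is_lookalike(name, legit="lsass.exe"):
    """True when `name` only reads as `legit` once confusables are folded."""
    folded = name.translate(CONFUSABLES).lower()
    return folded == legit and name.lower() != legit

def scan_temp_dir(path):
    """Build triage entries from a real folder. On Windows st_ctime is the
    creation time, which is what the tampering check relies on."""
    entries = []
    for e in os.scandir(path):
        st = e.stat()
        entries.append((e.name, st.st_size,
                        datetime.fromtimestamp(st.st_mtime),
                        datetime.fromtimestamp(st.st_ctime)))
    return triage_temp_entries(entries)

if __name__ == "__main__":
    for name, reasons in scan_temp_dir(os.environ.get("TEMP", "/tmp")):
        print(name, "->", "; ".join(reasons))
```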

  2. #2
    futurepower Guest

    Web Page: ZoneAlarm does not clean this trojan: GLxxx.tmp, Trojan.Droppers.Temp.A. Screen shots.

    See this web page for the same report with better formatting:

    http://futurepower.net/ZoneAlarm_trojan_problem.html

  3. #3
    tactful_player Guest

    Re: ZoneAlarm does not clean this trojan: GLxxx.tmp, Trojan.Droppers.Temp.A. Screen shots.

    If I were you I would contact their support email address and give them a full report as you've done here. I would put up the address but this site **Bleeps** it out, so I have to take alternate measures, like so: the address is support at zonelabs dot com, unless a guru or administration takes out this post (don't know why they would), just as I can't figure out why no URLs are allowed on a Zone Labs forum. This post should stay as is, generic support address and all. Best Of Luck (sounds like you need it). tactful

    Message Edited by tactful_player on 01-13-2006 06:23 PM

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro
    Software Version:6.0


    Message Edited by tactful_player on 01-13-2006 06:24 PM

  4. #4
    tactful_player Guest

    Re: Web Page: ZoneAlarm does not clean this trojan: GLxxx.tmp, Trojan.Droppers.Temp.A. Screen shots.

    Went to that web page and it appears there is a problem alright. Answer me this if you would: have you both scanned manually on the main board as well as doing the updates? Sometimes even with Pro 2006 that has to be done. We'll be looking at Black Ice next year to see what they offer in the way of both AV and firewall protection if you cannot get any satisfaction from the support site listed on the other post here. Just a PS here: following my own advice just a minute ago, did a manual scan and 42 spies and/or trojans were removed/deleted X-(

    Message Edited by tactful_player on 01-13-2006 07:35 PM

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro
    Software Version:6.0


    Message Edited by tactful_player on 01-18-2006 12:47 AM

  5. #5
    futurepower Guest

    Zone Labs Technical Support gave a generic, unhelpful reply.

    I contacted Zone Labs Technical Support, and got a completely generic reply. Below is my message to them, and, below that their message to me.

    Notice that when you download ZoneAlarm Security Suite, you get a different file every time, with a different MD5 checksum, although the number of bytes is the same. Therefore, there is no way to verify that you have a good download.

    ______________________________________

    My message to Zone Labs Tech. Support:
    ______________________________________

    Two questions. The second question is the primary one:

    1) What is the MD5 or SHA1 checksum of zaSuiteSetup_61_737_000_en.exe?

    We wonder if we have an infected copy. Every time we download zaSuiteSetup_61_737_000_en.exe we get a file with a different MD5.

    2) We are having severe problems with 6 computers at customer sites. This web page tells all we have discovered. Please help us with this:

    http://futurepower.net/ZoneAlarm_trojan_problem.html

    Apparently ZoneAlarm is not able to clean or even fully detect that trojan.

    Michael Jennings
    Futurepower
    Computer Systems

    ____________________________________

    The reply from Zone Labs is generic,
    and doesn't bother to answer the
    questions:
    ____________________________________

    Hello,

    Thank you for contacting Zone Labs Technical Support.

    I understand that you are concerned that you have an infected copy of
    ZoneAlarm Security Suite. From the information that you have sent us it is
    possible that it is not infected but a corrupted download. To avoid this, do
    not download using a download manager/accelerator. Also, disable any
    Anti-Virus program that is running when downloading.

    As for your second question, the Droppers Trojan can be caught by our
    product as long as it is a known virus, and our program does
    recognize many variants of the droppers trojan. If it is a new variant, it is
    possible, until new information is sent to us, that we may not be able to
    block it but can stop it from doing any damage to your system.

    If my answer did not resolve your issue, or you would like further
    assistance on this issue, please reply to this email. By replying, and
    leaving the subject line intact, your response will come directly to me. If
    you have a separate issue you would like assistance with, please submit a
    new request using the website at http://www.zonelabs.com/tsform .

    Thank you for choosing Zone Labs Security!

    Troy
    Technical Support
    Zone Labs
    A Check Point Company

  6. #6
    futurepower Guest

    I did the online scan.

    I did the online scan at:
    http://www.zonelabs.com/store/conten...d=home_scanner

    It seems like a toy to me. It "scanned" for less than a minute, and reported no infections on the two computers I tested. Also, it loads a ZoneLabs ActiveX control. That bothers me. There are instructions for removing it, and I will.

  7. #7
    futurepower Guest

    WEB PAGE FOR: Zone Labs Technical Support gave a generic, unhelpful reply.

    This web page has better formatting:

    http://futurepower.net/Generic_Reply...l_Support.html

  8. #8
    tactful_player Guest

    Re: Zone Labs Technical Support gave a generic, unhelpful reply.

    I'm glad you got a reply from them even if it seemed useless. That is their standard procedure: reply above the line, and if their answer doesn't solve the problem reply directly to the one person handling the case. But trust me, there are teams working on all kinds of things. Maybe, just maybe, if you gave them your worst problem first and not all at once they may come up with a better answer and solution for it, then lay the other one on them. Keep in mind that when two questions are asked both go to different departments and more often than not muddy the waters, so resolve the worst problem first. Caught your other response too. Are you sure you want to do that? Remove all protection, unless you have another course of action to take, like an immediate program to replace it? I wouldn't advise it. However, if you have something lined up like, say, Trend Micro then you may be just fine, but look into that as well as it might not be for your company, although many companies already have it in place, like computer software companies as well as some that repair them. I mean Microsoft uses it, among other things, so what does that tell you? If things stay status quo and no improvements are made, as I mentioned before we'll be looking into Black Ice. Not touting another program but doing what's best - bottom line. Until then give ZA support a chance; I have and have not been sorry as of yet. Best of luck whatever you decide. tactful

    Message Edited by tactful_player on 01-13-2006 10:19 PM

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro
    Software Version:6.0


    Message Edited by tactful_player on 01-13-2006 10:21 PM

    Message Edited by tactful_player on 01-15-2006 01:07 AM

  9. #9
    tactful_player Guest

    Re: I did the online scan.

    Why did you have to go there to scan? On the main panel, if you click the icon in the tray, on the left it reads anti spyware, which encompasses everything from adware, spyware, malware and yes even trojans or worms. That scan does delete said problems; I believe I said it deleted 42 of them when I ran it manually, but did follow up with updating the software (another option there).

    Message Edited by tactful_player on 01-13-2006 10:39 PM

    Message Edited by tactful_player on 06-12-2006 10:48 PM

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro
    Software Version:6.1