
Thread: [SOLVED] Virus in my archived zaSuiteSetup_101_079_000.exe --> false positive

  1. #1 (Join Date: Jul 2005; Posts: 43)

    [SOLVED] Virus in my archived zaSuiteSetup_101_079_000.exe --> false positive

    I have this and other installers, documents and stuff in a partition of my HD set aside for that. I also record the contents of this partition to rewritable DVDs from time to time. All of this for backup purposes.

    A manual scan performed some hours ago detected Trojan-Downloader.Win32.Banload.btbm in the HD copy of this file. The file was quarantined automatically and I suspected it could be a false positive, so I waited.

    A while ago I thought that I could scan a copy burnt to RW-DVD. I have two of them, recorded on January 1st and January 18th this year (I use 3 sets of DVDs cyclically; the other was recorded on November 28th 2011 and the zaSuite installer stored on it is older; if it matters, it has an icon, unlike the 10.1.079 ones). The file was downloaded to my HD on December 28th, installed in my OS's, and recorded to DVDs on the said dates. I scanned the January 1st copy and it turned out clean, so I decided to delete the quarantined copy and redownload the file.

    The redownloaded file has the same virus! There's also a file size discrepancy between the copies on my DVDs (both have 351,298,472 bytes) and the redownloaded one (351,305,440 bytes, 6968 bytes more). Unfortunately I didn't make a note of the exact size of the first quarantined and deleted copy.

    Just in case it matters: yesterday an infected shortcut (with Exploit.Win32.CVE-2010-2568.gen) was detected on my desktop (and quarantined) while booting up Windows XP (likely by the on-access scanning, although the shortcut isn't supposed to run), and today I've deleted it. Also, Windows Vista has been unable to do automatic updates since February 15th because it gets an 8024402f error, which I have tried to fix several ways without success yet (it could be malware, but I haven't detected any infection under Vista yet).

    Concrete questions:

    - Does the currently downloadable zaSuiteSetup_101_079_000.exe have exactly 351,305,440 bytes like my "infected" copy (possibly false positive), 351,298,472 bytes like my "good" one, or none of them?

    - Can files of the same product (ZA Security Suite) and the same version (10.1.079.000) be different at different dates (Dec 28th and Feb 22nd)?

    - Could I be infected by malware that appends the additional 6968 bytes?

    - Could it have caused the other XP infection and/or the Vista Automatic Updates malfunction too?

    -----------------------------------------------------------
    ZoneAlarm Security Suite version: 10.1.079.000
    vsmon version: 10.1.079.000
    Driver version: 10.1.079.000
    Anti-virus engine version: 8.1.8.79
    Anti-virus signature DAT file version: 1079380640
    AntiSpam version: 6.3.1.4971
    ZoneAlarm Browser Security: 1.5.350.0
    ZoneAlarm ForceField Spyware Scanner: 1.5.53.235
    ZoneAlarm ForceField Anti-Phishing Database: 1.2.104.0
    ZoneAlarm ForceField Spyware Sites Database: 04.155

    Windows XP SP3
    Windows Vista SP2
    (multiboot in separate partitions, any is C: when booted, any is visible as D: by the other OS)
    Last edited by factor; February 21st, 2012 at 05:29 PM. Reason: specs added

  2. #2 (Join Date: Jun 2006; Location: The 3rd Coast - South Central Texas; Posts: 10,465)

    Re: Virus in my archived zaSuiteSetup_101_079_000.exe . Redownloaded file has it too!

    Hi;

    I have installed "ZASPSetup_101_079_000.exe" on three of my Win7 computers and "zaSuiteSetup_101_079_000.exe" on my Windows XP Home SP3 computer with no problems.

    It sounds to me like your computer was infected some time ago, and since then everything that you burned to DVDs and backed up was probably infected before you saved it to DVDs or backed it up.

    My best advice is for you to follow all the steps in the following two links.

    xyz was not detected, what should I do:
    http://forums.zonealarm.com/showthread.php?t=72918

    and for cleaning Malware off your system click here:
    http://forums.zonealarm.com/showthread.php?t=70448

    You also need to be on ZA version 10 to perform the above steps, if not please update to it.


    NOTE: If you followed all the directions in other posts then there is only one option left that MIGHT work but is very drastic.

    1. Format your hard drive
    2. Reinstall your Windows OS
    3. Download all Microsoft Service packs and Critical and non-critical updates from Microsoft.
    4. Don't install any other software/drivers.
    5. Download and install the latest version of ZA 10.1.079.000 without touching any default settings, and Do Not Restore Saved Settings from the old install.


    ZA Installers can be found here:
    Looking for the latest version?
    Last edited by GeorgeV; February 22nd, 2012 at 05:31 PM. Reason: update
    GeorgeV
    ZoneAlarm® Extreme Security


    Click here for ZA Support
    Monday-Saturday__ 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3 (Join Date: Dec 2002; Location: San Carlos, California; Posts: 1,636)

    Re: Virus in my archived zaSuiteSetup_101_079_000.exe . Redownloaded file has it too!

    We also have MD5 checksum values for our download links, from the support knowledge base area only. You can compare the MD5 of what you download from these links to the posted value; then you know you're getting a good download.

    You also need to get yourself an MD5 checksum program from somewhere on the internet to do the comparison.

    http://server.iad.liveperson.net/hc/...10&action=view


    Forum Moderator
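    The MD5 comparison this post recommends, as an added example that is not part of the thread or of ZoneAlarm's own tooling: it hashes a file in chunks (so a 350 MB installer is never loaded whole), checks it against a published MD5 and size, and compares two copies byte-for-byte the way the FC comparison later in the thread does. The sample bytes, the "published" digest and the 6968-byte appended copy are constructed here to mirror the size gap the original poster saw, not taken from the real installer.

```python
import hashlib
import os
import tempfile

def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large installer is never read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, expected_md5, expected_size=None):
    """Compare a downloaded file with the vendor's published MD5 (and size, if known)."""
    size = os.path.getsize(path)
    md5 = file_digest(path, "md5")
    size_ok = expected_size is None or size == expected_size
    md5_ok = md5.lower() == expected_md5.lower()
    return {"size": size, "md5": md5, "size_ok": size_ok, "md5_ok": md5_ok,
            "ok": size_ok and md5_ok}

def same_content(path_a, path_b):
    """Byte-for-byte equality of two copies (what the FC comparison in the thread checks)."""
    if os.path.getsize(path_a) != os.path.getsize(path_b):
        return False
    return file_digest(path_a, "sha256") == file_digest(path_b, "sha256")

# Constructed sample data, not real installer bytes: a "good" file and a copy with
# 6968 trailing bytes appended, the size gap the original poster observed.
GOOD_BYTES = bytes(range(256)) * 1000
APPENDED_BYTES = GOOD_BYTES + b"\x90" * 6968
GOOD_MD5 = hashlib.md5(GOOD_BYTES).hexdigest()  # stands in for the published value

def make_sample_files():
    """Write both constructed samples to a temp dir and return their paths."""
    d = tempfile.mkdtemp()
    good, appended = os.path.join(d, "good.exe"), os.path.join(d, "appended.exe")
    with open(good, "wb") as f:
        f.write(GOOD_BYTES)
    with open(appended, "wb") as f:
        f.write(APPENDED_BYTES)
    return good, appended

if __name__ == "__main__":
    good, appended = make_sample_files()
    for p in (good, appended):
        print(os.path.basename(p), verify_download(p, GOOD_MD5, len(GOOD_BYTES)))
    print("copies identical:", same_content(good, appended))
```

    A mismatch in either size or digest means the file is not the one the vendor published, whatever the scanner says about it; a match only shows it is the published file, not that the published file is benign.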

  4. #4 (tradehound, Guest)

    Re: Virus in my archived zaSuiteSetup_101_079_000.exe . Redownloaded file has it too!

    I am getting the same thing on Extreme Security:
    I downloaded ZASPSetup_101_079_000.exe on 1/18/2012 and ran a manual scan on that file only, it was clean that day. I tried to install it that day, 1/18/2012, but it didn't work, I forget why.

    I couldn't look at it anymore until today, 2/22/2012. So I ran another manual scan on that file (ZASPSetup_101_079_000.exe) and ZA said it was infected with:
    Trojan-Downloader.Win32.Banload.btbm
    and ZA quarantined it. Also ZA said there were 2 files scanned but I only selected the one file. I noticed in the quarantine it says:
    c:\...ZASPSetup_101_079_000.exe/ZAFFSetup-zass-de-1001.exe//data0044
    So it looks like Force Field is embedded in there, but I don't know, maybe that's why ZA says it scanned 2 files?

    Then, just for a test, I scanned an older setup file:
    ZASPSetup_101_065_000.exe
    And it was infected also! The exact same thing. But I scanned that one too a long time ago and in fact, used it to install my current ZA.

    I also just downloaded a fresh copy of ZASPSetup_101_079_000.exe, scanned it, but I get the exact same thing.

    Oh and I also ran the Update right before scanning these each time to have a fresh update.

    So are these false positives? It seems that something in the latest update is causing ZA to think its own setup file is infected!

    ---------------------------

    ZoneAlarm Extreme Security version: 10.1.065.000
    vsmon version: 10.1.065.000
    Driver version: 10.1.065.000
    Anti-virus engine version: 8.1.8.79
    Anti-virus signature DAT file version: 1079407840
    AntiSpam version: 6.3.1.4971
    ZoneAlarm Browser Security: 1.5.350.0
    ZoneAlarm ForceField Spyware Scanner: 1.5.53.235
    ZoneAlarm ForceField Anti-Phishing Database: 1.2.104.0
    ZoneAlarm ForceField Spyware Sites Database: 04.155

    Windows XP
    Media Center Edition
    Version 2002
    Service Pack 3
    Last edited by tradehound; February 23rd, 2012 at 07:31 AM.

  5. #5 (Join Date: Jul 2005; Posts: 43)

    Re: Virus in my archived zaSuiteSetup_101_079_000.exe . Redownloaded file has it too!

    I'll have to consider a lot of things and methods, and I'll post progress if there is any, but this isn't simple or quick. I think that I haven't clearly explained my backup strategy and its consequences, though. This is a chronology of the problem:

    - December 28: file #1 downloaded to my HD (copy #0).
    - In between: file #1 copy #0 installed to my OS's.
    - January 1: file #1 copy #0 recorded to DVD #1 (copy #1). DVD #1 is not used again until February 21.
    - January 18: file #1 copy #0 recorded to DVD #2 (copy #2). DVD #2 is not used again until February 21.
    - February 15: Vista Automatic Updates stops working with persistent 8024402F errors (supposing it has to do with malware or with this problem, but this is actually my most serious problem at the moment).
    - February 19: virus #2 found in another file (file #2).
    - February 21: virus #1 found in file #1 copy #0, but not in the externally stored copies #1 or #2 of the same file (*).
    - February 22: "infected" file #1 copy #0 and file #2 deleted.
    - February 22: file #1 downloaded to my HD (copy #3).
    - February 22: scan reported the same virus #1 as deleted copy #0 had, and unlike "clean" copies #1 and #2. Copy #3 is also 6869 bytes bigger. At the moment it's quarantined.

    I cannot check a false positive in a 350MB file at virustotal dot com, and it's probably impossible to send it by e-mail to Kaspersky, so I was hoping that I could get info from the exact size. That was the sense of my first two "concrete questions" above.

    If it helps, the quarantined item has "F:\zaSuiteSetup_101_079_000.exe/ZAFFSetup-lthr-de-1001.exe/data0044" as path (F: is my HD partition for archiving and backup), and the file was downloaded from download dot zonealarm dot com slash bin slash free slash information slash zass slash releaseHistory dot html .

    PS: I'll check MD5 values .


    (*) I must stress that it's physically impossible for these DVDs to have caught viruses while stored since January 1st and January 18th respectively.

    I don't consider it possible either that they can catch them while simply being read, because this media is extremely inflexible for writing, unlike an HD, and I must stress that this isn't an artificial or software limitation. They are DVD±RW, not DVD-RAM or anything like USB memory sticks or similar media. They are random-access for reading, but not for writing. Rewriting them involves rewriting the whole disc from scratch (in fact the first step is erasing the previous contents, so if one finds that one of the files is wrong, missing etc., in error or for malicious purposes, the only option is rewriting the whole disc again with all its files, which must be available outside the disc). If it's nearly full, as my discs are, that takes over 4GB of files and about 8 minutes for an X8 disc and 10 minutes for an X6 one, during which the drive makes noise and its LED blinks (by inner hardware). The drive I use preferentially for reading is a DVD reader that cannot write or rewrite in any shape or form.

  6. #6 (Join Date: Jul 2005; Posts: 43)

    Re: Virus in my archived zaSuiteSetup_101_079_000.exe . Redownloaded file has it too!

    I got MD5Checker 3.3. The first thing I did was to check it. Fine.

    My quarantined copy of zaSuiteSetup_101_079_000.exe is in its HD location now. Un-quarantined? It could be, as I have checked "Rescan when new signatures are received. Auto roll back if scans are negative", but not exactly: the quarantine list still has it listed too, and I've been able to rename the visible item and manually restore the quarantined one. I had already noticed this behaviour with the infected desktop shortcut that ZA detected days ago (is there anything wrong in my install, or is this a bug?).

    Both files pass the ZA scan now (no viruses), both are identical (compared with FC) and both have the same MD5, although it doesn't match the one listed in the download link of post #3.

    I redownloaded it again. It's remarkably bigger than previous copies (339 vs 335MB; the d/l page still lists 335 MB, maybe it needs an update). Initial scan says safe (green window). Manual AV scan passed too. MD5 matches. So it seems that we've got a known good file at last! Recording it to a spare rewritable CD. The recorded copy is identical to the HD copy and conserves the good MD5.

    To tradehound: remove your license key!!

  7. #7 (Join Date: Nov 2004; Location: localhost; Posts: 17,286)

    Re: Virus in my archived zaSuiteSetup_101_079_000.exe . Redownloaded file has it too!

    Excellent. This means Kaspersky has fixed the false positive.

    I will revise the thread title to reflect this and will soon close it since the issue is resolved.
    Last edited by fax; February 22nd, 2012 at 09:02 PM.


  8. #8 (tradehound, Guest)

    Re: Virus in my archived zaSuiteSetup_101_079_000.exe . Redownloaded file has it too!

    Thank you Factor. I just now had the same thing happen to me:
    I updated and it "UNquarantined" those files (I noticed that I also had "Rescan when new signatures are received. Auto roll back if scans are negative" checked).

    Then I downloaded a fresh copy of ZASPSetup_101_079_000.exe, scanned it and ZA said it was clean.

    So I guess ZA must have had a false positive in some update between Jan. and yesterday.

    Now I need to install it. I hope it really is clean and I don't load malware on my computer :/

    Thank you again Factor for posting and following up with your results.

  9. #9 (Join Date: Nov 2004; Location: localhost; Posts: 17,286)

    Re: [SOLVED] Virus in my archived zaSuiteSetup_101_079_000.exe --> false positive

    The ZA installers are digitally signed; any modification will break the integrity of the file and the certificate, thus not allowing the installer to run. Just ensure you are downloading the file directly from ZA and you should be fine.

    I am closing this thread since the issue is resolved.

    You have exposed your license key on a public forum read by thousands of users and search robots. The license may be compromised. In case of problems you should contact ZA customer support to replace the license.

    Thanks,
    Fax
    Last edited by fax; February 23rd, 2012 at 11:21 AM.
