Topic: ZeusDecoder and false positives (RESOLVED)


Offline Tanya

ZeusDecoder and false positives (RESOLVED)
« on: September 18, 2010, 08:59:23 AM »
This program gave me:

Code:
Process "MsMpEng.exe", heap page: [0x0ad67000 - 0x0b043000]
Found signature for ZeuS 1.x

Process "MsMpEng.exe", heap page: [0x0b155000 - 0x0b38b000]
Found signature for ZeuS 1.x

Process "MsMpEng.exe", heap page: [0x0b3aa000 - 0x0b801000]
Found signature for ZeuS 1.x

Process "AAWService.exe", heap page: [0x0b3a5000 - 0x0b3bd000]
Found signature for ZeuS 1.x

Process "AAWService.exe", heap page: [0x11bc2000 - 0x11bed000]
Found signature for ZeuS 1.x

But that's just the AV/antispyware detections?

Don't tell me I'm fuxed, please! Although I never use banking stuff, but it's a false positive, yeah?
« Last Edit: September 20, 2010, 12:46:33 PM by Tanya »
XP Pro, Avast! Free AV 5.0. 677, ZA, loads of scan-programs, 1024MB RAM, NVIDIA...what else you wanna know?

Offline SafeSurf

Re: ZeusDecoder and false positives
« Reply #1 on: September 18, 2010, 10:05:13 AM »
Did you update prior to running the scan and did SAS quarantine anything?

Check this link out: http://www.malwarehelp.org/find-and-remove-zeus-zbot-banking-trojan-2009.html

I know you've also been on the other link in the Worms and Virus section: http://forum.avast.com/index.php?topic=64011.15.

The suggested scanner over SAS is MBAM, which I posted in my original thread: http://forum.avast.com/index.php?topic=64000.0 - Post #8 for directions.  Update MBAM first; quarantine anything that comes up positive (do NOT delete). Please cut and paste your log here for us to analyze.  Thank you.

NOTE: If you tend to visit risky sites, you may want to do a one-time lifetime purchase of MBAM Pro (resident), and it will not conflict with other security software, for added protection; however, you still need to update it prior to running scans.
Mac 10.9.4 /Safari and Firefox (NoScript/AdBlockPlus/BetterPrivacy/Ghostery)/
Vista Home Prem (same add-ons)/Avast Free/Online Armor Premium Firewall/MBAM Premium/ Mobile MBAM.

Offline DavidR

Re: ZeusDecoder and false positives
« Reply #2 on: September 18, 2010, 05:54:35 PM »
@ tanya

Since these are detections in memory, my guess is that you are doing a custom scan in which you have elected to scan memory, and that all these detections are in memory or are listings of files that can't be scanned. Since they aren't physical files they can't be moved to the chest, deleted, etc., so there is no action that can be taken, hence the Apply button being greyed out.

The detections in memory are frequently other security applications loading unencrypted virus signatures into memory. Having set off a scan of memory by an antivirus application looking for virus signatures, don't be too surprised if it finds some in memory.

The detections aren't on the file names shown; those are just the processes responsible for loading it into memory.

The other security applications you have installed are the cause, Windows Defender and AdAware loading unencrypted signatures into memory and being detected as I would expect from a scan looking for virus signatures. So it isn't a false positive, but you aren't infected.

You have several options: a) don't select a memory scan in the custom scan, b) ignore those entries associated with the two programs, c) remove one or more of those programs, or d) disable the resident element of both, as avast also has anti-spyware built in.

~~~~
Personally I wouldn't give AdAware hard disk space, as it is a much deprecated application now; with WD installed you don't really need it, and there are better applications should you want to replace it, MBAM and SAS.
« Last Edit: September 18, 2010, 06:57:30 PM by DavidR »
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.494)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/
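A small triage script for output in the format Tanya posted, added here as an example and not part of this thread or of ZeusDecoder itself: it parses the report, sums the flagged heap ranges per process, and marks processes on an allowlist of known signature-holding scanners (MsMpEng.exe and AAWService.exe, as named in DavidR's reply) as expected, so only an unlisted process is left to investigate. The explorer.exe entry in the sample is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format ZeusDecoder printed above; the explorer.exe
# entry is invented to show a hit that no known scanner process accounts for.
SAMPLE_REPORT = """\
Process "MsMpEng.exe", heap page: [0x0ad67000 - 0x0b043000]
Found signature for ZeuS 1.x

Process "AAWService.exe", heap page: [0x0b3a5000 - 0x0b3bd000]
Found signature for ZeuS 1.x

Process "explorer.exe", heap page: [0x01230000 - 0x01250000]
Found signature for ZeuS 1.x
"""

# Scanners that keep unencrypted malware signatures in memory: MsMpEng.exe
# (Windows Defender) and AAWService.exe (Ad-Aware) per the thread; extend per host.
SIGNATURE_HOLDERS = {"msmpeng.exe", "aawservice.exe"}

LINE_RE = re.compile(
    r'^Process "(?P<proc>[^"]+)", heap page: '
    r'\[(?P<start>0x[0-9a-f]+) - (?P<end>0x[0-9a-f]+)\]$', re.I)

def parse_report(text):
    """Return (process, start, end, signature) tuples from ZeusDecoder output."""
    hits, pending = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pending = (m["proc"], int(m["start"], 16), int(m["end"], 16))
        elif pending and line.startswith("Found signature for "):
            hits.append(pending + (line[len("Found signature for "):].strip(),))
            pending = None
    return hits

def triage(hits):
    """Group hits per process; allowlisted scanners are expected, others need a look."""
    by_proc = defaultdict(list)
    for proc, start, end, sig in hits:
        by_proc[proc].append((start, end, sig))
    verdicts = {}
    for proc, pages in by_proc.items():
        expected = proc.lower() in SIGNATURE_HOLDERS
        verdicts[proc] = {
            "pages": len(pages),
            "bytes": sum(end - start for start, end, _ in pages),
            "verdict": "expected: scanner holding signatures" if expected else "investigate: unexpected process",
        }
    return verdicts
```

Paste a real report into `SAMPLE_REPORT` (or read it from a file) and call `triage(parse_report(...))`; anything not marked expected is the only part worth a second look.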

Offline Tanya

Re: ZeusDecoder and false positives
« Reply #3 on: September 18, 2010, 06:40:40 PM »
Greetings, you're great people! Did you see the program I posted, though? It basically just gives "analyse" and a report text. So that's the log.

I don't get the short names you use (what's SAS?), but I've got Avast!, Adaware, Windows Defender, SpyBot, CCleaner that I use, and ZA as a firewall. Then I tweaked my OS pretty well (shut off a lot of unneeded services), so I'm fine I think, nothing but one or another suspicious cookie here and there sometimes.

I used MalwareBytes Anti-Malware (updated and all) and found:

Code:
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17.09.2010 13:48:19
mbam-log-2010-09-17 (13-48-19).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 210136
Time elapsed: 37 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

But a quick internet search found that this is just a harmless leftover. AFAIK it was a temporary internet file that Avast! aborted a long time ago.

There is no sign of Zeus on my computer, other than what seems to be the ZeusDecoder detection of what my security programs do. Which is probably not a real virus infection, if I am correct? That's what I wanted to ask the experts. :)

Hehe, Zone Alarm and ZeusDecoder managed to scare me now!
« Last Edit: September 18, 2010, 06:45:59 PM by tanya »

Offline DavidR

Re: ZeusDecoder and false positives
« Reply #4 on: September 18, 2010, 06:57:00 PM »
SAS is SuperAntiSpyware.

RE: MBAM log:
It is an old registry entry; without associated files it is inert, but best got rid of anyway.

This should have answered your question "Which is probably not a real virus infection, if I am correct?"
Quote from: Extract from my last post
The other security applications you have installed are the cause, Windows Defender and AdAware loading unencrypted signatures into memory and being detected as I would expect from a scan looking for virus signatures. So it isn't a false positive, but you aren't infected.

Offline Tanya

Re: ZeusDecoder and false positives
« Reply #5 on: September 18, 2010, 07:08:55 PM »
Ok thanks, appreciate it. :)

Quote from: DavidR
SAS is SuperAntiSpyware.

Sure, I can download it and peek a little. I'll be like a fortress ;D


Offline YoKenny

Re: ZeusDecoder and false positives
« Reply #6 on: September 18, 2010, 07:20:15 PM »
Want to be like a fortress? Then take DavidR's advice.
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline DavidR

Re: ZeusDecoder and false positives
« Reply #7 on: September 18, 2010, 07:55:55 PM »
Quote from: Tanya
Ok thanks, appreciate it. :)

SAS is SuperAntiSpyware.

Sure, I can download it and peek a little. I'll be like a fortress ;D

You're welcome.

Offline SafeSurf

Re: ZeusDecoder and false positives
« Reply #8 on: September 20, 2010, 01:03:45 AM »
Tanya,

It's good to layer your security software for defense, but don't overdo it, is what we are trying to say. Outdated or obsolete software you can get rid of.

In addition, keep your current software up to date by using something like free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ and scan your machine weekly; direct vendor downloads are provided if needed.  Many of us use it since software is constantly changing.

Also check to make sure your browser (the browser will be checked with Secunia) and any add-ons are current, and use safe browsing practices.

Keep your AV up to date.  Find a solid FW that you trust.

If you feel that your issue is now resolved/fixed, please go back to the first open post in this topic, click the Modify button in that post and change the title/subject: add [Resolved] to the beginning of the title so this thread can be closed.

Feel free to come back any time you need help, to learn something new, or just to ask questions.  We are here 24/7 for your convenience. 

Thank you for allowing us to assist you. :)

Offline Tanya

Re: ZeusDecoder and false positives
« Reply #9 on: September 20, 2010, 12:52:30 PM »
Thank you, modified it.

Always checking this forum for interesting links and info :)

Quote from: SafeSurf
Find a solid FW that you trust.

Hehehe, I have actually forgiven ZA... for now ;D