Closed - Potential false positive with ZoneAlarm file


ken_turbine

  • Guest
Closed - Potential false positive with ZoneAlarm file
« on: May 22, 2011, 12:29:08 PM »
Carrying out a full scan this morning, I got a positive as a rootkit on the following file

C:\WINDOWS\system32\ZoneLabs\Updates\unpacked==FFUPDATE=ffupdate_10_tcwlist_x86.zip\UpdZAEX.exe

Avast could not remove the errant file and seemed not able to find it either when told to remove or chest it.
I downloaded the Sophos free rootkit remover, and did a full scan which found nothing apparently significant, although it threw up some 'hidden files' on old IE5 cookies (I currently have loaded IE8, but tend to use Firefox), overchecked with a full scan using the latest Malwarebytes A-M and got nothing.

Chasing the filename it led to one of the update files for ZA of November 2010

C:\WINDOWS\system32\ZoneLabs\Updates\FFUPDATE\ffupdate_10_tcwlist_x86.zip\

This has never previously been detected and I have carried out regular scans with Avast, and as it is a file inside a zip folder I do not believe that I can put a copy onto one of the internet file scanners.

Using the Search facility on the Avast Forum I can find no similar references to this, but I admit to being poor at using the searching, so if this has been covered I apologise in advance.

Does anyone have any advice, as my instinct is to ignore this due to the clean bill of health from the other two scans?

ken turbine


« Last Edit: May 23, 2011, 05:33:18 PM by ken_turbine »

SafeSurf

  • Guest
Re: Potential false positive with ZoneAlarm file
« Reply #1 on: May 22, 2011, 12:35:10 PM »
When you refer to ZA, are you talking about their firewall?

ken_turbine

  • Guest
Re: Potential false positive with ZoneAlarm file
« Reply #2 on: May 22, 2011, 12:40:17 PM »
Safesurf,
       Apologies, I forget ZA is more than just the free firewall.
       Yes, it is the free Firewall I am referring to.

Ken Turbine

SafeSurf

  • Guest
Re: Potential false positive with ZoneAlarm file
« Reply #3 on: May 22, 2011, 12:50:28 PM »
No problem.  What other security software do you have on your machine?

Please do an Avast boot scan, making sure your definitions are up to date first.  Report back on your report.

If you still have problems, check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTS logs (save them as ANSI and not Unicode).  Post the OTS log as an attachment (Additional Options > Attach > Post).  Depending on the results, we may need to get our Certified Malware Removal Expert involved.

***Please do not make any further changes to your machine after you have provided the logs.***

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless instructed to do so by the malware removal instructions; use a different machine to check email, sync your phone, etc. if possible.

Let us know if you have any questions.  Thank you.




ken_turbine

  • Guest
Re: Potential false positive with ZoneAlarm file
« Reply #4 on: May 22, 2011, 01:02:10 PM »
Unfortunately I have to log off for a while, but will carry through the instructions later, and use the closedown to set up the boot scan.

FYI
System bespoke on a Foxconn motherboard, AMD Athlon 7750 dual processor, 4 GB RAM
Win XP-H SP3
Firefox 3.6 (NoScript + AdBlockPlus)
ZoneAlarm Free Firewall
Avast Free 6.0.1125
MBAM (not running just available)
SuperAnti-Spyware (also just available not running)
All kept up to date (FireFox - I am waiting for 4.0 to be tested to destruction by the community as a whole before installing)

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Potential false positive with ZoneAlarm file
« Reply #5 on: May 22, 2011, 01:35:45 PM »
Quote
Carrying out a full scan this morning, I got a positive as a rootkit on the following file

C:\WINDOWS\system32\ZoneLabs\Updates\unpacked==FFUPDATE=ffupdate_10_tcwlist_x86.zip\UpdZAEX.exe

Upload it to VT and post the results.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

ken_turbine

  • Guest
Re: Potential false positive with ZoneAlarm file
« Reply #6 on: May 22, 2011, 03:03:55 PM »
Quote
No problem.  What other security software do you have on your machine?

Please do an Avast boot scan, making sure your definitions are up to date first.  Report back on your report.


Safesurf,
        The boot scan gave a clean bill of health, i.e. 'No virus found'.
        Is it reasonable to now assume that the initial report was flawed and that the system, now cleared by Avast boot scan, Sophos rootkit scan and MBAM, is clean in terms of virus/rootkits?

Ken Turbine

ken_turbine

  • Guest
Re: Potential false positive with ZoneAlarm file
« Reply #7 on: May 22, 2011, 03:07:10 PM »
Quote
Carrying out a full scan this morning, I got a positive as a rootkit on the following file

C:\WINDOWS\system32\ZoneLabs\Updates\unpacked==FFUPDATE=ffupdate_10_tcwlist_x86.zip\UpdZAEX.exe

Upload it to VT and post the results.


Asyn,
     As I stated earlier, the actual file reported by Avast does not exist as an independent entity, it is part of a ZIP folder: do you mean that I should extract the file using 7-Zip and then put the extracted file to VT?
P.S. what is VT ?

Ken Turbine

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37545
  • Not an avast user
Re: Potential false positive with ZoneAlarm file
« Reply #8 on: May 22, 2011, 03:17:18 PM »
Quote
Asyn,
     As I stated earlier, the actual file reported by Avast does not exist as an independent entity, it is part of a ZIP folder: do you mean that I should extract the file using 7-Zip and then put the extracted file to VT?
Yes


Quote
P.S. what is VT ?
Upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.


Alternatives:
Jotti's malware scan  http://virusscan.jotti.org/en
VIRScan  www.virscan.org
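The advice above is to extract the flagged file from the ZIP and submit it to a multi-engine scanner. A practical companion step, shown here as an added example (not code posted by anyone in this thread), is to hash the member directly from inside the archive without writing it to disk: the hash can be quoted in a false-positive report, compared against the vendor's published file, or looked up on a scanner, and it also makes the distinction clear between the hash of the whole ZIP and the hash of the single file inside it that the scanner flagged. The member name UpdZAEX.exe is taken from the thread; the archive contents here are a constructed in-memory sample, not the real ZoneAlarm update.

```python
import hashlib
import io
import zipfile


def zip_member_hashes(zip_source, member_name):
    """Return {"md5", "sha1", "sha256", "size"} for one member of a ZIP archive.

    zip_source is either a filesystem path or a bytes object holding the
    archive. The member is streamed from the archive and never written to
    disk, so hashing it does not create a new on-disk copy for the host
    scanner to quarantine. A missing member raises KeyError (from zipfile).
    """
    if isinstance(zip_source, (bytes, bytearray)):
        zip_source = io.BytesIO(zip_source)
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    with zipfile.ZipFile(zip_source) as archive:
        with archive.open(member_name) as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                size += len(chunk)
                for digest in digests.values():
                    digest.update(chunk)
    result = {name: digest.hexdigest() for name, digest in digests.items()}
    result["size"] = size
    return result


def list_members(zip_source):
    """Return [(name, uncompressed_size)] so the flagged member can be located."""
    if isinstance(zip_source, (bytes, bytearray)):
        zip_source = io.BytesIO(zip_source)
    with zipfile.ZipFile(zip_source) as archive:
        return [(info.filename, info.file_size) for info in archive.infolist()]


def archive_sha256(zip_bytes):
    """SHA-256 of the container itself; this is NOT the hash of the inner file."""
    return hashlib.sha256(zip_bytes).hexdigest()


def build_sample_archive():
    """Constructed test data: a tiny ZIP with a member named like the flagged file.

    The member content is the three bytes b"abc" so its digests are well known;
    it is a placeholder, not the real ZoneAlarm updater.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("UpdZAEX.exe", b"abc")
        archive.writestr("readme.txt", b"constructed sample archive")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("members:", list_members(sample))
    print("container sha256:", archive_sha256(sample))
    for name, value in zip_member_hashes(sample, "UpdZAEX.exe").items():
        print(f"UpdZAEX.exe {name}: {value}")
```

To use this on a real archive, pass the path of the ZIP (for example the ffupdate_10_tcwlist_x86.zip from the thread) as zip_source and the inner file name as member_name; the SHA-256 is what most scanners and vendor contact forms accept for a lookup, so the file itself often does not need to leave the machine.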

ken_turbine

  • Guest
Re: Potential false positive with ZoneAlarm file
« Reply #9 on: May 22, 2011, 03:40:06 PM »

Quote
Upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.


Alternatives:
Jotti's malware scan  http://virusscan.jotti.org/en
VIRScan  www.virscan.org

Pondus, How long should VT take as I have uploaded the file (approx 250k) and the loading screen reappears but there it seems to stop?

Ken

ken_turbine

  • Guest
Re: Potential false positive with ZoneAlarm file
« Reply #10 on: May 22, 2011, 04:30:16 PM »
Quote
Upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.


Alternatives:
Jotti's malware scan  http://virusscan.jotti.org/en
VIRScan  www.virscan.org

As I was unable to get a response from VT I used Jotti. This gave a response with a URL of

http://virusscan.jotti.org/en/scanresult/3e96ffe0dbc52e41f3f55ed6c00e62078ac6dfec

This gave a clean response of 'Found nothing' from all 19 of the available scanners.  ;D

Ken

Offline Pondus

Re: Potential false positive with ZoneAlarm file
« Reply #11 on: May 22, 2011, 04:31:26 PM »
Quote
Pondus, How long should VT take as I have uploaded the file (approx 250k) and the loading screen reappears but there it seems to stop?
A minute or two... unless there is high server load.

Offline Asyn

Re: Potential false positive with ZoneAlarm file
« Reply #12 on: May 22, 2011, 09:47:56 PM »

ken_turbine

  • Guest
Re: Potential false positive with ZoneAlarm file
« Reply #13 on: May 23, 2011, 01:31:25 PM »
Quote
@OP: You can report a FP here: http://www.avast.com/contact-form.php?loadStyles

Asyn,
     I will do that then,
     Thanks to you, Pondus and Safesurf for your help

 ;D

Ken
« Last Edit: May 23, 2011, 01:34:47 PM by ken_turbine »

ken_turbine

  • Guest
Closed - Potential false positive with ZoneAlarm file
« Reply #14 on: May 23, 2011, 05:25:45 PM »
Thanks again everyone, reported and closed