Hi YoKenny,
This may be the background for this FP: Reported as the CLICKER.LE TROJAN by Panda Anti-Virus. Do not confuse this with the IBM/XPoint Rapid Restore file which is generally located in the PROGRAM FILES\XPOINT\AGENT folder…
Then consider this information here: http://www.bleepingcomputer.com/startups/xpagent.exe-6979.html
The malware finds relate to:
Description: Xpagent.exe is located in a subfolder of “C:\Program Files” or sometimes in a subfolder of C:. The file size on Windows XP is 98304 bytes.
There is no information about the maker of the file. The program is not visible. Xpagent.exe is not a Windows system file. The process uses ports to connect to LAN or Internet. Xpagent.exe is able to hide itself, monitor applications. Therefore the technical security rating is 71% dangerous.
If Xpagent.exe is located in the folder C:\Windows\System32 then the security rating is 83% dangerous. File size is 146488 bytes (45% of all occurrence), 147000 bytes, 146487 bytes, 146999 bytes, 146489 bytes. The program has no file description. The program is not visible. File Xpagent.exe is located in the Windows folder, but it is not a Windows core file. Program starts upon Windows startup (see Registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). The file is not a Windows system file.
And for the legit and safe versions see these characteristics:
http://www.spywaredata.com/spyware/malware/xpagent.exe.php
So if your version is "IBM/XPoint Rapid Restore file-related" you have nothing to worry about, and it has been falsely flagged; otherwise it could well be malware. Again, trzA.tmp could be bad:
http://www.prevx.com/filenames/X719906623101032549-2117797993/TRZA2ETMP.html,
but again not necessarily. For the malware component:
-
COVERT ANALYSIS OF: TRZA.TMP
- File Names Used: 26
- Paths Used: 34
- Common File Name: TRZA.TMP
- Common Path: %WINDIR%\
- Vendor Information: No Vendor details specified
- TRZA.TMP may use 26 or more path and file names, these are the most common:
- 1: %honeypotroot%\4974C16929009786DE8424CA69C4…pmw
- 2: %WINDIR%\TRZ157.TMP
- 3: %WINDIR%\TRZ35.TMP
- 4: %WINDIR%\TRZ3F.TMP
- 5: %WINDIR%\TRZA.TMP
- 6: %WINDIR%\TRZE9.TMP
- 7: %windir%\ugqe\ipiiuaaoyy-\XQAMHG7.QXQ
- 8: ?:\A00000000
- 9: ?:\program files1\drweb\infected.!!!\RAVMONE (1).EXE
- 10: ?:\program files1\drweb\infected.!!!\RAVMONE (2).EXE
- 11: ?:\TRZA.TMP.EXE
- File Name Structure: Normal
- File and Path Structure: Suspicious, unusually high number of file and path combinations
-
RELATIONSHIP ANALYSIS OF: TRZA.TMP
- Malicious Objects Created: 9 objects
- Malicious Creators: 3
- Malware Run Keys: Creates registry run keys for known malware objects
- Self Persists: Yes, creates copies of itself
- Antivirus Detection: No third party antivirus detection observed
- Anti-Spyware Detection: No third party anti-spyware detection observed
-
ACTIVITY ANALYSIS OF: TRZA.TMP
- The following behaviors have been observed for this object:
- Installs programs.
- Deletes programs.
- Invokes dll components.
- Creates Run Keys.
- Runs other programs.
- Communicates with web sites using httpout protocols.
- Changes file execution mappings.
- Hijacks running processes.
- Has outbound communications.
- Inspects email address books.
- Creates registry entries.
- Creates run keys for known malware.
- Creates known malware.
- Creates copies of itself.
-
PROPAGATION ANALYSIS OF: TRZA.TMP
- Malware Group Propagation Rate: Moderate (spreading)
- Malware Group: Trojan RavMonE
- Copyright Prevx Limited 2005, 2006
And this is part of Trojan.NetMon/DNSChange
C:\SYSTEM VOLUME INFORMATION\_RESTORE{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP99\A0007991.EXE
So delve into it and see what it is: an FP for the first one (OK, Eddy may be right there), but the other two were rightfully removed, I assume.
This was all the analysis I could give you; some may learn from it to be more discriminating in their evaluation of legitimate software versus malware.
polonus
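The post above boils down to a handful of triage rules: the legitimate XPoint agent lives in its own Program Files folder with one known size, while the malicious hits live in the Windows tree (or as TRZ*.TMP droppers under %WINDIR%), carry different sizes and persist through an HKCU Run key, and a path under System Volume Information\_RESTORE is a restore-point snapshot rather than a running install. The following script, added here as an example and not part of polonus's post or any vendor tool, turns those rules into a small offline triage function. The folder, size and registry values are the ones quoted in the thread; the `ENV` table, the function names and the sample observations are constructed for illustration.

```python
"""Offline triage of xpagent.exe / trzA.tmp observations using the thread's heuristics.

Added example. Numbers and locations come from the forum post; ENV, the function
names and the sample observations are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Indicators quoted in the post (file.net / Prevx style); heuristics, not ground truth.
LEGIT_DIR = r"%PROGRAMFILES%\XPOINT\AGENT"          # IBM/XPoint Rapid Restore agent folder
LEGIT_SIZE = 98304                                  # legitimate xpagent.exe size on XP
SUSPECT_SIZES = {146488, 147000, 146487, 146999, 146489}   # sizes of the System32 copies
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed environment so the script runs offline; on a live box use os.environ.
ENV = {"WINDIR": r"C:\WINDOWS", "SYSTEMROOT": r"C:\WINDOWS", "PROGRAMFILES": r"C:\Program Files"}

TEMP_NAME = re.compile(r"^TRZ[0-9A-F]{1,3}\.TMP(\.EXE)?$", re.I)   # TRZA.TMP, TRZ157.TMP, ...
RESTORE_POINT = re.compile(r"\\SYSTEM VOLUME INFORMATION\\?_RESTORE\{", re.I)


def normalize(path: str) -> str:
    """Expand %VAR% placeholders (case-insensitive) and canonicalise for comparison.

    Unknown placeholders such as %honeypotroot% are kept verbatim.
    """
    def sub(m: "re.Match") -> str:
        return ENV.get(m.group(1).upper(), m.group(0))
    expanded = re.sub(r"%([^%]+)%", sub, path)
    return expanded.replace("/", "\\").rstrip("\\").upper()


@dataclass
class Observation:
    path: str
    size: int
    autorun_values: List[str] = field(default_factory=list)   # values found under RUN_KEY


def triage(obs: Observation) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'likely-FP', 'suspicious' or 'unknown'."""
    full = normalize(obs.path)
    directory, _, name = full.rpartition("\\")
    reasons: List[str] = []

    # 1. The legitimate agent: right folder, right size. Anything else there is odd.
    if directory == normalize(LEGIT_DIR) and name == "XPAGENT.EXE":
        if obs.size == LEGIT_SIZE:
            return "likely-FP", ["in XPoint\\Agent folder with expected size"]
        reasons.append("in XPoint folder but unexpected size %d" % obs.size)

    # 2. A restore-point copy is a snapshot of an earlier file, not an active install.
    if RESTORE_POINT.search(full):
        reasons.append("restore-point snapshot; the original lived elsewhere at the time")

    # 3. Non-Windows binary living inside the Windows tree (System32 or bare %WINDIR%).
    windir = normalize("%WINDIR%")
    if directory == windir or directory.startswith(windir + "\\"):
        reasons.append("non-Windows file under %s" % windir)
    if obs.size in SUSPECT_SIZES:
        reasons.append("size matches the reported malicious copies")
    if TEMP_NAME.match(name):
        reasons.append("TRZ*.TMP dropper-style name")

    # 4. Persistence through the HKCU Run key named in the post.
    if any(normalize(v).endswith("\\" + name) for v in obs.autorun_values):
        reasons.append("persists via " + RUN_KEY)

    if reasons:
        return "suspicious", reasons
    return "unknown", ["no thread indicator matched; hash it and submit to the vendor"]


if __name__ == "__main__":
    # Constructed observations mirroring the three cases discussed in the thread.
    samples = [
        Observation(r"C:\Program Files\XPoint\Agent\xpagent.exe", 98304),
        Observation(r"%WINDIR%\System32\xpagent.exe", 146488, [r"C:\WINDOWS\system32\xpagent.exe"]),
        Observation(r"%WINDIR%\TRZA.TMP", 4096),
    ]
    for s in samples:
        verdict, why = triage(s)
        print("%-50s %-10s %s" % (s.path, verdict, "; ".join(why)))
```

The point of the split verdicts is that a single indicator (file name or size alone) is not enough to call a false positive; the legitimate case has to match on both folder and size, and the "unknown" branch exists so that a file matching nothing is hashed and submitted rather than guessed at.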