false positive?

Quick scan just moved to virus chest:
C:\SWSetup\HPPhoto\setup\HPZpsco1.exe as a severe threat…I cannot find anything about this.
Is there anything to do or check further?
I have AIS, SAS paid, MBAM paid, Webroot, Windows XP Pro, IE8, all is current and constantly updated. No other scans picked this up.
Thanks

You can send suspicious file to virustotal.

Here it is found secure: http://www.online-armor.com/oasis2/file/hewlett_packard/hpzpsc01_exe/hpzpsc01_exe/7646
&
http://exefile.submitfile.com/HPZpsc01.exe.html
Re:
Product: ICE *1
Company: Hewlett-Packard
Description: ICE Pre-Scrubber plug-in *1
Version: 7.0.0.71 *1
MD5: 8E39A63B3780A290E3B728E015A2503B *1
Size: 1028096 *1
Directory: %TEMP%\7zS060B\Setup\HPZpsc01.exe *1
Operating System: Windows XP

polonus
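Before reporting a detection as a false positive, it helps to confirm that the file in the chest is really the vendor-shipped binary and not something else that borrowed its name. The script below is an added example for this thread, not code from the original posts, from Avast or from HP. It assumes you have a copy of the quarantined file restored to a scratch folder and a hash from a source you trust, such as the MD5 quoted for HPZpsc01.exe above; the stand-in file it hashes in `demo()` is constructed and is not the real installer. Comparing hashes, or looking a hash up, avoids uploading a possibly private file; uploading to VirusTotal is the next step only when the hash is unknown.

```python
"""Check a quarantined file against a published hash before calling it a false positive."""
import hashlib
import os
import tempfile

# MD5 for HPZpsc01.exe exactly as quoted from the online-armor listing above.
KNOWN_GOOD_MD5 = "8E39A63B3780A290E3B728E015A2503B"
ALGORITHMS = ("md5", "sha1", "sha256")


def _stream_digests(chunks):
    """Feed every chunk to all algorithms once; return lowercase hex digests."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digests_of_bytes(data):
    """Digests of an in-memory buffer (small files, or self-checks)."""
    return _stream_digests([data])


def file_digests(path, chunk_size=1 << 16):
    """Digests of a file, read in chunks so a large installer need not fit in RAM."""
    with open(path, "rb") as fh:
        return _stream_digests(iter(lambda: fh.read(chunk_size), b""))


def matches_published_hash(digests, published, algorithm="md5"):
    """True when the computed digest equals the published one, ignoring case.

    A match with a vendor-published hash is strong evidence of a false positive.
    A mismatch does not prove malice: it only means this is not the file the
    vendor listed, so it stays "unknown" until scanner results say otherwise.
    """
    return digests[algorithm] == published.strip().lower()


def virustotal_lookup_url(sha256_hex):
    """URL for a hash-only VirusTotal lookup (no upload) of a SHA-256."""
    digest = sha256_hex.strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a 64-character hex SHA-256")
    return "https://www.virustotal.com/gui/file/" + digest


def demo():
    """Hash a constructed stand-in (not the real HP binary) and report the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "HPZpsc01.exe")  # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not the real installer")
        digests = file_digests(path)
    verdict = matches_published_hash(digests, KNOWN_GOOD_MD5)
    return digests, verdict, virustotal_lookup_url(digests["sha256"])


if __name__ == "__main__":
    digests, verdict, url = demo()
    for name, value in digests.items():
        print(f"{name:7} {value}")
    print("matches published MD5:", verdict)
    print("hash-only lookup:", url)
```

Run it against the real file by replacing the constructed sample with `file_digests(r"C:\path\to\restored\HPZpsc01.exe")`. The stand-in naturally does not match the quoted MD5, which is the point: a mismatch means "not the file the vendor listed", not "malicious", and the SHA-256 lookup URL is what you would then check.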

Thank you Polonus; I have an HP 5610 All in One so this makes sense.

However, the full scan later on picked up:
C:\System Volume Information_restore…A0227143.exe and
C:\WINDOWS\MEMORY.DMP identified as Win32:Trojan-Gen and Win32:Fake Alert+NF{Trj} respectively.
Then later on, IE shut down unexpectedly; the Blue Screen said Bad_Pool_Header, IE recovered, and then directed me to MS knowledge base that said I may have two antivirus software installed.
I do not have two antivirus installed.

I ran a full MBAM and a full SAS; nothing at all. Webroot log says it is corrupted and needs to be reinstalled; I uninstalled it, but will wait to reinstall.

Are you able to advise of further action? I’m older and without tech expertise; I’d appreciate any further advice you may have.
Thank you.

You do have two antivirus as Webroot is one, and Avast the other.

Hi,
Had webroot spysweeper on my machine and is very bad at consuming resources. If it is the version with an antivirus it will conflict and do damage to the op system. Only use 1 antivirus! and run avast boot scan without webroot installed.
You must have a malware process going off as your system restore point is infected as malware is common to infect system restore points. After malware removal you need to clear all your restore points as these will be more than likely infected.

Update malware bytes IMPORTANT DO a full scan in safe mode and clear what it finds. Malware will not run in safe mode.

Update malware bytes IMPORTANT DO a full scan in safe mode and clear what it finds. Malware will not run in safe mode.
Not necessary to do, as the quick scan will find and remove 99% of what MBAM is able to detect. Malwarebytes can be run in safe mode but is designed to work best in normal mode.

http://forums.malwarebytes.org/index.php?showtopic=5590

http://forums.malwarebytes.org/index.php?showtopic=8914&st=20&p=43831&#entry43831
http://forums.malwarebytes.org/index.php?showtopic=10405&st=0&p=141646&#entry141646
http://forums.malwarebytes.org/index.php?showtopic=8710&st=0&p=41633&#entry41633

The product is Webroot Spy Sweeper only; I do not want and do not have any antivirus product from Webroot. I apologize for an incomplete description.

You can report a FP here: http://www.avast.com/contact-form.php?loadStyles

Thanks for the input; finally got a link to submit the FP.

This morning, mbam will not open up even though the popups showing automatic updates keep coming and the icon is in the taskbar; it is saying “runtime error 0”, “runtime error 440/automation” and once I got “vb Accelerator SGrid II Control”. Have emailed support at mbam but no response yet.

Another note: yesterday the AIS boot time scan showed nothing and this was before the bad pool header shutdown; also mbam will not open up in safe mode this morning (same error messages) and SpySweeper (it has NO av features) is not installed.

Hi riobio,

Workaround for you:

Fire up command prompt, type in following commands:

regsvr32 mbamext.dll
regsvr32 ssubtmr6.dll
regsvr32 vbalsgrid6.ocx
regsvr32 zlib.dll

Give in the commands; the last one may do the trick,

polonus

Hi,
Run hijack this from trend micro and post the log to read? Sure a malware process is running!

MBAM support sent a link to get mbam back up; it is OK now, quick scan shows nothing.

I am clueless here, so you win bobo1–here is the trend micro hijack this log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:10:54 PM, on 6/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\jcb.PC272393594253\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apod.nasa.gov/apod/astropix.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4A
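
A HijackThis log is just a list of registry and file references, so the first pass of reading one is mechanical: which entries point at a file that no longer exists, which browser start/search settings are not the vendor defaults, and which browser helper objects load from somewhere other than Program Files or Windows. The script below is an added example for this thread, not part of HijackThis or of the original post. It assumes the `Rn - key,value = url` and `O2 - BHO: name - {CLSID} - path` line shapes visible in the log above; the expected URL prefixes and trusted DLL folders are assumptions for a stock HP / Windows XP build, not values HijackThis uses. The sample log is constructed: six lines copied from the log above plus one invented O2 line (all-zero CLSID, DLL under Application Data) to show how a suspect path is reported.

```python
"""Triage the R0/R1/R3/O2 entries of a HijackThis log."""
import re

# Start page / search URLs expected on a stock HP or Microsoft build (assumed).
EXPECTED_URL_PREFIXES = (
    "http://go.microsoft.com/fwlink/",
    "http://ie.redirect.hp.com/",
)
# Folders a legitimately installed BHO DLL normally lives in (assumed).
TRUSTED_DLL_PREFIXES = ("c:\\program files\\", "c:\\windows\\")

REASON_URL = "non-default start/search URL; confirm the user set it"
REASON_ORPHAN = "orphaned entry: the registered component's file is missing"
REASON_PATH = "BHO loaded from outside Program Files / Windows"

R_URL = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+) =\s*(?P<url>.*)$")
R_HOOK = re.compile(r"^(?P<kind>R3) - URLSearchHook: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<target>.+)$")
O2_BHO = re.compile(r"^(?P<kind>O2) - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<target>.+)$")

# Constructed sample: lines from the log above plus one invented O2 line (the last).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apod.nasa.gov/apod/astropix.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Documents and Settings\All Users\Application Data\helper.dll
"""


def parse_line(line):
    """Return the named groups of a recognised R0/R1/R3/O2 line, else None."""
    for pattern in (R_URL, R_HOOK, O2_BHO):
        m = pattern.match(line.strip())
        if m:
            return m.groupdict()
    return None


def assess(entry):
    """Return a reason string if the parsed entry needs a human look, else None."""
    kind = entry["kind"]
    if kind in ("R0", "R1"):
        url = entry["url"].strip()
        if url and not url.startswith(EXPECTED_URL_PREFIXES):
            return REASON_URL
        return None
    target = entry["target"].strip()
    if target.lower() == "(no file)":
        return REASON_ORPHAN
    if kind == "O2" and not target.lower().startswith(TRUSTED_DLL_PREFIXES):
        return REASON_PATH
    return None


def triage(log_text):
    """Parse a log and return [(kind, label, reason)] for entries worth attention.

    Unrecognised lines (process list, header) are skipped, not treated as errors.
    """
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = assess(entry)
        if reason:
            label = entry.get("name") or entry.get("value") or entry.get("key")
            findings.append((entry["kind"], label.strip(), reason))
    return findings


if __name__ == "__main__":
    for kind, label, reason in triage(SAMPLE_LOG):
        print(f"{kind:3} {label:20} {reason}")
```

On the sample this reports three items: the apod.nasa.gov start page (a user choice to confirm, not a detection), the Yahoo! Toolbar hook whose file is gone (a harmless leftover), and the invented BHO under Application Data. An entry being flagged means "look at it", nothing more; the orphaned hook in particular is exactly the kind of line that looks alarming in a raw log and is not.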

Sorry bobo1, but HijackThis is a busted flush now; it hasn’t had any development for probably over 18 months and it just isn’t up to the task any longer. It doesn’t even look in the areas that modern malware hides; this is why specialist analysis tools have come to the fore like OTS, as you will see mentioned in the forums.

David R, you’re saying the hijack this is useless? If so, do you have a suggestion? Just finished deleting all system restore points, making a new one, doing a full mbam scan which shows zero “0” infections. Am I done, or is there something else?

The hjt logfile seems OK, but there is new rogue av malware that sometimes installs on:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apod.nasa.gov/apod/astropix.html

Do you get popups with fake av or do you get redirected to fake sites?

Maybe essexboy may have a cleansing routine for you, a run with TDSSKiller.exe and OTL log analysis; wait until he appears,

polonus

I have NOT had any popups with fake av, and there has not been any redirects.

No further problems would suggest that MBAM killed whatever it was ;D

Thanks to all; I truly appreciate your assistance.
riobio

Pretty much so, any security application that hasn’t had development in over a year, really isn’t keeping up with developments.

Any suggestions would be dependent on the circumstances, e.g. if you were still getting symptoms and other general removal tools hadn’t resolved it, which doesn’t appear to be the case. But, as I mentioned in the quoted text, there is OTS; that is a specialist tool that requires specialist analysis (essexboy, etc.), so it isn’t a tool that you jump straight in and run without it being requested.