Fife Process Virus!

Anyone know what tools to use to find the file related to this virus message:

“avast (VPS 090121-0, 21/01/2009) found virus Win32:Zbot-AVH [trj] in file Process 900, memory block 0x06070000, block size 262144 (using task Daily Quick Scan)”

Any tips for cleaning this up?

Thank you.

It is in memory, and avast, I believe, would have suggested a boot-time scan. Did it, and more importantly, did you do that?

Check the Task Manager and see if there is a process with the PID (process identifier) of 900, and report?

Thanks for the help. This is an interesting one!

Virus being detected in the same process:
22/01/2009 21:30:02 1232659802 SYSTEM 1796 Sign of “VBS:Obfuscated-gen [trj]” has been found in “*PROCESS\340\5370000\40000” file.
22/01/2009 21:30:06 1232659806 SYSTEM 1796 Sign of “Win32:Small-HUF [trj]” has been found in “*PROCESS\340\53d0000\40000” file.
22/01/2009 21:30:08 1232659808 SYSTEM 1796 Sign of “Win32:Small-gen2 [trj]” has been found in “*PROCESS\340\5420000\40000” file.
22/01/2009 21:30:10 1232659810 SYSTEM 1796 Sign of “Win32:Zbot-AVH [trj]” has been found in “*PROCESS\340\6070000\40000” file.

Done the following so far:

  1. Boot time scan found nothing.

  2. Traced the PID to the Windows Defender Service.

  3. Stopped the Windows Defender Service and reran the scan. Nothing detected.

  4. Restarted the Windows Defender Service without starting the Windows Defender GUI. Virus alerts generated.

  5. Checked the properties of the Windows Defender files to ensure they hadn’t been tampered with. Every one was signed appropriately.

  6. Checked the Windows Defender Service file (MpSvc.dll) on VirusTotal.com. Only VBA found a virus in this file: http://www.virustotal.com/analisis/5d6b9113fbeb44261d5564ceef3c12a6

What other checks can I do?

How do we fix this problem?

Could it be a false positive?
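The checks in steps 2 and 5 above (trace the PID to its process and hosted service, then verify the signatures of the loaded files) can be done in one pass from an elevated PowerShell prompt. The following script is an added example written for this thread, not code posted by any participant; the PID and the memory address are taken from the avast alert as parameters, and the address check is an assumption about the alert format (the block address is read as hexadecimal, as the `0x06070000` in the first message suggests).

```powershell
# Added example: map an AV-reported PID to its process and hosted services,
# verify Authenticode signatures and SHA-256 of every loaded module, and
# report whether the flagged memory block lies inside a loaded module.
# Run from an elevated prompt; reading modules of a SYSTEM service fails otherwise.
param(
    [Parameter(Mandatory = $true)][int]$ProcessId,
    [string]$Address = $null   # e.g. '0x06070000' from the avast alert (assumed hex)
)

$proc = Get-Process -Id $ProcessId -ErrorAction Stop
"{0} (PID {1}) image={2}" -f $proc.ProcessName, $proc.Id, $proc.Path

# svchost.exe hosts several services; list the ones living in this PID.
Get-WmiObject Win32_Service -Filter "ProcessId = $ProcessId" |
    ForEach-Object { "  hosts service: {0}  ({1})" -f $_.Name, $_.PathName }

$sha256 = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256([string]$Path) {
    # Hash via .NET so this also works on the PowerShell 2.0 that ships for Vista.
    $fs = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha256.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$modules = @($proc.Modules)
"  {0} modules loaded" -f $modules.Count
foreach ($m in ($modules | Sort-Object FileName -Unique)) {
    $sig = Get-AuthenticodeSignature -FilePath $m.FileName
    # Anything other than Valid is what you hash and submit to VirusTotal.
    "  {0,-12} {1}  sha256={2}" -f $sig.Status, $m.FileName, (Get-Sha256 $m.FileName)
}

if ($Address) {
    $addr = [Convert]::ToInt64($Address, 16)
    $hit = $modules | Where-Object {
        $base = $_.BaseAddress.ToInt64()
        ($addr -ge $base) -and ($addr -lt ($base + $_.ModuleMemorySize))
    }
    if ($hit) {
        "Address $Address lies inside module: " + ($hit | ForEach-Object { $_.FileName })
    } else {
        "Address $Address is not inside any loaded module (private/heap allocation)"
    }
}
```

Two caveats a practitioner should keep in mind: `Get-AuthenticodeSignature` on Vista-era PowerShell only understands embedded signatures, so catalog-signed Windows files report `NotSigned` there (Sysinternals `sigcheck` or `signtool verify /a` handle catalogs); and a flagged block that falls outside every loaded module is data the process allocated at runtime, which is consistent with the "decrypted signatures in memory" explanation offered below but does not by itself prove it.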

I don’t use windows defender so I can’t be a great deal of practical help.

However, I think it may load its signatures into memory (this speeds up scans); now, these may be encrypted, hence the Obfuscated-gen one.

Were you doing a WD scan (or an update) at the time ?

The detection in VT, suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics), could also be pointing to what I suggested, encrypted signatures, but it’s hard to say for sure.

Windows Defender is NOT scanning while Avast is doing its scan that detects the viruses.

This is Windows Vista Home Premium, so Windows Defender comes with it. It is low overhead and occasionally catches some nasties, so it is worth keeping, but only if this issue can be resolved.

Thanks for all the assistance.

You’re welcome, sorry I can’t be of more help with WD, never used it.

I’ve got a clean install of XP with SP3 and all updates.

I got all the same things on a memory scan. I can’t move them to the chest, delete them… or anything.

These are false positives but I can’t pinpoint which of the MANY Windows updates would have done it and if Windows Defender is responsible for all of it.

Boot-time scan doesn’t change anything.

Is anyone else seeing this?

Thanks