help with trojan please Win32:Zlob-CGP [Trj]

Hey,

I just booted my computer and got an Avast popup with the message that I have a trojan :o

location:

C:\Program Files\SetPoint\LBTWiz.exe
Win32:Zlob-CGP [trj]

I opened WinWord and copied this info, and when I hit enter in Word the Avast popup disappeared off my screen. Duh!

I had only read part of the message that said “try to…” and that’s as far as I got. I can’t figure out how to get the message back.

I’m still looking around in Avast, but I don’t have the slightest idea what to do.

Can someone help me, please?

thanks,
Liz

Update…

I came back here and found the pinned instructions at the top of the forum (what I could understand of it :P). I googled the trojan and came up with only one link (that wasn’t in Chinese) http://www.aladdin.com/csrt/valerts2.aspx?virus_no=29834

This site says this is ‘low threat’.

I couldn’t get back to the Avast trojan warning through the icon in the tray, so I opened Avast in programs and it gave me another notice about the trojan being in my memory. I couldn’t figure out a way to try to repair etc., and the Avast box had a message recommending moving it to the chest, so I did that. The avast program also asked me if I wanted to shut down and do a scan, so I did, and it gave me another message saying I have the trojan in the same location. It gave me a list of options. When I asked it to ‘repair’ it gave me Error 42060 ‘file not repaired’. So next I told it to move it to the chest (which I had actually already done as stated above). It gave me another error ‘object name not found’.

Btw, I am running Vista sp1 with all updates except for the ones that just came out this week. And ‘setpoint’, where the trojan is located, is my Bluetooth keyboard and mouse program.

Please upload the file to VirusTotal for analysis.

If necessary, export the file to the desktop from the chest, temporarily disable avast! and submit the file to VirusTotal from there.

Post the results here.

THANKS! :slight_smile:

Just to be sure I scanned the right file, in my chest I found two copies of this file with the full name and url. In properties of one file it said ‘file id 6’ and the other ‘file id 7’. When I browsed from VirusTotal it showed only files that said ‘00000006’ (and one like that that ended in 7) so I assumed these were them. I scanned both of them and got the following result for both.

File 00000007 received on 07.12.2008 19:16:25 (CET)

Result: 0/33 (0%)

(just to be clear, I did not disable Avast! when I did this procedure, assumed that was just for uploading from the desktop?)

I think you’ll need to export the file from the chest to the desktop, then disable avast! while you submit it to VirusTotal.

OK, did that. Different results!

File trzC87D.tmp received on 07.12.2008 19:51:53 (CET)

Result: 2/33 (6.07%)

Avast 4.8.1195.0 2008.07.12 Win32:Zlob-CGP
GData 2.0.7306.1023 2008.07.12 Win32:Zlob-CGP

Additional information
File size: 53248 bytes
MD5…: 4ebe44488e5a25560adc7fd99b7ceae3
SHA1…: f13598c0977710141d845d2873bde96384a0f824
SHA256: f4c0d70173b0ea20508bfc32a6da0136baec32be536bc4c9dc4692bb605b4dd9
SHA512: 6cb014c3a62e6be243567061ca9c3a9469612a5e37c5b046c381f07fe11b1ed246f4a0f3804fb1c2ab3552b941a9298e44e7d05c4f9d72ff4408b0ba02a0f4c0
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4014ba
timedatestamp…: 0x45db6f12 (Tue Feb 20 21:58:42 2007)
machinetype…: 0x14c (I386)

( 4 sections )
name    virtaddr  virtsize  rawsize  entropy  md5
.text   0x1000    0x63aa    0x7000   6.21     7c734af162a2694bec75acb1ebca9670
.rdata  0x8000    0x1bec    0x2000   5.10     6c8820a0e300eb7d1f911eec7fdaef95
.data   0xa000    0x187c    0x1000   2.12     3fea0b2caeacd8565461c0f30b3d3d16
.rsrc   0xc000    0x1144    0x2000   4.35     ee7a82c031a2668ca5746cf76765e05e

( 1 imports )

KERNEL32.dll: CloseHandle, FreeLibrary, WaitForMultipleObjects, GetProcAddress, LoadLibraryA, ResetEvent, Sleep, SetEvent, CreateEventA, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, GetCPInfo, GetACP, GetOEMCP, VirtualAlloc, HeapReAlloc, RtlUnwind, HeapSize, MultiByteToWideChar, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW

( 0 exports )

PS: I deleted the extracted trojan file from my desktop and then emptied my recycle bin. Hope that was ok! The file still shows in the chest.
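The hashes and PE header fields in the report above (MD5/SHA1/SHA256, entry point, timestamp, machine type, and the per-section addresses, sizes, entropy and MD5) can be computed locally, which is the way to confirm that what was submitted is the same bytes as the file on disk: the two submissions in this thread had different names and different results, and matching a local hash against the report settles whether they were the same file. The script below is an added example, not code from this thread, from avast! or from VirusTotal. The PE image it builds in `build_sample_pe()` is constructed for the demonstration; it is not LBTWiz.exe, only a minimal 32-bit PE that reuses the report's timestamp and entry address so the output can be compared against the report's format. Pass a real file path as the first argument to analyse it instead.

```python
# Added example (not from the thread, avast! or VirusTotal): compute the hashes
# and PE header fields a VirusTotal report lists, for a file on disk or for a
# constructed sample image. The sample is NOT LBTWiz.exe.
import hashlib
import math
import struct
import sys
from collections import Counter
from datetime import datetime, timezone


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the bytes, as printed in a VirusTotal report."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, reported: dict) -> bool:
    """True if every hash given in `reported` (e.g. copied from a report) matches the data.
    An empty or unrecognised report never matches, so a missing hash cannot pass silently."""
    ours = file_hashes(data)
    compared = {k: v.lower() for k, v in reported.items() if k in ours}
    return bool(compared) and all(ours[k] == v for k, v in compared.items())


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = one repeated value, 8.0 = uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Parse the COFF header, optional header and section table of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    # ImageBase is 4 bytes at +28 in PE32 (magic 0x10B), 8 bytes at +24 in PE32+.
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B
                  else struct.unpack_from("<Q", data, opt + 24)[0])
    sections = []
    for i in range(nsections):                                  # 40-byte section headers
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtaddr": vaddr, "virtsize": vsize, "rawsize": rawsize,
            "entropy": round(entropy(raw), 2), "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "machine": machine,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%a %b %d %H:%M:%S %Y"),
        "entry_point": image_base + entry_rva,                 # VA, as the report shows it
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (DOS stub, COFF header, optional header, two
    sections). Timestamp and entry VA are copied from the report above for comparison."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> right after stub
    opt_size = 224                                              # standard PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x45DB6F12, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x14BA)                     # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    raw_ptr = 0x200                                             # first file-aligned slot
    text = bytes(range(256)) * 2                                # uniform bytes: entropy 8.0
    data = b"\0" * 512                                          # zero-filled: entropy 0.0
    hdrs = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdrs += struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x2000, len(data), raw_ptr + len(text), 0, 0, 0, 0, 0xC0000040)
    image = dos + b"PE\0\0" + coff + opt + hdrs
    image += b"\0" * (raw_ptr - len(image))
    return bytes(image + text + data)


def main(path=None):
    data = open(path, "rb").read() if path else build_sample_pe()
    for algo, digest in file_hashes(data).items():
        print(f"{algo.upper():7}{digest}")
    info = parse_pe(data)
    print(f"entry point 0x{info['entry_point']:x}, machine 0x{info['machine']:x}, "
          f"timestamp 0x{info['timestamp']:x} ({info['timestamp_utc']})")
    for s in info["sections"]:
        print(f"{s['name']:8}0x{s['virtaddr']:<8x}0x{s['virtsize']:<8x}0x{s['rawsize']:<8x}{s['entropy']:5.2f}  {s['md5']}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no arguments to see the constructed sample, or with a path to check a real file. `matches_report()` takes the hashes copied from a report (keys `md5`, `sha1`, `sha256`) and only reports a match when at least one of them is present and all present ones agree, so an incomplete paste cannot produce a false "same file".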

The report should look something like this:

http://forum.avast.com/index.php?topic=36842.msg308671#msg308671

Is the file still in the original location?

C:\Program Files\SetPoint\LBTWiz.exe

My result did look like that, I just copied and pasted the two positive results, the rest of the scans showed nothing:

Result: 2/33 (6.07%)

Avast 4.8.1195.0 2008.07.12 Win32:Zlob-CGP
GData 2.0.7306.1023 2008.07.12 Win32:Zlob-CGP

I did not see anywhere on the results that it gave the location of the file on my computer, only that these two programs found this virus/trojan (whatever it is).

I started Avast! again and let it run the memory and startup test (which found the virus before) and it did not show the virus. I then ran my Avast! program on the setpoint file and it did not show the virus still there (it is in the chest only I presume?). Not sure if I’m answering this question, am I missing something?

GData uses the avast engine (with Kaspersky also), so it’s a clear false positive…
Hope they correct this soon (again).

THANK YOU, freewheelinfrank for all of your very valuable help!

Hi Tech, thanks for the reply. Two questions:

I take it that ‘false positive’ means this really isn’t a virus/trojan at all? And if so, do I just delete this from the chest?

Also, when you said hope ‘they’ correct this soon, again, you mean Avast!? (as in remove this from their list of virus files?) I ask because I did a search for this file on this message board before I posted to see if it had been discussed before and didn’t find anything.

thank you!

You can send it to virus[at]avast.com in a password protected archive (e.g. ZIP file) mentioning the password and the fact that it’s a false positive in the body of the email.

You’ll need to restore the file to its original location, or you may find you have problems with your keyboard or mouse.

You can exclude the files from scans in the time it takes to correct the false positive.

I don’t have a zip program, unfortunately. It is my understanding that Vista Home Premium doesn’t encrypt (I guess that means the same as ‘zip’–you have to get the Pro version). I don’t have a third party program.

You'll need to restore the file to its original location, or you may find you have problems with your keyboard or mouse.

Hmmm…when I moved the file to the chest, I thought I was just moving the virus (false positive) itself, not the whole program file? Can you clarify?

You can exclude the files from scans in the time it takes to correct the false positive.

I’m confused again, sorry I’m not much of a techie–not sure which files you mean to exclude. And if I moved the virus files to the chest, I won’t get another notice, will I?

thanks!

A little clarification, if it makes a difference. So far my mouse and keyboard are working fine.

Could be.

On the contrary, keep it there.
If you really check it as being a false positive, you can restore the file.

Yes, they correct the false detection.

Yes.

Thanks, but I’m still confused a bit.

I don’t know what you mean by ‘if I really check it as being a false positive’. I thought your earlier post said it was a ‘clear false positive’ and Avast needed to change this?? Maybe you mean I should go ahead and send it to Avast?

As Frank has not responded yet, about emailing the file to Avast!, he gave me an email address and said to zip it and apply a password (I assume he meant using my regular email and a third party zip program). Can I do that through the Chest? (When I click to email it from there it gives me a box to type info in, but doesn’t say anything about how to go about creating and applying a password, so I was afraid to proceed with that.)

Also, would someone answer my question above, please, which was: when I moved the virus/trojan to the chest, was I moving just the virus/trojan or did I move an entire file (the setpoint file, which is for my mouse and keyboard)? I thought it was just the virus, so I don’t understand what I would be ‘restoring’. (I think I’m confused because when I run my spyware program and find unwanted files I just delete them :stuck_out_tongue:)

Also, when you said hope ‘they’ correct this soon, again, you mean Avast!?

Yes, they correct the false detection.

Yes.

thanks

To clarify, I asked about the zipping and password part because I don’t have a zip program (Vista doesn’t have one except maybe in Pro as i understand) to email with, so I have to use the Chest email but don’t know how to add the password.

You can also send the file from the chest, yes, that might be easier.

7-Zip and ZipGenius will encrypt an archive (=put a password on a ZIP file).

http://www.snapfiles.com/Freeware/downloader/fwzip.html

Info on adding exclusions here:

http://forum.avast.com/index.php?board=2;action=display;threadid=7779

EDIT: Typo

false positive alert fixed in VPS 080713-0

Thank you, everyone!

Would you tell me how to check for this in Avast!? (if that’s how you got the info)

I was unable to email from the Chest…kept saying the program couldn’t use email.

I installed ZipGenius and worked with it for two hours without being able to figure it out, partly because some of the program won’t let me access it because of the Vista (the administrator control thingie, even though I am the administrator!).

But I went back to it later and was able to get the file to zip and compress to a czip file with a password, so I sent it to Avast!

thanks everyone again, you’re great!