Trojan? or False Positive?

Hey all. Well, I did a virus scan with avast: nothing, as usual :slight_smile: Then I did a CounterSpy scan, same thing. Adaware had only two little cookies there, then ZoneAlarm did an Automatic scan and it found two Trojans… Yeah… Anyways, I downloaded Spybot Search and Destroy and did a scan; nothing came up, just two little cookies. Here are the names of the “Trojans”. I did a google search on both of them by their name and nothing came up.

Win32.ProcessKill
File: C:\System Volume Information\_restore{8CF4D3C9-A44D-4F6E-8C86-DBA5BFC36BC5}\RP23\A0000965.dll
File: C:\Documents and Settings\Logan\Local Settings\Temp\nseE.tmp
Directory: C:\Documents and Settings\Logan\Local Settings\Temp\nseE.tmp

and Win32.Dialer.Fotosex (This was interesting seeing how I don’t look up porn or anything like that)
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CONNECT

Is this a Trojan? Or is it just Zone Alarm acting weird? Also, I heard that Trojans gather info and are kind of in a grayish area between virus and spyware. Should I go through the hassle of reconfiguring my computer if I do find a Trojan? Or is that just being paranoid? Thanks in advance

P.S I posted here as well as the Zone Alarm forums but it seems people here know a little more about worms and such

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

You can’t do much about the one in C:\System Volume Information\_restore as this is Windows protected storage, a part of System Restore. The only way to clean infected _restore points is to disable System Restore and reboot. This will clear ALL _restore points. Once you have disabled System Restore, reboot, scan your PC again and, if clear, enable System Restore.

Win XP-ME - How to disable System Restore

I did remove the files and it did not re-detect them. But is my computer now screwed? Will I need to Reconfig?

:slight_smile: Hi Logan:

SPECIFICALLY, what Zone Alarm product was used? AND was it an online scan?

There is no way to tell if you have got rid of them; deletion is never a good first option.

However, since the majority were to be found in the Temp folders, I would think not. You can do a google search for nseE.tmp and see if it brings up anything. There is only one hit that mentions Patchmaker.

Having two resident anti-virus scanners and I’m assuming that the ZA anti-virus is resident (active) ?

No I did not use an Online scanner I used Avast :slight_smile: Also I’m using Zone Alarm Pro.

Follow David’s advice.
Do a boot time scanning with avast (or a thorough scanning).
Enable System Restore only after that :wink:

Oh, using ewido and/or a-squared scanning is a good thing too :wink:

Well, I reconfigured my computer, downloaded all my security software and updated it. Then I installed my drivers. I then scanned with Zone Alarm and the same two “Trojans” came up. This leads me to the belief that this is a False Positive. Does this sound correct?

Well, I did a scan with Ewido and no “Trojan” came up, just a few little cookies. So is this a False Positive? And if so, how do I go about reporting it? Thanks for all your help, guys

As I said:

“Having two resident anti-virus scanners and I'm assuming that the ZA anti-virus is resident (active) ?”

Perhaps it is decision time as to which resident AV you have installed. Ewido and a-squared can be run as on-demand (non-resident) scanners, and they aren’t AVs.

I use Avast Anti-Virus; this is the only Anti-Virus I use. It’s the home edition, by the way

So where did this come from then ?

“then ZoneAlarm did an Automatic scan and it found two Trojans...”

And this

“Well, I reconfigured my computer, downloaded all my security software and updated it. Then I installed my drivers. I then scanned with Zone Alarm and the same two "Trojans" came up. This leads me to the belief that this is a False Positive. Does this sound correct?”

Because Zone Alarm Pro uses an Anti-Spyware scan. Trojans are recognized by both Virus and Spyware scans on average. Avast is a Virus scanner; Zone Alarm is a Spyware scanner

I was concerned that it might have been the ZA security Suite which includes anti-virus.

My firewall Outpost Pro also has a resident anti-spyware plugin, but I disabled it as I have other on-demand anti-spyware (AdAware, Spybot, SpywareBlaster and Ewido) and I can run those if I feel I need a second opinion rather than have a resident anti-spyware running. This could slow boot as it will have an interaction with avast: for each file that ZA wants to scan, avast will also scan. This duplication slowed my boot considerably.

That’s interesting… I have noticed that my boot time is slow and viewing webpages… Could Avast and Zone Alarm Pro working together slow down webviewing as well?

I don’t know what ZA’s anti-spyware checks, if it checks web content then it is entirely possible due to duplication of scanning. I also have the Content and Active Content plug-ins disabled in my firewall. I want it to concentrate on being a firewall and let me take care of the rest.

What I meant was that if your version of ZA included an active anti-virus, avast could conflict with another resident AV, which you have now clarified by saying it is an anti-spyware function. Your understanding of what ZA does (especially the Pro version) is likely to be greater than mine; it is over three years since I last used it (free version) and you have it for reference on your system.

What should I expect from ZA? I’m not so happy with it sometimes. Sometimes I think it’s a great firewall, other times… not so much. Anyways, I re-reconfigured and still found one of them. I didn’t find the other one though, which is good (it was the Fotosex one). I’m not going to re-re-reconfigure though because, well… that’s just overkill lol.

P.S I let Zone Alarm Pro Deal with it as I talked with one of their staff members and they said it will get rid of it just to rescan to make sure I got it all.

Sorry I can’t help you with ZA and what you should expect I haven’t used it in over 3 years and that was the free version.

Reconfiguring wouldn’t change any detections, unless when they were detected you selected ignore if that option existed but, you should only choose that option if you absolutely know the detection is incorrect.

Personally I prefer to use other dedicated anti-spyware products in an on-demand scan function, rather than have an unknown bolt-on/plug-in solution incorporated in my firewall (as I said, let it get on with being a firewall). This way I update the signatures and run a weekly scan, or by monitoring the << Updates >> Topic on the General forum you can see when updates are reported for your anti-spyware; I download the signature update and then I run a scan.

Now if something is detected that previously hasn’t been I don’t take it at face value, I check what is being detected and investigate, google, etc. only if what is being detected is serious, not tracking cookies, etc. Before I would allow a deletion, file or registry entry I check and double check. If it isn’t serious and/or I’m not convinced it is a positive detection then I ignore it and frequently the following week a false positive detection has been corrected and it isn’t detected again.

Well, I did delete the file. :frowning: What’s an On-Demand? And also, would my computer be clean now? I googled the virus name and nothing came up

:slight_smile: Hi Logan:

"On Demand" means the User initiates ("starts") the scan, NOT some "automatic" started by a program. Zone Alarm is known NOT to have a very good anti-SPYWARE program; would be better using FREE products, like Ad-Aware, Ewido, a-squared, and/or the "Free" version of "SUPERantispyware".