Zbot-K Not sure if false-positive?

When I run a custom Avast scan (which includes memory, auto-start programs and rootkits) I get the following results:

http://imageshack.com/a/img199/9710/1sve.jpg

These threats are detected while scanning the memory. There are no options to move them to the virus chest or to delete them.
When I run a standard Avast Full System Scan and a Boot-time scan I get a clean bill-of-health (no threats). Microsoft Windows Malicious Software removal tool also gives a clean report.

The last time I ran the custom scan was on 21 Feb with a clean report. The only thing that has changed on my PC since that date was that I replaced my DSL modem/router. The only websites accessed since the last custom scan were reputable sites such as IMDb, IGN, Facebook, Gmail etc.

Any help or advice would be appreciated - thanks!

Please follow this guide and attach logs from Malwarebytes, OTL and aswMBR (not under Win 8/8.1):

http://forum.avast.com/index.php?topic=53253.0

These threats are detected while scanning the memory. [b]There are no options to move them to the virus chest or to delete them[/b].
Because they are not files that can be deleted/moved, but a process loaded in memory.

However, like many others before you, you have experienced what happens when you play with the scan settings and select "scan memory".
DO NOT use the scan memory setting, as this will give some weird scan results, unless you are a computer geek and know what you are doing, but then I guess you would not post this.

I recommend using the avast default scan settings for problem-free avast operation. The avast team have played with malware 24/7 for 20 years, so there is a reason why the settings are as they are :wink:

Also, detection in memory / memory scan is this forum's second most frequently asked question. Nr. 1 is "some files could not be scanned", so there is plenty of info if you search the forum.

When I run a custom Avast scan (which includes memory, auto-start programs and [b]rootkits[/b]) I get the following results:
avast does a rootkit scan 8min after boot ;)

Cheers Steven, I downloaded Malwarebytes, updated it and ran a quick-scan. All clear!

Well, hopefully I'm not a complete noob either! I've been using Avast for about 10 years now, and the fact that this is the first time I've had any problems should be a good testament to its effectiveness. I've also been regularly using the same custom scan for about 3 years now and never had any problems before. Just weird that this is happening out of the blue right now... ???

Just weird that this is just happening out the blue right now...
If you want a check, attach OTL / aswMBR logs.

I’ve got the exact same virus happening on a Windows XP machine, with iertutil.dll showing up as infected in memory. I’ve thrown every antivirus/antirootkit/antimalware utility I could find at it and nothing detected it. I tried both the avast! boot scan that you set off via the UI, and the avast! Rescue Disk, and neither of them found it.

The only place avast! detects it is in memory, and when I use Process Explorer to find the location of the DLL, it points to c:\windows\system32\iertutil.dll. Scanning that file directly shows no infection whatsoever. In order to figure out what that DLL is all about, I used WinDbg with sos.dll to dump the memory-resident iertutil.dll to disk. avast! immediately detects and blocks it from being written to disk, so the only way to dump it to disk is to disable the avast! shields temporarily. Once I dumped it to disk, I compared metadata and file byte sizes between the version dumped from memory and the one at c:\windows\system32\iertutil.dll and found them to be identical in those metrics. I used FCIV to compare the MD5 checksums of the two files and only then did they reveal differences. Opening them in Notepad++ and running the Compare plugin yielded differences in rows 3-6 if I remember correctly, but otherwise identical.

How can I submit this file to avast! for analysis?

Send the file in a password-protected archive to virus@avast.com, subject: missed sample.

Sorry, my post may have been confusing. Only avast! manual scan finds it in memory, and it cannot remove it. Moreover, nothing from avast! finds it at or before boot. Would I still e-mail it to that address?

I am also having very similar scan results from a custom scan which included: System drive, Rootkits (full scan), Memory, Auto-start program, Auto-start programs (all users), top-to-bottom in that order.
Avast! reported the presence of "Threat: Sf:Zbot-K [Trj]" in various processes including firefox.exe, dllhost.exe, svchost.exe, explorer.exe, reflextservice.exe, jusched.exe etc. And the "infected" memory block is always 0x000000003D3F0000, block size 2015232 (iertutil.dll). And this happens on 2 of my machines, both XP SP3. On my other Win7 and Win8.1 machines, nothing is detected.

The weird thing is that if I perform another custom scan with only Rootkits (full scan), Memory, Auto-start programs, Auto-start programs (all users), then it will report: No Threats Detected. (Redoing the other custom scan again gives back the same list of Zbot-K threats in memory, so it is not something transient.)

FYI, I've also scanned the machines with MBAM, Anti-Rootkit beta and aswMBR, but nothing has been found by them.

Pondus is probably, and most hopefully, correct that it is another case of "Stay Away From Memory Scans", but how are users supposed to know that memory scans should not be performed? And why does the inclusion/exclusion of the system drive scan affect the memory scan results?

Hi,

Basically, Avast! thinks it's caught a virus. It's a false positive that I'm sure Avast! is working on. If you are worried, attach MBAM, OTL and aswMBR reports so we can have a look.

I initially thought it was a false positive as well, until I pulled the file from memory using WinDbg and compared it to the file it purported to be on disk. Something is either loading a substitute file into memory when iertutil.dll is called, or modifying iertutil.dll in memory directly. None of the utilities you mention find anything abnormal, so whatever this is, it’s doing a damned good job of hiding itself from usermode utilities. Not sure how avast! manages to find it in memory, but it finds nothing on disk, even from the avast! Rescue Disk.

Either avast! knows something nobody else does, or you’re right about this being a false positive:

https://www.virustotal.com/en/file/0c8a6787af4bd4e62d1a5c7fb534d99c2b7259db287e9caf3b650b3643f23fc8/analysis/1393899953/

That’s the analysis of the file I pulled from memory. This doesn’t really explain the discrepancy between the file on disk and the file in memory, though. Here are the relevant MD5 checksums:

C:\windows\system32\iertutil.dll: ac21aab649e781b067db56cfff303cc7

Dumped from memory using WinDbg: 6ffaa0f124d1df5e40bcc4c251256623

I’ll try to get those logs pulled soon. Thanks for your help.
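The comparison Iver describes above (dump the module from memory with WinDbg, then compare it with the file on disk by size and MD5) can be made loader-aware, so that the fixups the Windows loader itself writes into a mapped image are not mistaken for tampering and only the bytes it cannot account for remain. The Python below is an added example, not code from this thread or from avast; it builds a small PE32 DLL inside the script (a constructed stand-in, not the real iertutil.dll), reproduces the loader's section mapping and base relocations from that file, and diffs the result against a simulated in-process copy of the module. The 0x3D3F0000 load address is borrowed from the thread only as an example base; the section contents, the relocation entries and the 5-byte jmp "hook" are all assumptions made for the demo.

```python
"""Loader-aware compare of a PE32 module in memory against its on-disk file. The loader
legitimately rewrites a mapped image (section layout, base relocations), so a raw byte or
MD5 compare of "dumped from memory" vs "file on disk" always differs; reproduce the
loader's work first, and what still differs was written by something else."""
import struct
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address fixup

def parse_pe(data):
    """Return (image_base, size_of_image, size_of_headers, sections, (reloc_rva, reloc_size))."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24                                          # IMAGE_OPTIONAL_HEADER32
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and struct.unpack_from("<H", data, opt)[0] == 0x10B, "PE32 expected"
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    image_base, size_of_image, size_of_headers = struct.unpack_from("<I24xII", data, opt + 28)
    reloc_dir = struct.unpack_from("<II", data, opt + 96 + 5 * 8)   # data directory 5 = .reloc
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return image_base, size_of_image, size_of_headers, sections, reloc_dir

def map_image(data):
    """Lay the file out as the loader does: headers, then each section at its RVA."""
    _, size_of_image, size_of_headers, sections, _ = parse_pe(data)
    image = bytearray(size_of_image)
    image[:size_of_headers] = data[:size_of_headers]
    for _, va, _, rawptr, rawsize in sections:
        image[va:va + rawsize] = data[rawptr:rawptr + rawsize]
    return image

def apply_relocations(image, data, load_base):
    """Rebase the mapped image to load_base via its .reloc table, as the loader would."""
    image_base, _, _, _, (reloc_rva, reloc_size) = parse_pe(data)
    delta = (load_base - image_base) & 0xFFFFFFFF
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        assert block_size >= 8, "corrupt relocation block"
        for off in range(pos + 8, pos + block_size, 2):
            entry = struct.unpack_from("<H", image, off)[0]
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:          # type 0 entries are padding
                target = page_rva + (entry & 0xFFF)
                value = struct.unpack_from("<I", image, target)[0]
                struct.pack_into("<I", image, target, (value + delta) & 0xFFFFFFFF)
        pos += block_size
    return image

def diff_images(expected, actual, data):
    """Runs of differing bytes as (rva, length, section) tuples."""
    sections = parse_pe(data)[3]
    section_of = lambda rva: next((n for n, va, vs, _, _ in sections if va <= rva < va + vs), "headers")
    diffs, i, n = [], 0, min(len(expected), len(actual))
    while i < n:
        if expected[i] == actual[i]:
            i += 1
            continue
        start = i
        while i < n and expected[i] != actual[i]:
            i += 1
        diffs.append((start, i - start, section_of(start)))
    return diffs

def compare(data, memory, load_base=None):
    """Without load_base: the plain compare the posters did (relocation fixups show up as
    changes). With it: only bytes the loader cannot account for, i.e. in-memory patching."""
    expected = map_image(data)
    if load_base is not None:
        apply_relocations(expected, data, load_base)
    return diff_images(expected, memory, data)

def build_sample_pe():
    """Constructed PE32 DLL (not the real iertutil.dll): .text holds two absolute pointers, .reloc fixes them."""
    image_base, text_rva, reloc_rva = 0x10000000, 0x1000, 0x2000
    text = bytearray(0x200)
    struct.pack_into("<I12xI", text, 0x10, image_base + 0x1100, image_base + 0x1200)   # pointers needing rebase
    reloc = struct.pack("<IIHH", text_rva, 12, 0x3000 | 0x10, 0x3000 | 0x20).ljust(0x200, b"\0")  # 1 block, 2 HIGHLOW
    dos = bytearray(b"MZ").ljust(0x40, b"\0")
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    file_hdr = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 2, 0, 0, 0, 224, 0x2102)   # "PE\0\0", i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<HBBIIIIIIIII", opt, 0, 0x10B, 0, 0, 0x200, 0x200, 0,
                     0x1000, 0x1000, 0x2000, image_base, 0x1000, 0x200)   # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HHIIIIII", opt, 68, 2, 0x2000, 0, 0, 0, 0, 0, 16)   # GUI, DYNAMIC_BASE, ..., 16 dirs
    struct.pack_into("<II", opt, 96 + 5 * 8, reloc_rva, 12)          # base relocation directory
    sec = "<8sIIIIIIHHI"
    headers = (dos + file_hdr + opt + struct.pack(sec, b".text", 0x200, text_rva, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
               + struct.pack(sec, b".reloc", 0x200, reloc_rva, 0x200, 0x400, 0, 0, 0, 0, 0x42000040))
    return bytes(headers.ljust(0x200, b"\0") + text + reloc)

def simulate_process_memory(data, load_base, hooked):
    """Constructed stand-in for reading the module out of a live process: the loader's work
    plus, if hooked, a 5-byte jmp written into .text that never touched the disk."""
    image = apply_relocations(map_image(data), data, load_base)
    if hooked:
        struct.pack_into("<BI", image, 0x1040, 0xE9, 0x11223344)
    return image

if __name__ == "__main__":
    disk, base = build_sample_pe(), 0x3D3F0000          # example base: the block address from the thread
    print(compare(disk, simulate_process_memory(disk, base, hooked=True), base))
```

On a real machine `memory` would be the module's full image range read out of the process (for instance a WinDbg `.writemem` of the range, or a read via a debugger API) and `data` the file at the path Process Explorer reports, with `load_base` the module base from the process. The script deliberately handles only HIGHLOW relocations and has no import table in its sample; import address table slots that the loader fills at load time would also show up as "unexplained" differences in a real DLL and have to be checked against the IAT directory separately before calling anything a patch.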

Iver wrote:
I initially thought it was a false positive as well, until I pulled the file from memory using WinDbg and compared it to the file it purported to be on disk.

You are making me worried. Since you have managed to dump that modified iertutil.dll file onto your HD, could you try to run MBAM or other virus scanners on that file to see if the virus signatures in it are indeed recognized by other scanners as well?

Check out the virustotal.com link I pasted above. It scans an uploaded file against a huge list of antivirus suites. Only avast! showed this as an infected file, so there’s a pretty good chance it’s a false positive. That or everyone else is asleep at the wheel.

How can I submit this file to avast! for analysis?

Send the file to the avast lab using one of these options:

You can upload files and report issues to avast here: http://www.avast.com/contact-form.php (select the subject according to your case)

You can use mail:
send to virus@avast.com in a password-protected zip file
mail subject: False Positive / undetected sample (select the subject according to your case)
zip password: infected

Or you can send files from the avast chest;
how to use the chest: http://www.avast.com/faq.php?article=AVKB21

And see my first post above about using the "scan memory" setting.

Pondus, it’s VT. The file was already sent to all the vendors.

Can you upload that file and send me a DL link so I can do a malwr.com analysis?

Pondus, it's VT. The file was already sent to all the vendors.
And that is why I gave him all the [b]how to send to avast lab[/b] options. ;)

VT gives this file info:

Copyright © Microsoft Corporation. All rights reserved.
Publisher: Microsoft Corporation
Product: Windows® Internet Explorer
Original name: IeRtUtil.dll
Internal name: IeRtUtil.dll
File version: 8.00.6001.23562 (longhorn_ie8_ldr_escrow.140131-1840)
Description: Run time utility for Internet Explorer

Same problem here on Windows XP Pro as well: no option to move or delete. No problem with Windows, that is obvious. I am not experienced enough to be able to find where it is.

Attaching screenie.

same problem here on windows XP pro as well [b]no option to move or delete,[/b]
See my first reply in this topic.

Uploaded to Malwr: https://malwr.com/analysis/OTgzMGQ4ZjIxNTQyNDBhMjgyOTk2NDM4MGE0ZDMwZTQ/