Windows 7 Forums


Windows 7: Trojan.VB.VZO


25 Jul 2009   #21

ultimate 64 sp1
 
 

Quote   Quote: Originally Posted by DJG View Post
Well, I have been reluctant to do anything that might remotely trigger the potential malware, not even opening the archive with Winzip (I actually have a license, how anal is that!) until I have a better handle on the sitch.
Very understandable, DJG. One thing I don't understand is why people still use WinZip. I gave it up years ago, ever since Windows (was it XP?) started supporting zips 'out of the box'.

Don't get me wrong, I'm not criticising you for using it, just wondering what advantages WinZip has over Windows Explorer in dealing with zip files.


25 Jul 2009   #22

Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
 
 

Quote   Quote: Originally Posted by DJG View Post
Well, I have been reluctant to do anything that might remotely trigger the potential malware, not even opening the archive with Winzip (I actually have a license, how anal is that!) until I have a better handle on the sitch.
OK, there shouldn't be any problem extracting the file...
Quote:
And unfortunately it appears my false positive gone experience wasn't quite true. What happened is I did a file-specific right-click / Scan for malware, and apparently that works differently, or possibly doesn't work as expected in Win 7, which is still in beta trim for this release. I just did another full system scan and they (I have two copies currently) showed up again.
Hmm, interesting.
Quote:
The good news? The same sig showed up this time three times: the two zip archives, and an OCX in my 7232 partition's SysWOW64, mswinsck.ocx, which is a skimpy 106KB. And it matches what might have been installed by that installation ZIP. I'll send that and see what happens now.

BTW, the right-click / Scan for malware gives positive on the OCX file, but not on the ZIP that seems to contain it.

Since it's an OCX file, it's not executable by default...
it should be fine...
One great way to check whether it's a false positive is to see whether it has a valid signature...
if it does, then by all means it's a false positive...
25 Jul 2009   #23
DJG

 

Quote   Quote: Originally Posted by mickey megabyte View Post
very understandable, DJG. one thing i don't understand is why people still use winzip? i gave it up years ago ever since windows (was it xp) starting supporting zip's 'out of the box'.

don't get me wrong, i'm not criticising you using it, just wondering what advantages winzip has over windows explorer in dealing with zip files.
I actually like the interface better, and I got the license the year before it got integrated into Win Explorer. Also I prefer to explicitly deal with the archive environment separately from the filesystem. I think I did one upgrade, to v10. It does have nicer functionality, but if I didn't have that original license I just might be using the Win Explorer integration too. I'm just showing my age.

OK, I went through all sorts of hoops to try and get a hold of the mswinsck.ocx file to send it to Agnitum but security would not let me do anything with it, saying I needed permissions, it said it couldn't display the owner when I tried to take ownership, bla, bla. I started to get worried as it looked like they'd made the file untouchable. Then I realized it might be the AV trying to protect me. Bingo. I momentarily disabled protection and was able to submit it as a suspect infection with a brief history. Well, I really can't complain even if it turns out to be a false (I'm hoping), it seems to be doing its job.

Plus it forced me to do a clean install of 385 instead of the upgraded 384, which will make many people in this forum happy. It was coming once I got comfy, but now I'm there a bit sooner. Minus my lovely Brit Lass voice to croon to me. Let's see if I get a response from Agnitum.


25 Jul 2009   #24
DJG

 

Quote   Quote: Originally Posted by darkassain View Post
OK, there shouldn't be any problem extracting the file...
... into somebody else's PC

Quote   Quote: Originally Posted by darkassain View Post
Since it's an OCX file, it's not executable by default...
it should be fine...
Paranoia often makes you take little for granted and see assumptions for what they are.

Quote   Quote: Originally Posted by darkassain View Post
One great way to check whether it's a false positive is to see whether it has a valid signature...
if it does, then by all means it's a false positive...
Good point on the sig, but again, I trust very little at this point until (if) I hear from Agnitum. Here's that for you. Whadda ya think?


Attached Images
25 Jul 2009   #25

Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
 
 

Quote   Quote: Originally Posted by DJG View Post
Good point on the sig, but again, I trust very little at this point until (if) I hear from Agnitum. Here's that for you. Whadda ya think?
Click on the sig itself and then click the Details button...
Trojan.VB.VZO-details.png
If the sig checks out, then there is NO way (emphasis on "no way"...) it's malware...
If this is the RTM mswinsck file, send the zip file (I don't know how Agnitum handles FPs), since this is a very important file..
If it does not, then there might be tampering going on...


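The signature check described in the post above, done from the command line instead of the file Properties dialog. This is an added example, not code from the thread or from any of its posters. It assumes the file sits at the path DJG names (SysWOW64\mswinsck.ocx, the Winsock control redistributed with Visual Basic 6 applications rather than with Windows itself); the path is a parameter so it can be pointed at any flagged file. It uses only two tools that exist on a stock Windows 7 box: the Get-AuthenticodeSignature cmdlet (PowerShell 2.0) and certutil. The point the script makes explicit is that the Status field only tells you whether the bytes are unchanged since signing and whether the chain is trusted; the Subject of the signing certificate is what tells you who vouched for the file, so both are printed before a triage verdict is given.

```powershell
# Added example (not from the original thread): verify the Authenticode
# signature on a suspected false-positive file and report who signed it.
# Default path is the file discussed in the thread; pass -Path to check another.
param(
    [string]$Path = "$env:windir\SysWOW64\mswinsck.ocx"
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found: $Path"
    return
}

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status answers "is the signature intact and does it chain to a trusted root?"
#   Valid        -> file unmodified since it was signed, chain trusted
#   HashMismatch -> contents altered after signing (tampering, patching, infection)
#   NotSigned    -> no signature at all; the check says nothing about origin
#   NotTrusted / UnknownError -> signature present but the chain cannot be trusted
Write-Output ("Status      : {0}" -f $sig.Status)
Write-Output ("StatusMsg   : {0}" -f $sig.StatusMessage)

if ($sig.SignerCertificate) {
    # Who signed it matters as much as whether it verifies: a Valid status only
    # proves the bytes match what *this signer* signed, whoever that is.
    Write-Output ("Signer      : {0}" -f $sig.SignerCertificate.Subject)
    Write-Output ("Issuer      : {0}" -f $sig.SignerCertificate.Issuer)
    Write-Output ("Thumbprint  : {0}" -f $sig.SignerCertificate.Thumbprint)
    Write-Output ("Valid until : {0}" -f $sig.SignerCertificate.NotAfter)
}

if ($sig.TimeStamperCertificate) {
    # A countersignature timestamp keeps the signature valid after the
    # signing certificate itself expires.
    Write-Output ("Timestamped : {0}" -f $sig.TimeStamperCertificate.Subject)
}

# Record the file hash to paste into the vendor false-positive report.
# Get-FileHash needs PowerShell 4.0+, so certutil is used here; it prints the
# hash on its second output line (space-separated bytes on older builds).
$hash = (certutil -hashfile $Path SHA256 | Select-Object -Skip 1 -First 1) -replace '\s', ''
Write-Output ("SHA256      : {0}" -f $hash)

# Triage verdict: intact AND signed by the expected publisher is the bar,
# not merely "has a signature".
$intactMicrosoft = ($sig.Status -eq 'Valid') -and
                   ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')

if ($intactMicrosoft) {
    Write-Output "Verdict     : intact Microsoft-signed binary; likely a false positive, still submit the sample to the AV vendor"
} elseif ($sig.Status -eq 'HashMismatch') {
    Write-Output "Verdict     : signature does not match file contents; treat as tampered until proven otherwise"
} else {
    Write-Output "Verdict     : signature alone cannot vouch for this file; keep it quarantined and submit it"
}
```

Run it from an elevated PowerShell prompt if the AV product locks the file, as DJG found it did; the AV's self-protection can block reads as well as writes. The publisher match is a plain substring test on the certificate Subject and is only meant for a human-driven triage; a production allow-list would pin the signer's thumbprint instead.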
25 Jul 2009   #26
DJG

 

You are of course right, I'm getting over my initial paranoia attack. Between that and my still-somewhat-there toothache, and my PITA neighbor complaining about some fronds that slightly tilt over her side of the fence, it was just getting too overwhelming at once.

And actually everything looks rather kosher from the sig end. I'm breathing much easier now:


Attached Images
25 Jul 2009   #27
DJG

 

Quote   Quote: Originally Posted by darkassain View Post
Click on the sig itself and then click the Details button...
Attachment 19845
If the sig checks out, then there is NO way (emphasis on "no way"...) it's malware...
If this is the RTM mswinsck file, send the zip file (I don't know how Agnitum handles FPs), since this is a very important file..
If it does not, then there might be tampering going on...
Actually this is not a core file - it's not part of the MS distribution. It doesn't show up in my current 7600 install since I haven't installed the ZIP file this time around. There's a similarly named DLL that is though, mswsock.dll.
25 Jul 2009   #28

Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
 
 

Quote   Quote: Originally Posted by DJG View Post
Actually this is not a core file - it's not part of the MS distribution. It doesn't show up in my current 7600 install since I haven't installed the ZIP file this time around. There's a similarly named DLL that is though, mswsock.dll.
Rightly noted, DJG....
You are correct of course, the DLL is the critical one, not the OCX (got the two files mixed up....)...
25 Jul 2009   #29
DJG

 

And a very important file it is. Sock management is very important. Socks keep your feet warm in the winter, and your shoes from getting smelly. Managing Win sockets is also very important.

BTW, I've been trying to fathom "In a ... lazy eight portal?

And FYI, I believe Marie Antoinette did - or at least so I've been told. Might want to check it out, though I think she's out in France somewhere, and probably doesn't even visit the forum ... most likely not something you'd want to lose your head over.
25 Jul 2009   #30

Windows 7 32bit RTM
 
 

I'd say change your AV o.O;