ID: 1 Posted November 2, 2012
Almost sure this is an FP, as a few other posters have had it flagged. But I would like to know for sure. Here's the log.

Malwarebytes Anti-Malware (PRO) 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.01.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Neil :: NEIL-PC [administrator]
Protection: Enabled
01/11/2012 22:21:13
mbam-log-2012-11-01 (22-21-13).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 518485
Time elapsed: 1 hour(s), 2 minute(s), 22 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Windows\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Windows\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
(end)
ID: 2 Posted November 2, 2012
Hi, can you attach the detected file to your post please?
ID: 3 Posted November 2, 2012
I also had MB flag this file, though on my computer it is in a different location (a deep sub-folder of "Norton Bootable Recovery Disk"). File properties show it to be copyrighted by InstallShield and it has been on my computer for about 2 years. FP?
ID: 4 Posted November 2, 2012
Hi, can anyone please attach the file that is being detected? Because without the file or the developer's log, we cannot know what we should fix.
Thanks!
ID: 5 Posted November 2, 2012
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.01.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Decade :: DECADE-PC [administrator]
11/2/2012 2:03:35 AM
mbam-log-2012-11-02 (02-03-35).txt
Scan type: Full scan (C:\|D:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 620754
Time elapsed: 52 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Windows\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Windows\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
(end)

MB also flagged the same two files on my computer, and after I looked around on the internet for a bit, I tried restoring the files, but only the first one in the InstallShield folder was able to be restored. The second one simply couldn't be restored from the quarantine vault in MB and I accidentally deleted it. I updated MB after I restored it and did a full scan but nothing came up. I also could not find the file or folder on my computer for some reason, but I was able to select the file in the upload section of VirusTotal.
https://www.virustotal.com/file/1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e/analysis/1351862445/
I hope this helps. I can also find the file in the attach files option on this forum but I cannot put it in a zip or rar file.
ID: 6 Posted November 2, 2012
This FP appears to be fixed already since yesterday.
ID: 7 Posted November 2, 2012
I also had this FP detection. Unfortunately I deleted the files completely. Are these files important?
ID: 8 Posted November 2, 2012
I was simply puzzled by the fact that I couldn't locate the file in Windows Explorer but yet could find them on VirusTotal and here. Will there be any problems?
ID: 9 Posted November 2, 2012
You can restore the file from quarantine. It's fine if only the one from C:\Windows\System32\InstallShield\ is restored.
ID: 10 Posted November 2, 2012
I did restore the file; it's not showing up in Windows Explorer though. I only found it in the pop-up window for file upload to VirusTotal and the attach file option here.
ID: 11 Posted November 2, 2012
Quote: Hi, can you attach the detected file to your post please?

Sorry, I'm unable to attach the two files because I removed them straight after detection, which in hindsight was a silly thing to do. So now I'm left wondering whether I have done any damage to my laptop by removing these two files. Any info? Cheers.
ID: 12 Posted November 2, 2012
Hi, I tried to restore these files that my mbam also detected (same files as CCy3686) so I could send them to you guys for inspection.

Only the file in my System32 removed itself from mbam's quarantine list when I tried to restore it. However, it does not show up in my C:\WINDOWS\System32 directory. In fact, the entire InstallShield dir is missing from the System32 directory. I thought this was because it was hidden, but when I adjusted my Folder View in the Control Panel to show hidden files and folders, the InstallShield dir still did not show up.

Now, I am in a situation where I have tried to restore the file, C:\WINDOWS\System32\InstallShield\_isdel.exe, but it does not show up in Explorer, nor does the InstallShield dir itself even show up. This file also is no longer listed in my quarantine list in mbam.

What should I do now? I could run another full scan with mbam to see if the file somehow gets detected again, but unfortunately, I do not have the same database anymore. Before getting to this forum, I updated my signature database this morning. The signature database I used when these files were detected as "Trojan.Zbot" is Database version: v2012.11.01.07. The signature database I have now is Database version: v2012.11.02.08.

I don't know if this file is actually a trojan or not, and now it seems that I can neither send you a copy of it for inspection, nor can I find it on my hard drive after the failed restore.

Again, given my situation, please advise me on what I should do next. I will refrain from doing anything more until I hear your advice.
Thanks in advance.
ID: 13 Posted November 2, 2012
All I want to know is whether, after removing these two FPs, I will be getting any malfunctions on my laptop, and if so, how do I fix it.
ID: 14 Posted November 2, 2012
I have attached a copy of the '_isdel.exe' which was falsely detected. For those who may have inadvertently lost their copies, please replace using the attachment.
ID: 15 Posted November 2, 2012
Actually, here is a condensed copy of my log:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.01.07
Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
...
11/1/2012 6:53:17 PM
mbam-log-2012-11-01 (21-39-17).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 414355
Time elapsed: 1 hour(s), 5 minute(s), 51 second(s)
...
Files Detected: 2
C:\WINDOWS\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> No action taken.
C:\WINDOWS\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.0.6000.16386_none_c854dde24615e549\_isdel.exe (Trojan.Zbot) -> No action taken.
(end)

I quarantined the files after saving this log.

Anyway, as you can see, I am actually running Windows Vista Home Premium, SP2 x64. Will the replacement _isdel.exe file you provided also work for my version of Windows?
Thanks (and sorry I wasn't more precise in my earlier description of my problem).
ID: 16 Posted November 2, 2012
Quote:
Files Detected: 2
C:\WINDOWS\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> No action taken.
C:\WINDOWS\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.0.6000.16386_none_c854dde24615e549\_isdel.exe (Trojan.Zbot) -> No action taken.

I have Vista SP2 x64 and the file is exactly the same as the one from Windows 7 and even Windows 8.
ID: 17 Posted November 2, 2012
Quote: I have Vista SP2 x64 and the file is exactly the same as the one from Windows 7 and even Windows 8.

Yes. I'm running Windows 8 x64. After almost a heart attack, I manually inspected the files... Same MD5 and SHA1 as listed in the National Software Reference Library. Nothing malicious or new in the code.

_isdel.exe
SHA256: 1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e
SHA1: 0e7bb331d398be694a92a823de839fefdf464dfd
MD5: 9d4ec4b71fd189a0b2c4dbd6aade16bf
ID: 18 Posted November 2, 2012
I have downloaded the '_isdel.exe' file. Do I simply paste it to: wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e ?
ID: 19 Posted November 2, 2012
Quote: This FP appears to be fixed already since yesterday.

Indeed, after updating the virus definitions MB no longer flags the file _ISDel.exe in any way. Thanks for the quick fix!
ID: 20 Posted November 2, 2012
What happens if I deleted those files? Will my system not work properly? And where do I put that file that sUbs posted?
ID: 21 Posted November 2, 2012
Quote: What happens if I deleted those files? Will my system not work properly? And where do I put that file that sUbs posted?

I restored the file in Malwarebytes but it's nowhere to be found....
ID: 22 Posted November 2, 2012
Quote: I restored the file in Malwarebytes but it's nowhere to be found....

Hi robotman5,
For some reason the folder in system32 called InstallShield is invisible to Windows Explorer, but if you go into system32 via https://www.virustotal.com/ you will see the folder InstallShield, which you will be able to open and look inside. Hope this helps.
ID: 23 Posted November 2, 2012
The InstallShield folder isn't actually present in System32 on 64-bit; what you see is the SysWOW64 folder instead when viewed via 32-bit apps (this is done via the emulator/redirect). So when you're on 64-bit, you need to put the file into the Windows\SysWOW64\InstallShield folder.
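As an added example (not code from this thread, from Malwarebytes, or from InstallShield), here is a small Python script that hashes a recovered copy of _isdel.exe and compares it against the MD5, SHA1 and SHA256 values quoted in post 17, looking in the two locations post 23 discusses. Assumptions that are mine and not from the thread: the script and its function names; using the PROCESSOR_ARCHITEW6432 environment variable to detect a 32-bit interpreter under WoW64; and using the Sysnative alias to reach the real System32 from such a process. The WinSxS copy's path is truncated in the logs above and is deliberately not reconstructed here; pass it explicitly if you know it.

```python
"""Check a recovered _isdel.exe against the hashes quoted in this thread.

Added example; not part of the forum thread or of Malwarebytes.
Known digests are those posted in post 17; the System32/SysWOW64
redirection handling follows post 23.
"""
import hashlib
import os
import struct
import sys

# Digests of the legitimate InstallShield _isdel.exe, as quoted in post 17.
KNOWN_ISDEL = {
    "md5": "9d4ec4b71fd189a0b2c4dbd6aade16bf",
    "sha1": "0e7bb331d398be694a92a823de839fefdf464dfd",
    "sha256": "1e97eca81395d1bd5e627debfdb02828bd3655d68c8f7296395d574781faa32e",
}


def file_hashes(data: bytes) -> dict:
    """Return md5, sha1 and sha256 hex digests of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known(data: bytes, known: dict = KNOWN_ISDEL) -> bool:
    """True only when every known digest matches (a single match is not enough)."""
    got = file_hashes(data)
    return all(got[alg] == digest for alg, digest in known.items())


def is_32bit_process_on_64bit_windows() -> bool:
    """WoW64 check (assumption: PROCESSOR_ARCHITEW6432 is only set under WoW64).

    A 32-bit process on 64-bit Windows has System32 redirected to SysWOW64,
    which is why post 23's readers could not find the folder in Explorer.
    """
    return (os.name == "nt"
            and struct.calcsize("P") == 4
            and os.environ.get("PROCESSOR_ARCHITEW6432") is not None)


def candidate_paths(windir: str, wow64_redirected: bool) -> list:
    """Locations to check for _isdel.exe.

    'Sysnative' (assumption: the standard alias) reaches the real System32
    from a redirected 32-bit process; SysWOW64 is where post 23 says the
    32-bit InstallShield folder really lives on 64-bit Windows.
    """
    native = "Sysnative" if wow64_redirected else "System32"
    return [
        os.path.join(windir, native, "InstallShield", "_isdel.exe"),
        os.path.join(windir, "SysWOW64", "InstallShield", "_isdel.exe"),
    ]


def check_path(path: str) -> str:
    """Hash one file and report whether it is the thread's known-good binary."""
    if not os.path.isfile(path):
        return f"{path}: not present"
    with open(path, "rb") as fh:
        data = fh.read()
    digests = file_hashes(data)
    verdict = "MATCHES known-good _isdel.exe" if matches_known(data) else "DOES NOT MATCH"
    return f"{path}: {verdict}\n  " + "\n  ".join(f"{k}: {v}" for k, v in digests.items())


if __name__ == "__main__":
    # Explicit paths on the command line win; otherwise probe the two
    # locations from post 23 under %WINDIR%.
    targets = sys.argv[1:] or candidate_paths(
        os.environ.get("WINDIR", r"C:\Windows"),
        is_32bit_process_on_64bit_windows(),
    )
    for target in targets:
        print(check_path(target))
```

Run it with the restored file's path as the argument (or with no arguments to probe both folders). Only a match on all three digests means the file is the same binary post 17 checked against the NSRL; anything else should not be put back into the system folders.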
ID: 24 Posted November 2, 2012
I have another FP for the same file but in a different location:
C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\drivers\dot4\wrapper\_isdel.exe
VirusTotal scan detects nothing.
File attached: _isdel.zip
ID: 25 Posted November 2, 2012
My Windows copies from my Windows folders I was able to get back via System Restore. That's probably the safest way.