Trojan:JS/Flagrab.A and others detected in Microsoft Backup .zip files only

LilBambi

BSOD Kernel Dump Senior Analyst
Joined
Apr 17, 2012
Posts
292
Location
Virginia, USA
Trojan:JS/Flagrab.A and others detected in VHD in backup only

Windows 7 64-bit ENU SP1, updates current (except language packs)
MSE without custom exclusions, weekly full scans

Security Essentials Version: 2.1.1116.0, Antimalware Client Version: 3.0.8402.0, Engine Version: 1.1.7702.0, Antivirus definition: 1.113.753.0, Antispyware definition: 1.113.753.0, Network Inspection System Engine Version: 2.0.5854.0, Network Inspection System Definition Version: 9.315.0.0

I keep getting detections for several threats within my Windows XP Mode VHD file in the Windows Backup ZIP-files, but not for the actual VHD file (not running), nor by running MSE in the virtual machine itself.
I use Windows XP Mode only occasionally to run programs for a USB-device with only a 32-bit driver. I don't recall browsing any web sites there apart from Windows Update.

Has anyone seen this before? This may be a scenario I am dealing with for a client. The only place MSE finds any malware is within the backup zips in the backup sets. It doesn't really say which file other than the date and backup.zip. That is noted in this conversation as well when you go to the site and read it and the answer.



However, I've already done the suggestions noted before I even found that page today.


I even removed all the backup sets; it still found it (in old backup sets that were no longer even there!). I turned off the schedule, and deleted all the sets, and went to the folder on the external hard drive and deleted the folder named for the computer.


Then rebooted and ran the full MSE scan again, and there was nothing there. This was a few days ago. Today the full scan found them again. And it is finding files that were in the set for this week but before we started the backup set by two days. Phantoms coming back? or what?


Because it's in the zip file in the backups, I am thinking maybe it's a false positive in the VHD file. There are about 20 of them just like they say for that Microsoft Answers article.


I thought originally that it was something to do with temporary spaces or something so I went through and made sure to remove all the temporary spaces from all the user account areas that are in the backup.


I may go back and remove the VHD from the backup and see if that stops it.

Just wanted to put this out there to see if anyone else was having issues. The computer comes up totally clean and has been scanned by ESET online scanner with a clean bill of health as well as from Malwarebytes. Even MSE gives the computer itself a clean bill of health despite what it finds ONLY in the backups.



It's weird!
 
It sounds like a f/p. Is it the same name as in the title of the thread: Trojan:JS/Flagrab.A?
 
It looks very much like f/p to me too after reading that one, and there were 20 of them like there was for those folks.

I am wondering if we should just move fully to ESET NOD32 for them and skip using MSE entirely in their case if it is gonna have repeated f/p like that - for weeks now. It's freaking out the lady when she scans. And I really can't blame her.
 
I can't stop the backup from backing up the XP Mode. They need that backed up. The only thing I could do is to disallow MSE from scanning the backups at all.
 
Can you submit the file(s), checking the "I believe this file should not be detected as malware" box? Include a link to here, which includes your documentation as well as the same issue at Microsoft Community.

https://www.microsoft.com/security/portal/submission/submit.aspx

I have a feeling they will not want me to do that since it will likely be quite big and could be their entire XP Mode VHD file for all I know and that is over 20GB. Also, the .zip file is within the backup day, within the backup set.
Once you expand it, then it would no longer be a zip - BUT, and this is key, I have no idea what file(s) are even in this particular .zip file that it finds it in because it just doesn't specify any files in the results on MSE. It just says the 'date' set 'date' of the backup and then backup.zip.

Very odd.
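
Added example (this is not code from LilBambi, Corrine, or Sysnative Forums): MSE only reports the date and "backup.zip", so a defender who wants to submit something to Microsoft for false-positive review first needs to know what is actually inside that archive. The script below inventories a backup zip without extracting anything to disk, hashes every entry, and pulls out the two kinds of entries this thread is interested in: script-like files, which is what a JS-family detection name would plausibly be matching on, and .vhd disk images, since the XP Mode VHD is the suspect. The sample archive, its entry paths, and the SCRIPT_LIKE extension list are all constructed assumptions for the demo; Windows Backup's real zip layout is not reproduced.

```python
"""Inventory a backup .zip and pick out the entries worth hashing or submitting.

Run stand-alone with a path to a backup zip, or with no argument to use the
constructed sample archive built in build_sample_backup_zip().
"""
import hashlib
import io
import sys
import zipfile
from pathlib import PurePosixPath

# Extensions a JS/HTML-family signature would most plausibly fire on.
# This is the author's assumption for triage, not a list published by MSE.
SCRIPT_LIKE = {".js", ".jse", ".htm", ".html", ".hta", ".vbs", ".wsf"}


def inventory_zip(source):
    """Return one record per file entry: path, size and SHA-256 of the content.

    `source` may be a path or a file-like object. Entries are streamed through
    hashlib in 1 MiB chunks, so nothing is written to disk and large entries
    (a multi-gigabyte VHD) do not have to fit in memory at once.
    """
    records = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256()
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            records.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": digest.hexdigest(),
            })
    return records


def triage(records):
    """Split an inventory into (script-like entries, disk-image entries).

    Either list can be quoted by name and hash in a false-positive submission
    instead of uploading the whole archive.
    """
    scripts = [r for r in records
               if PurePosixPath(r["name"]).suffix.lower() in SCRIPT_LIKE]
    images = [r for r in records if r["name"].lower().endswith(".vhd")]
    return scripts, images


def build_sample_backup_zip():
    """Constructed stand-in for a backup zip; paths and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("C/Users/alice/Documents/notes.txt", "abc")
        zf.writestr("C/Users/alice/AppData/Local/Temp/cache/page.htm",
                    "<html><script>document.write('x')</script></html>")
        zf.writestr("C/Users/alice/Virtual Machines/Windows XP Mode.vhd",
                    b"\x00" * 4096)
    buf.seek(0)
    return buf


def report(records):
    """Human-readable summary of the triage result."""
    scripts, images = triage(records)
    lines = [f"{len(records)} file entries in archive"]
    for label, group in (("script-like", scripts), ("disk image", images)):
        for r in group:
            lines.append(f"[{label}] {r['name']}  {r['size']} bytes  "
                         f"sha256={r['sha256']}")
    return "\n".join(lines)


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else build_sample_backup_zip()
    print(report(inventory_zip(src)))
```

Point the script at a real backup zip to get the list of entries and hashes; the hashes are what to quote in a submission, and the script-like entries are the natural first candidates to upload, since they will be far smaller than a disk image.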
 
If it comes back, I might be able to find it in the Quarantine folder for MSE on the C drive.

I just thought of something. What if it is just seeing it's own MSE definitions within XP Mode that is also running MSE...

XP Mode is connected to the web to get updates, but they do not surf the web in the XP Mode. Only in Windows 7.
 
Since neither Microsoft Security Essentials nor the ESET Online scan found anything in the "computer" but continually in new backups, it has to be a f/p. I agree that disabling the MSE scan of the backups makes sense and is the best step to take. If I learn more, I'll let you know.

What I found interesting in the MMPC Encyclopedia entry was that Prevention section wasn't updated to include Windows 7. The last update was in 2011. Encyclopedia entry: Trojan:JS/Flagrab.A
 
Wow, very interesting, Corrine.

I will see if I can create a custom scan for her to do that will keep clear of the backups on the external hard drive. That should take care of the problem. Or at least do an exception regardless of the scan she does so it steers clear of the backups.

Thanks Corrine. Much appreciated.

I would look forward to hearing if anything further comes to light on this.
 
I asked a friend about this. First a couple questions -- Has the VM itself ever been infected? Has there been a full scan within the VM?

If there hasn't been a full scan within the VM, I suggest doing that first to see if specific files can be found. However, if nothing is found, let's use the Disk Cleanup tool to clear all but the most recent System Restore point.

First, create a fresh restore point:

1. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
2. Click Create a Restore Point, and then click Next.
3. Name your restore point. (i.e., clean)
4. Click the Create button.
5. When the new restore point has been created, click Close.

Now select the files to be removed as well as all but the new restore points:
  • Click start-->Run and type cleanmgr into the run box and then click "OK".
  • Select the drive where Windows is installed (if you have more than one drive) and click "OK".
  • When the scan completes, check/uncheck desired boxes.
  • Next, please click the More Options tab at the top.
  • Click the "Clean up..." button under the System Restore section at the bottom.
  • Answer Yes to the question "Are you sure you want to delete all but the most recent restore point?".
  • Click OK and answer Yes again.
The disk clean up utility will remove the selected items. When it completes, please restart the computer to properly record the changes made to the hard disk.

Rescan and see if that solves the problem.
 
I thought of this last night as I was stewing about it ... that I really need to scan the VM to be sure that's not the issue. Especially since the computer did have an infection just before Christmas that was cleaned up right away. They called me as soon as it happened and I cleaned it up with no issues afterwards reported except somewhere in the backup.zip in the backups...

I may also want to create a new system restore and remove the old ones especially after the issue before Christmas. So there could be something there in the older system restore files, maybe.

That gives me a couple items to do this morning.

Thanks Corrine! And thanks for asking your friend too! Much appreciated.
 
You're welcome, LilBambi.

BTW, I realized I provided Disk Cleanup instructions for Windows XP, not Windows 7. Although I realize you know how to run it, for completeness, I'll provide the instructions for Windows Vista and Windows 7:
  • Click start, type Disk Cleanup in the search box
  • Right-Click Disk Cleanup and select "Run as Administrator" and accept the UAC elevation prompt.
  • Select the drive where Windows is installed (if you have more than one drive) and click "OK".
  • When the scan completes, check/uncheck desired boxes.
  • Next, please click the More Options tab at the top.
  • Click the "Clean up..." button under the "System Restore and Shadow Copies" section at the bottom.
  • Click Delete in response to the question "Are you sure you want to delete all but the most recent restore point?", click OK and answer Yes again.
  • The disk clean up utility will remove the selected items. When it completes, please restart the computer to properly record the changes made to the hard disk.
 
No worries. It's good for the record to have both here since both OSes are involved.

I will not be able to work with her on this until likely tomorrow evening or Saturday morning.

But we will get it done.

As always thanks! And I will report back after I know something more definitive.
 
Checked XP Mode VHD with ESET Online Scanner and Malwarebytes and MSE and all clean.


Turned off the Backup Schedule, removed all backups. Turned off System Restore and removed all Restore Points.


After that I re-enabled System Restore, changed settings for the backup to set the schedule again, and did a backup.


I also put in exclusions for System Volume and the PC Backup folder on the external hard drive in MSE to make sure it didn't try to scan those areas again.


After the backup finishes, client will run a full scan again, and I am expecting her not to see any more of that problem.


Keeping fingers crossed.


Thanks to Corrine and a friend for their input in the solution.
 
Agreed. It was really acting like phantom items because of the dates it was finding being dates already removed from the backup sets.

Thanks so much to you and to your friend who helped flesh it out.

It is too early to totally celebrate (many a slip from cup to lip) but I will be seriously surprised if she finds anything now.
 