Assigned Zemana Found a worm in gatherNetworkInfo.vbs which i'm baffled by

This thread is being handled by a member of the staff.
Status
Not open for further replies.
pneuma1985

pneuma1985

Level 4
Thread author
Verified
Aug 30, 2015
189
Well i schedule zemana b/c I use at as on demand scanner and It popped up with this tonight.
gatherNetworkInfo.vbs
Status : Scanned
Object : %systemroot%\system32\gathernetworkinfo.vbs
MD5 : 2AE808CB0D9A667B0CF41EA74B3B9BAC
Publisher : -
Size : 40552
Version : -
Detection : Worm:VBS/Akuza!Es
Cleaning Action : Repair
Traces :
File - %systemroot%\system32\gathernetworkinfo.vbs

And God I hate worms. I have not downloaded any malware in some time b/c I did a clean slate on my workstation about a month ago. Its not running and risky software at all everything that could possibly be exploited is in a VM... I don't get it hopefully someone can point me in the right direction on removing this?
 
  • Like
Reactions: Deleted Member 333v73x and upnorth
pneuma1985

pneuma1985

Level 4
Thread author
Verified
Aug 30, 2015
189
pneuma1985 said:
Well i schedule zemana b/c I use at as on demand scanner and It popped up with this tonight.
gatherNetworkInfo.vbs
Status : Scanned
Object : %systemroot%\system32\gathernetworkinfo.vbs
MD5 : 2AE808CB0D9A667B0CF41EA74B3B9BAC
Publisher : -
Size : 40552
Version : -
Detection : Worm:VBS/Akuza!Es
Cleaning Action : Repair
Traces :
File - %systemroot%\system32\gathernetworkinfo.vbs

And God I hate worms. I have not downloaded any malware in some time b/c I did a clean slate on my workstation about a month ago. Its not running and risky software at all everything that could possibly be exploited is in a VM... I don't get it hopefully someone can point me in the right direction on removing this?
Click to expand...
This is killing me I either caught a persistent backdoor or I keep getting pwned one or the other.
 
pneuma1985

pneuma1985

Level 4
Thread author
Verified
Aug 30, 2015
189
I am about to dban my drives seriously its pissing me off I have to be root kitted there's no other way since I don't even download things on my host machine just necessary security config and acronis and cyberfox everything else is done in my VM secondary os BC I develop in it... Driving me insane two infections in two weeks! Need help with rootkits removal and actually finding it BC tdskiller didnt and its an ssd drive so I'm limited in the tools I can use some are HDD only.
 
OokamiCreed

OokamiCreed

Level 18
Verified
Honorary Member
Top Poster
Well-known
May 8, 2015
881
It's a false positive. I've checked the code of my own vbs script in the same exact location and it checked out fine. VirusTotal gives no detection with all 54 engines. I've scanned it with Zemana and it detected it the same as yours.

screenshot_143.png


There is no private information in this file. My MD5 hash is: 2AE808CB0D9A667B0CF41EA74B3B9BAC

This hash matches yours. They are the same exact file. If I'm not mistaken, Zemana has it's own engine. That is probably what is detecting it.
 
  • Like
Reactions: upnorth, Cats-4_Owners-2, Jack and 4 others
RmG152

RmG152

Level 12
Verified
Jan 22, 2014
577
Klipsh said:
The gathernetworkinfo.vbs script comes by default with every Windows 7 installation and is located within the C:\Windows\System32\ folder.

The script does collect various networking information about the Windows 7 system and its configuration and dumps the information into the C:\Windows\System32\Config folder, but it is not a worm.

The GatherNetworkinfo.vbs Script
Click to expand...

frogboy said:
Well thanks @Klipsh that explains why it showed up on my W7 machine but not my W10 machine. ;)
Click to expand...

I have a clean installation of Windows 10 and I have this script, but with different hash (and not detected by zemana)

MD5 0fee8db559981d7f06e26042ecd8d671
SHA1 aa5de05b7c5265cb17551930f33981c078680515
SHA256 e4265c3c486938566f6c95e43a2db4f4383cfa3e6ca8197727e0e8df97a9cfb5
 
  • Like
Reactions: Cats-4_Owners-2, OokamiCreed, LabZero and 2 others
jamescv7

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
It detects as worm because of the nature where the file is made on script and usually there are some codes that nearly same behavior on suspicious, if you didn't mess something and the sample is valid to be on system32 hence it can be a false positive unless you know some situation where manipulation may occur.
 
  • Like
Reactions: frogboy and Cats-4_Owners-2
pneuma1985

pneuma1985

Level 4
Thread author
Verified
Aug 30, 2015
189
Just reimaged my pc and now it doesnt show up as malware! Just saying...Oh and it has a different md5 sum!

Hypothetically speaking it is possible that file is a new target for a worm we can't know if its an unknown in the wild script modifying that file?
 
Last edited:
  • Like
Reactions: Deleted Member 333v73x
Status
Not open for further replies.

Similar threads

B
  • Locked
Opened by accident a hacked email and noticed a new process in task manager
Replies
3
Views
3,840
Windows Malware Removal Help & Support
nasdaq
nasdaq
A
  • Locked
I have a personal computer but chrome says "managed by your organisation"
Replies
3
Views
2,567
Windows Malware Removal Help & Support
struppigel
struppigel
DDE_Server
    • Like
  • Locked
Assigned Zemana caught XDM as Trojan
Replies
12
Views
2,824
Other security for Windows, Mac, Linux
AriDfoix
A

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top