Pinging all the experts here -->Zone Alarm anti-spyware just found 2 trojans that Avast/Ad-Aware/Spy

Discussion in 'Spyware' started by bettersurfing, Aug 1, 2006.

  1. I usually run an Avast bootscan along with Ad-Aware and Spybot once a week.
    Today I did all three PLUS ran a Zone Alarm full system scan:

    Here's what Zone Alarm just quarantined and the other three missed:

    Win32.YOK.SuperSearch Trojan

    RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories
    \{00021494-0000-0000-C000-000000000046}

    Backdoor.Win32.mIRC. based Trojan

    RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha


    The last one is interesting since I haven't installed Mirc or any internet
    chat programs. I'm wondering if it was installed by any "spyware free"
    freeware or the akamaitechnologies.com IP address I kept seeing in TCPview?


    I also have the MVPS HOSTS file loaded and take a lot of precautions (I have
    all the Avast shields running + MS Defender).

    It may be time for the MULTI-AV scan.
     
    bettersurfing, Aug 1, 2006
    #1

  2. bettersurfing,

    I updated ad-aware today and it stops running after one or two seconds.
    I have webroot's spy sweeper running all the time, and it just now
    seems ad-aware no longer runs, without shutting down webroot's spy
    sweeper.

    I run ad-aware free, because it finds numerous things that webroot does
    not deem important or can't locate... On the other side, webroot's spy
    sweeper finds things that ad-aware does not locate... And it has
    tripped several Trojans during scans that AVG does not discover...

    This is the first time ad-aware and spy sweeper will not co-exist...
    Something has changed it appears...

    JR the postman
     
    Postman delivers, Aug 1, 2006
    #2

  3. Check the recent threads on Spy Sweeper - if you "upgraded" to version 5.0
    there might be some "issues"...
     
    Lukas Mariman, Aug 1, 2006
    #3
  4. From: <>

    | I usually run an Avast bootscan along with Ad-Aware and Spybot once a week.
    | Today I did all three PLUS ran a Zone Alarm full system scan:
    |
    | Here's what Zone Alarm just quarantined and the other three missed:
    |
    | Win32.YOK.SuperSearch Trojan
    |
    | RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories
    | \{00021494-0000-0000-C000-000000000046}
    |
    | Backdoor.Win32.mIRC. based Trojan
    |
    | RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha
    |
    | The last one is interesting since I haven't installed Mirc or any internet
    | chat programs. I'm wondering if it was installed by any "spyware free"
    | freeware or the akamaitechnologies.com IP address I kept seeing in TCPview?
    |
    | I also have the MVPS HOSTS file loaded and take a lot of precautions (I have
    | all the Avast shields running + MS Defender).
    |
    | It may be time for the MULTI-AV scan.
    |

    Give the Multi AV Scanning Tool a try and let us know the results.
     
    David H. Lipman, Aug 1, 2006
    #4
  5. bettersurfing

    Guest Guest

    Will do. I just ran SuperAntispyware and asquared and so far all is
    clean.
    I'm going to run my trial version of Spy Sweeper (and use the requisite
    99% of CPU power required by Spy Sweeper - LOL).


    The question is - is it better to run Anti-spyware programs to catch
    Trojans or AV programs? In addition, should I shut down my Avast shields
    when running anti-spyware programs and disconnect from the net if I'm not
    running them in safe mode?
     
    Guest, Aug 1, 2006
    #5
  6. From: <>


    | Will do. I just ran SuperAntispyware and asquared and so far all is
    | clean.
    | I'm going to run my trial version of Spy Sweeper (and use the requisite
    | 99% of CPU power required by Spy Sweeper - LOL).
    |
    | The question is - is it better to run Anti-spyware programs to catch
    | Trojans or AV programs? In addition, should I shut down my Avast shields
    | when running anti-spyware programs and disconnect from the net if I'm not
    | running them in safe mode?
    |

    If you get infected -- both!

    Prevention is always better than cure.
     
    David H. Lipman, Aug 1, 2006
    #6
  7. Very interesting - these people in the Zone Alarm forums state the ZA
    Anti-Spyware found the same two trojans and there seems to be no info
    about them. Could they be false positives? I'll try to follow up if
    and when ZA ever responds. For a highly rated product, ZA moderators
    sure take their sweet time to respond (and many posts are never answered
    there):

    http://forum.zonelabs.org/zonelabs/board/message?board.id=Antivirus&message.id=13092

    Win32.YOK.SuperSearch
    Park
    New Member
    Registered: 12-09-2005

    Situation: During my DAILY spyware scan, on 8/1/2006, ZoneAlarm detected
    Win32.YOK.SuperSearch

    which ZA said was a high risk trojan.

    Questions:
    1) Am I now to assume that, during the many hours that I was online
    between my daily scans, a program which "enables user access to your
    entire computer and everything on it" could have **bleep**ed very
    important info from my computer &/or made other major changes to my
    system?
    2) Where is any information that might aid me in finding out when and
    exactly how I acquired this spyware?
    3) Why does Win32.YOK.SuperSearch not appear on the list in "SmartDefense
    Research Center/ Spyware Information" at
    http://smartdefense.zonelabs.com/tmpl/SpywareArticle?action=letterSearch&SPY_LETTER=w?
    4) Why am I unable to find any detailed info at ZA about this program or
    any info at all about it at any other site (such as Spysweeper or
    Symantec/Norton)?
    5) Last, but hardly least, how can I detect such nasties BEFORE they have
    a chance to mess with my computer?

    Thanks,
    Park

    http://forum.zonelabs.org/zonelabs/board/message?board.id=Antivirus&message.id=13100

    ZA Pro scans and picks this up:
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha

    *** Backdoor.Win32.mIRC.based ***

    Status "Quarantined" for now.

    The following great programs do not detect this:
    * Spybot Search and Destroy
    * Ad-Aware SE
    * AVG
    * ewido

    All four are up to date with current sigs.

    Why does ZAPro and not the others??

    Anyone care to elaborate please and thanks?
    Operating System: Windows XP Home
    Product Name: ZoneAlarm Pro
    Software Version: 6.5

    by RKnee
     
    bettersurfing, Aug 3, 2006
    #7
  8. It appears (from rechecking the Zone Alarm URLs) that the
    yok.supersearch is not a trojan but adware and may be legit (but my
    computer had none of the yok.* files listed in the Zone Alarm forum other
    than the registry setting that Zone Alarm removed).

    The Backdoor.Win32.mIRC.based trojan was a false positive that Zone Alarm
    corrected with a future definition update.

    Just great - Zone Alarm made me waste about 4 hours checking the net and
    rerunning several anti-spyware programs plus an Avast bootscan and normal
    start-up virus scan.

    I almost did a Multi-AV scan, too!
     
    bettersurfing, Aug 4, 2006
    #8
  9. From: <>

    | It appears (from rechecking the Zone Alarm URLs) that the
    | yok.supersearch is not a trojan but adware and may be legit (but my
    | computer had none of the yok.* files listed in the Zone Alarm forum other
    | than the registry setting that Zone Alarm removed).
    |
    | The Backdoor.Win32.mIRC.based trojan was a false positive that Zone Alarm
    | corrected with a future definition update.
    |
    | Just great - Zone Alarm made me waste about 4 hours checking the net and
    | rerunning several anti-spyware programs plus an Avast bootscan and normal
    | start-up virus scan.
    |
    | I almost did a Multi-AV scan, too!


    Thanx for updating the thread.

    Good Luck !
     
    David H. Lipman, Aug 5, 2006
    #9
  10. bettersurfing

    Virus Guy Guest

    As I've said before, software firewalls are a useless waste of time
    and computer resources.

    Get a NAT router (to act as an incoming firewall) and be done with
    it. The incremental benefit of an outgoing software-firewall is
    non-existent.

    When are you people gonna learn that?
     
    Virus Guy, Aug 5, 2006
    #10
  11. bettersurfing

    Ernie B. Guest

    When things like Real Player quit trying to call home.
     
    Ernie B., Aug 5, 2006
    #11
  12. bettersurfing

    kurt wismer Guest

    usually this is said because malware can (though it doesn't always
    bother) disable the software firewall or find some other way to bypass it...

    unfortunately that ignores the fact that a) not all malware does and b)
    there's plenty of more or less legitimate software that tries to make
    outgoing connections that i don't want it to make...
    definitely agree about getting a nat router, but as above, not about
    dumping the software firewall... at the very least the redundant system
    is useful for fault tolerance ('hey my connection stopped working, maybe
    the router's broken, i'll have to try connecting without it to see')...
    also, some software firewalls include features that are outside the
    scope of a firewall but are useful nonetheless (such as the
    application launch whitelisting functionality in kerio)...
    "you people"? probably not the best way to sway opinion...
     
    kurt wismer, Aug 5, 2006
    #12
  13. bettersurfing

    kurt wismer Guest

    psst - real alternative (http://www.codecguide.com/)...
     
    kurt wismer, Aug 5, 2006
    #13
  14. bettersurfing

    Ernie B. Guest

    Yeah I've got it, thanks. I used Real Player as an infamous example, there
    are others also.
     
    Ernie B., Aug 5, 2006
    #14
  15. Actually, I do it not only for the benefit of future surfers, but for
    myself, too. In the future, I'll be able to do Google newsgroup searches
    and see the ZA threads.

    I was amazed at how little there was on the net and in the newsgroups
    regarding these two bits of spyware.

    All the AV and anti-spyware companies (especially the one I use - Avast)
    give precious little info on trojans and spyware. Sure they may block it
    at the point of impact, but it would be nice to see what files or registry
    strings they plant, so we could do a file or reg search just to be sure.
     
    bettersurfing, Aug 5, 2006
    #15
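One way to do the file-or-registry check this post asks for, as an added example that is not from the thread or from any of the products mentioned: it parses the text of a `reg export` (.reg) file, reports whether the two key paths Zone Alarm flagged are present and what they hold, and follows the `.cha` extension key to the command that would actually open such files, since an extension key by itself runs nothing. The sample .reg text, the `ChatFile` ProgID and the `chat.exe` path are constructed for the example.

```python
import re

# Indicator key paths named in the thread (compared case-insensitively, as Windows does)
INDICATOR_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{00021494-0000-0000-C000-000000000046}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha",
]
# Constructed sample: decoded text of a `reg export` of the keys in question (not from the page)
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
@="ChatFile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\shell\open\command]
@="\"C:\\Program Files\\Example Chat\\chat.exe\" \"%1\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Component Categories\{00021494-0000-0000-C000-000000000046}]
"409"="constructed category description"
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}; the default value is named '(Default)'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):  # string literal: undo the escaped quotes/backslashes
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_indicators(keys, indicators=INDICATOR_KEYS):
    """Map each indicator key path to its values, or to None when the key is absent."""
    lowered = {k.lower(): v for k, v in keys.items()}
    return {ind: lowered.get(ind.lower()) for ind in indicators}


def resolve_open_command(keys, ext_key):
    """Follow an extension key's default value (its ProgID) to the command that opens such files."""
    lowered = {k.lower(): v for k, v in keys.items()}
    progid = (lowered.get(ext_key.lower()) or {}).get("(Default)")
    if not progid:
        return None, None
    cmd_key = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\%s\shell\open\command" % progid
    return progid, (lowered.get(cmd_key.lower()) or {}).get("(Default)")
```

Run it against a real export (`reg export HKLM\SOFTWARE\Classes classes.reg`, decoded from UTF-16) and compare what the ProgID's open command points to against the programs you know you installed.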
  16. My Netgear RP614v3 says it gives SPI and NAT protection and I don't see it
    blocking the trojans and spyware that Avast or ZA catches.
     
    bettersurfing, Aug 5, 2006
    #16
  17. like Windows Media Player doesn't?

    We all use and recommend Media Player Classic instead with Real Alternative
    and QT alternative, but do we really know the entire program structure?
     
    bettersurfing, Aug 5, 2006
    #17
  18. bettersurfing

    Ernie B. Guest

    Sure it does, when I allow it to.
    No. I have ZA set to 'ask' on everything except my web browsers, news and
    mail clients and AV update. The object of the game is to be aware, and in
    control, of what the computer is doing when it's on line.
     
    Ernie B., Aug 5, 2006
    #18
  19. bettersurfing

    Virus Guy Guest

    Get "Real Alternative".

    http://www.free-codecs.com/download/Real_Alternative.htm
     
    Virus Guy, Aug 5, 2006
    #19
  20. bettersurfing

    Virus Guy Guest

    Your software firewall won't "catch" it either when it first comes
    into and installs itself on your system. And the nasty stuff, like
    root kits, will bypass your firewall like it wasn't even there.

    Where do you surf? Geeze, I never get fun stuff like that.

    You must not use a hosts file, or adaware/spybot/spyware blaster, or
    update your Java, or maybe you're still running XP-SP1 (or XP-gold).
     
    Virus Guy, Aug 5, 2006
    #20