Pinging all the experts here -->Zone Alarm anti-spyware ju..

"Postman delivers" <JR_the_postman.RemoveThis@xyzahoo.com> schreef in bericht
news:mn.0b3b7d68fd1ce147.49378@xyzahoo.com...
> bettersurfing.RemoveThis@usersnospam.org has brought this to us :
>> I usually run an Avast bootscan along with Ad-Aware and Spybot once a
>> week.
>> Today I did all three PLUS ran a Zone Alarm full system scan:
>>
>> Here's what Zone Alarm just quarantined and the other three missed:
>>
>> Win32.YOK.SuperSearch Trojan
>>
>> RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories
>> \{00021494-0000-0000-C000-000000000046}
>>
>> Backdoor.Win32.mIRC. based Trojan
>>
>> RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha
>>
>>
>> The last one is interesting since I haven't installed Mirc or any
>> internet chat programs. I'm wondering if it was installed by any
>> "spyware free" freeware or the akamaitechnologies.com IP address I kept
>> seeing in TCPview?
>>
>>
>> I also have the MVPS HOSTS file loaded and take alot of precautions (I
>> have all the Avast shields running + MS Defender).
>>
>> It may be time for the MULTI-AV scan.
>
> bettersurfing,
>
> I updated ad-aware today and it stops running after one or two seconds. I
> have webroot's spy sweeper running all the time, and it just now seems
> ad-aware no longer runs, without shutting down webroot's spy sweeper.
>
> I run ad-aware free, because it finds numerous things that webroot does
> not deem important or can't locate... On the other side, webroot's spy
> sweeper finds things that ad-aware does not locate... And it has tripped
> several Trojans during scans that AVG does not discover...
>
> This is the first time ad-aware and spy sweeper will not co-exist...
> Something has changed it appears...
>
> JR the postman

Check the recent threads on Spy Sweeper - if you "upgraded" to version 5.0
there might be some "issues"...
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

From: <bettersurfing DeleteThis @usersnospam.org>

| I usually run an Avast bootscan along with Ad-Aware and Spybot once a week.
| Today I did all three PLUS ran a Zone Alarm full system scan:
|
| Here's what Zone Alarm just quarantined and the other three missed:
|
| Win32.YOK.SuperSearch Trojan
|
| RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories
| \{00021494-0000-0000-C000-000000000046}
|
| Backdoor.Win32.mIRC. based Trojan
|
| RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha
|
| The last one is interesting since I haven't installed Mirc or any internet
| chat programs. I'm wondering if it was installed by any "spyware free"
| freeware or the akamaitechnologies.com IP address I kept seeing in TCPview?
|
| I also have the MVPS HOSTS file loaded and take alot of precautions (I have
| all the Avast shields running + MS Defender).
|
| It may be time for the MULTI-AV scan.
|

Give the Multi AV Scanning Tool and try and let us know the results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:asPzg.4215$cj7.2542@trnddc01:

> From: <bettersurfing RemoveThis @usersnospam.org>
>
>| I usually run an Avast bootscan along with Ad-Aware and Spybot once a
>| week. Today I did all three PLUS ran a Zone Alarm full system scan:
>|
>| Here's what Zone Alarm just quarantined and the other three missed:
>|
>| Win32.YOK.SuperSearch Trojan
>|
>| RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories
>| \{00021494-0000-0000-C000-000000000046}
>|
>| Backdoor.Win32.mIRC. based Trojan
>|
>| RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha
>|
>| The last one is interesting since I haven't installed Mirc or any
>| internet chat programs. I'm wondering if it was installed by any
>| "spyware free" freeware or the akamaitechnologies.com IP address I
>| kept seeing in TCPview?
>|
>| I also have the MVPS HOSTS file loaded and take alot of precautions
>| (I have all the Avast shields running + MS Defender).
>|
>| It may be time for the MULTI-AV scan.
>|
>
> Give the Multi AV Scanning Tool and try and let us know the results.
>

Will do. I just ran SuperAntispyware and asquared and so far all is
clean.
I'm going to run my trial version of Spy Sweeper (and use the requisite
99% of CPU power required by Spy Sweeper - LOL).


The question is - is it better to run Anti-spyware programs to catch
Trojans or AV programs? In addition, should I shut down my Avast shields
when running anti-spyware programs and disconnect from the net if I'm not
running them in safe mode?
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

From: <bettersurfing DeleteThis @usersnospam.org>


| Will do. I just ran SuperAntispyware and asquared and so far all is
| clean.
| I'm going to run my trial version of Spy Sweeper (and use the requisite
| 99% of CPU power required by Spy Sweeper - LOL).
|
| The question is - is it better to run Anti-spyware programs to catch
| Trojans or AV programs? In addition, should I shut down my Avast shields
| when running anti-spyware programs and disconnect from the net if I'm not
| running them in safe mode?
|

If you get infected -- both !

Prevention is always better than cure.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:sJQzg.4232$cj7.2318@trnddc01:

> From: <bettersurfing.DeleteThis@usersnospam.org>
>
>
>| Will do. I just ran SuperAntispyware and asquared and so far all is
>| clean.
>| I'm going to run my trial version of Spy Sweeper (and use the
>| requisite 99% of CPU power required by Spy Sweeper - LOL).
>|
>| The question is - is it better to run Anti-spyware programs to catch
>| Trojans or AV programs? In addition, should I shut down my Avast
>| shields when running anti-spyware programs and disconnect from the
>| net if I'm not running them in safe mode?
>|
>
> If you get infected -- both !
>
> Prevention is always better than cure.
>

Very interesting - these people in the Zone Alarm forums state the ZA
Anti-Spyware found the same two trojans and there seems to be no info
about them. Could they be false positives? I'll try to follow up if
and when ZA ever responds. For a highly rated product, ZA moderators
sure take their sweet time to respond (and many posts are never answered
there):


http://forum.zonelabs.org/zonelabs/board/mes
sage?board.id=Antivirus&message.id=13092


Win32.YOK.SuperSearch
Park
New Member
Registered: 12-09-2005




Situation: During my DAILY spyware scan, on 8/1/2006, ZoneAlarm detected
Win32.YOK.SuperSearch

which ZA said was a high risk trojan.

Questions:
1) Am I now to assume that, during the many hours that I was online
between my daily scans, a program which "enables user access to your
entire computer and everything on it" could have **bleep**ed very
important info from my computer &/or made other major changes to my
system?
2) Where is any information that might aid me in finding out when and
exactly how I acquired this spyware?
3) Why does Win32.YOK.SuperSearch not appear on the list in "SmartDefense
Research Center/ Spyware Information" at
http://smartdefense.zonelabs.com/tmpl/SpywareArticle?
action=letterSearch&SPY_LETTER=w?
4) Why am I unable to find any detailed info at ZA about this program or
any info at all about it at any other site (such as Spysweeper or
Symantec/Norton)?
5) Last, but hardly least, how can I detect such nasties BEFORE they have
a chance to mess with my computer?

Thanks,
Park






http://forum.zonelabs.org/zonelabs/board/message?
board.id=Antivirus&message.id=13100


ZA Pro scans and picks this up:
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha

*** Backdoor.Win32.mIRC.based ***

Status "Quarantined" for now.

The following great programs do not detect this:
* Spybot Search and Destroy
* Ad-Aware SE
* AVG
* ewido

All four are up to date with current sigs.

Why does ZAPro and not the others??

Anyone care to elaborate please and thanks?
Operating System: Windows XP Home
Product Name: ZoneAlarm Pro
Software Version: 6.5

by RKnee
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

It appears (from rechecking the Zone Alarm url's) that the
yok.supersearch is not a trojan but adware and may be legit (but my
computer had none of the yok.* files listed in the Zone Alarm forum other
than the registry setting that Zone Alarm removed).

The Backdoor.Win32.mIRC.based trojan was a false positive that Zone Alarm
corrected with a future definition update.

Just great - Zone Alarm made me waste about 4 hours checking the net and
rerunning several anti-spyware programs plus an Avast bootscan and normal
start-up virus scan.

I almost did a Multi-AV scan, too!


news:2rqdneG7_NL9EEzZnZ2dnUVZ_vednZ2d@giganews.com:

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
> news:sJQzg.4232$cj7.2318@trnddc01:
>
>> From: <bettersurfing.TakeThisOut@usersnospam.org>
>>
>>
>>| Will do. I just ran SuperAntispyware and asquared and so far all is
>>| clean.
>>| I'm going to run my trial version of Spy Sweeper (and use the
>>| requisite 99% of CPU power required by Spy Sweeper - LOL).
>>|
>>| The question is - is it better to run Anti-spyware programs to catch
>>| Trojans or AV programs? In addition, should I shut down my Avast
>>| shields when running anti-spyware programs and disconnect from the
>>| net if I'm not running them in safe mode?
>>|
>>
>> If you get infected -- both !
>>
>> Prevention is always better than cure.
>>
>
> Very interesting - these people in the Zone Alarm forums state the ZA
> Anti-Spyware found the same two trojans and there seems to be no info
> about them. Could they be false positives? I'll try to follow up if
> and when ZA ever responds. For a highly rated product, ZA moderators
> sure take their sweet time to respond (and many posts are never
> answered there):
>
>
> http://forum.zonelabs.org/zonelabs/board/mes
> sage?board.id=Antivirus&message.id=13092
>
>
> Win32.YOK.SuperSearch
> Park
> New Member
> Registered: 12-09-2005
>
>
>
>
> Situation: During my DAILY spyware scan, on 8/1/2006, ZoneAlarm
> detected
> Win32.YOK.SuperSearch
>
> which ZA said was a high risk trojan.
>
> Questions:
> 1) Am I now to assume that, during the many hours that I was online
> between my daily scans, a program which "enables user access to your
> entire computer and everything on it" could have **bleep**ed very
> important info from my computer &/or made other major changes to my
> system?
> 2) Where is any information that might aid me in finding out when and
> exactly how I acquired this spyware?
> 3) Why does Win32.YOK.SuperSearch not appear on the list in
> "SmartDefense Research Center/ Spyware Information" at
> http://smartdefense.zonelabs.com/tmpl/SpywareArticle?
> action=letterSearch&SPY_LETTER=w?
> 4) Why am I unable to find any detailed info at ZA about this program
> or any info at all about it at any other site (such as Spysweeper or
> Symantec/Norton)?
> 5) Last, but hardly least, how can I detect such nasties BEFORE they
> have a chance to mess with my computer?
>
> Thanks,
> Park
>
>
>
>
>
>
> http://forum.zonelabs.org/zonelabs/board/message?
> board.id=Antivirus&message.id=13100
>
>
> ZA Pro scans and picks this up:
> RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha
>
> *** Backdoor.Win32.mIRC.based ***
>
> Status "Quarantined" for now.
>
> The following great programs do not detect this:
> * Spybot Search and Destroy
> * Ad-Aware SE
> * AVG
> * ewido
>
> All four are up to date with current sigs.
>
> Why does ZAPro and not the others??
>
> Anyone care to elaborate please and thanks?
> Operating System: Windows XP Home
> Product Name: ZoneAlarm Pro
> Software Version: 6.5
>
> by RKnee
>
>
>
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

From: <bettersurfing.TakeThisOut@usersnospam.org>

| It appears (from rechecking the Zone Alarm url's) that the
| yok.supersearch is not a trojan but adware and may be legit (but my
| computer had none of the yok.* files listed in the Zone Alarm forum other
| than the registry setting that Zone Alarm removed).
|
| The Backdoor.Win32.mIRC.based trojan was a false positive that Zone Alarm
| corrected with a future definition update.
|
| Just great - Zone Alarm made me waste about 4 hours checking the net and
| rerunning several anti-spyware programs plus an Avast bootscan and normal
| start-up virus scan.
|
| I almost did a Multi-AV scan, too!


Thanx for updating the thread.

Good Luck !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

bettersurfing RemoveThis @usersnospam.org wrote:

> Just great - Zone Alarm made me waste about 4 hours ...

As I've said before, software firewalls are a useless waste of time
and computer resources.

Get a NAT router (to act as an incoming firewall) and be done with
it. The incremental benefit of an outgoing software-firewall is
none-existant.

When are you people gonna learn that?
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

This message is not archived
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:MCQAg.127$rd1.107@trnddc01:

> From: <bettersurfing.DeleteThis@usersnospam.org>
>
>| It appears (from rechecking the Zone Alarm url's) that the
>| yok.supersearch is not a trojan but adware and may be legit (but my
>| computer had none of the yok.* files listed in the Zone Alarm forum
>| other than the registry setting that Zone Alarm removed).
>|
>| The Backdoor.Win32.mIRC.based trojan was a false positive that Zone
>| Alarm corrected with a future definition update.
>|
>| Just great - Zone Alarm made me waste about 4 hours checking the net
>| and rerunning several anti-spyware programs plus an Avast bootscan
>| and normal start-up virus scan.
>|
>| I almost did a Multi-AV scan, too!
>
>
> Thanx for updating the thread.
>
> Good Luck !
>

Actually, I do it not only for the benefit of future surfers, but for
myself, too. In the future, I'll be able to do Google newsgroup searches
and see the ZA threads.

I was amazed at how little there was on the net and in the newsgroups
regarding these two bits of spyware.

All the AV and anti-spyware companies (especially the one I use - Avast)
give precious little info on trojans and spyware. Sure they may block it
at the point of impact, but it would be nice to see what files or registry
strings they plant, so we could do a file or reg search just to be sure.
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

Virus Guy <Virus DeleteThis @Guy.com> wrote in news:44D4D184.D38996E9@Guy.com:

> Get a NAT router (to act as an incoming firewall) and be done with
> it. The incremental benefit of an outgoing software-firewall is
> none-existant.
>
> When are you people gonna learn that?

My Netgear RP614v3 says it gives SPI and NAT protection and I don't see it
blocking the trojans and spyware that Avast or ZA catches.
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

Ernie B. <ebaresch_REMOVE_ RemoveThis @cox._THIS_net> wrote in
news:MPG.1f3eba92451860a898adb7@127.0.0.1:

> Yeah I've got it, thanks. I used Real Player as an infamous example,
> there are others also.

like Windows Media Player doesn't?

We all use and recommend Media Player Classic intead with Real Alternative
and QT alternative, but do we really know the entire program structure?
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju.. 

Virus Guy wrote:
> bettersurfing.RemoveThis@usersnospam.org wrote:
>
>> Just great - Zone Alarm made me waste about 4 hours ...
>
> As I've said before, software firewalls are a useless waste of time
> and computer resources.

usually this is said because malware can (though it doesn't always
bother) disable the software firewall or find some other way to bypass it...

unfortunately that ignores the fact that a) not all malware does and b)
there's plenty of more or less legitimate software that tries to make
outgoing connections that i don't want it to make...

> Get a NAT router (to act as an incoming firewall) and be done with
> it. The incremental benefit of an outgoing software-firewall is
> none-existant.

definitely agree about getting a nat router, but as above, not about
dumping the software firewall... at the very least the redundant system
is useful for fault tolerance ('hey my connection stopped working, maybe
the router's broken, i'll have to try connecting without it to see')...
also, some software firewalls include features that are outside the
scope of a firewall but are useful none-the-less (such as the
application launch whitelisting functionality in kerio)...

> When are you people gonna learn that?

"you people"? probably not the best way to sway opinion...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
 >> Stay informed about: Pinging all the experts here --&gt;Zone Alarm anti-spyware ju..