Pinging all the experts here -->Zone Alarm anti-spyware just found 2 trojans that Avast/Ad-Aware/Spy


bettersurfing

I usually run an Avast bootscan along with Ad-Aware and Spybot once a week.
Today I did all three PLUS ran a Zone Alarm full system scan:

Here's what Zone Alarm just quarantined and the other three missed:

Win32.YOK.SuperSearch Trojan

RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{00021494-0000-0000-C000-000000000046}

Backdoor.Win32.mIRC.based Trojan

RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha


The last one is interesting since I haven't installed mIRC or any internet
chat programs. I'm wondering if it was installed by any "spyware free"
freeware or the akamaitechnologies.com IP address I kept seeing in TCPview?


I also have the MVPS HOSTS file loaded and take a lot of precautions (I have
all the Avast shields running + MS Defender).

It may be time for the MULTI-AV scan.
 

Postman delivers

(e-mail address removed) has brought this to us:
I usually run an Avast bootscan along with Ad-Aware and Spybot once a week.
Today I did all three PLUS ran a Zone Alarm full system scan:

Here's what Zone Alarm just quarantined and the other three missed:

Win32.YOK.SuperSearch Trojan

RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{00021494-0000-0000-C000-000000000046}

Backdoor.Win32.mIRC.based Trojan

RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha


The last one is interesting since I haven't installed mIRC or any internet
chat programs. I'm wondering if it was installed by any "spyware free"
freeware or the akamaitechnologies.com IP address I kept seeing in TCPview?


I also have the MVPS HOSTS file loaded and take a lot of precautions (I have
all the Avast shields running + MS Defender).

It may be time for the MULTI-AV scan.

bettersurfing,

I updated ad-aware today and it stops running after one or two seconds.
I have webroot's spy sweeper running all the time, and it just now
seems ad-aware no longer runs, without shutting down webroot's spy
sweeper.

I run ad-aware free, because it finds numerous things that webroot does
not deem important or can't locate... On the other side, webroot's spy
sweeper finds things that ad-aware does not locate... And it has
tripped several Trojans during scans that AVG does not discover...

This is the first time ad-aware and spy sweeper will not co-exist...
Something has changed it appears...

JR the postman
 

Lukas Mariman

Postman delivers said:
(e-mail address removed) has brought this to us:

bettersurfing,

I updated ad-aware today and it stops running after one or two seconds. I
have webroot's spy sweeper running all the time, and it just now seems
ad-aware no longer runs, without shutting down webroot's spy sweeper.

I run ad-aware free, because it finds numerous things that webroot does
not deem important or can't locate... On the other side, webroot's spy
sweeper finds things that ad-aware does not locate... And it has tripped
several Trojans during scans that AVG does not discover...

This is the first time ad-aware and spy sweeper will not co-exist...
Something has changed it appears...

JR the postman

Check the recent threads on Spy Sweeper - if you "upgraded" to version 5.0
there might be some "issues"...
 

David H. Lipman

From: <[email protected]>

| I usually run an Avast bootscan along with Ad-Aware and Spybot once a week.
| Today I did all three PLUS ran a Zone Alarm full system scan:
|
| Here's what Zone Alarm just quarantined and the other three missed:
|
| Win32.YOK.SuperSearch Trojan
|
| RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{00021494-0000-0000-C000-000000000046}
|
| Backdoor.Win32.mIRC.based Trojan
|
| RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha
|
| The last one is interesting since I haven't installed mIRC or any internet
| chat programs. I'm wondering if it was installed by any "spyware free"
| freeware or the akamaitechnologies.com IP address I kept seeing in TCPview?
|
| I also have the MVPS HOSTS file loaded and take a lot of precautions (I have
| all the Avast shields running + MS Defender).
|
| It may be time for the MULTI-AV scan.
|

Give the Multi AV Scanning Tool a try and let us know the results.
 

Guest

From: <[email protected]>

| I usually run an Avast bootscan along with Ad-Aware and Spybot once a
| week. Today I did all three PLUS ran a Zone Alarm full system scan:
|
| Here's what Zone Alarm just quarantined and the other three missed:
|
| Win32.YOK.SuperSearch Trojan
|
| RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Component Categories\{00021494-0000-0000-C000-000000000046}
|
| Backdoor.Win32.mIRC.based Trojan
|
| RegistryKey-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha
|
| The last one is interesting since I haven't installed mIRC or any
| internet chat programs. I'm wondering if it was installed by any
| "spyware free" freeware or the akamaitechnologies.com IP address I
| kept seeing in TCPview?
|
| I also have the MVPS HOSTS file loaded and take a lot of precautions
| (I have all the Avast shields running + MS Defender).
|
| It may be time for the MULTI-AV scan.
|

Give the Multi AV Scanning Tool a try and let us know the results.

Will do. I just ran SuperAntispyware and asquared and so far all is
clean.
I'm going to run my trial version of Spy Sweeper (and use the requisite
99% of CPU power required by Spy Sweeper - LOL).


The question is - is it better to run Anti-spyware programs to catch
Trojans or AV programs? In addition, should I shut down my Avast shields
when running anti-spyware programs and disconnect from the net if I'm not
running them in safe mode?
 

David H. Lipman

From: <[email protected]>


| Will do. I just ran SuperAntispyware and asquared and so far all is
| clean.
| I'm going to run my trial version of Spy Sweeper (and use the requisite
| 99% of CPU power required by Spy Sweeper - LOL).
|
| The question is - is it better to run Anti-spyware programs to catch
| Trojans or AV programs? In addition, should I shut down my Avast shields
| when running anti-spyware programs and disconnect from the net if I'm not
| running them in safe mode?
|

If you get infected -- both !

Prevention is always better than cure.
 

bettersurfing

From: <[email protected]>


| Will do. I just ran SuperAntispyware and asquared and so far all is
| clean.
| I'm going to run my trial version of Spy Sweeper (and use the
| requisite 99% of CPU power required by Spy Sweeper - LOL).
|
| The question is - is it better to run Anti-spyware programs to catch
| Trojans or AV programs? In addition, should I shut down my Avast
| shields when running anti-spyware programs and disconnect from the
| net if I'm not running them in safe mode?
|

If you get infected -- both !

Prevention is always better than cure.

Very interesting - these people in the Zone Alarm forums state the ZA
Anti-Spyware found the same two trojans and there seems to be no info
about them. Could they be false positives? I'll try to follow up if
and when ZA ever responds. For a highly rated product, ZA moderators
sure take their sweet time to respond (and many posts are never answered
there):


http://forum.zonelabs.org/zonelabs/board/message?board.id=Antivirus&message.id=13092


Win32.YOK.SuperSearch
Park
New Member
Registered: 12-09-2005
Situation: During my DAILY spyware scan, on 8/1/2006, ZoneAlarm detected
Win32.YOK.SuperSearch, which ZA said was a high risk trojan.

Questions:
1) Am I now to assume that, during the many hours that I was online
between my daily scans, a program which "enables user access to your
entire computer and everything on it" could have **bleep**ed very
important info from my computer &/or made other major changes to my
system?
2) Where is any information that might aid me in finding out when and
exactly how I acquired this spyware?
3) Why does Win32.YOK.SuperSearch not appear on the list in "SmartDefense
Research Center/ Spyware Information" at
http://smartdefense.zonelabs.com/tmpl/SpywareArticle?action=letterSearch&SPY_LETTER=w ?
4) Why am I unable to find any detailed info at ZA about this program or
any info at all about it at any other site (such as Spysweeper or
Symantec/Norton)?
5) Last, but hardly least, how can I detect such nasties BEFORE they have
a chance to mess with my computer?

Thanks,
Park

http://forum.zonelabs.org/zonelabs/board/message?board.id=Antivirus&message.id=13100


ZA Pro scans and picks this up:
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.cha

*** Backdoor.Win32.mIRC.based ***

Status "Quarantined" for now.

The following great programs do not detect this:
* Spybot Search and Destroy
* Ad-Aware SE
* AVG
* ewido

All four are up to date with current sigs.

Why does ZAPro and not the others??

Anyone care to elaborate please and thanks?
Operating System: Windows XP Home
Product Name: ZoneAlarm Pro
Software Version: 6.5

by RKnee
 

bettersurfing

It appears (from rechecking the Zone Alarm URLs) that the
yok.supersearch is not a trojan but adware and may be legit (but my
computer had none of the yok.* files listed in the Zone Alarm forum other
than the registry setting that Zone Alarm removed).

The Backdoor.Win32.mIRC.based trojan was a false positive that Zone Alarm
corrected with a future definition update.

Just great - Zone Alarm made me waste about 4 hours checking the net and
rerunning several anti-spyware programs plus an Avast bootscan and normal
start-up virus scan.

I almost did a Multi-AV scan, too!
 

David H. Lipman

From: <[email protected]>

| It appears (from rechecking the Zone Alarm url's) that the
| yok.supersearch is not a trojan but adware and may be legit (but my
| computer had none of the yok.* files listed in the Zone Alarm forum other
| than the registry setting that Zone Alarm removed).
|
| The Backdoor.Win32.mIRC.based trojan was a false positive that Zone Alarm
| corrected with a future definition update.
|
| Just great - Zone Alarm made me waste about 4 hours checking the net and
| rerunning several anti-spyware programs plus an Avast bootscan and normal
| start-up virus scan.
|
| I almost did a Multi-AV scan, too!


Thanx for updating the thread.

Good Luck !
 

Virus Guy

Just great - Zone Alarm made me waste about 4 hours ...

As I've said before, software firewalls are a useless waste of time
and computer resources.

Get a NAT router (to act as an incoming firewall) and be done with
it. The incremental benefit of an outgoing software-firewall is
non-existent.

When are you people gonna learn that?
 

Ernie B.

As I've said before, software firewalls are a useless waste of time
and computer resources.

Get a NAT router (to act as an incoming firewall) and be done with
it. The incremental benefit of an outgoing software-firewall is
non-existent.

When are you people gonna learn that?
When things like Real Player quit trying to call home.
 

kurt wismer

Virus said:
As I've said before, software firewalls are a useless waste of time
and computer resources.

usually this is said because malware can (though it doesn't always
bother) disable the software firewall or find some other way to bypass it...

unfortunately that ignores the fact that a) not all malware does and b)
there's plenty of more or less legitimate software that tries to make
outgoing connections that i don't want it to make...
Get a NAT router (to act as an incoming firewall) and be done with
it. The incremental benefit of an outgoing software-firewall is
non-existent.

definitely agree about getting a nat router, but as above, not about
dumping the software firewall... at the very least the redundant system
is useful for fault tolerance ('hey my connection stopped working, maybe
the router's broken, i'll have to try connecting without it to see')...
also, some software firewalls include features that are outside the
scope of a firewall but are useful nonetheless (such as the
application launch whitelisting functionality in kerio)...
When are you people gonna learn that?

"you people"? probably not the best way to sway opinion...
 

bettersurfing

From: <[email protected]>

| It appears (from rechecking the Zone Alarm url's) that the
| yok.supersearch is not a trojan but adware and may be legit (but my
| computer had none of the yok.* files listed in the Zone Alarm forum
| other than the registry setting that Zone Alarm removed).
|
| The Backdoor.Win32.mIRC.based trojan was a false positive that Zone
| Alarm corrected with a future definition update.
|
| Just great - Zone Alarm made me waste about 4 hours checking the net
| and rerunning several anti-spyware programs plus an Avast bootscan
| and normal start-up virus scan.
|
| I almost did a Multi-AV scan, too!


Thanx for updating the thread.

Good Luck !

Actually, I do it not only for the benefit of future surfers, but for
myself, too. In the future, I'll be able to do Google newsgroup searches
and see the ZA threads.

I was amazed at how little there was on the net and in the newsgroups
regarding these two bits of spyware.

All the AV and anti-spyware companies (especially the one I use - Avast)
give precious little info on trojans and spyware. Sure they may block it
at the point of impact, but it would be nice to see what files or registry
strings they plant, so we could do a file or reg search just to be sure.
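The wish above, to check what a flagged registry key actually points to before trusting a quarantine, can be scripted. The following is an added example, not code from the thread or from any of the products named in it: a PowerShell triage script for the two keys ZoneAlarm reported, resolving the `.cha` extension to the program that registered it and listing what the Component Categories entry contains. The key paths are the ones quoted in the thread; the helper names and the assumption that HKLM (not a per-user HKCU\Software\Classes override) holds the association are mine.

```powershell
# Added triage example (not from the thread). Shows what the two registry
# keys ZoneAlarm flagged resolve to, so a registry-key detection can be
# compared with the program that owns the key before it is quarantined.
# Run in an elevated PowerShell on the affected machine; output is for a
# human to read, not an automatic verdict. Helper names are hypothetical.

$FlaggedKeys = @(
    'HKLM:\SOFTWARE\Classes\Component Categories\{00021494-0000-0000-C000-000000000046}',
    'HKLM:\SOFTWARE\Classes\.cha'
)

function Get-DefaultValue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # '(default)' is how PowerShell exposes a key's unnamed default value.
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Resolve-ExtensionOwner {
    # Follow an extension key (e.g. ...\Classes\.cha) to its ProgID, then to
    # shell\open\command, and report which executable claims the extension.
    param([string]$ExtKey)
    $progId = Get-DefaultValue $ExtKey
    if (-not $progId) { return 'no ProgID registered (nothing opens this extension)' }
    $cmd = Get-DefaultValue "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    if (-not $cmd) { return "ProgID '$progId' has no open command" }
    # Take the executable part of the command (quoted path or first token),
    # expand %ProgramFiles%-style variables and check the binary exists.
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    return "ProgID '$progId' -> $cmd (binary present: $(Test-Path -LiteralPath $exe))"
}

foreach ($key in $FlaggedKeys) {
    Write-Host "== $key"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Host '   key absent (already removed by the scanner, or never existed)'
        continue
    }
    if ((Split-Path -Leaf $key).StartsWith('.')) {
        Write-Host "   $(Resolve-ExtensionOwner $key)"
    } else {
        # Component Categories entries carry a locale-coded description
        # (value name 409 = US English); list it plus any other values/subkeys
        # so the entry can be compared with a known-clean Windows install.
        $item = Get-Item -LiteralPath $key
        Write-Host "   description (409): $($item.GetValue('409'))"
        Write-Host "   value names: $($item.GetValueNames() -join ', ')"
        Write-Host "   subkeys: $($item.GetSubKeyNames() -join ', ')"
    }
}
```

A `.cha` association that resolves to a binary you installed deliberately, or a category entry that matches a clean machine, is the evidence the thread was missing when it had to spend hours deciding whether the detections were real.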
 

bettersurfing

Virus Guy said:
Get a NAT router (to act as an incoming firewall) and be done with
it. The incremental benefit of an outgoing software-firewall is
none-existant.

When are you people gonna learn that?

My Netgear RP614v3 says it gives SPI and NAT protection and I don't see it
blocking the trojans and spyware that Avast or ZA catches.
 

bettersurfing

Yeah I've got it, thanks. I used Real Player as an infamous example,
there are others also.

like Windows Media Player doesn't?

We all use and recommend Media Player Classic instead with Real Alternative
and QT alternative, but do we really know the entire program structure?
 

Ernie B.

like Windows Media Player doesn't?
Sure it does, when I allow it to.
We all use and recommend Media Player Classic instead with Real Alternative
and QT alternative, but do we really know the entire program structure?
No. I have ZA set to 'ask' on everything except my web browsers, news and
mail clients and AV update. The object of the game is to be aware, and in
control, of what the computer is doing when it's on line.
 

Virus Guy

My Netgear RP614v3 says it gives SPI and NAT protection and I
don't see it blocking the trojans and spyware that Avast or ZA
catches.

Your software firewall won't "catch" it either when it first comes
into and installs itself on your system. And the nasty stuff, like
root kits, will bypass your firewall like it wasn't even there.

Where do you surf? Geeze, I never get fun stuff like that.

You must not use a hosts file, or adaware/spybot/spyware blaster, or
update your Java, or maybe you're still running XP-SP1 (or XP-gold).
 