
Thread: Win32.Askyaya found- Adware , Trojan or False Positive

  1. #1
    tamba Guest

    Win32.Askyaya found- Adware , Trojan or False Positive

    Hi

    I am hoping someone can help as I am very confused as to what to do next...

    My firewall is ZoneAlarm Security Suite (paid) and my antivirus protection is AVG Free.

    Today my ZA scanner found Win32.Askyaya, which it has labelled as a trojan.

    There is a long thread about this "Win32.Askyaya" in this forum, most of which seems to imply it's a false positive. In the last entry the person ran tests and gives details as to why they think it's a false positive, and ZA support was notified according to one of the entries (that was in Sept this year): http://forums.zonelabs.com/zonelabs/...message.id=298

    I am confused, now that we are in November, as to why this problem is still appearing...

    Am I right to believe it is a false positive, or do I have an infection and need to do something?

    Also, when I look up Askyaya on CounterSpy
    http://research.sunbelt-software.com...threatid=46373

    the info shows it is adware as opposed to a trojan.

    I look forward to your replies

    tamba1

    Operating System: Windows XP Pro
    Product Name: ZoneAlarm Internet Security Suite
    Software Version: 6.1

    Message Edited by tamba on 11-24-2006 03:58 AM

  2. #2
    Join Date: Dec 2005
    Posts: 9,057

    Re: Win32.Askyaya found- Adware , Trojan or False Positive

    Hi

    Using these results from the scan, I have this information.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}

    Using the "{A2B7A0F0-B697-4A71-8D91-43443F57D7BB}", I found this.

    http://www.castlecops.com/tk30113-estAlive_dll.html

    Using the two links given by CastleCops, I found these two>

    http://research.sunbelt-software.com...threatid=46373

    http://www3.ca.com/securityadvisor/p...x?id=453099221


    Using the Sunbelt info, the next step is to look for the files that are associated with their info>

    %appdata%\microsoft\iehelper\2225ask11.exe
    %appdata%\microsoft\iehelper\iehelper_4511.dll
    %program_files%\intern~1\hmapi.dll
    %program_files%\intern~1\ssl.dll
    %PROGRAM_FILES%\internet explorer\connection wizard\iccon.dll
    %PROGRAM_FILES%\internet explorer\hmapi.dll
    %PROGRAM_FILES%\internet explorer\ssl.dll
    %windows%\estalive.dll
    %windows%\ieyhelper.dll
    1079.exe
    C:\Documents and Settings\All Users\Application Data\Microsoft\IEHelper\IEHelper_5001.dll
    caefb6d0d11e54eb8c0fac6146d88ea6.DLL

    And using the CA info, the next step is to look for the files that are associated with their info>

    %profile%\application data\microsoft\iehelper\2225ask03.exe

    %windows%\ieyhelper.dll
    %windows%\estalive.dll
    %profile%\application data\microsoft\iehelper\iehelper_4663.dll

    2225ask03.exe
    estalive.dll
    iehelper_4663.dll
    %profile%\application data\microsoft\iehelper\2225ask03.exe
    %profile%\application data\microsoft\iehelper\iehelper_4663.dll
    %windows%\estalive.dll
    %windows%\ieyhelper.dll
    %windows%\sysskip.srg

    plus the registry keys>

    HKEY_CLASSES_ROOT\clsid\{16a770a0-0e87-4278-b748-2460d64a8386}
    HKEY_CLASSES_ROOT\clsid\{16a770a0-0e87-4278-b748-2460d64a8386}\inprocserver32
    HKEY_CLASSES_ROOT\clsid\{16a770a0-0e87-4278-b748-2460d64a8386}\inprocserver32 threadingmodel
    HKEY_CLASSES_ROOT\clsid\{16a770a0-0e87-4278-b748-2460d64a8386}\progid
    HKEY_CLASSES_ROOT\clsid\{16a770a0-0e87-4278-b748-2460d64a8386}\typelib
    HKEY_CLASSES_ROOT\clsid\{16a770a0-0e87-4278-b748-2460d64a8386}\versionindependentprogid
    HKEY_CLASSES_ROOT\clsid\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}
    HKEY_CLASSES_ROOT\clsid\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}\inprocserver32
    HKEY_CLASSES_ROOT\clsid\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}\inprocserver32 threadingmodel
    HKEY_CLASSES_ROOT\clsid\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}\progid
    HKEY_CLASSES_ROOT\clsid\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}\versionindependentprogid
    HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}
    HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}\inprocserver32
    HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}\inprocserver32 threadingmodel
    HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}\miscstatus
    HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}\miscstatus\1
    HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}\progid
    HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}\toolboxbitmap32
    HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}\typelib
    HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}\version
    HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}\versionindependentprogid
    HKEY_CLASSES_ROOT\estalive.estaliveobj
    HKEY_CLASSES_ROOT\estalive.estaliveobj.1
    HKEY_CLASSES_ROOT\estalive.estaliveobj.1\clsid
    HKEY_CLASSES_ROOT\estalive.estaliveobj\clsid
    HKEY_CLASSES_ROOT\estalive.estaliveobj\curver
    HKEY_CLASSES_ROOT\estalive.estinsobj
    HKEY_CLASSES_ROOT\estalive.estinsobj.1
    HKEY_CLASSES_ROOT\estalive.estinsobj.1\clsid
    HKEY_CLASSES_ROOT\estalive.estinsobj\clsid
    HKEY_CLASSES_ROOT\estalive.estinsobj\curver
    HKEY_CLASSES_ROOT\iehelper.myiehelper
    HKEY_CLASSES_ROOT\iehelper.myiehelper.1
    HKEY_CLASSES_ROOT\iehelper.myiehelper.1\clsid
    HKEY_CLASSES_ROOT\iehelper.myiehelper\clsid
    HKEY_CLASSES_ROOT\iehelper.myiehelper\curver
    HKEY_CLASSES_ROOT\interface\{3772bf4b-0bf0-4dbc-9ecf-7d624609fe23}
    HKEY_CLASSES_ROOT\interface\{3772bf4b-0bf0-4dbc-9ecf-7d624609fe23}\proxystubclsid
    HKEY_CLASSES_ROOT\interface\{3772bf4b-0bf0-4dbc-9ecf-7d624609fe23}\proxystubclsid32
    HKEY_CLASSES_ROOT\interface\{3772bf4b-0bf0-4dbc-9ecf-7d624609fe23}\typelib
    HKEY_CLASSES_ROOT\interface\{3772bf4b-0bf0-4dbc-9ecf-7d624609fe23}\typelib version
    HKEY_CLASSES_ROOT\interface\{a4bc2506-c00c-4d2e-b47f-0bb4c2c74ccf}
    HKEY_CLASSES_ROOT\interface\{a4bc2506-c00c-4d2e-b47f-0bb4c2c74ccf}\proxystubclsid
    HKEY_CLASSES_ROOT\interface\{a4bc2506-c00c-4d2e-b47f-0bb4c2c74ccf}\proxystubclsid32
    HKEY_CLASSES_ROOT\interface\{a4bc2506-c00c-4d2e-b47f-0bb4c2c74ccf}\typelib
    HKEY_CLASSES_ROOT\interface\{a4bc2506-c00c-4d2e-b47f-0bb4c2c74ccf}\typelib version
    HKEY_CLASSES_ROOT\interface\{eed86703-463c-41fe-8163-d44a778841b5}
    HKEY_CLASSES_ROOT\interface\{eed86703-463c-41fe-8163-d44a778841b5}\proxystubclsid
    HKEY_CLASSES_ROOT\interface\{eed86703-463c-41fe-8163-d44a778841b5}\proxystubclsid32
    HKEY_CLASSES_ROOT\interface\{eed86703-463c-41fe-8163-d44a778841b5}\typelib
    HKEY_CLASSES_ROOT\interface\{eed86703-463c-41fe-8163-d44a778841b5}\typelib version
    HKEY_CLASSES_ROOT\typelib\{2511de40-34a3-4c6a-b1b2-c5c92a2f00be}
    HKEY_CLASSES_ROOT\typelib\{2511de40-34a3-4c6a-b1b2-c5c92a2f00be}\1.0
    HKEY_CLASSES_ROOT\typelib\{2511de40-34a3-4c6a-b1b2-c5c92a2f00be}\1.0\0
    HKEY_CLASSES_ROOT\typelib\{2511de40-34a3-4c6a-b1b2-c5c92a2f00be}\1.0\0\win32
    HKEY_CLASSES_ROOT\typelib\{2511de40-34a3-4c6a-b1b2-c5c92a2f00be}\1.0\flags
    HKEY_CLASSES_ROOT\typelib\{2511de40-34a3-4c6a-b1b2-c5c92a2f00be}\1.0\helpdir
    HKEY_CLASSES_ROOT\typelib\{668a536f-359d-4699-9c2b-2c70893e1a8c}
    HKEY_CLASSES_ROOT\typelib\{668a536f-359d-4699-9c2b-2c70893e1a8c}\1.0
    HKEY_CLASSES_ROOT\typelib\{668a536f-359d-4699-9c2b-2c70893e1a8c}\1.0\0
    HKEY_CLASSES_ROOT\typelib\{668a536f-359d-4699-9c2b-2c70893e1a8c}\1.0\0\win32
    HKEY_CLASSES_ROOT\typelib\{668a536f-359d-4699-9c2b-2c70893e1a8c}\1.0\flags
    HKEY_CLASSES_ROOT\typelib\{668a536f-359d-4699-9c2b-2c70893e1a8c}\1.0\helpdir
    HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\activex compatibility\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}
    HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\activex compatibility\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb} compatibility flags
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects {a2b7a0f0-b697-4a71-8d91-43443f57d7bb}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{16a770a0-0e87-4278-b748-2460d64a8386}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}


    If there is no trace of any of the files and registry keys listed in the Sunbelt and CA pages, then I would assume that Askyaya is a false positive.


    To give some assurance, I would suggest some free online scans. Use IE and go to>

    http://www.bitdefender.com/scan8/ie.html

    http://www.ewido.net/en/onlinescan/

    http://housecall.trendmicro.com/

    http://www.trendmicro.com/spyware-scan/

    If you would like to, use the freeware CCleaner for some file/registry cleaning>

    http://www.majorgeeks.com/CCleaner_S...ish_d4191.html

    If this is a false positive, then the best thing is to report this to Zone Labs>

    http://www.zonelabs.com/store/conten...are_report.jsp

    Take care and have a nice Thanksgiving.

    Oldsod
    Best regards.
    oldsod
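    The check oldsod describes above (look for every file and registry key from the Sunbelt and CA write-ups; no trace means the alert is most likely a false positive) can be scripted so the result is a single yes/no report instead of a manual hunt. The script below is an added example for this thread, not code from ZoneAlarm, Sunbelt or CA. It assumes PowerShell has been installed on the XP machine (it is not there by default), that CA's "%profile%\application data" is the same directory as %APPDATA% on XP, and that "%program_files%\intern~1" is the short name of the "internet explorer" folder, so the long-name entries already cover it. The vendor entries such as "inprocserver32 threadingmodel" and "compatibility flags" are value names inside the listed keys, so testing the keys covers them. It is read-only: it reports what it finds and deletes nothing.

```powershell
# Added example: report whether the Askyaya artifacts listed in this thread exist
# on this machine. Read-only. Assumption: PowerShell present on Windows XP.

# Full paths from the Sunbelt and CA write-ups, with the vendors' placeholders
# resolved against this machine's environment variables.
$filePaths = @(
    (Join-Path $env:APPDATA 'microsoft\iehelper\2225ask11.exe'),
    (Join-Path $env:APPDATA 'microsoft\iehelper\iehelper_4511.dll'),
    (Join-Path $env:APPDATA 'microsoft\iehelper\2225ask03.exe'),        # CA: %profile%\application data (assumed = %APPDATA% on XP)
    (Join-Path $env:APPDATA 'microsoft\iehelper\iehelper_4663.dll'),
    (Join-Path $env:ProgramFiles 'internet explorer\connection wizard\iccon.dll'),
    (Join-Path $env:ProgramFiles 'internet explorer\hmapi.dll'),        # also listed as intern~1\hmapi.dll
    (Join-Path $env:ProgramFiles 'internet explorer\ssl.dll'),          # also listed as intern~1\ssl.dll
    (Join-Path $env:windir 'estalive.dll'),
    (Join-Path $env:windir 'ieyhelper.dll'),
    (Join-Path $env:windir 'sysskip.srg'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\IEHelper\IEHelper_5001.dll')
)

# Names the write-ups give without a directory: search the usual drop locations.
$looseNames  = @('1079.exe', 'caefb6d0d11e54eb8c0fac6146d88ea6.DLL',
                 '2225ask03.exe', 'estalive.dll', 'iehelper_4663.dll')
$searchRoots = @($env:APPDATA, $env:windir, $env:ProgramFiles)

# Top-level registry keys from the CA list; subkeys and value names hang off these.
$regKeys = @(
    'HKEY_CLASSES_ROOT\clsid\{16a770a0-0e87-4278-b748-2460d64a8386}',
    'HKEY_CLASSES_ROOT\clsid\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}',
    'HKEY_CLASSES_ROOT\clsid\{a927c078-e82f-471b-83f5-3d1504f7d01b}',
    'HKEY_CLASSES_ROOT\estalive.estaliveobj',
    'HKEY_CLASSES_ROOT\estalive.estaliveobj.1',
    'HKEY_CLASSES_ROOT\estalive.estinsobj',
    'HKEY_CLASSES_ROOT\estalive.estinsobj.1',
    'HKEY_CLASSES_ROOT\iehelper.myiehelper',
    'HKEY_CLASSES_ROOT\iehelper.myiehelper.1',
    'HKEY_CLASSES_ROOT\interface\{3772bf4b-0bf0-4dbc-9ecf-7d624609fe23}',
    'HKEY_CLASSES_ROOT\interface\{a4bc2506-c00c-4d2e-b47f-0bb4c2c74ccf}',
    'HKEY_CLASSES_ROOT\interface\{eed86703-463c-41fe-8163-d44a778841b5}',
    'HKEY_CLASSES_ROOT\typelib\{2511de40-34a3-4c6a-b1b2-c5c92a2f00be}',
    'HKEY_CLASSES_ROOT\typelib\{668a536f-359d-4699-9c2b-2c70893e1a8c}',
    'HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\activex compatibility\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}',
    'HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{16a770a0-0e87-4278-b748-2460d64a8386}',
    'HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{a2b7a0f0-b697-4a71-8d91-43443f57d7bb}'
)

$hits = @()

# 1. Exact paths.
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $hits += "FILE  $p" }
}

# 2. Bare file names, searched recursively under the common drop locations.
foreach ($name in $looseNames) {
    foreach ($root in $searchRoots) {
        Get-ChildItem -Path $root -Recurse -Filter $name -ErrorAction SilentlyContinue |
            ForEach-Object { $hits += "FILE  $($_.FullName)" }
    }
}

# 3. Registry keys (the Registry:: provider path lets Test-Path check any hive).
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath "Registry::$k") { $hits += "REG   $k" }
}

if ($hits.Count -eq 0) {
    Write-Output 'No trace of the Askyaya files or registry keys: consistent with a false positive.'
} else {
    Write-Output 'Askyaya artifacts present (confirm with a second scanner before removing anything):'
    $hits | Sort-Object -Unique | ForEach-Object { Write-Output "  $_" }
}
```

    Run it from a normal PowerShell prompt on the affected machine; an empty result is the "no trace" outcome oldsod describes, while any FILE or REG line is something a second scanner should confirm before anything is deleted. The recursive search under %windir% is the slow part and can be dropped if the exact-path checks are enough.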

  3. #3
    tamba Guest

    Re: Win32.Askyaya found- Adware , Trojan or False Positive

    Hi Oldsod

    WOW, thanks so much for taking the time to look it up and provide all that info. Now I have some more investigating to do and scans to run...

    Re reporting a false positive to the ZA team, I was under the impression this had been done some time ago, which is why I was surprised to see the same problem cropping up several months later...

    I have not had too many encounters with false positives, but ironically this week, having sought advice, it turned out I might have one with a Dr.Web CureIt scanner result. I reported it to them, sent them the "suspicious file", and they confirmed it was a false positive and updated their scanner. Ran the scan again and the file was not found :-)

    Am I being naive in thinking that ZA labs would not have done the same when the Askyaya problem was reported a while back?

    Once again thanks for your help

    Hope you had a great Thanksgiving too
    tamba
