Thread: I have a virus/spyware Zonealarm Internet Security can't find it.

  1. #1
    rbl Guest

    Default I have a virus/spyware Zonealarm Internet Security can't find it.

    To be fair Zonealarm's Internet Security was turned off when the virus arrived via a MSN link.
    Within minutes, if not seconds of its arrival the LAN cable was pulled (physically) to ensure minimum effects of the rest of the LAN and prevent information being removed from the PC.
    The symptoms are:
      • A program %windows%\system32\vwklerax\lsass.exe tries to access the internet each time the pc starts (ZASS asks if it should). This program is 75 Kbytes long as opposed to %windows%\system32\lsass.exe which is 13 Kbytes long.
      • The %windows%\system32\drivers\etc\hosts file has been raided and all access to anti-virus web sites has been blocked.
      • Zonelabs Internet Security's "Load ZoneAlarm Security Suite at startup" becomes unchecked so that next time I boot no protection is given.
      • Windows Explorer options to show hidden and system files become switched off so that you can't see the rogue folder vwklerax or the rogue lsass.exe (not even with a search for hidden files and folders).

    BUT when I run a byte scan of the whole disk and even the rogue lsass.exe file ZASS does not complain.

    Is this a new virus or doesn't ZASS work?

    Any suggestions?




    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.5
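
Two of the symptoms listed in the first post (a second lsass.exe in a sub-folder of system32, and a hosts file with added entries for anti-virus sites) can be checked mechanically. The script below is an added example, not part of the original thread; the file listing, the hosts content, the `.example` domains and the list of protected process names are constructed assumptions.

```python
import ntpath

# Assumed list of Windows system process names that malware commonly imitates.
PROTECTED_NAMES = {"lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "svchost.exe"}


def masquerading_binaries(paths, system_dir=r"C:\WINDOWS\system32"):
    """Return paths that carry a protected system file name but do not sit
    directly in the system directory (case and slash style are ignored)."""
    expected = ntpath.normcase(ntpath.normpath(system_dir))
    hits = []
    for p in paths:
        folder, name = ntpath.split(ntpath.normcase(ntpath.normpath(p)))
        if name in PROTECTED_NAMES and folder != expected:
            hits.append(p)
    return hits


def unexpected_hosts_entries(hosts_text, allowed=("localhost",)):
    """Return (address, hostname) pairs from hosts-file text that are not allowlisted."""
    allowed_set = {h.lower() for h in allowed}
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        hits.extend((address, n.lower()) for n in names if n.lower() not in allowed_set)
    return hits


# Constructed sample data modelled on the symptoms described in the post.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\vwklerax\lsass.exe",
    r"c:\windows\SYSTEM32\svchost.exe",
]
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1   localhost
127.0.0.1   www.av-vendor.example  update.av-vendor.example
127.0.0.1   scan.other-av.example   # redirected to loopback
"""

if __name__ == "__main__":
    for p in masquerading_binaries(SAMPLE_PATHS):
        print("masquerading binary:", p)
    for addr, host in unexpected_hosts_entries(SAMPLE_HOSTS):
        print("hosts override:", host, "->", addr)
```

On a real machine the path list would come from a directory walk or a process listing, and the hosts text from %windows%\system32\drivers\etc\hosts, read from a clean boot environment so that hidden files are visible.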

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,289

    Default Re: I have a virus/spyware Zonealarm Internet Security can't find it.

    Hi!

    First of all, you are still using an old version of ZASS; you should update it to 7 (new powerful AV/AS has been implemented).
    But before that you should get rid of the virus...

    Try first with the free Dr.Web cure it: http://www.freedrweb.com/
    You have to run it in SAFE MODE as follows:
    1. Disable system restore;
    2. Reboot in SAFE MODE
    3. Run Dr. Web cure it
    4. Reboot in Normal Mode
    5. Enable System restore

    If the above fails you may want to try Ewido online scan at: http://www.ewido.net/en/onlinescan/
    and also download, update and scan with superantispyware FREE: http://www.superantispyware.com/download.html

    Next remove ZASS 6.5 (keep note of your license).
    To clean uninstall you need to follow this procedure: http://www2.nohold.net/noHoldCust542...n_install.html
    Run a registry/system cleaner. ccleaner is quite a good utility (http://www.ccleaner.com/download/downloadpage.aspx?f=3)
    Re-download the installer from here (and do NOT use any download managers): http://www.zonelabs.com/zasuitedownload/
    Install with default settings, do not alter them....
    Once rebooted, manually update the antivirus/antispyware signature ('update now' under the antivirus/antispyware tab).
    After the update perform a full antivirus/antispyware scan.

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    rbl Guest

    Default Re: I have a virus/spyware Zonealarm Internet Security can't find it.

    Hello Fax
    Thanks for the advice.
    Do you know the name of the virus that I've got?
    Does your solution require the infected PC to have access to the internet?
    I'm reluctant to reconnect the PC in case it passes personal data to its masters or infects some of my contacts' PCs.
    I note that you suggest using non-ZA products to cure my problem which raises questions in my mind. (e.g. If ZASS can't see it and ZASS can't remove it, would it have stopped it if it had been switched on when it arrived?)
    Having been a ZA advocate for many years this is probably the end.
    The license for the PC on which the infection has arrived is due to run out in 7 days and unless things look better than they do right now I probably won't renew it or the other 4 PCs I have for my work.
    Therefore, I may use this "real virus" to test the abilities of the competition.
    It's late here in the UK so I'll have another go with what you suggest tomorrow.

  4. #4

    Default Re: I have a virus/spyware Zonealarm Internet Security can't find it.

    Hi!

    Well, protecting from viruses is different than cleaning. You should not have disabled ZASS.
    Please also update to ZASS 7. It has a new AV/AS engine by Kaspersky. One of the best on the market right now.
    Yes, you need internet access to download Dr.Web, you could use another PC.
    We are all users here, no ZA staff is monitoring this board. If you would like to change your product you can do it... up to you.
    Please come back with your results....

    Cheers,
    Fax


  5. #5
    rbl Guest

    Default Re: I have a virus/spyware Zonealarm Internet Security can't find it.

    Hello Fax
    This is the first ever virus infection on one of my PCs (I've been using PCs since before viruses had met PCs), so I don't want to let this one go until I have gotten the most out of it.
    My intention is to erase the infected PC's hard disk and re-install everything but only after I have used this infection to decide on what protection I will trust in the future.
    I have copied the rogue lsass.exe onto a floppy and put the floppy into a PC running ZASS 6.1 and scanned it but nothing was found.
    So I did the same on a PC running F-Secure and it found the trojan win32.vb.bbd.
    As an aside, the infected PC has started running a new program (Mac Cool) for which ZASS (6.5) asks whether I want to allow access to the internet.
    I think my next move will be to either do a clean uninstall of ZASS 6.5 from the infected PC and install ZASS 7 to see if it finds the trojan, or I will set up ZASS 7 on a clean PC and see if it sees the trojan on the floppy.
    I'll try to keep this thread updated while I am playing.
    All the best


  6. #6

    Default Re: I have a virus/spyware Zonealarm Internet Security can't find it.

    Hi!

    You can simply upload the file to www.virustotal.com and see if Kaspersky will detect it (ZASS engine)...
    By the way F-Secure also uses Kaspersky engine... so, it should detect the same.
    ZASS 6.X uses CA engine, very weak on trojans and spyware.

    Cheers,
    Fax


  7. #7
    rbl Guest

    Default Re: I have a virus/spyware Zonealarm Internet Security can't find it.

    Hi Fax
    I have loaded ZASS 7 onto a clean PC and scanned the floppy disk with the rogue lsass.exe on it and, yes, you guessed it, ZASS 7 found it.
    This leaves me with a decision to make.
    ZASS 7 won't allow my PCs to access Netgear's SC101 network storage (used for daily backups) but is obviously better than ZASS 6.1 !!!
    So either I give up on Netgear's SC101 or Zone Labs!!!!
    All the best



  8. #8

    Default Re: I have a virus/spyware Zonealarm Internet Security can't find it.


    RBL wrote:
    > Hi Fax
    > I have loaded ZASS 7 onto a clean PC and scanned the floppy disk with the rogue lsass.exe on it and, yes, you guessed it, ZASS 7 found it.
    > This leaves me with a decision to make.
    > ZASS 7 won't allow my PCs to access Netgear's SC101 network storage (used for daily backups) but is obviously better than ZASS 6.1 !!!
    > So either I give up on Netgear's SC101 or Zone Labs!!!!
    > All the best

    Hi!

    Did you try to contact ZA technical support on Netgear's SC101 network storage?
    ZA technical support: www.zonelabs.com/tsform
    Also you could try to create an expert rule for allowing UDP port 20001 (firewall)

    Fax


    Message Edited by fax on 06-10-2007 09:16 AM


  9. #9
    rbl Guest

    Default Re: I have a virus/spyware Zonealarm Internet Security can't find it.

    Hello Fax
    I know it is tempting fate but I thought I should let you know what I have achieved today.
    I took the brave decision to try ZASS 7 one more time before I gave up.
    I loaded ZASS 7 AND it allowed me to use my Netgear SC101.
    I don't know if this is something to do with the latest ZASS 7 (7.0.337.000) or how I un-installed version 6.1 of ZASS.
    I think it must be the latest version because I had previously tried ZASS 7 on a different clean PC (no previous installs of anything much except drivers) and it hadn't worked.
    If I can use the SC101 and ZASS I will be a happy bunny but I will have to wait for a few days before I can be really confident.
    Thanks for your help.
    p.s. I shall update the following link with how I un-installed ZASS 6.1 and installed ZASS 7 since it is where I have been talking about the SC101
    http://forums.zonealarm.com/zonelabs...ssage.id=39407
    Thanks again, All the best

  10. #10

    Default Re: I have a virus/spyware Zonealarm Internet Security can't find it.

    You're welcome! (though didn't do anything...)
    Glad to hear it finally works.

    Cheers,
    Fax

