The latest ZAP 61_737_000 is a nice piece of work and I've felt more confident with it than with other Windows firewalls, except, perhaps, the now-defunct kerio-pf-2.1.5.

But recently a problem has surfaced that I'm forced to believe must be associated with a corrupted ZA installation package. The CAUSE of that corruption is a big question mark. Did it come in that way?

Recently, after updating to the 61_737_000 version of ZA and downloading Windows updates I began experiencing difficulties at log out. Each time I clicked to log out of a user account a ZAP-generated window appeared advising that an 'end program' was being initiated. Now, why in the world would ZoneAlarm need to run an end program? Isn't that the job of Task Manager? It never specified WHAT, if any, program was hanging. From my perspective ALL PROGRAMS were closed and the work saved. (??)

As well, in the non-admin account a Notepad window was appearing at login, bearing a couple lines of script. What it boiled down to was the Windows shell script for Desktop. After trying repeatedly to find a way to prevent the window from loading, I gave up.

It also came to my attention that the end program action resulted in restoration of all PREVIOUS settings in Firefox and the ZAP Programs list back to original default. That wiped out all entries made since each session's start, so that with each login I was having to reset Firefox as default browser and restore all bookmarks! That's a nell of a hote.

I ran anti-spyware scans in ZA and Ad-Aware, but they came up with nothing; and I was unable to nail any bad entries in the registry, including Commonname, which, rest assured, has been fully cleaned via manual techniques. CN isn't coming back if I can help it.

So, what the heck was causing ZoneAlarm to run end program scripts at every logout?

I have a recent version of CWShredder (on CD) so I ran a scan in Clean Boot (Safe Boot) mode with that (I tried it in Windows but it was unable to find anything) -- and it "removed" one example of CWS.MsConfig (or so it claimed). Since CWShredder neither offers information as to the name of the infected folder nor its location, there's little choice but to take the author's word. Wouldn't it be nice if programs that actually FIND SPYWARE provided info on CLSIDs and location of hidden components? Ad-Aware does all that stuff. It just seldom finds anything (in my computers).

Then, after restoring standard boot options in the msconfig utility I did a restart and logged back into the admin account, then logged back out again. Same thing; ZoneAlarm still ran the end program action. Grrrr.

I then uninstalled and reinstalled ZAP 61_737_000 after running a search for and deleting all previous entries, both in Windows and the registry. It was a clean install as opposed to an upgrade. Still, NO CHANGE!

I'd suspected this was coming but just didn't want to accept it, especially after all the time spent at dialup speed downloading the 10 some-odd MBs of the new version. But drastic consequences call for drastic measures, LOL, as the White House dictator asserts in his plethora of lies; so I uninstalled ZoneAlarm a second time; again searched for and removed all previous entries; deleted the installer package where it was stored in My Documents and reinstalled the most previous version (stored on CD), ZAP 60_667_000.

Sunny beaches! Now everything works like a charm once again. Gone is the 'end program' nuisance at every login, along with the consequent loss of all settings. But will it stay that way??

What went wrong? Why does the previous ZA work where the newer and supposedly more stable version seems fraught with problems? Will the old version soon get whammied by whatever hit its successor? For a while, the new version worked just fine; then after downloading a gaggle of critical security updates from Microsoft my 'end program' fun and games began.

Could Microsoft be incorporating code in one or more recent updates that causes such anomalies? Or did someone manage to hack into my system during the long download sequence from Windows Update and inject the ZAP 61_737_000 package with bad medicine?

I guess I'll never know; but it HAS happened B4.

Yet one thing is certain... The WinXP Hm Ed media my system is installed from... a CD that I'd ordered recently from the Microsoft Replacement Center to supersede an OEM/bundled predecessor that's infected with Commonname... places the latter on the drive even better, LOL, than the CD it was to replace. So, seeing as how there is such deep-pockets hanky panky going on at Microsoft in the way those boys and girls are playing fast and loose with OUR PRIVACY... could it be that unca Billy would stoop low enough to incorporate a CWS component? -- Because no matter how often I reinstall Windows, CWShredder always seems to detect (each time I scan from Clean Boot mode)... an instance of CWS.MSConfig. This informs that CWShredder is not really doing the trick as far as removal; it's merely playing around, deleting, perhaps, a registry entry that gets restored at next startup.

Opening programs like CWShredder for inspection in Macintosh is easy; but the problem is that everything's in the parent software company's assembly language, in pre-execution state. You can't determine WHAT is going to be installed from assembly gibberish without special equipment. Besides, when a Windows executable is opened in a non-standard format like Unix there are so many aberrations when the code attempts to execute that it's impossible to determine if spyware is set to install.

Not so with Microsoft install media. All the APIs and other installation files; .DLLs; .INFs and .SIFs etc., are present as separate units containing tell-tale CLSIDs, and can be opened to fully reveal contents. That was how I first got proof that Microsoft Corporation was operating a gigantic scam in the Commonname department, shipping infected replacement media out of the Ohio factory. All who report lost or damaged (or, as in my case... infected) OEM/bundled media and request replacement will receive media infected with the CN parasite. On a positive note, it's free. Such a deal.

To determine if YOUR media is infected, place the CD in the CD-Rom and go to Windows Search. Enable advanced options and type this CLSID into the BOTTOM box: {00000000-0000-0000-0000-000000000000}. Make sure you set the search parameter for CD-ROM, whatever that drive letter happens to be. In SP2 versions of Windows there will be 10 files that install CN to your drive. In SP1 versions, nine. Allow at least 5 minutes for the search, possibly more. Quite often the results you dread will come at the last minute. It's like the old saw about lost things always turning up in the last place you look. Give the scan a chance.

Have you ever seen a list of CWS CLSIDs? Have you ever been able to find even ONE confirmed CLSID for CWS? I've seen lots of posted 'maybes' -- but not one single sure thing. Why do you suppose that is? $$. Who posts the maybes? Ans.: people like you and me. Who's NOT POSTING sure things? Ans.: Those who provide the market with spyware and spyware removers. Again, itz the $$. Good cop; bad cop. Capone's old racket with a new cybertwist.

But back to the chase... with all ZA anti-spyware and Ad-Aware SE scans coming up clean I begin to realize that circumstances have actually changed very little in Windoz-world since B4 SP1. Yeah. The spyware removers still don't work. Or, would it be more correct to say that CWS still does?

In addition, I've read the literature posted at Computer Associates' site regarding location and identification of various CWS versions, and have manually searched where and for what the information specifies, with NO RESULTS! Why, then, is CWShredder 'finding' something, if 'something' is not there?

Could my machine be infected with a version of CWS that escapes detection (wouldn't be the first time for that...) and that is capable of penetrating and corrupting installer packages?

Admittedly, following the most recent format job I went back on my own policy, failing to armor-coat a ZAP 61_737_000 package saved for the proverbial rainy day; usually I stash valuables within .zip archives, but hadn't done so this go-around. From what I know of CWS a .zip shell probably wouldn't have prevented penetration; yet zipping packages B4 storing them in Windows does provide an additional layer of protection, just as a warm outer shell provides you and me protection when we go outside.

Last night I downloaded a new copy of ZAP 61_737_000, which, haha, I may or may not use to upgrade the old version again. :-) Once burned, twice shy.

And then, too, in my trusty CD case there's still a copy of Kerio's old and best firewall to fall back on, the 2.1.5. Hmm.

I would appreciate any comments.

BTW, fight shy of East-Tec Eraser. It's spyware and I can prove it.

SS