Thread: False Positives?

  1. #1
    john_the_fast Guest

False Positives?

    Hey everyone....
I did a definition update and this is what ZoneAlarm tells me I have.
If I quarantine these files, the Winlogon registry entry gets deleted and Windows has problems logging me in and out.
My question is: are these false positives, or is my version of ZoneAlarm unsupported?
    Zonealarm version - 8.0.298..035
    True Vector Version - ^ same as above.
    Driver Version - ^
    Anti virus engine -
    Anti Spyware engine -
    OS - XP PRO SP3 . all windows updates installed.

Trojan 1 - win32.worm.socks.BY
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005

    Trojan 2 - win32.worm.socks.BW
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

    Trojan 3 -
    File: C:\Program Files\K-Lite Codec Pack\Filters\
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\
    File: C:\Program Files\K-Lite Codec Pack\Filters\
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\
    File: C:\Program Files\K-Lite Codec Pack\Filters\
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\
    Directory: C:\Program Files\K-Lite Codec Pack\Filters

    Trojan 4 -
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0003\DigitalAudio
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\VideoSettings
    RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\ActiveLatchSet
    RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

    Trojan 5 - win32.1sass
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0006
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0007
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0006
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0007
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BITS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Enum
Directory: C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5
Directory: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum

Trojan 6 - Can't remember the location.

    Any comments or solutions appreciated...
    Last edited by GeorgeV; May 26th, 2010 at 03:38 AM.
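The question in the post above is which of the flagged items are safe to quarantine. An added triage helper (not from the thread or from ZoneAlarm) that parses the detection listing in the layout quoted above and counts, per detection, how many entries sit inside registry areas Windows itself owns, where deleting the key alters or breaks the OS (the post reports logon trouble after the Winlogon entry was removed) rather than removing anything malicious. The sample report is constructed from entries in the post, and the OS_OWNED list is this example's own assumption.

```python
import re

# Constructed sample: a few of the detections quoted in the post above, in the
# same "Trojan N - name" / "RegistryKey:|File:|Directory:" layout.
REPORT = r"""Trojan 2 - win32.worm.socks.BW
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
Trojan 3 -
File: C:\Program Files\K-Lite Codec Pack\Filters\
Directory: C:\Program Files\K-Lite Codec Pack\Filters
Trojan 5 - win32.1sass
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Enum
Directory: C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5
"""

# Registry areas Windows itself owns (logon UI, Schannel cipher config, the BITS
# service, device-class keys): quarantining them changes or breaks OS behaviour
# instead of removing malware. Assumption: our own triage list, not ZoneAlarm's.
OS_OWNED = ("\\winlogon\\", "\\securityproviders\\schannel\\",
            "\\services\\bits\\", "\\control\\class\\{")
HEADER = re.compile(r"^Trojan\s+(\d+)\s*-\s*(.*)$", re.I)
ENTRY = re.compile(r"^(RegistryKey|File|Directory):\s*(.+)$")

def parse_report(text):
    """Group RegistryKey/File/Directory lines under their 'Trojan N - name' header."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER.match(line)
        if h:
            current = int(h.group(1))
            groups[current] = {"name": h.group(2).strip() or "<unnamed>", "entries": []}
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            groups[current]["entries"].append((e.group(1), e.group(2)))
    return groups

def os_owned(path):
    # Case-insensitive substring match against the OS-owned registry areas above.
    p = path.lower()
    return any(marker in p for marker in OS_OWNED)

def triage(text):
    """Map detection number -> (name, total entries, entries unsafe to quarantine)."""
    result = {}
    for num, det in parse_report(text).items():
        unsafe = sum(1 for _, path in det["entries"] if os_owned(path))
        result[num] = (det["name"], len(det["entries"]), unsafe)
    return result
```

Entries with a non-zero "unsafe" count are the ones to export with reg.exe before letting the scanner touch them, so the key can be restored if logon or TLS breaks afterwards.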

  2. #2
    Join Date
    Nov 2004

Re: False Positives?

Update to the latest version of ZA and check again. ZA 8 is not supported anymore; moreover, its antispyware engine has been phased out and replaced in ZA 9.


    Click here for ZA Support
    Monday-Saturday 24x6 Pacific time
    Closed Sundays and Holidays

  3. #3
    john_the_fast Guest

Re: False Positives?

Yeah.. I asked the live tech support and was told that it is no longer supported and the issue will not be fixed unless I update.

    Thanks for the help.
(The one that deletes the Windows logon registry entry is a pain in the backside.)

  4. #4
    Join Date
    Dec 2002
    San Carlos, California

Re: False Positives?


Even though Anti-Spyware in version 8.x and below is no longer supported, we reported this issue to Development.

    We don't know if it will get fixed or not.

    If you have a valid paid subscription you can upgrade to 9.x free of charge and then you will have a supported AV and AS package.

FYI, 9.x users didn't have this false positive occur in the new AV/AS engine.

    Forum Moderator
    Click here for ZA Support
Monday-Saturday 24x6
    Closed Sundays and Holidays PST

  5. #5
    john_the_fast Guest

Re: False Positives?

Ah hey.
Five of the false positives got fixed overnight. Go ZoneAlarm customer support...

Unfortunately 2 false positives are left on my system.. one of them new.

    File: C:\Documents and Settings\Adam\Local Settings\Temp\nslB4.tmp\LangDLL.dll
    File: C:\Program Files\K-Lite Codec Pack\Filters\
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\
    File: C:\Program Files\K-Lite Codec Pack\Filters\
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\
    File: C:\Program Files\K-Lite Codec Pack\Filters\
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\
    Directory: C:\Program Files\K-Lite Codec Pack\Filters

Scanned both 'trojans' with VirusTotal and both are completely clean, not even one 'paranoid hit'.

    Thanks for your time.
    Last edited by john_the_fast; May 26th, 2010 at 05:25 PM.

