
Thread: False Positives?

#1 john_the_fast (Guest)

    False Positives?

    Hey everyone....
    I did a definition update and this is what Zone Alarm tells me I have.
    If I quarantine these files, the Winlogon registry entry gets deleted and Windows has problems logging me in and out.
    My question is: are these false positives, or is my version of Zone Alarm unsupported?
    Zonealarm version - 8.0.298..035
    True Vector Version - ^ same as above.
    Driver Version - ^
    Anti virus engine - 6.0.2.678
    Anti Spyware engine - 5.0.209.0
    OS - XP PRO SP3 . all windows updates installed.

    trojan 1 - win32.worm.socks.BY
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005

    Trojan 2 - win32.worm.socks.BW
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

    Trojan 3 - win32.download.fraud.load.gkh
    File: C:\Program Files\K-Lite Codec Pack\Filters\vp7dec.ax
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\vp7dec.ax
    File: C:\Program Files\K-Lite Codec Pack\Filters\CoreVorbis.ax
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\CoreVorbis.ax
    File: C:\Program Files\K-Lite Codec Pack\Filters\DCBassSource.ax
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\DCBassSource.ax
    Directory: C:\Program Files\K-Lite Codec Pack\Filters

    Trojan 4 - win32.a-ymoj.mail15.su
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0003\DigitalAudio
    RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\VideoSettings
    RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\ActiveLatchSet
    RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

    Trojan 5 - win32.1sass
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0006
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0007
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0006
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0007
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BITS
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Enum
    Directory: C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5
    Directory: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
    RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum

    6. win32.services - Can't remember location.


    Any comments or solutions appreciated...
    Thanks
    John
    Last edited by GeorgeV; May 26th, 2010 at 03:38 AM.

#2 (Join Date: Nov 2004 | Location: localhost | Posts: 17,289)

    Re: False Positives?

    Hi!
    Update to the latest version of ZA and check again. ZA 8 is not supported anymore; moreover, its antispyware engine has been phased out and replaced in ZA 9.

    Cheers,
    Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

#3 john_the_fast (Guest)

    Re: False Positives?

    Yeah... I asked the live tech support and got told that it is no longer supported and will not have the issue fixed unless I update.

    Thanks for the help.
    (That one that deletes the Windows logon registry entry is a pain in the backside.)
    John

#4 (Join Date: Dec 2002 | Location: San Carlos, California | Posts: 1,636)

    Re: False Positives?

    Hello,

    Even though Anti-Spyware in version 8.x and below is no longer supported we reported this issue to Development.

    We don't know if it will get fixed or not.

    If you have a valid paid subscription you can upgrade to 9.x free of charge and then you will have a supported AV and AS package.

    FYI 9.x users didn't have this false positive occur in the new AV/AS engine.


    Forum Moderator

#5 john_the_fast (Guest)

    Re: False Positives?

    Ah hey.
    5 of the false positives got fixed overnight. Go Zone Alarm customer support...

    Unfortunately, 2 false positives are left on my system, one of them new:

    File: C:\Documents and Settings\Adam\Local Settings\Temp\nslB4.tmp\LangDLL.dll
    win32.adware.flvdirect.a
    and
    win32.downloader.fraudload.gkh
    File: C:\Program Files\K-Lite Codec Pack\Filters\vp7dec.ax
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\vp7dec.ax
    File: C:\Program Files\K-Lite Codec Pack\Filters\CoreVorbis.ax
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\CoreVorbis.ax
    File: C:\Program Files\K-Lite Codec Pack\Filters\DCBassSource.ax
    File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\DCBassSource.ax
    Directory: C:\Program Files\K-Lite Codec Pack\Filters

    Scanned both 'trojans' with VirusTotal and both are completely clean, not even one 'paranoid hit':
    http://www.virustotal.com/analisis/2...ac0-1274922778
    http://www.virustotal.com/analisis/1...b9c-1274923039
    http://www.virustotal.com/analisis/d...c35-1274923076
    http://www.virustotal.com/analisis/d...96d-1274923060

    Thanks for your time.
    John
    Last edited by john_the_fast; May 26th, 2010 at 05:25 PM.
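The check John describes in post #5 (hashing the flagged files and looking the hashes up on a multi-engine service) plus a first pass over the registry keys from post #1 can be scripted. The block below is an added example written for this thread; it is not code from the thread, from ZoneAlarm or from VirusTotal. The sample report is constructed from a cut-down subset of post #1's listing with the forum's inserted spaces removed; the table of "OS configuration" registry locations is the editor's own annotation (Winlogon, SChannel cipher settings, the BITS service and the CD-ROM device-class GUID are standard Windows locations, which is why quarantining the Winlogon key broke logon). It computes SHA-256 so the hash, not the file, is what gets submitted, and it reports None for files that are not present on the machine running it. No network call is made.

```python
"""Triage a ZoneAlarm-style detection listing like the one in post #1."""
import hashlib
import os
import re
from collections import OrderedDict

# Constructed sample: a subset of the thread's listing, paths written cleanly.
SAMPLE_REPORT = """\
Trojan 2 - win32.worm.socks.BW
RegistryKey: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UIHost

Trojan 3 - win32.download.fraud.load.gkh
File: C:\\Program Files\\K-Lite Codec Pack\\Filters\\vp7dec.ax
File: C:\\Program Files\\K-Lite Codec Pack\\Filters\\CoreVorbis.ax
Directory: C:\\Program Files\\K-Lite Codec Pack\\Filters

Trojan 5 - win32.1sass
RegistryKey: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\NULL
RegistryKey: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\NULL
RegistryKey: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\BITS\\Enum
"""

# Editor's annotation table (assumption, not from the thread): registry paths
# that hold Windows' own configuration. A hit whose only evidence is such a key
# calls for inspecting the *value*; deleting the key reconfigures the OS.
OS_CONFIG_PREFIXES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon":
        "Winlogon settings (UIHost names the logon UI program)",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL":
        "SChannel (SSL/TLS) cipher and key-exchange configuration",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS":
        "Background Intelligent Transfer Service (used by Windows Update)",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS":
        "Background Intelligent Transfer Service settings",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}":
        "CD-ROM device class driver entries",
}

_CONTROLSET = re.compile(r"\\ControlSet\d{3}\\", re.IGNORECASE)
_ITEM = re.compile(r"^(RegistryKey|File|Directory):\s*(.+?)\s*$")
_HEADER = re.compile(r"^Trojan\s+(\d+)\s+-\s+(\S+)\s*$", re.IGNORECASE)


def canonical_key(key):
    """Fold ControlSet00N onto CurrentControlSet (an alias of the active set)
    so one key listed under both names is reported once."""
    return _CONTROLSET.sub(r"\\CurrentControlSet\\", key.strip())


def classify_key(key):
    """Return (category, note): 'os-config' for known Windows configuration
    locations, 'review' for anything else."""
    canon = canonical_key(key).lower()
    for prefix, note in OS_CONFIG_PREFIXES.items():
        p = prefix.lower()
        if canon == p or canon.startswith(p + "\\"):
            return "os-config", note
    return "review", "not a known Windows configuration location; inspect the value"


def parse_report(text):
    """Parse 'Trojan N - name' blocks into name -> [(kind, value), ...]."""
    detections = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            current = m.group(2)
            detections.setdefault(current, [])
            continue
        m = _ITEM.match(line)
        if m and current is not None:
            detections[current].append((m.group(1), m.group(2)))
    return detections


def sha256_file(path, chunk=1 << 16):
    """SHA-256 hex digest of a file, or None if it is not present here.
    The digest is what gets looked up; the file stays where it is."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(text):
    """Per detection: deduplicated registry keys with their classification,
    and the SHA-256 (or None) of every listed file."""
    result = OrderedDict()
    for name, items in parse_report(text).items():
        keys, files = OrderedDict(), OrderedDict()
        for kind, value in items:
            if kind == "RegistryKey":
                keys[canonical_key(value)] = classify_key(value)
            elif kind == "File":
                files[value] = sha256_file(value)
        result[name] = {"keys": keys, "files": files}
    return result


if __name__ == "__main__":
    for name, info in triage(SAMPLE_REPORT).items():
        print(name)
        for key, (cat, note) in info["keys"].items():
            print("  [%s] %s\n      %s" % (cat, key, note))
        for path, digest in info["files"].items():
            print("  file %s -> %s" % (path, digest or "not present on this host"))
```

Run it on the machine that produced the report (paste the scanner's listing into SAMPLE_REPORT or read it from a file) and submit the printed digests to a multi-engine scanner, as the poster did. An "os-config" key with a clean value is the false-positive pattern seen in this thread; a "review" key or a file with a bad verdict is where the real investigation starts.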
