Solved

Hey all, trojan problem.

May 9, 2010 12:19:31 AM

Hey. I am running ZoneAlarm Extreme Security Suite version 8.0.298.035, and it recently updated its definitions and picked up this LIST of trojans.

I had scanned my computer the night before without anything being detected, and now all of this.
I have also scanned with Malwarebytes Anti-Malware and it detected nothing.

I quarantined all of these 'trojans' and my computer would not shut down afterwards, and on boot it loaded to a 'Windows 2000' style login box rather than my normal XP welcome screen....

My question is: are these real viruses, or did ZoneAlarm just delete some critical files? ^_^

(Operating system: Win XP SP3, all updates done. K-Lite Codec Pack, latest update. Windows Media Player 10 (thought it might be relevant since the 'trojans' are there).)


Trojan 1 - win32.worm.socks.BY
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005

Trojan 2 - win32.worm.socks.BW
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

Trojan 3 - win32.download.fraud.load.gkh
File: C:\Program Files\K-Lite Codec Pack\Filters\vp7dec.ax
File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\vp7dec.ax
File: C:\Program Files\K-Lite Codec Pack\Filters\CoreVorbis.ax
File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\CoreVorbis.ax
File: C:\Program Files\K-Lite Codec Pack\Filters\DCBassSource.ax
File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\DCBassSource.ax
Directory: C:\Program Files\K-Lite Codec Pack\Filters

Trojan 4 - win32.a-ymoj.mail15.su
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0003\DigitalAudio
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\VideoSettings
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\ActiveLatchSet
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Trojan 5 - win32.1sass
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0006
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0007
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0006
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0007
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BITS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Enum
Directory: C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5
Directory: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum
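
As an added example (not from the thread), here is how to turn a detection list like the one above into facts you can check before hitting quarantine: for each flagged registry key, does it exist and what does it hold (the {4D36E965-...} keys are entries under the stock "Sound, video and game controllers" device class, the SCHANNEL keys are Windows' own cipher settings, and BITS is the Background Intelligent Transfer Service); for each flagged file, its size, timestamp and SHA-256, which can be looked up with a second-opinion scanner without uploading anything. Assumed: PowerShell 2.0 or later (an optional install on XP SP3) run as an administrator on the affected machine; the item list is constructed from the paths in the post, one of each kind.

```powershell
# Added triage example, not from the thread: check what a scanner's detections actually are.
# Assumes PowerShell 2.0+ on the affected XP machine, run as administrator.

# Constructed from the items ZoneAlarm flagged above (one representative per kind).
$flagged = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL',
    'HKLM:\SYSTEM\CurrentControlSet\Services\BITS\Enum',
    'C:\Program Files\K-Lite Codec Pack\Filters\vp7dec.ax',
    'C:\Program Files\K-Lite Codec Pack\Filters\CoreVorbis.ax'
)

function Get-DeviceClassName {
    # Resolve a setup-class GUID (the {4D36E965-...} part of a flagged key) to the
    # friendly name Windows itself stores under Control\Class\{GUID}.
    param([string]$Guid)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$Guid"
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    return ('{0} ({1})' -f $p.'(default)', $p.Class)
}

function Get-FileSha256 {
    # SHA-256 via .NET directly, so this works on PowerShell 2.0
    # (Get-FileHash only arrived in PowerShell 4.0).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $hash = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

foreach ($item in $flagged) {
    if ($item -like 'HKLM:*') {
        if (-not (Test-Path $item)) {
            Write-Output "MISSING  $item   (already removed or quarantined?)"
            continue
        }
        $note = ''
        if ($item -match '\\Class\\(\{[0-9A-F-]+\})\\') {
            # e.g. 'Sound, video and game controllers (MEDIA)'
            $note = Get-DeviceClassName $matches[1]
        }
        Write-Output "REGKEY   $item   $note"
        # Dump the values so you judge the contents, not the scanner's label.
        Get-ItemProperty -Path $item | Format-List | Out-String | Write-Output
    } elseif (Test-Path $item) {
        $f = Get-Item $item
        $sig = Get-AuthenticodeSignature $item
        Write-Output ("FILE     {0}  {1} bytes  modified {2}" -f $item, $f.Length, $f.LastWriteTime)
        Write-Output ("         sha256={0}  signature={1}" -f (Get-FileSha256 $item), $sig.Status)
    } else {
        Write-Output "MISSING  $item"
    }
}
```

Get-AuthenticodeSignature only checks embedded signatures, so Windows' own catalog-signed system files and most third-party codec filters will report NotSigned here; that status alone proves nothing either way. The SHA-256 is the useful output for unsigned files: if a second-opinion lookup of the hash comes back clean from other engines, you have corroboration for a false positive before anything is quarantined, rather than after the logon screen is already broken.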



Best solution

May 9, 2010 12:57:00 AM

win32.worm.socks.bw

THIS IS A FALSE POSITIVE!

ZONE ALARM MISTAKE!
May 9, 2010 1:01:01 AM

Are you using ZoneAlarm version 8?
May 9, 2010 1:01:22 AM

That's what I'm after ^_^ Do you recognize any others?
And yes, ZoneAlarm version 8.3.
May 9, 2010 1:03:13 AM

These are false positives! That version of ZoneAlarm is not supported anymore! Some of the last few updates of this old version were wrecking people's logins!
May 9, 2010 1:03:53 AM

All of them are? And yes, it did change my login.
May 9, 2010 1:05:06 AM

Your computer was fine; that's why Malwarebytes came up with nothing!
May 9, 2010 1:05:52 AM

Thought as much... stupid ZoneAlarm false positives. Well, unquarantining... brb
May 9, 2010 1:06:48 AM

Get rid of that old version, because it had a lot of issues with false positives!

If this helps, please vote best answer!

Any more questions, please ask!
May 9, 2010 1:08:44 AM

With the latest update, ZoneAlarm detects logonui.exe as win32.worm.socks.bw

This is the false positive that zone alarm was reporting as a trojan!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
May 9, 2010 1:10:06 AM

Well, that 'old' version is the only protection on my PC bar Malwarebytes/Windows Defender, so I'll just deal with false positives as they come.

But.

I recently dual booted XP and Win 7. It was XP and Vista; I formatted Vista and whacked 7 on in its place.
Now this worked perfectly with the help of EasyBCD and iReboot.

Only problem is, ever since, Win XP has slowed to a crawl on booting and doesn't function properly after extended time (being on for 24 hrs +).

any ideas?

I ran Disk Defrag, Disk Cleanup, registry cleans etc. etc. etc. and only got a small amount of speed back.
May 9, 2010 1:13:28 AM

Ah. Windows 7 works fine and speedy as all hell.
May 9, 2010 1:13:41 AM

http://www.free-av.com/

Use this instead of ZoneAlarm, but keep your Malwarebytes! This is a great free antivirus and spyware protection suite. Link is above!
May 9, 2010 1:14:46 AM

Oh, first uninstall ZoneAlarm!

If my info helped, please click best answer and have a great weekend!
May 15, 2010 2:42:47 PM

Don't blame ZA. If you didn't upgrade because you have a pirated copy, stick to it, just remember that from time to time you'll have a 'bug' like this.

To fix the problem the original poster had, do the following:

Run regedit, go to:

HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows NT
CurrentVersion
Winlogon

If you don't see an entry 'UIHost', enter a new string value: right click once while the mouse pointer is in the left pane of the registry editor, select 'New', then select 'String Value'. Rename the 'New Value #1' entry to 'UIHost', highlight UIHost, then right click on it once and select 'Modify'. In the 'Value data' area type in the following: 'logonui.exe'

Reboot.
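
The same repair as an added example (not from the thread), scripted so it only writes when the value is actually absent or wrong, and so it tells you what it found first. Assumed: Windows XP, an administrator session, and PowerShell 2.0 installed (an optional download on XP SP3); the machine can still be logged into through the classic dialog, which is Winlogon's fallback when UIHost is missing, not a lock-out. The value type and data follow the post above; the file check on logonui.exe is an extra sanity step.

```powershell
# Added example, not from the thread: check and, if needed, restore the Winlogon UIHost
# value that the quarantine removed. Assumes Windows XP, admin rights, PowerShell 2.0+.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = 'logonui.exe'   # the XP welcome-screen host, as in the post above

function Get-UIHost {
    # Returns the current UIHost data, or $null if the value does not exist.
    $p = Get-ItemProperty -Path $winlogon -Name UIHost -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }
    return [string]$p.UIHost
}

function Repair-UIHost {
    # Returns a short status string; writes to the registry only when needed.
    $current = Get-UIHost
    if ($current -eq $null) {
        # Same as the regedit steps above: a String value named UIHost = logonui.exe.
        New-ItemProperty -Path $winlogon -Name UIHost -PropertyType String -Value $expected | Out-Null
        return "UIHost was missing; set to $expected"
    }
    if ($current -ne $expected) {
        # Worth a look before overwriting: either the scanner's damage, or a host
        # you did not configure, which would be the one thing here worth worrying about.
        Set-ItemProperty -Path $winlogon -Name UIHost -Value $expected
        return "UIHost was '$current'; reset to $expected"
    }
    return "UIHost is already $expected; nothing to do"
}

# The value only helps if the binary it names is still on disk.
$exe = Join-Path $env:SystemRoot 'system32\logonui.exe'
if (-not (Test-Path $exe)) {
    Write-Warning "$exe is missing; restore it from quarantine (or run sfc /scannow) before rebooting"
}

Write-Output (Repair-UIHost)

# Equivalent one-liner from a plain cmd prompt, for a machine without PowerShell:
#   reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v UIHost /t REG_SZ /d logonui.exe /f
```

Reboot after running it; Winlogon reads UIHost at logon, so the change takes effect on the next boot. If the value was present and pointed somewhere other than logonui.exe, keep the old data from the status line: that is the one case in this thread where the scanner's complaint would have deserved a closer look.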
May 16, 2010 1:16:38 AM

PetterrPan said:
Don't blame ZA. If you didn't upgrade because you have a pirated copy, stick to it, just remember that from time to time you'll have a 'bug' like this.

To fix the problem the original poster had, do the following:

Run regedit, go to:

HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows NT
CurrentVersion
Winlogon

If you don't see an entry 'UIHost', enter a new string value: right click once while the mouse pointer is in the left pane of the registry editor, select 'New', then select 'String Value'. Rename the 'New Value #1' entry to 'UIHost', highlight UIHost, then right click on it once and select 'Modify'. In the 'Value data' area type in the following: 'logonui.exe'

Reboot.


Hey, thanks. That fixed the logon issue.
Although I am still getting all of those 'false positives'. Does anyone know if any of them are real? Just still a little concerned... as my computer is still having issues where some programs are freezing, and it takes an eternity to shut down because they aren't responding.
Anonymous
May 23, 2010 9:51:30 PM

PetterrPan said:
Don't blame ZA. If you didn't upgrade because you have a pirated copy, stick to it, just remember that from time to time you'll have a 'bug' like this.

To fix the problem the original poster had, do the following:

Run regedit, go to:

HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows NT
CurrentVersion
Winlogon

If you don't see an entry 'UIHost', enter a new string value: right click once while the mouse pointer is in the left pane of the registry editor, select 'New', then select 'String Value'. Rename the 'New Value #1' entry to 'UIHost', highlight UIHost, then right click on it once and select 'Modify'. In the 'Value data' area type in the following: 'logonui.exe'

Reboot.


Having had this problem as well, I have done as you suggest and the log-on now works as before. Whoever you are, I owe you a pint :D

Now all I have to do is sort out the slow boot sequence and I'm set!!
July 7, 2010 10:42:06 PM

Best answer selected by buwish.
October 1, 2010 4:07:50 PM

I encountered the same issues after "updating" ZoneAlarm's Anti-Spyware. This is what I did to restore the correct log-in screens.

1. Start Windows in Safe Mode.
2. Do a System Restore.
3. That's all.

Safe Mode is necessary because a System Restore will not work when this "false positive" pops up and the files are "quarantined" by ZoneAlarm.

Disclaimer: This is not my idea. I read about this several months ago somewhere in cyberspace.