Solved

Hey all, trojan problem.

Hey. I am running ZoneAlarm Extreme Security Suite version 8.0.298.035, and it recently updated its definitions and picked up this LIST of trojans.

I had scanned my computer the night before without anything being detected, and now all of this.
I have also scanned with Malwarebytes Anti-Malware and it detected nothing.

I quarantined all of these 'trojans' and my computer would not shut down afterwards, and on boot it loaded a 'Windows 2000' style login box rather than my normal XP welcome screen...

My question is: are these real viruses, or did ZoneAlarm just delete some critical files? ^_^

(Operating system: Win XP SP3, all updates done. K-Lite Codec Pack latest update... Windows Media Player 10 (thought it might be relevant since the 'trojans' are there.))


Trojan 1 - win32.worm.socks.BY
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005

Trojan 2 - win32.worm.socks.BW
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

Trojan 3 - win32.download.fraud.load.gkh
File: C:\Program Files\K-Lite Codec Pack\Filters\vp7dec.ax
File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\vp7dec.ax
File: C:\Program Files\K-Lite Codec Pack\Filters\CoreVorbis.ax
File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\CoreVorbis.ax
File: C:\Program Files\K-Lite Codec Pack\Filters\DCBassSource.ax
File: M:\Program Files (x86)\K-Lite Codec Pack\Filters\DCBassSource.ax
Directory: C:\Program Files\K-Lite Codec Pack\Filters

Trojan 4 - win32.a-ymoj.mail15.su
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0003\DigitalAudio
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\VideoSettings
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\ActiveLatchSet
RegistryKey: HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Trojan 5 - win32.1sass
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0006
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0007
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0005
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0006
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\0007
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BITS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Enum
Directory: C:\Documents and Settings\Adam\Local Settings\Temporary Internet Files\Content.IE5
Directory: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
RegistryKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum
  1. Best answer
    win32.worm.socks.bw

    THIS IS A FALSE POSITIVE!

    ZONE ALARM MISTAKE!
  2. Are you using ZoneAlarm version 8?
  3. That's what I'm after ^_^ Do you recognize any others?
    And yes, ZoneAlarm version 8.3.
  4. These are false positives! That version of ZoneAlarm is not supported anymore! Some of the last few updates of this old version were wrecking people's logins!
  5. All of them are? And yes, it did change my login.
  6. Your computer was fine; that's why Malwarebytes came up with nothing!
  7. Thought as much... stupid ZoneAlarm false positives. Well, unquarantining... brb
  8. Get rid of that old version because it had a lot of issues with false positives!

    If this helps please vote best answer!

    Any more questions, please ask!
  9. With the latest update, ZoneAlarm detects logonui.exe as win32.worm.socks.bw

    This is the false positive that zone alarm was reporting as a trojan!

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
  10. Well, that 'old' version is the only protection on my PC bar Malwarebytes/Windows Defender, so I'll just deal with false positives as they come.

    But.

    I recently dual booted XP and Win 7. It was XP and Vista; I formatted Vista and whacked 7 on in its place.
    Now this worked perfectly with the help of EasyBCD and iReboot.

    Only problem is, ever since, Win XP has slowed to a crawl on booting and doesn't function properly after extended time (being on for 24 hrs+).

    Any ideas?

    I ran Disk Defrag, Disk Cleanup, registry cleans etc. etc. etc. and only got a small amount of speed back.
  11. Ah. Windows 7 works fine and speedy as all hell * ^
  12. http://www.free-av.com/

    Use this instead of ZoneAlarm, but keep your Malwarebytes! This is a great free antivirus and spyware protection suite. Link is above!
  13. Oh, first uninstall ZoneAlarm!

    If my info helped please click best answer and have a great weekend!
  14. Don't blame ZA; if you didn't upgrade because you have a pirated copy, stick to it... just remember from time to time you'll have a 'bug' like this.

    To fix the problem the original poster had, do the following.

    Run regedit and go to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    If you don't see an entry 'UIHost', enter a new string value: right-click once while the mouse pointer is in the left pane of the Registry Editor, select 'New', then select 'String Value'. Rename the 'New Value #1' entry to 'UIHost', highlight UIHost, right-click on it once, then select 'Modify', and in the 'Value Data' area type in the following: logonui.exe

    Reboot.
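The same repair as a script, with a check the post above does not mention. This is an added example, not code from the thread or from ZoneAlarm; it assumes PowerShell 2.0 is installed on the XP machine (it was a separate download on XP, not part of the OS) and that the prompt runs as Administrator. The extra step uses the copy of logonui.exe that Windows File Protection keeps under system32\dllcache on XP: before the UIHost value is pointed back at the live logonui.exe, the two are hashed and compared, so a file that was tampered with or restored incorrectly from quarantine does not get reinstated silently.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0 on XP SP3 and an
# Administrator prompt. Restores the Winlogon UIHost value after a quarantine
# removed it, and sanity-checks logonui.exe against the WFP dllcache copy first.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = 'logonui.exe'
$live     = Join-Path $env:SystemRoot 'system32\logonui.exe'
$cached   = Join-Path $env:SystemRoot 'system32\dllcache\logonui.exe'   # Windows File Protection copy

function Get-Sha1Hex([string]$Path) {
    # PowerShell 2.0 has no Get-FileHash, so hash through .NET directly.
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ($sha1.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# 1. The binary UIHost points at must still be on disk. If ZoneAlarm quarantined
#    the file itself, recreating the value alone does not bring the welcome screen back.
if (-not (Test-Path $live)) {
    throw "$live is missing. Restore it from the ZoneAlarm quarantine (or from dllcache / the XP CD) before fixing the registry."
}

# 2. Compare the live file with the dllcache copy when one exists. A mismatch does
#    not prove anything by itself (a hotfix can update one copy), but it is the cue
#    to look at file versions before trusting the file again.
if (Test-Path $cached) {
    if ((Get-Sha1Hex $live) -eq (Get-Sha1Hex $cached)) {
        "logonui.exe matches the dllcache copy"
    } else {
        Write-Warning "logonui.exe differs from the dllcache copy; compare file versions before relying on it"
    }
}

# 3. Recreate the UIHost value only if it is missing, exactly as the post describes.
#    Get-ItemProperty raises an error if the key itself is gone; SilentlyContinue keeps
#    the script going so the final branch reports that instead.
$current = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).UIHost
if (-not $current) {
    New-ItemProperty -Path $winlogon -Name 'UIHost' -PropertyType String -Value $expected | Out-Null
    "UIHost was missing; set to $expected (REG_SZ). Reboot to get the XP welcome screen back."
} elseif ($current -ine $expected) {
    # Winlogon is a well-known persistence location, so a UIHost value that points
    # anywhere else is something to investigate, not something to overwrite quietly.
    Write-Warning "UIHost is '$current', not '$expected'. Identify that file before changing the value."
} else {
    "UIHost already set to $expected; nothing to do."
}
```

Run it, reboot, and then rescan. If the warning in step 2 fires, check the version resources of both files (right-click, Properties, Version) before deciding which copy is the good one; the point of the check is that a quarantine-and-restore cycle is exactly when a wrong or partially restored file goes unnoticed.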
  15. PetterrPan said:
    Don't blame ZA; if you didn't upgrade because you have a pirated copy, stick to it... just remember from time to time you'll have a 'bug' like this.

    To fix the problem the original poster had, do the following.

    Run regedit and go to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    If you don't see an entry 'UIHost', enter a new string value: right-click once while the mouse pointer is in the left pane of the Registry Editor, select 'New', then select 'String Value'. Rename the 'New Value #1' entry to 'UIHost', highlight UIHost, right-click on it once, then select 'Modify', and in the 'Value Data' area type in the following: logonui.exe

    Reboot.


    Hey, thanks. That fixed the logon issue.
    Although I am still getting all of those 'false positives'. Does anyone know if any of them are real? Just still a little concerned... as my computer is still having issues where some programs are freezing and it takes an eternity to shut down because they aren't responding.
  16. PetterrPan said:
    Don't blame ZA; if you didn't upgrade because you have a pirated copy, stick to it... just remember from time to time you'll have a 'bug' like this.

    To fix the problem the original poster had, do the following.

    Run regedit and go to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    If you don't see an entry 'UIHost', enter a new string value: right-click once while the mouse pointer is in the left pane of the Registry Editor, select 'New', then select 'String Value'. Rename the 'New Value #1' entry to 'UIHost', highlight UIHost, right-click on it once, then select 'Modify', and in the 'Value Data' area type in the following: logonui.exe

    Reboot.


    Having had this problem as well, I have done as you suggest and the log-on now works as before. Whoever you are, I owe you a pint :D

    Now all I have to do is sort out the slow boot sequence and I'm set!!
  17. Best answer selected by buwish.
  18. I encountered the same issues after "updating" ZoneAlarm's Anti-Spyware. This is what I did to restore the correct log-in screens.

    1. Start Windows in Safe Mode.
    2. Do a system restore.
    3. That's all.

    Safe Mode is necessary because a system restore will not work when this "false positive" pops up and the files are "quarantined" by ZoneAlarm.

    Disclaimer: This is not my idea. I read about this several months ago somewhere in cyberspace.