LS.Andy


Posts posted by LS.Andy


  1. Hi Solaze!

     

    Make a cup of tea, sit down and brace yourself! This is a pretty long-winded response, so bear with me!

     

    Having assessed the log, there's nothing to worry about here. Ad-Aware is erring on the side of caution by notifying you about an alternate data stream (ADS) object that is not recognised. ADS are used for many things, from "mark of the web" (file:Zone.Identifier), to thumb-prints, to icons for favourites (file.url:favicon). However, malware authors could attempt to use ADS to mask their activities.

     

    An example of a legitimate ADS is the above-mentioned Zone.Identifier that was flagged in your scan log. When downloading some files an ADS called Zone.Identifier is appended. The Zone.Identifier ADS can be cleared by unchecking the "Always ask before opening this file" checkbox that appears when you try to download a file with this ADS attached.

     

    You can control the reporting of unrecognised ADS by downloading and installing Tweak SE from the Lavasoft homepage. Run it and uncheck the item "Flag all unrecognized Alternate Data Streams" by following the steps below:

     

    1. Open Ad-Aware.

    2. Click the Add-ons button.

    3. Double click on 'Tweak SE' and OK to execute.

    4. On the Scanning Engine tab uncheck 'Flag all unrecognized Alternate Data Streams'.

    5. Click 'Proceed'.

     

    You can read more about ADS here.

     

    If you would like to remove the ADS from files, check out Streams by Sysinternals/Microsoft.

     

    I appreciate there is a lot of information here, but I hope you find it useful!

     

    Regards,

     

    Andy

    Lavasoft Research
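The Zone.Identifier stream discussed in the post above, as an added example that is not part of the original post or of any Lavasoft tool. It parses the INI-style body Windows writes into that stream, reads and deletes the stream through the NTFS "file:stream" path syntax, and reports "no stream" on other file systems instead of failing. The zone numbers are the Windows URL security zones; the sample stream body, the .test URLs and the behaviour of deleting a stream path (assumed to remove only the stream, as Streams -d does) are assumptions made for this example.

```python
"""Inspect and remove the Zone.Identifier alternate data stream (the "mark of the web").

Added example; it is not code from the original post or from Lavasoft.
On NTFS a named stream is opened by appending ":<stream name>" to the file
path; on other file systems, or when the stream is absent, that open fails
and the functions below report "no stream" instead of raising.
"""
import os
from typing import Dict, Optional

STREAM_NAME = "Zone.Identifier"

# URL security zone numbers written into the ZoneTransfer section.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> Dict[str, object]:
    """Parse the INI-style body of a Zone.Identifier stream.

    Returns 'zone_id' (int or None), a human-readable 'zone_name', and any
    other keys found in the [ZoneTransfer] section (e.g. ReferrerUrl, HostUrl).
    Keys outside that section are ignored.
    """
    info: Dict[str, object] = {"zone_id": None, "zone_name": "unknown"}
    in_zone_transfer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_zone_transfer = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if not in_zone_transfer or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":
            try:
                zone = int(value)
            except ValueError:
                continue  # malformed ZoneId: leave zone_id as None
            info["zone_id"] = zone
            info["zone_name"] = ZONE_NAMES.get(zone, f"unknown zone {zone}")
        else:
            info[key] = value
    return info


def read_stream(path: str, stream: str = STREAM_NAME) -> Optional[str]:
    """Return the text of <path>:<stream>, or None if it cannot be opened."""
    try:
        with open(f"{path}:{stream}", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:  # no such file, no such stream, or not NTFS
        return None


def remove_stream(path: str, stream: str = STREAM_NAME) -> bool:
    """Delete one named stream (Sysinternals Streams -d does this for every stream).

    Assumption: on NTFS, deleting the "<path>:<stream>" path removes only the
    stream and leaves the file's main data intact. Returns True on success.
    """
    try:
        os.remove(f"{path}:{stream}")
        return True
    except OSError:
        return False


def describe(path: str) -> str:
    """One-line verdict: where the file was downloaded from, or 'no stream'."""
    body = read_stream(path)
    if body is None:
        return f"{os.path.basename(path)}: no {STREAM_NAME} stream (not marked, or not on NTFS)"
    info = parse_zone_identifier(body)
    extras = " ".join(f"{k}={v}" for k, v in info.items() if k not in ("zone_id", "zone_name"))
    return f"{os.path.basename(path)}: ZoneId={info['zone_id']} ({info['zone_name']}) {extras}".rstrip()


# Constructed sample of the stream body a browser writes after a download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.test/\r\n"
    "HostUrl=https://cdn.example.test/setup.exe\r\n"
)

if __name__ == "__main__":
    import sys
    print(parse_zone_identifier(SAMPLE_STREAM))
    for target in sys.argv[1:]:
        print(describe(target))
```

Run it with one or more file paths to see the zone (and, on newer Windows versions, the download URLs) recorded for each file; a file with no stream is simply reported as unmarked, which is the normal state for anything created locally.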


  2. Thank you to everyone who contributed information and details of their scans.

     

    This was an aggressive detection that was implemented to remove genuine malware from the Win32.TrojanDropper family. Upon re-analysis it was noted that a false positive was generated when running a scan. An updated definition file was released on Monday to counter this. You can find details of the changes made to the definition file in the Definitions Updates forum. Please be sure to update Ad-Aware with the newest definition file.

     

    Thanks for your help!

     

    Regards,

     

    Andy

    Lavasoft Research


  3. Hi Joakim,

     

    After some investigation I can confirm that the foobar2000.org cookie detection is an issue with Ad-Aware 2007 Beta rather than a false positive generated by Ad-Aware 1.06r1. I will pass the foobar2000 cookie issue to the Ad-Aware 2007 development team. I would like to thank you for bringing this Beta version bug to light - reports like this are extremely helpful! :)

     

    If you come across any other anomalies, please be sure to report them in the Ad-Aware 2007 forum at http://www.lavasoftsupport.com/index.php?showforum=55 . Thanks for your input!

     

    Regards,

     

    Andy

    Lavasoft Research


  4. Hi bkmtech!

     

    Thanks for your post! It would be interesting to look at the log file for that scan - could I ask you to post it?

     

    I'm not sure I have any useful advice for you regarding Spybot's results, however, regarding your redirected host query, make a cup of tea, take a deep breath and settle in!

     

    If you open your hosts file in Notepad (Windows NT/2000/XP/Vista: %SystemRoot%\system32\drivers\etc\) you'll notice an IP address and the word 'localhost'.

     

    If, for example, on a line below the localhost entry, I were to type the IP address of www.newswebsite.test (e.g. 123.45.67.890) followed by the host name of a sports website, e.g.:

     

    123.45.67.890 www.sportwebsite.test

     

    When I type www.sportwebsite.test into my browser I would be redirected to www.newswebsite.test. The hosts file is very useful if you want to block a particular site but it is also vulnerable to hijacking, in that when you type in a host name for a targeted site, you are redirected to the hosts file hijacker's specified site.

     

    I hope that helps to explain the circumstances in which a redirected hosts file could be considered a threat i.e. if you have not altered the hosts file yourself or given consent to a third party to alter it.

     

     

    Regards,

     

    Andy

    Lavasoft Research
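The hosts-file hijack described in the post above, as an added example that is not part of the original post or of any Lavasoft tool. It classifies every entry in a hosts file: names pointing at loopback or 0.0.0.0 are black-holed (a common legitimate use for ad blocking), names pointing at any other address are redirected in the way the post describes, and lines whose first field is not an address are reported as malformed. The sample hosts content, the list of "watched" names and the .test host names are constructed for the example.

```python
"""Audit a hosts file for entries that redirect or black-hole named hosts.

Added example; not code from the original post or from Lavasoft. The hosts
content and the list of "watched" names below are constructed; the .test
names are placeholders, not real sites.
"""
import os
from dataclasses import dataclass
from typing import List
import ipaddress

# Constructed: names whose hijacking would matter (update/security sites, etc.).
WATCHED_HOSTS = {"www.sportwebsite.test", "update.securityvendor.test"}

# Names that legitimately point at loopback in a default Windows hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class Finding:
    lineno: int
    kind: str  # "ok", "block", "redirect" or "malformed"
    address: str
    names: List[str]
    note: str


def hosts_path() -> str:
    """Where the live hosts file lives on this platform."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "system32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def _is_sink(ip) -> bool:
    """Loopback/unspecified targets black-hole a name rather than redirect it."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str, watched=WATCHED_HOSTS) -> List[Finding]:
    """Classify every non-comment line of a hosts file."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        names = [p.lower() for p in parts[1:]]
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append(Finding(lineno, "malformed", parts[0], names,
                                    "first field is not an IP address"))
            continue
        if not names:
            findings.append(Finding(lineno, "malformed", parts[0], names, "no host name"))
            continue
        hit = sorted(set(names) & set(watched))
        if _is_sink(ip):
            if set(names) <= LOOPBACK_NAMES:
                findings.append(Finding(lineno, "ok", parts[0], names, "default loopback entry"))
            elif hit:
                findings.append(Finding(lineno, "block", parts[0], names,
                                        "watched host(s) black-holed: " + ", ".join(hit)))
            else:
                findings.append(Finding(lineno, "block", parts[0], names,
                                        "name black-holed (ad/tracker blocking is a common legitimate use)"))
        else:
            note = ("watched host(s) redirected: " + ", ".join(hit)) if hit \
                else "name redirected to a real address"
            findings.append(Finding(lineno, "redirect", parts[0], names, note))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Entries worth a closer look: redirects, malformed lines, and blocks of watched hosts."""
    return [f for f in findings
            if f.kind in ("redirect", "malformed")
            or (f.kind == "block" and "watched" in f.note)]


# Constructed sample hosts file (not captured from a real system).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines an installer or hijacker might append
203.0.113.10    www.sportwebsite.test www.newswebsite.test
127.0.0.1       update.securityvendor.test
0.0.0.0         ads.example.test   # ad blocking
not-an-address  www.example.test
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in suspicious(audit_hosts(text)):
        print(f"line {f.lineno}: {f.kind:9} {f.address} -> {' '.join(f.names)}  ({f.note})")
```

Pass the path returned by hosts_path() as the argument to audit the live file; anything listed under "redirect" that you did not add yourself is exactly the situation the post calls a threat.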


    We would like to analyse as many Cool Web Search variants as possible. At this time we are inviting submissions of Cool Web Search sample files. If you have a sample for analysis, please:

     

    1. Zip the file.

    2. Password protect it with the password "infected" (minus the quotation marks).

    3. Email it to [email protected] with "Cool Web Search Sample" in the subject field.

     

    Thank you for your help! We appreciate your assistance!

     

    Andy

    Lavasoft Research


  6. Hi anubus777!

     

    Thanks for your report!

     

    According to the log that was posted, Ad-Aware has discovered a missing string value within the registry. Where the string should have contained the value "regedit.exe" "%1", it was actually blank. However, Ad-Aware recognised this and replaced the missing value.

     

    Nothing to worry about here - in fact, what was identified as a general Windows security issue has been resolved by the scan that was carried out!

     

    Regards,

     

    Andy

    Lavasoft Research
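The registry check behind the post above, as an added example that is not part of the original post or of any Lavasoft tool. It compares the (Default) value of the shell "open" command for a few file types against a baseline, reporting a blank value (the case in the post) as "missing" and anything that launches a different executable as "suspicious", while tolerating harmless variations such as a full path to regedit.exe or a %SystemRoot% variable. The regfile baseline is the value the post names; the other baselines are the stock Windows defaults as assumed for this example. Reading the live registry needs Windows and the standard-library winreg module; the comparison logic runs anywhere, and the values in the demonstration are constructed.

```python
"""Check the shell "open" commands behind common file types for blank or hijacked values.

Added example; not code from the original post or from Lavasoft. The expected
strings are assumed stock Windows defaults (the regfile one is the value the
post names). Live reads need Windows; elsewhere only the comparison logic runs.
"""
import os
import re
from typing import Dict, Optional, Tuple

try:
    import winreg  # Windows only
except ImportError:  # not Windows: live checks are skipped
    winreg = None

# Assumed stock defaults of HKEY_CLASSES_ROOT\<type>\shell\open\command.
EXPECTED: Dict[str, str] = {
    "exefile": '"%1" %*',
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "regfile": 'regedit.exe "%1"',
}


def _canonical(cmd: str) -> str:
    """Normalise a command line so harmless variations compare equal.

    Expands environment variables, tokenises on quotes/whitespace, reduces a
    leading executable path to its base name, and lower-cases the result.
    """
    tokens = re.findall(r'"[^"]*"|\S+', os.path.expandvars(cmd.strip()))
    if tokens:
        head = tokens[0].strip('"')
        if head.lower().endswith(".exe"):
            tokens[0] = os.path.basename(head.replace("\\", "/"))
    return " ".join(tokens).lower()


def check_command(file_type: str, value: Optional[str]) -> Tuple[str, str]:
    """Classify a (Default) value: 'ok', 'missing', 'suspicious' or 'unknown'."""
    expected = EXPECTED.get(file_type)
    if expected is None:
        return "unknown", f"no baseline recorded for {file_type}"
    if value is None or not value.strip():
        # The case from the post: the value is present but blank.
        return "missing", f"default value is blank; expected {expected}"
    if _canonical(value) == _canonical(expected):
        return "ok", value
    return "suspicious", f"got {value!r}, expected {expected!r}"


def read_open_command(file_type: str) -> Optional[str]:
    """(Default) of HKCR\\<type>\\shell\\open\\command, or None if unreadable."""
    if winreg is None:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"{file_type}\shell\open\command") as key:
            value, _ = winreg.QueryValueEx(key, "")
            return str(value)
    except OSError:
        return None


def audit_live() -> Dict[str, Tuple[str, str]]:
    """Check every type in EXPECTED against the live registry (Windows only)."""
    return {t: check_command(t, read_open_command(t)) for t in EXPECTED}


# Constructed values standing in for what a scan might read back.
SAMPLE_VALUES = {
    "regfile": "",                                        # blank, as in the post
    "exefile": '"C:\\ProgramData\\loader.exe" "%1" %*',   # every .exe launched via a wrapper
    "batfile": '"%1" %*',                                 # untouched
}

if __name__ == "__main__":
    for t, v in SAMPLE_VALUES.items():
        print(t, *check_command(t, v))
    if winreg is not None:
        for t, (status, detail) in audit_live().items():
            print("live:", t, status, detail)
```

On a Windows machine the script also prints the live result for each type; a "missing" or "suspicious" line for exefile is the classic symptom of a hijacked file association, since every program you start would then go through the attacker's wrapper first.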


  7. Hi, el_diablo!

     

     

    Thanks for sending the report. The particular Win32.Trojan.Downloader object that was detected has been taken out of detection as of the next release.

     

    The Adware.Pop objects are in detection legitimately. If you would prefer Ad-Aware not to remove them, you can add them to your 'ignore list'. To do this:

     

    1. Scan your PC as normal

    2. When the scan has finished, click 'Next' to view the scanning results.

    3. Click on the 'Critical Objects' tab within the scanning results screen.

    4. Check the box beside any elements you'd like to be ignored.

    5. Right click somewhere inside the Critical Objects window and select 'Add Selected To Ignore List'

    6. Click OK to continue and follow the prompts.

     

    Thanks for your input!

     

    Andy

    Lavasoft Research