FF 2.0.0.2 Update -> Spy Sweeper quarantined 180search assistant/zango (coincidence?)

Discussion in 'Security and Privacy' started by mailman, 2007/02/24.

  1. 2007/02/24
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    I debated whether to post this in the Netscape and Mozilla forum or the General Security forum. The General Security forum wins my debate since the people who read this forum might be more familiar with the issues and security applications described.

    I just downloaded and installed the Firefox 2.0.0.2 update via Firefox 2.0.0.1's Help > Check For Updates. After the download was complete and "verified", the update proceeded to install. While the update was installing, Webroot's Spy Sweeper popped up a notice that it quarantined an item that was trying to install.

    After the FF update finished its business, I allowed it to restart FF. After FF went through its updating business during the FF restart, I arrived at the usual "your update was successful" display. FF's Help > About Mozilla Firefox also shows v2.0.0.2.

    Webroot Spy Sweeper's Quarantine shows it quarantined "180search assistant/zango".
    Has anyone else with Spy Sweeper memory-resident protection running (and, perhaps, Norton Anti-Virus memory-resident protection) had this occur when they updated to FF 2.0.0.2 via the Help > Check For Updates method I described? I'm wondering if this is just a coincidence that the Spy Sweeper alert occurred during the FF update or if there is something in FF's update that might trigger a false-positive from Spy Sweeper's memory resident protection. There may also be a conflict between Spy Sweeper's memory-resident protection and Norton Anti-Virus memory-resident protection as well.

    I keep my computer updated with the latest definitions for several anti-malware apps (listed below) and I regularly scan for malware so I tend to think it was a false-positive alert or there is a conflict between memory-resident security applications. In the meantime, I will scan my computer with all my anti-malware applications (one at a time) and see if I come up with anything.

    My Security-related Apps:
    • Webroot Spy Sweeper 5.3.1 (build 2344) with memory-resident "shields" active except:
      • Internet Communication (because I use the MVPS HOSTS and this shield seems to interfere with its use, if I recall correctly)
      • Hosts File (because I use the MVPS HOSTS which has historically been too large for Spy Sweeper to handle)
      • ActiveX
      • Alternate Data Stream
      • Windows Messenger Service (because I have the service disabled)
    • Norton SystemWorks 2006 (with the anti-virus component memory-resident)
    • Spybot - Search & Destroy 1.4 (on-demand only, i.e., not with TeaTimer memory-resident)
    • Ad-Aware SE Professional build 1.06r1 (on-demand only)
    • Bit Defender 8 Free Edition (on-demand only with automatic updates enabled)
    • a-squared Free 2.1 (on-demand only)
    • SpywareGuard 2.2 (resides in the system tray)
    • SpywareBlaster 3.5.1 (with all protections enabled)
    • FaceTime X-Cleaner Deluxe build 39125 (on-demand only except for auto quick scanning during boot)
    • AVG Anti-Spyware 7.5 (resident shield inactive, automatic updates active)
    • WinPatrol PLUS v11.1.2007 (memory-resident)
    There may be other security-related apps I use that I don't recall at the moment.
     
    Last edited: 2007/02/24
  2. 2007/02/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi mailman

    I also updated FF and am running SS. I had no alerts for 180 or zango.

    Geri
     
    Geri,
    #2

  4. 2007/02/25
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Thanks, Geri.

    Your response seems to rule out the false-positive trigger possibility. Now I'm leaning even more towards the memory-resident conflict possibility. :)

    I did a complete system scan last night with SS and came up clean.

    I did a malware scan of my C:\ drive with X-Cleaner last night and the only file it flagged as suspicious was
    C:\Program Files\Common Files\Roxio Shared\DLLShared\CommonSpanish.dll

    CommonSpanish.dll was probably installed with Roxio Easy CD Creator 6 and it comes up clean with NAV, SS, AVG AS, and a^2 Windows Explorer context menu scans so I think that was a false-positive by X-Cleaner.

    I will continue to scan my system with my other security apps and I will post their findings if anything significant occurs.
     
  5. 2007/02/27
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    I finally finished all my scans as of this morning. Here are the only positive results I got.

    // Product: BitDefender 8 Free Edition
    // Version: 8.0
    // Created on: 25/02/2007 13:42:28

    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1154657343jtun_nav2k6en60803017.m25.full.zip=>VIRSCAN9.983 Infected Trojan.Banker.VB.AG

    At Jotti's Online Scan, BitDefender was the only product to flag the file as "infected" ("Found Trojan.Banker.VB.AG").

    Jotti's Status on the file:
    ============

    a-squared Free - Version 2.1

    Scan settings:

    Objects: Memory, Traces, Cookies, C:\, G:\, H:\
    Scan archives: On
    Heuristics: On
    ADS Scan: On

    Value: HKEY_CURRENT_USER\Control Panel\Desktop --> ScreenSaveActive detected: Trace.Registry.3D X-Mas Desktop
    Value: HKEY_CURRENT_USER\Control Panel\Desktop --> SCRNSAVE.EXE detected: Trace.Registry.3D X-Mas Desktop
    C:\Program Files\mIRC\mirc.exe detected: Riskware.Client-IRC.Win32.mIRC.621
    G:\Data\mIRC\backup\mirc.exe detected: Riskware.Client-IRC.Win32.mIRC.12
    G:\DL\Anti-Malware\Smitfraud\SmitfraudFix.zip/Process.exe detected: Riskware.RiskTool.Win32.Processor.20
    G:\DL\Anti-Malware\Smitfraud\SmitfraudFix.zip/Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f
    G:\DL\Downloads\mIRC\mirc612.exe detected: Riskware.Client-IRC.Win32.mIRC.612
    G:\DL\UTILITIES\SysInternals\ALL_Sysinternals_Utilities\SysinternalsSuite.zip/pskill.exe detected: Riskware.RiskTool.Win32.PsKill.r
    G:\DL\UTILITIES\Windows NT 4,0 Resource Kit Suooprt Tools\cab contents\COMPMGMT_SRVCADMN_sc.exe detected: Riskware.NetTool.Win32.Calc-SETI@Home.b
    G:\DL\UTILITIES\Windows NT 4,0 Resource Kit Suooprt Tools\sp4rkx86.cab/COMPMGMT_SRVCADMN_sc.exe detected: Riskware.NetTool.Win32.Calc-SETI@Home.b

    =========

    It appears to me that I have nothing to be concerned about regarding malware except I'm curious about the registry entries a^2 flagged referring to ScreenSaveActive and SCRNSAVE.EXE and I will investigate those further. (I already searched my hard drives for SCRNSAVE.EXE and came up empty though.)

    mIRC is a legitimate Internet Relay Chat client that I have used (various versions) over the years.

    If I recall correctly, I downloaded the Smitfraud, Sysinternals .zip file, and Windows NT 4.0 Resource Kit Support Tools from reputable sources. I don't think I ever actually ran Smitfraud. I was probably just curious about what the utility contains. I think I obtained the Sysinternals ZIP package from Microsoft soon after MS acquired Sysinternals. I'm certain the Windows NT 4 tools came from MS. I only looked inside the sp4rkx86.exe self-extracting archive once recently with WinZip to see if certain files were in the cab file.

    I'm now guessing I have a memory-resident conflict somewhere among the following:
    • ZoneAlarm Pro
    • Norton SystemWorks' NAV
    • Spy Sweeper

    Suggestions anyone?
     
    Last edited: 2007/02/27
  6. 2007/02/28
    Hill

    Hill Inactive

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    Had the same thing happen. As soon as FF 2.0.0.2 finished installing, SS popped up and said it quarantined 180search/zango spyware.
    I am running Spy Sweeper (updated)
    ZoneAlarm free
    PC-cillin Security Suite 2007 (updated)

    just thought you all should know
    HH
     
    Hill,
    #5
  7. 2007/02/28
    Hill

    Hill Inactive

    Hill,
    #6
  8. 2007/02/28
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Thanks, Hill!

    It's good to know someone else got the same alert as me when updating Firefox. Did you update via Firefox's Help > Check for Updates too?

    That seems to narrow it down to ZoneAlarm vs Spy Sweeper for now anyway since I don't use PC-cillin, you apparently don't use Symantec/Norton Anti-Virus, and Geri apparently uses neither Norton Anti-Virus nor ZoneAlarm. :)

    BTW, I do not use ZoneAlarm Pro's anti-spyware component either.

    Now it appears I just need to see if I can consistently reproduce the Spy Sweeper alert and then play with ZoneAlarm and/or SpySweeper settings to see if I can nail down the conflict.

    I don't think I have the FF 2.0.0.1 full-install on this computer to test with. The install program I have is Firefox Setup 2.0.exe which I downloaded on 11/2/2006. Perhaps I can reproduce the alert when I upgrade that to v2.0.0.2 via Help > Check for Updates.

    Perhaps I can consistently reproduce the alert by just running the v2.0.0.2 full-install (which I will download from Mozilla).

    I will test as time permits. If I discover the exact nature of the apparent conflict, I will post a follow-up to let people know.

    Thanks again, Geri and Hill! Your contributions appear to be very valuable.

    EDIT:
    Hill, thanks for the link too! :)
     
    Last edited: 2007/02/28
  9. 2007/02/28
    Hill

    Hill Inactive

    No problem, mailman.
    FF updated on its own. When I restarted FF, that's when I got the false positive.

    HH
     
    Hill,
    #8