CastleCops, Internet Crime Fighters
Win32.YOK.Supersearch False Positive?

gorgelink (Sergeant; Joined: Dec 02, 2004; Posts: 75; Location: USA)
Posted: Mon Aug 07, 2006 7:24 pm    Post subject: Win32.YOK.Supersearch False Positive?

Hi,

In the last few days, users keep reporting the detection of a trojan Win32.YOK.Supersearch.

Details here:

http://forum.zonelabs.org/zonelabs/board/message?board.id=Antivirus&message.id=13104

http://forum.zonelabs.org/zonelabs/board/message?board.id=Antivirus&message.id=13092

http://forum.zonelabs.org/zonelabs/board/message?board.id=security&message.id=15997

Looks to me like a false positive.

Ewido is a dedicated anti-Trojan. It found nothing (I did a deep registry scan and then a scan of all files on the computer).

Lavasoft Adaware - dedicated antispyware application - found nothing. It deep scans the registry.

NAV found nothing.

All three with latest definitions.

00021494 .... 046 indicates an Internet Explorer add-on toolbar. Such toolbars are frequently used by adware - but very rarely by Trojans. Win32.YOK.Supersearch is supposed to be a Trojan.

I have Opera with built-in Google search (and Amazon search). I just updated to Opera 9.01, so maybe that's the source of the FP. Don't know. Would love to have an answer.

G.

Hoov (Zone Alarm Host, PIRT Handler; Joined: Jun 21, 2002; Posts: 4613; Location: USA)
Posted: Tue Aug 08, 2006 3:25 am

Did you report this?


_________________
For ZoneAlarm help http://www.donhoover.net
gorgelink (Sergeant; Joined: Dec 02, 2004; Posts: 75; Location: USA)
Posted: Tue Aug 08, 2006 12:32 pm    Post subject: Sure did

Sure did, Hoov. I am aware of two other users who have written to Tech Support.

BUT

If it comes from you it carries far more weight. Can you please convey our queries to Tech Support?

Have a cool summer.

G.

gorgelink (Sergeant; Joined: Dec 02, 2004; Posts: 75; Location: USA)
Posted: Wed Aug 09, 2006 11:16 am    Post subject: Where is Tech Support?

New antispyware definitions file 310 was released today and the FP remains.

I call it FP (False Positive) because ONLY a registry entry is identified by ZA.

None - NOT ONE - of the files associated with YOK.Supersearch is found on my computer.

YOK.Supersearch installs MANY files on the infected computer + a toolbar. These are nowhere to be found on my computer. ZA only identifies a registry entry.

Additionally, no other dedicated anti-Trojan and anti-spyware applications find this threat - only ZA! Ewido, Adaware, Spysweeper - all excellent products that tell me my computer is 100% clean. Only ZA comes up with this registry entry.

It is a pity that ZA Tech Support do not respond to us in times of distress.

g.

Hoov (Zone Alarm Host, PIRT Handler; Joined: Jun 21, 2002; Posts: 4613; Location: USA)
Posted: Thu Aug 10, 2006 6:32 am

I have let them know about it.

gorgelink (Sergeant; Joined: Dec 02, 2004; Posts: 75; Location: USA)
Posted: Thu Aug 10, 2006 5:13 pm    Post subject: It is a False Positive!

A week late - and after they had advised everyone to delete the registry entry - Tech Support confirmed earlier today that Win32.YOK.Supersearch is a false positive.

Will they fix it as soon as possible?

No way.

MAYBE on Friday, they say.

Meanwhile this is what happened to me - read the unbelievable details:

CastleCops Link/p812120-Restored_item_from_quarantine_disappeared.html#812120

G.

Hoov (Zone Alarm Host, PIRT Handler; Joined: Jun 21, 2002; Posts: 4613; Location: USA)
Posted: Thu Aug 10, 2006 6:49 pm

I got the word that it will be fixed in the update tomorrow.

False positives are a fact of life no matter what scanner you use, or what kind of scanner it is. So far ZoneLabs has had relatively few false positives compared to other scanners I have used.

gorgelink (Sergeant; Joined: Dec 02, 2004; Posts: 75; Location: USA)
Posted: Fri Aug 11, 2006 2:46 pm    Post subject: You are right - clarification

You are right, Hoov - false positives are an inevitable part of the game. I have no problem with that, and ZAP is a great and wondrous product. I have been a loyal user, fan, and gratis sales promoter for years now.

BUT

I think Tech Support made two errors of judgement this time around:

1. Taking its sweet time to tackle the problem. Other firms (Ewido, Symantec, Adaware) fix FPs in a matter of a day or two. EIGHT DAYS is unacceptable.

2. Advising people to delete the registry entry without checking their complaints and queries in-depth. It is irresponsible. They should have advised people to QUARANTINE.

Thanks for always being there for us.

G.

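A defender-side triage check for the situation gorgelink describes above (a detection that names only a CLSID registry entry, and the advice to quarantine rather than delete). This is an added example, not code from this thread or from ZoneAlarm: it parses a `.reg` export of the CLSID key, the backup you take before quarantining, resolves each CLSID's `InprocServer32` default value to a DLL path, and reports whether that file exists on disk. A registration whose DLL is missing is a leftover key, not live code. The GUIDs, names, paths and the sample export are constructed; on a real machine you would feed it the output of `reg export` and use the default `os.path.exists`.

```python
import os
import re
from typing import Callable, Dict, Optional

# Constructed sample of a .reg export (the backup to keep before quarantining
# a key). GUIDs, names and paths are made up for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example search toolbar (constructed)"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Windows\\Temp\\gone.dll"
"""

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def parse_inproc_servers(reg_text: str) -> Dict[str, str]:
    """Map each CLSID to the DLL path named by its InprocServer32 default value."""
    servers: Dict[str, str] = {}
    current: Optional[str] = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            continue
        if line.startswith("["):
            current = None  # some other key: ignore values until the next InprocServer32
            continue
        value = DEFAULT_RE.match(line)
        if current and value:
            # .reg files escape quotes and backslashes inside string values; undo that.
            servers[current] = value.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return servers

def classify(servers: Dict[str, str],
             exists: Callable[[str], bool] = os.path.exists) -> Dict[str, str]:
    """'present' if the registered DLL is on disk, 'orphaned' if only the key remains."""
    return {clsid: ("present" if exists(path) else "orphaned")
            for clsid, path in servers.items()}

if __name__ == "__main__":
    found = parse_inproc_servers(SAMPLE_REG)
    for clsid, verdict in classify(found).items():
        print(clsid, found[clsid], verdict)
```

An "orphaned" verdict alone does not prove the entry is harmless, but it does tell you the scanner matched a registration rather than running code, which is the distinction the thread turns on.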
Hoov (Zone Alarm Host, PIRT Handler; Joined: Jun 21, 2002; Posts: 4613; Location: USA)
Posted: Sat Aug 12, 2006 4:31 am

I am not sure if this is a ZoneAlarm scanner or if it is licensed for use like the virus scanner. If it is the first, then they are just getting off the ground with this, and like other companies it may take them a while to get immediate updates. If it is licensed, then they may not be getting immediate updates because the company is busy maintaining their primary product.

As for the registry / quarantine, I agree.
