adware.iesuper false positive?
DAB
We are using adware/adwatch se and with the latest updates (12/8/08) we are getting a "harmful process identified" during our login process. The object is winlogon.exe, path: \??\c:\windows\system32\, vendor: adware.iesuper. If we block this, the machine blue screens with a 21a code. If we accept, then the machine runs really slow or on my test machine, it started alerting on other EXEs in memory - ati2evxx.exe, smc.exe (Symantec FW), ccEvtMgr.exe (Symantec AV), SbClientManager.exe (disk encryptor).

It does not alert on any of these with the dec 3 definitions.

Could this be a false positive? AV scans do not show anything in memory or in the files identified. This has been a known definition since march 2008 and it looks like it was added to AA Defs in April - why is it popping up now?
LS Pekka
QUOTE(DAB @ Dec 9 2008, 04:37 PM) *
We are using adware/adwatch se and with the latest updates (12/8/08) we are getting a "harmful process identified" during our login process. The object is winlogon.exe, path: \??\c:\windows\system32\, vendor: adware.iesuper. If we block this, the machine blue screens with a 21a code. If we accept, then the machine runs really slow or on my test machine, it started alerting on other EXEs in memory - ati2evxx.exe, smc.exe (Symantec FW), ccEvtMgr.exe (Symantec AV), SbClientManager.exe (disk encryptor).

It does not alert on any of these with the dec 3 definitions.

Could this be a false positive? AV scans do not show anything in memory or in the files identified. This has been a known definition since march 2008 and it looks like it was added to AA Defs in April - why is it popping up now?


Hi DAB!

If you are using Ad-Aware SE I would suggest you try Ad-Aware 2008 Free to see if it could solve the problem. It is available for download here, http://www.lavasoft.com/products/ad_aware_free.php
The latest (0143.0004) definition file contains updated definitions for the Adware.IESuper family.

Would it be possible for you to post the complete log file from the Ad-Aware scan and/or the files that were detected?
It could be the fact that malicious objects are hooking to Winlogon and/or other system critical processes and removing those objects in full active state would cause the system to blue screen. We would however need either the log-file from the scan or the detected files to pinpoint the origin of the issue.

If you are able to isolate the files you could submit them to an online scanning service such as Virustotal to get them scanned by several vendors. Also running for example HijackThis on the system could be helpful when trying to pinpoint the root of the problem.

h**p://www.trendsecure.com/portal/en-US/_download/HiJackThis.zip

Regards,

LS Pekka
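An added triage helper for the situation in this thread (a defender's check, not code from the thread or from Lavasoft): for each process name Ad-Watch flagged, it records the running image's path, Authenticode status, signer and SHA-256, so the result can be compared with a clean machine or used for a hash lookup at a multi-engine scanner before anything is blocked. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the process list is taken from the first post.

```powershell
# Added triage helper; not from this thread or from Lavasoft.
# Assumes Windows PowerShell 2.0 or later, started from an elevated prompt so
# the image paths of system processes such as winlogon.exe are readable.
# The process names are the ones Ad-Watch flagged earlier in the thread.
$flaggedNames = 'winlogon', 'explorer', 'ati2evxx', 'smc', 'ccEvtMgr', 'SbClientManager'

function Get-Sha256Hex {
    param([string]$Path)
    # Stream the file through SHA-256 and render the digest as lowercase hex,
    # the form online multi-engine scanners accept for a hash lookup.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Get-FlaggedImageReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        if ($procs.Count -eq 0) {
            New-Object PSObject -Property @{ Process = $name; Status = 'not running'; Signer = ''; Sha256 = ''; Path = '' }
            continue
        }
        foreach ($p in $procs) {
            $path = $p.Path
            if (-not $path) {
                # Path is empty when the process is not readable (not elevated, or a protected process).
                New-Object PSObject -Property @{ Process = "$name (PID $($p.Id))"; Status = 'path not readable'; Signer = ''; Sha256 = ''; Path = '' }
                continue
            }
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Process = "$name (PID $($p.Id))"
                Status  = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError ...
                Signer  = $signer
                Sha256  = Get-Sha256Hex -Path $path
                Path    = $path
            }
        }
    }
}

Get-FlaggedImageReport -Names $flaggedNames | Format-Table -AutoSize Process, Status, Signer, Sha256, Path
```

A NotSigned status on a Microsoft system binary does not by itself indicate tampering, because older Windows releases sign those files through a catalog rather than an embedded signature, so compare the SHA-256 with the same file on a known-clean machine or with a vendor hash lookup. A HashMismatch, a signer other than the expected vendor, or an image path outside the expected directory is what justifies sending the file in for analysis as requested above.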
DAB
LS,

I can't get the Winlogon.exe alert captured in the AA log. I do have screen shots - however it will not allow me to upload doc or rtf files. I do have an event log from a 2nd pc that is getting alerts on explorer.exe - also attached.

Do you know if the definitions for iesuper changed in this release of the file? I need to know that so I can answer management. If this isn't the issue then I need to keep looking for the answer.

Thanks!
DAB
One other thing I noticed - not sure if it means anything - when watching Ad-Watch startup with the task manager, it grows to just under 200M of RAM as it is loading the definitions. Then it drops down to about 8, then pops back up to about 60-80M as it runs in background... Ad-Aware does similarly - grows then drops back after it has read the defs in.
LS Pekka
QUOTE(DAB @ Dec 9 2008, 08:12 PM) *
One other thing I noticed - not sure if it means anything - when watching Ad-Watch startup with the task manager, it grows to just under 200M of RAM as it is loading the definitions. Then it drops down to about 8, then pops back up to about 60-80M as it runs in background... Ad-Aware does similarly - grows then drops back after it has read the defs in.


Hi DAB!

First I have to ask why you are running Ad-Aware SE, as Ad-Aware SE expired Dec 31, 2007. All Ad-Aware SE users were prompted to update to Ad-Aware 2008. Are you running the Enterprise version? As mentioned before you should consider starting to use Ad-Aware 2008 instead; the free version is available here,
http://www.lavasoft.com/products/ad_aware_free.php and the Plus and Pro versions are available for purchase here,
http://www.lavasoft.com/products/ad_aware_plus2.php and here,
http://www.lavasoft.com/products/ad_aware_pro.php.

Secondly, answering your question, the latest (0143.0004) and SE1R317 08.12.2008 definition files contain updated definitions for the Adware.IESuper family.

When it comes to the other issues regarding high memory usage during different operations, it is really hard to pinpoint a reason or cause, as that should be based on a thorough analysis of the affected system. The symptoms could occur as a result of an infection or hardware/software related destabilization issues etc.

Regards,

LS Pekka
DAB
Timing was just not right for upgrading - too many other things on the list and no major issues with this version have allowed us to keep using the SE version. Thin ice, we understand.

Is there a plan to update IESuper to correct this issue? We will not be able to deploy 2008 as a fix for this.
LS Pekka
QUOTE(DAB @ Dec 9 2008, 10:30 PM) *
Timing was just not right for upgrading - too many other things on the list and no major issues with this version have allowed us to keep using the SE version. Thin ice, we understand.

Is there a plan to update IESuper to correct this issue? We will not be able to deploy 2008 as a fix for this.


Hi again DAB!

We will do some modifications to the Adware.IESuper family in order to see if that solves the issue.
These modifications will be included as of the next definition file release.

Regards,

LS Pekka
DAB
Thanks VERY much!
pamlong
I am having the same problem. I am running Ad-Aware SE Professional, build 1.02.
From reading earlier posts, I see that this version is outdated and I need to update; however I am unsure of how to proceed. I purchased 2008 pro but am unable to install. The windows installer window hangs up. I'm assuming this has something to do with all the .exe files that were tagged as harmful or some of the registry changes.

How do I get past this problem? Is it better to uninstall the old version first? Will that get rid of all the new settings?
LS Pekka
Hi DAB and Pamlong!

Please try downloading the latest definition file (SE1R318 10.12.2008) and see if using that solves the issue.

Regards,

LS Pekka
DAB
QUOTE(pamlong @ Dec 10 2008, 07:41 AM) *
I am having the same problem. I am running Ad-Aware SE Professional, build 1.02.
From reading earlier posts, I see that this version is outdated and I need to update; however I am unsure of how to proceed. I purchased 2008 pro but am unable to install. The windows installer window hangs up. I'm assuming this has something to do with all the .exe files that were tagged as harmful or some of the registry changes.

How do I get past this problem? Is it better to uninstall the old version first? Will that get rid of all the new settings?



pamlong,

If you receive the pop-up from Ad-Watch, right click on the tray icon and select Unload Ad-Watch. This has worked for us and you avoid Accepting or Blocking - either option causes issues.
DAB
Initial testing shows no alerts. I will expand...

Thanks for the quick response!
pamlong
QUOTE(LS Pekka @ Dec 10 2008, 10:42 AM) *
Hi DAB and Pamlong!

Please try downloading the latest definition file (SE1R318 10.12.2008) and see if using that solves the issue.

Regards,

LS Pekka


Where do I get this definition file? I can't download thru ad aware; the last def file it acknowledges is SE1R317 08.12.2008.

I can't right-click the adwatch icon; in fact I can't right-click anything, nor can I use shutdown/restart. I have to cold-boot the computer.

What now?
LS Pekka
QUOTE(pamlong @ Dec 10 2008, 07:54 PM) *
Where do I get this definition file? I can't download thru ad aware; the last def file it acknowledges is SE1R317 08.12.2008.

I can't right-click the adwatch icon; in fact I can't right-click anything, nor can I use shutdown/restart. I have to cold-boot the computer.

What now?


Hi pamlong!

You may try the following,

1) Cold-boot the computer and choose to boot into Safe Mode, "Safe Mode with Networking" (start tapping the F8 key until you see the "Windows Advanced Options Menu"). This should start your system with the Ad-Watch service unloaded.

2) Perform the update of the Ad-Aware SE Pro definition file normally within safe mode. The new definitions may also be downloaded manually from, http://www.lavasoft.com/support/securitycenter/blog/ under "DOWNLOAD Current Definition File" or via this direct link, http://download.lavasoft.com/public/defs.zip
In order to load the new defs.ref manually into Ad-Aware SE click the yellow "gear-wheel" icon from the menu, then browse to the correct location via clicking on the yellow folder icon to the right of the "Using definitions file:" text box, then select the new defs.ref file and click on the "Open" button. Then click the "Proceed" button in the General Options interface. In the Status window make sure that the latest definitions are loaded "Definitions file SE1R318 10.12.2008 Loaded".

3) Reboot the system into Normal mode to see if the issue is resolved. If it is not resolved disable Ad-Watch within Safe Mode (see instructions below) in order to perform operations of choice.

Disabling Ad-Watch
Press the "Ad-Watch" button, then in the "Tools & Preferences" interface press the "Options" button. Un-tick "Load Ad-Watch on Windows start up", then reboot the system and Ad-Watch should be disabled.

Regards,

LS Pekka