KoolyNoody - false positive?

Discussion in 'malware problems & news' started by Liloly, Jul 9, 2008.

Thread Status:
Not open for further replies.
  1. Liloly

    Liloly Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    8
    Location:
    UK
    I recently installed the Yahoo antispy powered by CA which comes with the Yahoo toolbar.
    On both my laptop and main PC, both running XP with SP2, it has detected a downloader called KoolyNoody. I have checked both systems with Spybot and Superantispyware. Both are clear on Spybot, and Superantispyware finds only the usual tracking cookies. I am using AVG 7.5 on both systems and that too is clear on scans.
    Other than the CA site I can find no reference to malware of any kind called KoolyNoody and am baffled as to what it is and where it has come from.
    I removed it last week from both machines, and when I rescanned today it was there again.
    Any thoughts or ideas on this would be greatly appreciated.
     
  2. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Google gives several references to it with a slightly different spelling. Another thought: what is the location shown? Possibly System Restore? If so, then temporarily disable System Restore. This should eliminate it. Then re-enable it.
     
  3. Liloly

    Liloly Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    8
    Location:
    UK
    Location is hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\koolynoody.net

    It wouldn't let me paste, so I had to copy it and I hope that's right.

    I don't know what significance that has, as I am very much a novice with computers, so I have to rely on experts such as yourselves.

    How would I disable/re-enable System Restore to get rid of it?
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since you are using Spybot, do you also use its Immunization feature?

    If so, I suspect that is an entry placed in the registry by Spybot's Immunization feature relating to a Restricted Sites entry. If you look in the registry at that location, does it have a data value of 4?

    koolynoody.jpg
     
  5. Liloly

    Liloly Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    8
    Location:
    UK
    Hi there Bubba.

    I was just about to post again when I saw your reply.

    I think you are spot on.

    What I did to test things was restore the item out of Yahoo antispy, then I ran Superantispyware, which found nothing.

    I then decided to remove the item again and look in Spybot's immunize data screen. Sure enough, there were two items unimmunized.
    So I duly immunized them, and the KoolyNoody entry reappeared in the Yahoo scan when I re-ran it.

    So what I am thinking is this is nothing to worry about as it is something that Spybot is managing through its immunize feature? If so then all is okay!
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Correct, nothing to worry about. Spybot is adding that entry to Internet Explorer's Restricted Sites list, and Yahoo antispy is falsely reporting a valid browser protection entry.
     
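The check Bubba describes (is the flagged ZoneMap entry really a Restricted Sites entry with data value 4?) can be done offline against a registry export. The following is an added example, not code from the thread or from Spybot or CA; it assumes a `.reg` text export of the `ZoneMap\Domains` key (for example from regedit's Export command) and uses a constructed sample export, not the poster's actual registry.

```python
import re

# Zone ids used by Internet Explorer's ZoneMap (URLZONE values).
ZONES = {0: "Local Machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Matched case-insensitively against each [key] line of the export.
DOMAINS_PREFIX = "\\zonemap\\domains\\"

# Constructed sample .reg export (assumption: regedit "Export" text format).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\koolynoody.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"https"=dword:00000002
"""

VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    """Return (host, protocol, zone_id, zone_name) for every ZoneMap\\Domains value."""
    entries = []
    host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(DOMAINS_PREFIX)
            if idx == -1:
                host = None          # some other key; ignore its values
                continue
            parts = key[idx + len(DOMAINS_PREFIX):].split("\\")
            # "Domains\example.com\www" stands for the host www.example.com
            host = ".".join(reversed(parts))
            continue
        m = VALUE_RE.match(line)
        if host and m:
            zone = int(m.group(2), 16)
            entries.append((host, m.group(1), zone, ZONES.get(zone, "unknown")))
    return entries


def restricted_hosts(reg_text):
    """Hosts whose ZoneMap entry is a Restricted Sites (zone 4) entry."""
    return sorted({h for h, _, z, _ in parse_zonemap(reg_text) if z == 4})
```

A host that appears in `restricted_hosts` is blocked, not trusted, by the browser; a value of 2 (Trusted sites) on an unfamiliar host would be the one worth investigating.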