RD 2.001 rule is triggered by Ad-Aware SE

Discussion in 'Ghost Security Suite (GSS)' started by Disciple, Sep 20, 2005.

Thread Status:
Not open for further replies.
  1. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Like many I use, and recommend, Ad-Aware as a good spyware/malware scanner and removal tool. However, I am seeing a registry action by Ad-Aware that troubles me deeply. Seeing that the def files for Ad-Aware were updated today, I updated and ran a scan, which only returned 2 MRU items for Corel Presentations. I decided to remove them, but during the removal RD presented me with several Alerts that were triggered by the Networking Protection > HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\Interfaces** entry. In particular, the actions Ad-Aware wanted to perform were:

    Code:
    14:01:52 | Delete Value | Blocked [User]      | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000001 | | ad-aware.exe
    14:01:58 | Delete Value | Blocked [User]      | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000002 | | ad-aware.exe
    14:02:01 | Delete Value | Blocked [User]      | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000003 | | ad-aware.exe
    14:02:05 | Delete Value | Blocked [User]      | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000004 | | ad-aware.exe
    14:02:07 | Delete Value | Blocked [User]      | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000005 | | ad-aware.exe
    14:02:10 | Delete Value | Blocked [User]      | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000006 | | ad-aware.exe
    14:02:13 | Delete Value | Blocked [User]      | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000007 | | ad-aware.exe
    14:02:13 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000008 | | ad-aware.exe
    14:02:13 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000009 | | ad-aware.exe
    14:02:13 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000010 | | ad-aware.exe
    14:02:13 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000011 | | ad-aware.exe
    14:02:13 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000012 | | ad-aware.exe
    14:02:13 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000013 | | ad-aware.exe
    14:02:13 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000014 | | ad-aware.exe
    14:02:13 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000015 | | ad-aware.exe
    14:02:13 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000016 | | ad-aware.exe
    14:02:16 | Delete Value | Blocked [User]      | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000017 | | ad-aware.exe
    14:02:16 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000018 | | ad-aware.exe
    14:02:19 | Delete Value | Blocked [User]      | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000019 | | ad-aware.exe
    14:02:19 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000020 | | ad-aware.exe
    14:02:19 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000021 | | ad-aware.exe
    14:02:19 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000022 | | ad-aware.exe
    14:02:19 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000023 | | ad-aware.exe
    14:02:19 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000024 | | ad-aware.exe
    14:02:19 | Delete Value | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9\Catalog_entries\000000000025 | | ad-aware.exe
    14:02:19 | Set Value    | Blocked [Auto User] | HKLM\System\Controlset001\Services\Winsock2\Parameters\Protocol_catalog9 | num_catalog_entries | ad-aware.exe
    I find this very unsettling, because why would it need to delete Winsock2 entries for an MRU item? I just can't see the relationship between these two things. As you can see, I blocked it, which Ad-Aware did not like; the program froze for several minutes before I could do anything else in the GUI.

    FWIW - I have not asked the Ad-Aware (Lavasoft) support about this yet. Since they closed their forum boards and now tech support is only offered through their web site the process is very clumsy and cumbersome, and I have not felt like going through that just yet.

    If anyone here can shed some light on this I would greatly appreciate it.
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Disciple,

    Seeing the same behavior here when I let Ad-Aware clean MRUs. I blocked the deletions the first time around. Tried it again with an application rule to let Ad-Aware do what it wants, but no values were deleted within the Winsock2 key. Just to see what would happen, I deleted the values manually, rebooted, and explorer.exe was missing in action. No desktop, etc.

    If I have time, I will take a look at it with regmon, but I would say it is an issue for Ad-Aware support.

    Nick
     
  3. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    At least I am not alone in seeing this behavior. Agreed this is an issue for Lavasoft support, it's just that I have found their tech support very lacking. I had sent in a request in July and their response somewhat stayed on subject, if answering a completely different question that I never asked is staying on subject. I will submit a support request. Never thought to use Regmon, I would be interested in your results.

    Maybe I/we need a better understanding of how the Winsock is used in XP. I have the impression that it is related to Internet connectivity and the LSP stack. Which is why I am questioning Ad-Aware hitting that registry section to remove MRU items. Well take care and thanks for the reply.
     
    Last edited: Sep 21, 2005
  4. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Had the same thing happen to me as well with running an AdAware scan. Maybe Jason can chime in with his thoughts.
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Regmon shows "NOT FOUND" errors associated with Ad-Aware's deletion attempts. For example:

    424 317.80117798 Ad-Aware.exe:1648 DeleteValueKey HKLM\System\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 NOT FOUND

    Nick
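    A defender-side triage of the two log formats quoted in this thread (the RD alert lines in the first post and the Regmon line above), as an added example that is not part of the thread, of RD, or of Ad-Aware: it parses constructed sample lines in those formats, flags registry operations that touch the Winsock2 Protocol_Catalog9 key, records which catalog entries a process tried to delete, whether it also tried to rewrite num_catalog_entries, and which of those deletions Regmon reported as NOT FOUND (the value did not exist). The sample lines and the field layout assumed for both formats are inferred from the lines quoted in the thread, not from any documented specification.

```python
import re
from collections import defaultdict

# Constructed sample lines in the RD alert format quoted in the first post:
# time | action | result | key | value | process
RD_LOG = """\
14:01:52 | Delete Value | Blocked [User] | HKLM\\System\\Controlset001\\Services\\Winsock2\\Parameters\\Protocol_catalog9\\Catalog_entries\\000000000001 | | ad-aware.exe
14:02:16 | Delete Value | Blocked [User] | HKLM\\System\\Controlset001\\Services\\Winsock2\\Parameters\\Protocol_catalog9\\Catalog_entries\\000000000017 | | ad-aware.exe
14:02:19 | Set Value | Blocked [Auto User] | HKLM\\System\\Controlset001\\Services\\Winsock2\\Parameters\\Protocol_catalog9 | num_catalog_entries | ad-aware.exe
14:03:00 | Set Value | Allowed [User] | HKCU\\Software\\Corel\\Presentations\\MRU | File1 | ad-aware.exe
"""

# Constructed sample lines in the Regmon format quoted above:
# seq time process:pid operation path result
REGMON_LOG = """\
424 317.80117798 Ad-Aware.exe:1648 DeleteValueKey HKLM\\System\\ControlSet001\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000017 NOT FOUND
425 317.80120000 Ad-Aware.exe:1648 DeleteValueKey HKLM\\System\\ControlSet001\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries\\000000000001 SUCCESS
"""

# The Winsock catalog key, with an optional 12-digit Catalog_Entries subkey.
WINSOCK_CATALOG = re.compile(
    r"\\services\\winsock2\\parameters\\protocol_catalog9"
    r"(?:\\catalog_entries\\(\d{12}))?$",
    re.IGNORECASE,
)

REGMON_LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_rd(text):
    """Parse pipe-delimited RD alert lines into dicts (malformed lines are skipped)."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            continue
        time, action, result, key, value, process = parts
        events.append({"time": time, "action": action, "result": result,
                       "key": key, "value": value, "process": process.lower()})
    return events


def parse_regmon(text):
    """Parse Regmon lines; the result column may contain spaces ('NOT FOUND')."""
    events = []
    for line in text.splitlines():
        m = REGMON_LINE.match(line.strip())
        if not m:
            continue
        seq, t, proc, pid, op, path, result = m.groups()
        events.append({"seq": int(seq), "process": proc.lower(), "pid": int(pid),
                       "op": op, "path": path, "result": result.strip()})
    return events


def catalog_target(path):
    """('entry', n) for a Catalog_Entries\\n value, ('catalog', None) for the
    Protocol_Catalog9 key itself, None for any other registry path."""
    m = WINSOCK_CATALOG.search(path)
    if not m:
        return None
    return ("entry", int(m.group(1))) if m.group(1) else ("catalog", None)


def triage(rd_events, regmon_events=()):
    """Per process: catalog entries targeted, whether num_catalog_entries was
    rewritten, blocked/allowed counts, and entries Regmon reported NOT FOUND."""
    report = defaultdict(lambda: {"entries_targeted": set(), "count_rewrite": False,
                                  "blocked": 0, "allowed": 0, "missing_targets": set()})
    for ev in rd_events:
        target = catalog_target(ev["key"])
        if target is None:
            continue  # not a Winsock catalog operation; out of scope here
        r = report[ev["process"]]
        kind, n = target
        if kind == "entry":
            r["entries_targeted"].add(n)
        elif ev["value"].lower() == "num_catalog_entries":
            r["count_rewrite"] = True
        if ev["result"].lower().startswith("blocked"):
            r["blocked"] += 1
        else:
            r["allowed"] += 1
    for ev in regmon_events:
        target = catalog_target(ev["path"])
        if target and target[0] == "entry" and ev["result"] == "NOT FOUND":
            report[ev["process"]]["missing_targets"].add(target[1])
    return {p: {**r, "entries_targeted": sorted(r["entries_targeted"]),
                "missing_targets": sorted(r["missing_targets"])}
            for p, r in report.items()}


if __name__ == "__main__":
    for proc, summary in triage(parse_rd(RD_LOG), parse_regmon(REGMON_LOG)).items():
        print(proc, summary)
```

    The script does by machine what was done by hand in this thread: an RD "Blocked" line means the change did not happen, and a Regmon NOT FOUND means the value was not there to delete, so neither by itself shows the catalog was altered. Comparing the live Catalog_Entries subkeys against Num_Catalog_Entries after the scan is the check that settles it.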
     
  6. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    No final word from Jason on this one?
     
  7. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Trooper, I don't think Jason can really comment on this as it is an Ad-Aware behavior and RD is only doing its job by alerting us to this behavior.

    Just to let everyone know, I did submit this tech support request to Lavasoft on Sept. 21:

    On Sept. 22 I received this response :rolleyes: :

    That is not what I consider to be an answer to the question. :mad:

    With today's Ad-Aware update it found 2 tracking cookies. One of which I do not consider a threat, Overstock.com, and have on 3 previous occasions excluded it from detection but it keeps being re-detected. The other I let it remove, but during the process RD gave the same winsock alerts as I described originally. I am really beginning to question what Ad-Aware is doing, and whether I want to keep it.
     
  8. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    You're right Disciple, that's not an acceptable answer. I read a few months ago that Lavasoft and Computer Associates are being investigated for some of their practices, something to do with delisting known adware offenders.

    Lavasoft and CA delisted this known adware offender at the exact same time from their programs. Suspicious!!! :ninja:

    There is a very young Attorney in Boston (I think it's Boston) that's looking into the case.

    I don't even use my Adaware SE Pro. I decided to leave it off.
     
  9. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    I don't know about an investigation, and I had not read anything about CA delisting adware vendors. But I do know there was an uproar about Microsoft (MS Antispyware) and Lavasoft delisting one or two vendors. In fairness though, MS did add that detection back after all of the flak they received.

    Like I said I am leaning that way myself, and until I get an answer from Lavasoft I will not be recommending Ad-Aware to anyone.
     
  10. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    When I come across the article again I will give a link. PC Mag and PC World keep updated on this story. That's where I originally read about it. ;)
     
  11. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Since I started using Firefox and Opera, I really don't need Adaware anymore. That's the positive side. I have IE so restricted I'm not worried about it. I use IE once a month to get my windows updates, that's it!
     
  12. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    246
    Location:
    NJ, USA
    I use Opera. But I still need IE for windows updates :( .

    Rarely, a site will not render correctly in Opera, so I access it with IE, but I'm thinking of installing Firefox for those.
     
  13. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi Berng,

    I'm an Opera lover, that's my default browser. I do use Firefox too. Both great browsers. We are much safer from the :ninja:
     