Adware & Trojans: Winantispyware!

[tryan21]

Avast warings won't stop popping up, computer is slow, and I keep getting WinAntiSpyware popups.

Below is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:10:44 AM, on 9/19/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIA LA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\windows\system32\kndsrngk.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJ BFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFE LKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFB KINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGO BAFDF
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIA LA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [{34-41-1D-D6-ZN}] C:\windows\system32\kndsrngk.exe CHD003
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kndsrngk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJ BFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFE LKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFB KINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGO BAFDF
O15 - Trusted Zone: http://www.java.com
O15 - Trusted Zone: http://photos.walmart.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activ...pv2.0.0.10.cab?
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

[Spiritsongs]

   Hi :

      Your Log indicates you have NO antiSPYWARE programs on your
      computer, not a very wise decision since there are Good & FREE Ones
      like AVG AntiSpyware, most easily downloaded from www.ewido.net,
      and the FREE ver of SUPERAntiSpyware from www.superantispyware.com
      available .

      As to your immediate problem, would be best to use the Good & FREE
     "RogueRemover" from www.malwarebytes.org/rogueremover.php  .

[tryan21]

Ok well I guess I'm just stupid because I thought Avast included antisypware... oops my bad. So, I will go and download one. Should that delete the spyware I have now and fix the problem?

[Spiritsongs]

   Hi :

      Just to be on the safe side, I recommend you use the RogueRemover
      program ; after you are done using it, then it would be wise to install
      BOTH of the other 2 programs and run their scans, etc

      P.S. I am NOT a fan of the "Google Toolbar" ; it increases your chances
      of "mischief" from them in the future . When I do a Google "Search", I just
      go to their website .

[tryan21]

ok i will download those two in just one second. I downloaded RogueRemover and did a scan. It said it found nothing, but I know there is something there!?!

[FreewheelinFrank]

This looks suspicious:

C:\windows\system32\kndsrngk.exe

Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders', and upload the above files to VirusTotal for analysis.

Post the results here please.

[FreewheelinFrank]

Actually this too:

C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIA LA.EXE

I think it might be a printer file, but worth a quick check at VirusTotal.

[tryan21]

File kndsrngk.exe received on 09.19.2007 21:25:04 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 16/32 (50%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 39 and 56 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
 Compact Print results 
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
 Email: 
 

Antivirus Version Last Update Result
AhnLab-V3 2007.9.20.0 2007.09.19 Win-AppCare/Zenosearch.52757
AntiVir 7.6.0.15 2007.09.19 ADSPY/ZenoSearch.O.22
Authentium 4.93.8 2007.09.19 -
Avast 4.7.1043.0 2007.09.18 -
AVG 7.5.0.485 2007.09.19 Adware Generic2.JJR
BitDefender 7.2 2007.09.19 Trojan.Agent.AZT
CAT-QuickHeal 9.00 2007.09.19 AdWare.ZenoSearch.o (Not a Virus)
ClamAV 0.91.2 2007.09.19 -
DrWeb 4.33 2007.09.19 -
eSafe 7.0.15.0 2007.09.19 -
eTrust-Vet 31.2.5147 2007.09.19 -
Ewido 4.0 2007.09.19 -
FileAdvisor 1 2007.09.19 -
Fortinet 3.11.0.0 2007.09.19 Adware/Zeno
F-Prot 4.3.2.48 2007.09.19 -
F-Secure 6.70.13030.0 2007.09.19 -
Ikarus T3.1.1.12 2007.09.19 not-a-virus:AdWare.Win32.ZenoSearch.o
Kaspersky 4.0.2.24 2007.09.19 not-a-virus:AdWare.Win32.ZenoSearch.o
McAfee 5123 2007.09.19 potentially unwanted program Adware-Zeno
Microsoft 1.2803 2007.09.19 -
NOD32v2 2540 2007.09.19 -
Norman 5.80.02 2007.09.19 W32/ZenoSearch.CG
Panda 9.0.0.4 2007.09.19 Adware/Zenosearch
Prevx1 V2 2007.09.19 Malware.Gen
Rising 19.41.20.00 2007.09.19 -
Sophos 4.21.0 2007.09.19 -
Sunbelt 2.2.907.0 2007.09.19 -
Symantec 10 2007.09.19 Trojan Horse
TheHacker 6.2.5.062 2007.09.19 Adware/ZenoSearch.o
VBA32 3.12.2.4 2007.09.19 AdWare.Win32.ZenoSearch.o
VirusBuster 4.3.26:9 2007.09.19 -
Webwasher-Gateway 6.0.1 2007.09.19 Ad-Spyware.ZenoSearch.O.22
Additional information
File size: 52778 bytes
MD5: 3aa48632f3231c3b2fcd62304b3fd53e
SHA1: abc0c437834fcf432634d953b07b403058bca41d
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=8702A6A02A2090D5CE2E009161885900EF6D80B6

[FreewheelinFrank]

Well, I'd say it looks like Zeno Search is the problem.

Go to Start > Control Panel > Add/Remove Programs and remove Zenu Search if found.

If it's not there, please tell us.

[Lisandro]

It could be removed by RogueRemover.

[tryan21]

Well, I'd say it looks like Zeno Search is the problem.

Go to Start > Control Panel > Add/Remove Programs and remove Zenu Search if found.

If it's not there, please tell us.

It's not there.

It could be removed by RogueRemover.

How? I didn't see it on the list.

[FreewheelinFrank]

As BitDefender nabs this one, I'd recommend an online scan:

http://www.bitdefender.com/scan8/ie.html

[DavidR]

File kndsrngk.exe received on 09.19.2007 21:25:04 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 16/32 (50%)
<snip>

Lets not forget to send this and any file/s not detected by avast for analysis before it is dealt with.

If you are not getting a virus warning that you believe is a new, undetected virus then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest (after adding it to the User Files section of the chest).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a either a new, undetected virus and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

[tryan21]

I can't seem to get BitDefender to finish a scan

[polonus]

Hi tryan21,

Try the manual removal procedure mentioned here, and execute it to the dot:
http://www.2-spyware.com/remove-zenosearch.html

polonus