Author Topic: Adware & Trojans: Winantispyware!  (Read 37429 times)


tryan21

  • Guest
Adware & Trojans: Winantispyware!
« on: September 19, 2007, 06:19:45 PM »
Avast warings won't stop popping up, computer is slow, and I keep getting WinAntiSpyware popups.

Below is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:10:44 AM, on 9/19/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\windows\system32\kndsrngk.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [{34-41-1D-D6-ZN}] C:\windows\system32\kndsrngk.exe CHD003
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kndsrngk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O15 - Trusted Zone: http://www.java.com
O15 - Trusted Zone: http://photos.walmart.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activ...pv2.0.0.10.cab?
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

Spiritsongs

  • Guest
Re: Adware & Trojans: Winantispyware!
« Reply #1 on: September 19, 2007, 06:28:52 PM »
:) Hi:

Your log indicates you have NO antispyware programs on your computer, not a very wise decision since there are Good & FREE ones like AVG AntiSpyware, most easily downloaded from www.ewido.net, and the FREE version of SUPERAntiSpyware from www.superantispyware.com available.

As to your immediate problem, it would be best to use the Good & FREE "RogueRemover" from www.malwarebytes.org/rogueremover.php.

tryan21

  • Guest
Re: Adware & Trojans: Winantispyware!
« Reply #2 on: September 19, 2007, 06:43:48 PM »
Ok well I guess I'm just stupid because I thought Avast included antispyware... oops my bad. So, I will go and download one. Should that delete the spyware I have now and fix the problem?

Spiritsongs

  • Guest
Re: Adware & Trojans: Winantispyware!
« Reply #3 on: September 19, 2007, 06:53:27 PM »
:) Hi:

Just to be on the safe side, I recommend you use the RogueRemover program; after you are done using it, then it would be wise to install BOTH of the other 2 programs and run their scans, etc.

P.S. I am NOT a fan of the "Google Toolbar"; it increases your chances of "mischief" from them in the future. When I do a Google "Search", I just go to their website.
« Last Edit: September 19, 2007, 07:04:15 PM by Spiritsongs »

tryan21

  • Guest
Re: Adware & Trojans: Winantispyware!
« Reply #4 on: September 19, 2007, 07:04:39 PM »
OK, I will download those two in just one second. I downloaded RogueRemover and did a scan. It said it found nothing, but I know there is something there!?! ???

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Adware & Trojans: Winantispyware!
« Reply #5 on: September 19, 2007, 07:19:29 PM »
This looks suspicious:

C:\windows\system32\kndsrngk.exe

Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders', and upload the above files to VirusTotal for analysis.

Post the results here please.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
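The kind of triage FreewheelinFrank does by eye above can be scripted; the block below is an added example, not code from this thread or from HijackThis. It parses O4 autostart lines in HijackThis v1.99 format (a constructed sample modelled on the posted log) and flags an executable when its Run value name mimics a GUID but is malformed, when a random-looking file name sits in system32, or when several autostart entries point at the same file. The heuristics are assumptions of mine and produce false positives (wscntfy.exe, a legitimate Windows file, trips the vowel test), so a hit means "check it at VirusTotal", not "malware".

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines in HijackThis v1.99 format, modelled on the log posted above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{34-41-1D-D6-ZN}] C:\windows\system32\kndsrngk.exe CHD003
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kndsrngk.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe"""

O4_RUN = re.compile(r'^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_LNK = re.compile(r'^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$')
GUID = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')

def exe_path(cmd):
    """Executable path from a command line: drop surrounding quotes and trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def looks_random(basename):
    """Heuristic (my assumption): 7+ letters and no vowel; legitimate names like wscntfy.exe also trip it."""
    letters = [c for c in basename.rsplit('.', 1)[0] if c.isalpha()]
    return len(letters) >= 7 and not any(c.lower() in 'aeiouy' for c in letters)

def triage_o4(log_text):
    """Return {lower-cased exe path: [reasons]} for O4 entries that deserve a second look."""
    entries = defaultdict(list)  # exe path -> names of the autostart entries launching it
    for line in log_text.splitlines():
        m = O4_RUN.match(line) or O4_LNK.match(line)
        if m:
            entries[exe_path(m.group('cmd')).lower()].append(m.group('name'))
    flags = {}
    for path, names in entries.items():
        reasons = []
        fake_guids = [n for n in names if n.startswith('{') and not GUID.match(n)]
        if fake_guids:
            reasons.append('Run value name mimics a GUID but is malformed: ' + ', '.join(fake_guids))
        basename = path.rsplit('\\', 1)[-1]
        if '\\system32\\' in path and looks_random(basename):
            reasons.append('random-looking file name in system32: ' + basename)
        if len(names) > 1:
            reasons.append('launched by %d separate autostart entries: %s' % (len(names), names))
        if reasons:
            flags[path] = reasons
    return flags
```

Running triage_o4(SAMPLE_LOG) reports only kndsrngk.exe, with all three reasons, which matches what the thread found.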

Offline FreewheelinFrank

Re: Adware & Trojans: Winantispyware!
« Reply #6 on: September 19, 2007, 07:29:15 PM »
Actually this too:

C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE

I think it might be a printer file, but worth a quick check at VirusTotal.

tryan21

  • Guest
Re: Adware & Trojans: Winantispyware!
« Reply #7 on: September 19, 2007, 09:38:13 PM »
File kndsrngk.exe received on 09.19.2007 21:25:04 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 16/32 (50%)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.20.0 2007.09.19 Win-AppCare/Zenosearch.52757
AntiVir 7.6.0.15 2007.09.19 ADSPY/ZenoSearch.O.22
Authentium 4.93.8 2007.09.19 -
Avast 4.7.1043.0 2007.09.18 -
AVG 7.5.0.485 2007.09.19 Adware Generic2.JJR
BitDefender 7.2 2007.09.19 Trojan.Agent.AZT
CAT-QuickHeal 9.00 2007.09.19 AdWare.ZenoSearch.o (Not a Virus)
ClamAV 0.91.2 2007.09.19 -
DrWeb 4.33 2007.09.19 -
eSafe 7.0.15.0 2007.09.19 -
eTrust-Vet 31.2.5147 2007.09.19 -
Ewido 4.0 2007.09.19 -
FileAdvisor 1 2007.09.19 -
Fortinet 3.11.0.0 2007.09.19 Adware/Zeno
F-Prot 4.3.2.48 2007.09.19 -
F-Secure 6.70.13030.0 2007.09.19 -
Ikarus T3.1.1.12 2007.09.19 not-a-virus:AdWare.Win32.ZenoSearch.o
Kaspersky 4.0.2.24 2007.09.19 not-a-virus:AdWare.Win32.ZenoSearch.o
McAfee 5123 2007.09.19 potentially unwanted program Adware-Zeno
Microsoft 1.2803 2007.09.19 -
NOD32v2 2540 2007.09.19 -
Norman 5.80.02 2007.09.19 W32/ZenoSearch.CG
Panda 9.0.0.4 2007.09.19 Adware/Zenosearch
Prevx1 V2 2007.09.19 Malware.Gen
Rising 19.41.20.00 2007.09.19 -
Sophos 4.21.0 2007.09.19 -
Sunbelt 2.2.907.0 2007.09.19 -
Symantec 10 2007.09.19 Trojan Horse
TheHacker 6.2.5.062 2007.09.19 Adware/ZenoSearch.o
VBA32 3.12.2.4 2007.09.19 AdWare.Win32.ZenoSearch.o
VirusBuster 4.3.26:9 2007.09.19 -
Webwasher-Gateway 6.0.1 2007.09.19 Ad-Spyware.ZenoSearch.O.22
Additional information
File size: 52778 bytes
MD5: 3aa48632f3231c3b2fcd62304b3fd53e
SHA1: abc0c437834fcf432634d953b07b403058bca41d
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=8702A6A02A2090D5CE2E009161885900EF6D80B6

Offline FreewheelinFrank

Re: Adware & Trojans: Winantispyware!
« Reply #8 on: September 19, 2007, 10:01:06 PM »
Well, I'd say it looks like Zeno Search is the problem.

Go to Start > Control Panel > Add/Remove Programs and remove Zeno Search if found.

If it's not there, please tell us.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Adware & Trojans: Winantispyware!
« Reply #9 on: September 19, 2007, 10:04:29 PM »
It could be removed by RogueRemover.
The best things in life are free.

tryan21

  • Guest
Re: Adware & Trojans: Winantispyware!
« Reply #10 on: September 19, 2007, 10:13:51 PM »
Quote
Well, I'd say it looks like Zeno Search is the problem.

Go to Start > Control Panel > Add/Remove Programs and remove Zeno Search if found.

If it's not there, please tell us.

It's not there.

Quote
It could be removed by RogueRemover.

How? I didn't see it on the list.

Offline FreewheelinFrank

Re: Adware & Trojans: Winantispyware!
« Reply #11 on: September 19, 2007, 10:27:37 PM »
As BitDefender nabs this one, I'd recommend an online scan:

http://www.bitdefender.com/scan8/ie.html

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89237
  • No support PMs thanks
Re: Adware & Trojans: Winantispyware!
« Reply #12 on: September 19, 2007, 11:16:14 PM »
File kndsrngk.exe received on 09.19.2007 21:25:04 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 16/32 (50%)
<snip>

Let's not forget to send this and any file/s not detected by avast for analysis before it is dealt with.

If you are not getting a virus warning on a file that you believe is a new, undetected virus, then zip and password protect ('virus' will do) the suspect file and send it to virus @ avast.com (no spaces), or send it from the chest (after adding it to the User Files section of the chest).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be either a new, undetected virus and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

tryan21

  • Guest
Re: Adware & Trojans: Winantispyware!
« Reply #13 on: September 20, 2007, 02:21:44 AM »
I can't seem to get BitDefender to finish a scan ???

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Adware & Trojans: Winantispyware!
« Reply #14 on: September 20, 2007, 07:57:52 AM »
Hi tryan21,

Try the manual removal procedure mentioned here, and execute it to the dot:
http://www.2-spyware.com/remove-zenosearch.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!