Author Topic: Adware & Trojans: Winantispyware!  (Read 37440 times)

FreewheelinFrank
Re: Adware & Trojans: Winantispyware!
« Reply #15 on: September 20, 2007, 08:16:42 AM »
Looks like removing the Zeno startup entries is the way to go. Polonus's method involves editing the registry; you could also attempt removal with HijackThis! as follows.

Run HijackThis! again, tick the following entries:

O4 - HKLM\..\Run: [{34-41-1D-D6-ZN}] C:\windows\system32\kndsrngk.exe CHD003
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kndsrngk.exe

Then close all windows except HijackThis! and click 'fix'.

Reboot into Safe Mode and delete the file.

Run HijackThis! again and check that the entries have gone. More sophisticated malware will resist such a simple approach, but there are other methods to use if this fails.

tryan21
Re: Adware & Trojans: Winantispyware!
« Reply #16 on: September 20, 2007, 06:52:43 PM »
Went and tried to manually remove it. It told me to find and delete the following:
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysstart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zeno Browser Enhancer

None of them could be found. Something is still very wrong though. I get WinAntiSpyware 2007 popups like every 2 minutes and Avast warnings just will NOT stop. I'm having a hard time typing this message because of all the interruptions! The reason I couldn't get BitDefender to finish was because all of a sudden the page would load an advertisement. It wasn't even a pop-up, it would just load on the page I already had open. Ahhhhhh it's driving me crazy! :o

FreewheelinFrank
Re: Adware & Trojans: Winantispyware!
« Reply #17 on: September 20, 2007, 07:05:35 PM »
Have you tried the HijackThis! method?

Lisandro
Re: Adware & Trojans: Winantispyware!
« Reply #18 on: September 20, 2007, 07:27:18 PM »
Quote
It could be removed by RogueRemover.
How? I didn't see it on the list.

I'm saying what I'm reading in the title of the thread.
You can remove Winantispyware using RogueRemover.

FreewheelinFrank
Re: Adware & Trojans: Winantispyware!
« Reply #19 on: September 20, 2007, 07:37:55 PM »
Tech, I suspect the ad is for Winantispyware but it's generated by Zeno.

tryan21
Re: Adware & Trojans: Winantispyware!
« Reply #20 on: September 20, 2007, 08:29:04 PM »
Quote
Looks like removing the Zeno startup entries is the way to go. Polonus's method involves editing the registry; you could also attempt removal with HijackThis! as follows.

Run HijackThis! again, tick the following entries:

O4 - HKLM\..\Run: [{34-41-1D-D6-ZN}] C:\windows\system32\kndsrngk.exe CHD003
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kndsrngk.exe

Then close all windows except HijackThis! and click 'fix'.

Reboot into Safe Mode and delete the file.

Run HijackThis! again and check that the entries have gone. More sophisticated malware will resist such a simple approach, but there are other methods to use if this fails.

I couldn't find either in HijackThis. Below is the log; maybe I'm just overlooking it.

Logfile of HijackThis v1.99.1
Scan saved at 11:25:27 AM, on 9/20/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vgjhkxnu.dll",sitypnow
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O15 - Trusted Zone: http://www.java.com
O15 - Trusted Zone: http://photos.walmart.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
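The triage of a log like the one above is done by eye: read the O4 lines, spot the ones that do not belong, then work out which registry value and which file each one maps to. What follows is an added example that does the same thing mechanically; it is not HijackThis code and not something any poster in this thread ran. It parses O4 lines copied from this thread (the two Zeno entries from Reply #15 and a handful from the log in Reply #20) and flags the ones matching three heuristics that are my own assumption from the entries discussed here, not a rule built into HijackThis: an eight-letter random lowercase name sitting directly in system32, rundll32 loading such a DLL, and a Run value named like a made-up GUID. For each flagged entry it prints the exact registry value and file to remove, so the manual removal follows what is actually in the log rather than the generic names from a removal guide (the `sysstart` value tryan21 looked for was not there; `SearchIndexer` was).

```python
"""Triage of HijackThis O4 (autostart) lines and a manual-removal plan.

Added example for this thread; it is not HijackThis code and not a tool
the posters used. SAMPLE_LOG lines are copied from the thread. The
heuristics below are an assumption based on the Zeno/Vundo-style entries
discussed, not something HijackThis itself applies.
"""
import re
from dataclasses import dataclass, field

# O4 line shapes in a HijackThis 1.99 log:
#   O4 - HKLM\..\Run: [ValueName] C:\path\file.exe args
#   O4 - Startup: Name.lnk = C:\path\file.exe
#   O4 - Global Startup: Name.lnk = C:\path\file.exe
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_LNK = re.compile(r"^O4 - (?P<where>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion"

# Any drive-letter path ending in .exe/.dll, quoted or not. On a rundll32
# command line this yields the DLL being loaded, not rundll32.exe itself.
PATH = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll)', re.I)
SYSTEM32_FILE = re.compile(r"\\windows\\system32\\([^\\]+)$", re.I)  # file directly in system32
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")                 # kndsrngk.exe, vgjhkxnu.dll
GUIDISH_NAME = re.compile(r"^\{[0-9A-Za-z-]+\}$")                     # {34-41-1D-D6-ZN}


@dataclass
class Autostart:
    line: str
    location: str   # full registry key, or which startup folder
    name: str       # registry value name, or the .lnk name
    cmd: str
    paths: list = field(default_factory=list)    # binaries/DLLs the entry runs
    reasons: list = field(default_factory=list)  # heuristics tripped

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o4(line: str):
    """Turn one O4 line into an Autostart record; None for any other line."""
    m = O4_RUN.match(line)
    if m:
        location = f"{HIVES[m['hive']]}\\{RUN_BASE}\\{m['key']}"
        return Autostart(line, location, m["name"], m["cmd"], PATH.findall(m["cmd"]))
    m = O4_LNK.match(line)
    if m:
        return Autostart(line, f"{m['where']} folder", m["name"], m["cmd"], PATH.findall(m["cmd"]))
    return None


def assess(entry: Autostart) -> Autostart:
    """Attach a reason for every heuristic the entry trips."""
    if GUIDISH_NAME.match(entry.name):
        entry.reasons.append("Run value name is a made-up GUID")
    uses_rundll32 = "rundll32" in entry.cmd.lower()
    for path in entry.paths:
        m = SYSTEM32_FILE.search(path)
        if not m:
            continue  # subfolders of system32 (e.g. spool\DRIVERS) are not the pattern
        base = m.group(1)
        if RANDOM_NAME.match(base):
            entry.reasons.append(f"random 8-letter name in system32: {base}")
        if uses_rundll32 and base.lower().endswith(".dll"):
            entry.reasons.append(f"rundll32 loads {base} from system32")
    return entry


def triage(log_text: str):
    """All O4 entries of a log, assessed, in log order."""
    return [assess(e) for e in map(parse_o4, log_text.splitlines()) if e]


def removal_plan(entries):
    """Registry value and file(s) to remove by hand for each flagged entry.
    The value name comes from the log itself, not from a generic guide."""
    return [
        {"delete_value": (e.location, e.name), "delete_files": e.paths, "why": e.reasons}
        for e in entries if e.suspicious
    ]


# Lines copied from the thread: the two Zeno entries from Reply #15 and
# a few entries from the log in Reply #20.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [{34-41-1D-D6-ZN}] C:\windows\system32\kndsrngk.exe CHD003
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kndsrngk.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vgjhkxnu.dll",sitypnow
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
"""

if __name__ == "__main__":
    for item in removal_plan(triage(SAMPLE_LOG)):
        key, value = item["delete_value"]
        print(f"delete value [{value}] under {key}")
        for f in item["delete_files"]:
            print(f"  then, in Safe Mode, delete {f}")
        print("  because:", "; ".join(item["why"]))
```

The heuristics are deliberately narrow: a vendor DLL loaded through rundll32 from system32 (video drivers do this) will be listed for review, not condemned, and the printed plan is still the same two-step procedure given in Reply #15 (remove the autostart entry, reboot into Safe Mode, delete the file, rescan).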


mauserme
Re: Adware & Trojans: Winantispyware!
« Reply #21 on: September 20, 2007, 08:42:14 PM »
It seems like a possible Vundo infection.

Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Also note that avast! is flagging one of the ComboFix files as a trojan. This is a false positive - ComboFix is safe. Please don't delete or quarantine the file if you get a warning.

tryan21
Re: Adware & Trojans: Winantispyware!
« Reply #22 on: September 20, 2007, 09:05:29 PM »
ComboFix won't run, I get the following warning:

comspec error!

the above environment variable was found to be corrupt...

FreewheelinFrank
Re: Adware & Trojans: Winantispyware!
« Reply #23 on: September 20, 2007, 09:10:50 PM »
Try VundoFix, it removes this infection:

http://www.atribune.org/content/view/24/2/

Follow the instructions on the page carefully.

tryan21
Re: Adware & Trojans: Winantispyware!
« Reply #24 on: September 20, 2007, 10:54:40 PM »
VundoFix said no files found.

FreewheelinFrank
Re: Adware & Trojans: Winantispyware!
« Reply #25 on: September 21, 2007, 12:07:28 AM »
Try VirtumundoBegone:

http://www.bleepingcomputer.com/forums/topic18610.html

If that finds nothing, we can rule out Vundo.

FreewheelinFrank
Re: Adware & Trojans: Winantispyware!
« Reply #26 on: September 21, 2007, 12:21:49 AM »
Unless it's a new variant of course, in which case maybe mauserme can get ComboFix working later.

This bad entry has crept into your log:

O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vgjhkxnu.dll",sitypnow

Send it to VirusTotal and avast! and let us know what VirusTotal says about it.

Fix it as described previously.

It might also be worth looking for rootkits (hidden malware):

Panda Antirootkit
Blacklight
AVG Anti-Rootkit

mauserme
Re: Adware & Trojans: Winantispyware!
« Reply #27 on: September 21, 2007, 04:06:53 AM »
For sure fix that line and post the Virus Total scan results for C:\WINDOWS\system32\vgjhkxnu.dll.

Then rename hijackthis.exe to hijacktryan.exe, run it again, and post the new log.


EDIT:  Back in July you did uninstall the old version(s) of Java, right?
« Last Edit: September 21, 2007, 04:10:39 AM by mauserme »

tryan21
Re: Adware & Trojans: Winantispyware!
« Reply #28 on: September 21, 2007, 04:43:59 AM »
Ok I couldn't seem to find C:\WINDOWS\system32\vgjhkxnu.dll, but I did see a different file that looked suspicious. The file was C:\WINDOWS\system32\gqoqomwo.dll. I sent that file to VirusTotal and below are the scan results:

File gqoqomwo.dll received on 09.21.2007 04:37:42 (CET)
Result: 3/32 (9.38%)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.21.0 2007.09.20 -
AntiVir 7.6.0.15 2007.09.20 -
Authentium 4.93.8 2007.09.20 -
Avast 4.7.1043.0 2007.09.20 -
AVG 7.5.0.485 2007.09.20 -
BitDefender 7.2 2007.09.21 -
CAT-QuickHeal 9.00 2007.09.20 -
ClamAV 0.91.2 2007.09.20 -
DrWeb 4.33 2007.09.20 -
eSafe 7.0.15.0 2007.09.19 -
eTrust-Vet 31.2.5152 2007.09.20 -
Ewido 4.0 2007.09.20 -
FileAdvisor 1 2007.09.21 -
Fortinet 3.11.0.0 2007.09.20 -
F-Prot 4.3.2.48 2007.09.20 -
F-Secure 6.70.13030.0 2007.09.20 -
Ikarus T3.1.1.12 2007.09.21 -
Kaspersky 4.0.2.24 2007.09.21 -
McAfee 5124 2007.09.20 -
Microsoft 1.2803 2007.09.21 -
NOD32v2 2542 2007.09.21 -
Norman 5.80.02 2007.09.20 -
Panda 9.0.0.4 2007.09.20 Suspicious file
Prevx1 V2 2007.09.21 Heuristic: Suspicious Code
Rising 19.41.40.00 2007.09.21 -
Sophos 4.21.0 2007.09.20 -
Sunbelt 2.2.907.0 2007.09.20 -
Symantec 10 2007.09.21 -
TheHacker 6.2.5.064 2007.09.21 -
VBA32 3.12.2.4 2007.09.20 -
VirusBuster 4.3.26:9 2007.09.20 -
Webwasher-Gateway 6.0.1 2007.09.20 Win32.Malware.gen!88 (suspicious)
Additional information
File size: 83008 bytes
MD5: 3cedda83c368d0596e8b20e6e1bc1e14
SHA1: 19b93648e177e83b374ce563f1b3f2cd471c1a9b
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=56AD5C7D406416DD44A30169548DFD007D181EAB
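The file named in the Run entry could not be found, but a different random-named DLL turned up and its hashes went to VirusTotal. The following is an added example of that sweep; it is not the posters' code and not part of VirusTotal or HijackThis. It lists the eight-random-letter .exe/.dll files in a system32-style directory, hashes each one, looks the MD5 up against the hash VirusTotal reported above for gqoqomwo.dll, and reports which names from the log were not found at all. The directory is a parameter, and `make_sample_dir()` builds a constructed stand-in with placeholder contents so the script runs offline; the hashes it prints for those placeholders are therefore not the ones posted above.

```python
"""Sweep a system32-style directory for random-named .exe/.dll files and
hash them for a VirusTotal lookup.

Added example for this thread, not code from the posters, HijackThis or
VirusTotal. KNOWN holds the MD5 VirusTotal reported above for
gqoqomwo.dll; make_sample_dir() builds a constructed stand-in directory
with placeholder contents so the sweep can be run offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# kndsrngk.exe, vgjhkxnu.dll, gqoqomwo.dll: eight random lowercase letters
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")

# MD5 -> where it was seen. The one entry is the hash posted in Reply #28.
KNOWN = {
    "3cedda83c368d0596e8b20e6e1bc1e14": "C:\\WINDOWS\\system32\\gqoqomwo.dll, VirusTotal 3/32",
}


def file_hashes(path: Path) -> dict:
    """MD5, SHA1 and size of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": path.stat().st_size}


def sweep(directory, names_from_log=()):
    """Hash every random-looking file in `directory`, plus any file named in
    the log. Returns (records, missing): one record per file found, with
    its hashes and the KNOWN label if the MD5 matches, and the log names
    that were not found (a Run entry pointing at a file the OS does not
    show is itself worth noting)."""
    wanted = {n.lower() for n in names_from_log}
    records = []
    for p in sorted(Path(directory).iterdir()):
        name = p.name.lower()
        if not p.is_file() or not (RANDOM_NAME.match(name) or name in wanted):
            continue
        rec = file_hashes(p)
        rec["name"] = p.name
        rec["known_as"] = KNOWN.get(rec["md5"])
        records.append(rec)
        wanted.discard(name)
    return records, sorted(wanted)


def make_sample_dir() -> Path:
    """Constructed stand-in for system32; file contents are placeholders."""
    d = Path(tempfile.mkdtemp(prefix="sys32_sample_"))
    (d / "gqoqomwo.dll").write_bytes(b"abc")       # the name from Reply #28
    (d / "kndsrngk.exe").write_bytes(b"")          # the Zeno name from Reply #15
    (d / "kernel32.dll").write_bytes(b"legit")     # digits in the name: not random-looking
    (d / "E_FATIALA.EXE").write_bytes(b"printer")  # underscore/uppercase: not random-looking
    return d


if __name__ == "__main__":
    records, missing = sweep(make_sample_dir(), ["vgjhkxnu.dll"])
    for r in records:
        print(f"{r['name']:16} {r['size']:>7} md5={r['md5']} sha1={r['sha1']} known={r['known_as']}")
    print("named in log but not found:", missing)
```

Against a real machine, run it as Administrator with `C:\WINDOWS\system32` and the file names taken from the HijackThis log. A user-mode directory listing only shows what the OS shows, so a log entry whose file is "not found" is also consistent with a rootkit hiding it, which is what the rootkit scanners suggested in Reply #26 are for; and an MD5 match against a hash seen once is a pointer to an existing report, not a verdict on its own.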

mauserme
Re: Adware & Trojans: Winantispyware!
« Reply #29 on: September 21, 2007, 04:50:29 AM »
I think we'll eventually be deleting that file, with or without VirusTotal detections.

Please run the renamed HJT and post the new log.