Adware & Trojans: Winantispyware!

[FreewheelinFrank]

Looks like removing the Zeno startup entries is the way to go. Polonus's method involves editing the registry; you could also attempt removal with HijackThis! as follows.

Run HijackThis! again, tick the following entries:

O4 - HKLM\..\Run: [{34-41-1D-D6-ZN}] C:\windows\system32\kndsrngk.exe CHD003
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kndsrngk.exe

Then close all windows except HijackThis! and click 'fix'.

Reboot into Safe Mode and delete the file.

Run HijackThis! again and check that the entries have gone. More sophisticated malware will resist such a simple approach, but there are other methods to use if this fails.

[tryan21]

Went and tried to manually remove it. It told me to find and delete the following:
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysstart
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zeno Browser Enhancer

None of them could be found. Something is still very wrong though. I get WinAntiSpyware 2007 popups like every 2 minutes and Avast warnings just will NOT stop. I'm having a hard time typing this message because of all the interuptions! The reason I couldn't get BitDefender to finish was because all of a sudden the page would load an advertisment. It wasn't even a pop up, it would just load on the page I already had open. Ahhhhhh it's driving me crazy!

[FreewheelinFrank]

Have you tried the HijackThis! method?

[Lisandro]

It could be removed by RogueRemover.

How? I didn't see it on the list.

I'm saying what I'm reading the the title of the thread.
You can remove Winantispyware using RogueRemover.

[FreewheelinFrank]

Tech I suspect the ad is for Winantispyware but it's generated by Zeno.

[tryan21]

Looks like removing the Zeno startup entries is the way to go. Polonus's method involves editing the registry; you could also attempt removal with HijackThis! as follows.

Run HijackThis! again, tick the following entries:

O4 - HKLM\..\Run: [{34-41-1D-D6-ZN}] C:\windows\system32\kndsrngk.exe CHD003
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kndsrngk.exe

Then close all windows except HijackThis! and click 'fix'.

Reboot into Safe Mode and delete the file.

Run HijackThis! again and check that the entries have gone. More sophisticated malware will resist such a simple approach, but there are other methods to use if this fails.

I couldn't find either on hijackthis. Below is the log, maybe I'm just over looking it.

Logfile of HijackThis v1.99.1
Scan saved at 11:25:27 AM, on 9/20/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vgjhkxnu.dll",sitypnow
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O15 - Trusted Zone: http://www.java.com
O15 - Trusted Zone: http://photos.walmart.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

[mauserme]

It seems like a possible Vundo infection.

Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

Also note that avast! is flagging one of the ComboFix files as a trojan.  This is a false positive - ComboFix is safe.  Please don't delete or quarantine the file if you get a warning.

[tryan21]

combofix won't run, i get the following warning:

comspec error!

the above enviroment variable was found to be corrupt...

[FreewheelinFrank]

Try VundoFix, it removes this infection:

http://www.atribune.org/content/view/24/2/

Follow the instructions on the page carefully.

[tryan21]

VundoFix said no files found.

[FreewheelinFrank]

Try VirtumundoBegone:

http://www.bleepingcomputer.com/forums/topic18610.html

If that finds nothing, we can rule out Vundo.

[FreewheelinFrank]

Unless it's a new variant of course, it which case maybe mauserme can get ComboFix working later.

This bad entry has crept into your log:

O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vgjhkxnu.dll",sitypnow

Send it to VirusTotal and avast! and let us know what VirusTotal says about it.

Fix it as described previously.

It might also be worth looking for rootkits (hidden malware):

Panda Antirootkit
Blacklight
AVG Anti-Rootkit

[mauserme]

For sure fix that line and post the Virus Total scan results for C:\WINDOWS\system32\vgjhkxnu.dll.

Then rename hijackthis.exe to hijacktryan.exe, run it again, and post the new log.


EDIT:  Back in July you did uninstall the old version(s) of Java, right?

[tryan21]

Ok I couldn't seem to find C:\WINDOWS\system32\vgjhkxnu.dll, but I did see a different file that looked suspicious. The file was C:\WINDOWS\system32\gqoqomwo.dll. I sent that file to VirusTotal and below are the scan results:

File gqoqomwo.dll received on 09.21.2007 04:37:42 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 3/32 (9.38%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 39 and 56 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
 Compact Print results 
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
 Email: 
 

Antivirus Version Last Update Result
AhnLab-V3 2007.9.21.0 2007.09.20 -
AntiVir 7.6.0.15 2007.09.20 -
Authentium 4.93.8 2007.09.20 -
Avast 4.7.1043.0 2007.09.20 -
AVG 7.5.0.485 2007.09.20 -
BitDefender 7.2 2007.09.21 -
CAT-QuickHeal 9.00 2007.09.20 -
ClamAV 0.91.2 2007.09.20 -
DrWeb 4.33 2007.09.20 -
eSafe 7.0.15.0 2007.09.19 -
eTrust-Vet 31.2.5152 2007.09.20 -
Ewido 4.0 2007.09.20 -
FileAdvisor 1 2007.09.21 -
Fortinet 3.11.0.0 2007.09.20 -
F-Prot 4.3.2.48 2007.09.20 -
F-Secure 6.70.13030.0 2007.09.20 -
Ikarus T3.1.1.12 2007.09.21 -
Kaspersky 4.0.2.24 2007.09.21 -
McAfee 5124 2007.09.20 -
Microsoft 1.2803 2007.09.21 -
NOD32v2 2542 2007.09.21 -
Norman 5.80.02 2007.09.20 -
Panda 9.0.0.4 2007.09.20 Suspicious file
Prevx1 V2 2007.09.21 Heuristic: Suspicious Code
Rising 19.41.40.00 2007.09.21 -
Sophos 4.21.0 2007.09.20 -
Sunbelt 2.2.907.0 2007.09.20 -
Symantec 10 2007.09.21 -
TheHacker 6.2.5.064 2007.09.21 -
VBA32 3.12.2.4 2007.09.20 -
VirusBuster 4.3.26:9 2007.09.20 -
Webwasher-Gateway 6.0.1 2007.09.20 Win32.Malware.gen!88 (suspicious)
Additional information
File size: 83008 bytes
MD5: 3cedda83c368d0596e8b20e6e1bc1e14
SHA1: 19b93648e177e83b374ce563f1b3f2cd471c1a9b
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=56AD5C7D406416DD44A30169548DFD007D181EAB

[mauserme]

I think we'll eventually be deleteing that file, with or without Virus Total detections.

Please run the renamed HJT and post the new log.