"Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]

[wyrmrider]

ad-aware
"This scan was aborted by the user, all infections might not have been logged."
would be previous scans we were looking for
get that Kaspersky scan done then see if there are any previous AD-Aware Scans
you could also check their Vault
but I want to get to HDFIX

[polonus]

Hi sbMama,

Went back to your fist HJT logfile text and these were the system tasks results:

smss.exe   

System task
   

Session Manager Subsystem
winlogon.exe   

System task
   

Microsoft Windows Logon Process
services.exe   

System task
   

Windows Service Controller
lsass.exe   

System task
   

Local Security Authority Service
Ati2evxx.exe   

Driver
   

ATI Display Adapter Assistant
svchost.exe   

System task
   

Microsoft Service Host Process
svchost.exe   

System task
   

Microsoft Service Host Process
EvtEng.exe   

Backgroundtask
   

Intel EvtEng Module
S24EvMon.exe   

Backgroundtask
   

Event Monitor
ZcfgSvc.exe   

Backgroundtask
   

Intel NIC Configuration Tool
Ati2evxx.exe   

Driver
   

ATI Display Adapter Assistant
Explorer.EXE   

System task
   

Microsoft Windows Explorer
ccSvcHst.exe   

Firewall
   

Symantec Service Framework Executable
aawservice.exe   

Anti Add/Spyware software
   

Ad-Aware 2007 Service
spoolsv.exe   

System task
   

Microsoft Printer Spooler Service
sched.exe   

Virusscan
   

AntiVir Scheduler
avguard.exe   

Virusscan
   

Antivirus On-Access Service

AOLAcsd.exe
   

Unknown task
   

Unknown task
AppleMobileDeviceService.exe   

Backgroundtask
   

Apple Mobile Device Service
AluSchedulerSvc.exe   

Virusscan
   

Symantec LiveUpdate Scheduler
mDNSResponder.exe   

Backgroundtask
   

Bonjour for Windows Component
CTsvcCDA.exe   

Backgroundtask
   

Creative CD-ROM Services
ehRecvr.exe   

Backgroundtask
   

Media Center Receiver Service
ehSched.exe   

Backgroundtask
   

Microsoft Media Center Scheduler Service
RegSrvc.exe   

Backgroundtask
   

Intel Communications Service
sp_rsser.exe   

Anti Add/Spyware software
   

Realtime Shield Service
svchost.exe   

System task
   

Microsoft Service Host Process
dllhost.exe   

System task
   

Microsoft DCOM DLL Host Process
ehtray.exe   

Backgroundtask
   

Microsoft Media Center Tray Icon
cli.exe   

Application
   

ATI Catalyst
ehmsas.exe   

Backgroundtask
   

Microsoft Media Center State Aggregator Service
RTHDCPL.EXE   

System task
   

Realtek HD Audio Sound Effect Manager
AGRSMMSG.exe   

System task
   

IBM AMR modem driver
Apoint.exe   

Driver
   

Alps Pointing-device Driver

IndicatorUty.exe
   

Unknown task
   

Unknown task

FUJ02E3.exe
   

Unknown task
   

Unknown task

QuickTouch.exe
   

Unknown task
   

Unknown task
BtnHnd.exe   

Backgroundtask
   

Fujitsu LifeBook related
HidFind.exe   

Driver
   

Alps Pointing Device Driver
Apntex.exe   

Driver
   

Alps Pointing-device Driver
PDVDServ.exe   

Backgroundtask
   

PowerDVD Remote Control
ifrmewrk.exe   

Backgroundtask
   

Associated with the Intel PRO/Set Wireless software

fjdvrupd.exe
   

Unknown task
   

Unknown task
jusched.exe   

Backgroundtask
   

Sun Java Update Scheduler
avgnt.exe   

Virusscan
   

Antivirus System Tray Tool
iTunesHelper.exe   

Application
   

Apple Itunes
ccSvcHst.exe   

Firewall
   

Symantec Service Framework Executable
TeaTimer.exe   

Application
   

Spybot S&D Realtime Scanner
MemOptimizer.exe   

Backgroundtask
   

TuneUp Utilities
CTSyncU.exe   

Backgroundtask
   

Synchroniser
iPodService.exe   

Backgroundtask
   

Apple iTunes
acrotray.exe   

Application
   

Acrobat Assistant
wuauclt.exe   

System task
   

AutoUpdate for WindowsME
symlcsvc.exe   

Firewall
   

Norton Internet Security Suite
HijackThis.exe   

Application
   

Merijn Hijackthis

Attach a new HJT logfile txt to your next posting for evaluation,

polonus

[wyrmrider]

Backup Reminder: Always be sure to back up your PC before making any changes.
be sure to keep the paths to files/folders removed written down or copy to a file where you can find them
EXAMPLE
Step 1 : Use Windows File Search Tool to Find (for example)Smart Antivirus 2009 Path
use the names of your particular infections

I'd "show all files" or unhide all files and folders, show system files or whatever for your os

   1. Go to Start > Search > All Files or Folders.
   2. In the "All or part of the the file name" section, type in "Smart Antivirus 2009" file name(s).
   3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
   4. When Windows finishes your search, hover over the "In Folder" of "Smart Antivirus 2009", highlight the file and copy/paste the path into the address bar.
Save the file's path on your clipboard (and put in a file somewhere) because you'll need the file path to delete Smart Antivirus 2009. (if we have to do manually or to verify that it's all gone)


Thanks Pol- did you peek at the spybot logs?

on the to do later list
the list Polonus posted included

Event Monitor
ZcfgSvc.exe

so I googled ZcfgSvc.exe and found the following post

Intel Proset tools stole my CPU
I rebuilt my Dell laptop because it was running slow and afterwards it still was bogging down and dying. This time the culprit was the Intel ProSet tools I had installed under the Dell download R155386.exe. All I wanted was the driver and I would let Windows manage WiFi, but Intel had other ideas and installed everything when I ran the exe.

I went into Add/Remove Programs in the Control Panel -> Change/Remove Intel ProSet Wireless Software -> Modify -> and get rid of everything except Wireless LAN Adapter driver. Reboot and be done with it.

For reference, this got rid of some CPU hogs including:

    * dot1xcfg.exe
    * ifrmewrk.exe
    * zcffgsvc.exe
    * wlkeeper.exe
    * evteng.exe
    * s24evmon.exe
end copy


So the point of Polonus post is to google anything that you do not recognize and make a list
post it up

While you are doing research what are:
O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay
and
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/

You mentioned running MBAM again - well not right  now unless something removed by MBAM reappears before we check for rootkits and hidden re-installers

but
you could run their ROGUE REMOVER
a handy tool  the uninstallers are not being kept up to date but the detectors are
It uses an overlapping but separate set of detectors from MBAM

as you can tell we are still doing diagnosis with some removal
Many removers just kill the active process leaving all the debris- including hidden re-infectors and other crap

Cheers

Here are TECH's list of anti rootkit apps shamelessly copied from one of his posts

If you still detecting any strange behavior or even you're sure you're not clean,
maybe it will be good to test your machine with anti-rootkit applications.
 I suggest avast! antirootkit (Done)
(so run one of these for a second opinion)
Trend Micro RootkitBuster for XP/Vista.
For XP only: Panda.

Then we'll get out the big guns and nail this baddie
looking for the Kaspersky log

[sbMama]

Good Morning! I've barely slept over the past 3 days as I've been reading, scanning and posting... so I feel a little dense today.

just watch if the AV is scanning everything the AS/AM or AV scan is unpacking- if that's a problem

huh? can you break that down for me please?

Antivirus 2009 folder,-- this is now gone- right???

so far, it has not returned 

We'll go after ZLOB right after Kaspersky report

Please see attached Kaspersky report

What did ST do with the hit?  ignore, quarantine. delete?
please do not delete/remove if you can quarantine/ chest/ vault/ etc

I'm not sure exactly what happened, I'm waiting to here back from the person who ran that particular scan as I don't know how to find a vault/chest, etc.
 
Earlier, I ran ST while making breakfast. I attached the scan report. When I attempted to remove it's findings, (which I also attached as a screenshot), it said they recommend removing software through it's own uninstaller and then run the scan again. this is the item I believe they are referring to:
Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run rspNotify="C:\WINDOWS\TEMP\GensesisAluMsg.exe"/delay
I noticed a similiar entry in hjt:
O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay

?

Also, should I back up before running SDFIX?
------------------------------
polonus - thank you for taking the time to review my post and provide feedback!
Unfortunately, I don't know what I am to do with, or make out of, what you provided me 

I will post a new hjt in a couple of minutes
------------------------------

Many THANKS!

*************modified after reading wyrmider'spost completely.

Intel Proset tools stole my CPU

I was wondering what that is. So I should be okay to uninstall it? After my computer crashed a few months ago, it hasn't been its wonderful self, so if you can suggest what might be slowing it down, while helping me get fully rid of antivirus 2009, that will be much appreciated (although I don't know how I can appreciate everyone who has assisted me anymore than I already do!)

O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay
and
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/

I have no idea what the 04 entry is, when I tried researching it, the results were for foreign links.. if that. they looked scary, but I will run a search on my comp shortly to see what comes up. Entry 014 is the link to manufacture of my laptop, FUJITSU.

okay, I will write more soon.
 

[wyrmrider]

huh? can you break that down for me please?

just a comment on the behaviour seen when two AV's or two active anti spyware are active at the same time  unpredictable behaviour and hard to diagnose problems-- I think we're past that

"they recommend removing software through it's own uninstaller"
Either through Add remove programs or through Start>programs>name of program> uninstall
do you know what GensesisAluMsg.exe  is?
BEFORE you nuke it?  It does not google for me
also it is in TEMP so if you cannot find it we'll clean temp and get it that way- as long as it is not a baddie and runs somehow
there is a stickie on "virus in Temp" which you might want to look at

yes back up if you have files you wish to keep- you never know- no guarantees around here

Intel Proset tools stole my CPU  put this in your things to do later pile- this is not the time to be doing anything unnecessary as even rebooting can reinfect your system

[wyrmrider]

That kaspersky log is great news
we'll get that Genesis with HJT
go ahead and run one of the antirootkit things
run Rogue Remover
post up the new hjt
and then we'll run SDFIX (and/or Smitfraudfix if Polonus thinks necessary)

if you do find a ST log and it found anything we don't know about- post it up or give us a "heads up"

[sbMama]

just ran hjt

[wyrmrider]

I looked at the ST report
no evidence in that one that ST found anything- is there another report
interesting that ST did not show
GensesisAluMsg.exe

I'll peek at your hjt
you do the Rogue Remover and rootkit revealer or (whatever)

[wyrmrider]

HJT is looking good
You are going to need a good third party firewall-
Is Norton AV Active?


   O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay
next time you run hjt you can put a checkmark next to this one and then REMOVE CHECKED
close all browser windows including this one- best not having anything else running


Things to worry about when you are clean
Is this Crawler toolbar or the realtime shield?
   O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

comments anyone- I know many of us do not like Crawler- any reason for him to keep it?
nuke with HJT or remove and reinstall ST using "custom"
BUT NOT NOW- this might be the realtime shield which we do want

also on to do list
Wednasday update spybot, re-immunize and run a scan- we should be all done by then
After Tuesday (MS update day)
run Secunia software inspector and update -
do you have a HOSTS file?  HPHosts or MVPS Hosts?

also go over the list Polonus posted and see if there is anything else unfamiliar or funny
you know your computer better than I do

[wyrmrider]

2ed opinion on Spybot log from Polonus- he knows we are going to deal with Zlob next
here is some additional information for your edification

Hi wyrmrider,
You asked about did I check the Spybot S&D log, one item was not cleansed, and should be removed.

If we have not killed it with HJT, he could do that using Sdfix, read here:
http://www.bleepingcomputer.com/forums/topic131299.html

Zlob.Downloader.vcd: [SBI $E018B59A]  Library (File, nothing done)
  C:\WINDOWS\xrdwbfgn.dll
xrdwbfgn.dll
We suggest you to remove XRDWBFGN.DLL from your computer as soon as possible.
XRDWBFGN.DLL is Trojan/Backdoor.
Kill the file XRDWBFGN.DLL and remove XRDWBFGN.DLL from Windows startup

C:\WINDOWS\xrdwbfgn.dll
Description: Identified as a variant of the VideoAccessCodec adware.
File Location: %WinDir%
Startup Type: This startup entry is started automatically via the following Windows Registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad

Under that key will be a value containing the listed CLSID which can be found under HKEY_CLASSES_ROOT\CLSID\ and contains the filename that is to be loaded.
CLSID: <Random CLSID>

HijackThis Category: O21 Entry
Note: %Windir% refers to the Windows installation folder. By default, this is C:\Windows for Windows 95/98/ME/XP/Vista or C:\Winnt for Windows

NOTICE THAT THERE IS NO 021 in your HJT now

If we are as lucky with SDFIX as with KAspersky it should come up clean

Thanks Polonus

Polonus also writes
You can him go at it with IceSword, the best anti-rootkit tool I know,
www.antirootkit.com/software/IceSword.htm


IF YOU HAVE NOT  YEST DONE THE ANTI ROOTKIT SCAN USE THE ONE ABOVE
if you have already run another then post results and run SDFIX


then we'll think about the following (do you want to be clean or REALLY CLEAN...)
and let him do the following:
have him run Silent Runners from here:
http://www.silentrunners.org/Silent%20Runners.vbs
and attach a log file,

and let him have a go at it with StartDreck:
http://www.niksoft.at/php/dl.php?f=startdreck.zip
and post a logfile.txt,

and the two of us will have a glance at what silent runners have done at his comp,
and a full startup log from StartDreck (a brilliant German tool),
with which you can also fix things later, I will tell you how.
I think the man is getting a VIP anti-malware treat from us 
end Polonus comments

We'll he's stuck with NORTON for the time being, it's the least we can do

[polonus]

Hi wyrmrider and sbMama,

I still see that several things were not fixed with hijackthis, bring up hijackthis and tag the things mentioned, only these, and then click fix:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
   
Unnecessary (deactivated) entry that can be fixed.

O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay

Check if you know this one else Fix:
Unknown
   O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - xxtp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab

From the hijackthis site it seems that you do not run an av-scanner at the moment.

polonus

[sbMama]

 i spoke to my friend who ran ST
she said that it detected the trojan and suggested it be removed, so she removed it.

do you know what GensesisAluMsg.exe  is?

I have no idea what it is, and the fact that it shows up in the temp files puzzles me because when I first became infected I disconnected the wireless and went into the the Mozilla browser tools section to remove cookies, clear private data, cache, etc. I then recall running a disk clean up on the c drive. oh wait, I didn't do anything with what is stored in IE since I rarely use it.

All this information is overwhelming, but fantastic!

Can either of you give me a priority list to follow?
Prior to posting the last hjt, I ran Kaspersky.

thank you thank you for first class care 
I would have preferred to keep avast, but I was in panic mode when norton pooped up (lol). I have been experiencing buyer's remorse   :'(

[sbMama]

Hi wyrmrider and sbMama,

I still see that several things were not fixed with hijackthis, bring up hijackthis and tag the things mentioned, only these, and then click fix:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
   
Unnecessary (deactivated) entry that can be fixed.

O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay

Check if you know this one else Fix:
Unknown
   O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - xxtp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab

From the hijackthis site it seems that you do not run an av-scanner at the moment.

polonus

I will do the above shortly.

while I was running Kaspersky,I disabled my norton av-scanner. I made sure to enable/activate it once Kaspersky was complete, I just double checked my av scanner and it is activated.

O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - xxtp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab

that is from playing games on the shockwave website

[wyrmrider]

Priority list is
RootKit check
SD-Fix
new hjt with whatever fixes you have done already


there is no rush to do the things suggested by Polonus- we have discussed them previously

The AVG thing
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
Pol is thinking that it is disabled or partially removed
does it work?
do you use it?
if yes to both questions  keep
if no
see if it's in add remove programs or has an uninstall
if not in add/remove or uninstall then nuke it with HJT
and if you want it go to AVG and get a nice clean copy
(it is always better to try and uninstall something rather than blindly nuke with hjt)

nuke the O4 (we already know that it's an orphan)

keep the game player if you know the site is clean you might want to check it with site adviser

[polonus]

Hi sbMama,

Take it easy, it might seem a bit overwhelming, but we are gonna do this step by step at a time. But you will come out of this with a clean system and also with the knowledge how to best keep this clean.
A lot of people that came to this webforum regularly know a lot more about security, and after a while were able to help others fight malware. So take it all in, rethink it, check and double check, and everything that is put before you, do this meticulously and to the dot as it is prescribed. We are here to help you, and helping always worked two ways.

polonus (malware fighter)