Author Topic: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]  (Read 45405 times)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #15 on: September 07, 2008, 10:46:25 PM »
Lavasoft- Ad-Aware
Not worth it... bad detection rates.
The best things in life are free.

wyrmrider

  • Guest
« Reply #16 on: September 07, 2008, 10:54:46 PM »
Hi
I'll try and go through your posts in order from my last post
so read the whole thing as there may be updates along the way :)

Norton
I did not see that you removed and ran the norton uninstaller so for now Do NOT DO THAT
You have uninstalled avast and avira
run this
www.avast.com/eng/avast-uninstall-utility.html
then go here
http://www.pchell.com/virus/uninstallantivir.shtml
do this
What if Windows Security Center Shows AntiVir or other multiple Antivirus products installed
then
run the AntiVir Registry Cleaner
in this case do not check the Norton / symantec boxes but avast and antivir avg etc

Report Back  Is your current version the only Norton you have had on this machine
no oldie moldies - I'm guessing that Norton was pre-installed
Norton may be a bloated resource hog but for now it's Your bloated resource hog and we do not want to rock the boat
if for some reason Norton gets borked due to all of this clean up activity you can reinstall it or run the remover and install avast  you can keep the norton firewall  (have you updated since you reinstalled?)

Now since you are no longer an avast user see you later
just kidding  this is a user driven forum  welcome to avast

we'll look at the logs in a minute

Big thanks to Charlie O 
Let's not update IE yet but you are correct it does need to be up to date and protected as if it is installed at all it can be vulnerable

sounds like Kazaa is not installed just some files on D  go ahead and delete the file and folder
(unless it shows up in the MBAM or Spybot scans)

you do not have to pause norton but would not hurt to disconnect from internet and pause when running spybot/ MBAM and especially if running an on line AV scan like Kaspersky

I think the question about more than one AV program has been answered
for the time being do not worry about running more than one AV or AS/AM on demand scan- we are worried about "start on boot" type installed programs

I think that CharlieO, Tech, and DavidR have pretty well covered the details but if any other questions please ask
I'll be looking for the Kaspersky and MBAM logs
going to look at spybot logs will post back in a few
You are doing great


Just saw the last two posts- I had the thread up on another window
Ad-aware will not hurt anything - did you run a scan?
you may remove cookies with Spybot or ad-aware but do not include them in posts
removing will clean up the removal process so I have no problem with your doing it-
Now if ad-aware did find anything please let me know

If you ran a spyware terminator scan and it found anything please post- did you update?
ST is the only program you have with real time anti spyware features
one is all you get
SO

Spybot
did you install t-timer?
if you did
go to upper left Mode>advanced>tools>resident and uncheck t-timer
please check -as T-timer can interfere with removal activities- that's what it does- prevents changes

do you know what the files in the avast chest were?
if baddies would be nice to know but via con dios

Offline Lisandro

« Reply #17 on: September 07, 2008, 10:58:03 PM »
Ad-aware will not hurt anything - did you run a scan?
And what about the services running in background and drivers being load at boot time...
For what? For cookies detection?
I think it is not worth it nowadays...

wyrmrider

« Reply #18 on: September 07, 2008, 11:04:47 PM »
Definitely not worth it but not on the critical path
I do not want him to uninstall if he has current items besides cookies in quarantine
he could turn off all load at boot things like auto update and the tray table thingie and use it for on demand but no real benefit
I've only rarely had it find anything in the last year
did you answer his question about items in avast chest?  are they retrievable?

Offline Lisandro

« Reply #19 on: September 07, 2008, 11:16:30 PM »
did you answer his question about items in avast chest?  are they retrievable?
Now I've got it...
« Last Edit: September 07, 2008, 11:18:30 PM by Tech »

sbMama

  • Guest
« Reply #20 on: September 07, 2008, 11:17:11 PM »
attached is the MBAM log.

when I ran hjt,

I selected the 03 entry to be fixed. The 016 entry is from a game I played/downloaded through the shockwave site.

The following were not in hjt:

O21 - SSODL: dgksvbpn - {9CA4CFD3-57C8-4004-A9E2-4229741CE07E} - C:\WINDOWS\dgksvbpn.dll (file missing)
O21 - SSODL: xrdwbfgn - {9013164C-40F1-48E3-8E7E-683FF9475879} - C:\WINDOWS\xrdwbfgn.dll (file missing)

I am now about to run Kaspersky on line scan.

Offline Lisandro

« Reply #21 on: September 07, 2008, 11:18:11 PM »
OK, so once I am informed as to the best way to uninstall avast, I will. Will it ask me what I want to do with the items in the chest?
No, all chested files will be gone. Unfortunately there is no such choice.
Do you want to keep them?
Copy the folder \avast4\Data\Int to another location, uninstall, install avast again and you'll have the chested items back.

sbMama

« Reply #22 on: September 07, 2008, 11:19:25 PM »
4 new post!

reading them now...

wyrmrider

« Reply #23 on: September 07, 2008, 11:36:38 PM »
Your Avast chest shows several Restore point files which will go away in any case
the Kazaa is there so if you do not find it on D:\programfiles\kaza that's where it went
do please look and nuke the whole folder

vanwxemkgrp.dll  I would think nasty but most of the google hits are Polish
Polonus- you lurking today?
If we could retrieve it I would upload to virustotal and avast for inspection
If we cannot easily retrieve - no great loss

These were in your first HJT any idea what removed them
ad aware
spywareterminator
scans?
O21 - SSODL: dgksvbpn - {9CA4CFD3-57C8-4004-A9E2-4229741CE07E} - C:\WINDOWS\dgksvbpn.dll (file missing)
O21 - SSODL: xrdwbfgn - {9013164C-40F1-48E3-8E7E-683FF9475879} - C:\WINDOWS\xrdwbfgn.dll (file missing)
well they are gone and that's GOOD
if you do determine what got them look to see if they had any "friends" associated

looks like MBAM did its job
check this location
Folders Infected:
C:\Program Files\Smart Antivirus 2009
is this folder empty?  let us know if anything left
delete the Smart Antivirus folder if it is still there (it should not be) let us know if it is

continue the plan
Kaspersky
SDFix
new HJT

now I'll check spybot logs
« Last Edit: September 07, 2008, 11:43:02 PM by wyrmrider »
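
Added example, not part of the original thread: a small Python script that compares the O21 (SSODL) entries of two HijackThis logs and lists the ones that disappeared, which is the comparison being made by eye above. It cannot tell which scanner removed an entry, only that it went away between the two logs. The two SSODL lines are the ones quoted in the posts; the `ExampleShellObj` entry, its CLSID and the "later" log are constructed sample data.

```python
import re

# HijackThis O21 (ShellServiceObjectDelayLoad) line layout, as seen in the thread:
#   O21 - SSODL: <value name> - {CLSID} - <dll path> [(file missing)]
O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# First log: the two SSODL lines quoted in the thread plus one constructed entry.
FIRST_LOG = r"""
O21 - SSODL: ExampleShellObj - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\example.dll
O21 - SSODL: dgksvbpn - {9CA4CFD3-57C8-4004-A9E2-4229741CE07E} - C:\WINDOWS\dgksvbpn.dll (file missing)
O21 - SSODL: xrdwbfgn - {9013164C-40F1-48E3-8E7E-683FF9475879} - C:\WINDOWS\xrdwbfgn.dll (file missing)
"""

# Later log (constructed): only the example entry remains.
LATER_LOG = r"""
O21 - SSODL: ExampleShellObj - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\example.dll
"""


def parse_o21(log_text):
    """Return {CLSID: entry} for every O21 line found in a HijackThis log."""
    entries = {}
    for line in log_text.splitlines():
        m = O21_RE.match(line.strip())
        if m:
            entries[m["clsid"].upper()] = {
                "name": m["name"],
                "path": m["path"],
                # "(file missing)": the registry value exists but the DLL does not.
                "file_missing": m["missing"] is not None,
            }
    return entries


def removed_between(first_log, later_log):
    """Entries present in the first log but absent from the later one, by CLSID."""
    before, after = parse_o21(first_log), parse_o21(later_log)
    return [before[c] for c in sorted(before) if c not in after]


if __name__ == "__main__":
    for e in removed_between(FIRST_LOG, LATER_LOG):
        note = "DLL already gone, registry value orphaned" if e["file_missing"] else "DLL present"
        print(f'{e["name"]:<12} {e["path"]}  ({note})')
```

Saving a HijackThis log before and after each scanner run, then comparing consecutive pairs this way, narrows down which run an entry vanished in.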

wyrmrider

« Reply #24 on: September 07, 2008, 11:55:38 PM »
Well the first Spybot one confirms both Smitfraud and Zlob or the latest Zlob enhanced Smitfraud
whatever
I'm going to ask around but we will most likely run smitfraudfix after SDFix
These things are changing so fast  SDFIX is being updated daily I think
Spybot did an excellent Job
I think this thread shows the advantage of running multiple scanners
someone with a sandbox could run MBAM first and then Spybot for a comparison- would be very interesting for that moment in time only as shortly thereafter the results could easily be reversed

The antivirus 2009 may have reinstalled itself on a reboot between spybot and MBAM
we will need to run a root scan
could someone post up the list of rootkit scanners?

the third spybot shows
wscsvc.exe
    Wscsvc.exe is PWS-Banker.k.gen.
    Read more:
http://vil.nai.com/vil/content/v_132052.htm
    Kill the process wscsvc.exe and remove wscsvc.exe from Windows startup

let's see if this shows up again
did MBAM get it?
I have to go to dinner so please check it out

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89249
  • No support PMs thanks
« Reply #25 on: September 08, 2008, 12:19:11 AM »
Thank you David and Tech.

Tech, I currently have:
Lavasoft- Ad-Aware - Spybot- S&D - Spyware Terminator - SpywareBlaster

I regularly use Spybot (a few times a week) and Ad-Aware (once a week or so). The others maybe 2x a month.
You're welcome.

Personally I would get rid of adaware (it is no longer a top ranked anti-spyware) and move MalwareBytes AntiMalware into its weekly scan slot.

SpywareBlaster is a passive immunisation tool and you can't actually run it, just update it regularly and apply the new protection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

« Reply #26 on: September 08, 2008, 12:40:57 AM »
Personally I would get rid of adaware (it is no longer a top ranked anti-spyware) and move MalwareBytes AntiMalware into its weekly scan slot.
I second that ;)

sbMama

« Reply #27 on: September 08, 2008, 02:16:34 AM »
Wyrmrider! thank you for your replies. All this techy stuff is mind boggling, lol. I need a cup of coffee, a red bull and multi vitamin.
Norton
I did not see that you removed and ran the norton uninstaller so for now Do NOT DO THAT
You have uninstalled avast and avira
run this www.avast.com/eng/avast-uninstall-utility.html
then go here http://www.pchell.com/virus/uninstallantivir.shtml
so I should run the above in case there are traces of avast and avira?
Report Back  Is your current version the only Norton you have had on this machine
 
so I just spoke w/the previous owner and when they first had this laptop in 2005, it was in fact, pre installed w/norton. a few months ago the hard drive crashed and they reinstalled the original software the laptop came with, norton 2005 being one of them. that expired about 5 days ago and I was considering other anti virus (AVAST being on the top of my list because I have used it in the past and have had great success with it), when I accidentally downloaded the virus and when norton flagged it, I figure it best to immediately upgrade and did so by selecting the download option for Norton anti virus 2008.
Now since you are no longer an avast user see you later
just kidding  this is a user driven forum  welcome to avast
you can't leave me! you're my techy angel!
:)
sounds like Kazaa is not installed just some files on D  go ahead and delete the file and folder
done!
you do not have to pause norton but would not hurt to disconnect from internet and pause when running spybot/ MBAM and especially if running an on line AV scan like Kaspersky
pause norton and disconnect when running Kaspersky?
Ad-aware will not hurt anything - did you run a scan?
a few of them, between yesterday and the day before, it removed about 200 infections. I tried finding the log by going here: C:\Documents and Settings\All Users
but there isn't an application folder. so this is all I was able to get w/o running another scan for detailed results:
20080906 16-06-11 : Started cleaning the system of infections
20080906 16-06-12 : Clean operation finished

(I began running it as I’ve been  replying and its found 9 objects so far)

If you ran a spyware terminator scan and it found anything please post- did you update?
So apparently, while I was napping, my roommate went into the Antivirus 2009 folder, right clicked on the Smart Virus.exe program and selected scan with avast. Avast immediately identified it as a Trojan and recommended sending it to the chest, which they followed. She attempted to individually scan the other items in the folder zlib.dll and vscan.tsi, and said that the scanner appeared and disappeared, so she assumed it didn’t detect anything. She said there were only 6 items in the vault. I only know of what I last saw in the screen shot attached a prior post. I uninstalled avast before finding this out.
ST is the only program you have with real time anti spyware features
My roommate used spyware term to scan the smartvirus2009 desktop shortcut and here is that log:

Logfile of Spyware Terminator v2.2.1.433 (db:2.008.007.001)
Scan Time: 9/7/2008 11:01:51 AM  length: 0 s
Platform: WXP (5.1.0.2600)
User: Admin
Boot Mode: Normal
Scan type: Fast_Spyware_Scan
Scanned Objects: 2 (Critical:1)
Filter: No System items, No Safe items, No Invalid items
Threat Files
<Trojan.Downloader.Zlob.Gen> : C:\Documents and Settings\Administrator\Desktop\Privacy Protector.url
Advanced Files Report
End of Report

Spybot  did you install t-timer?
I have no idea, but lately when I attempt to turn the comp off, or restart, a teatimer error message appears.
 
if you did go to upper left Mode>advanced>tools>resident and uncheck t-timer
please check -as T-timer can interfere with removal activities- that's what it does- prevents changes
done!
do you know what the files in the avast chest were?
last I saw were the 6 listed in an earlier screenshot attachment and my roommate said that the smartvirus.exe file was moved there. I did email avast with the info.
via con dios
Tehe
Your Avast chest shows several Restore point files which will go away in any case
the Kazaa is there so if you do not find it on D:\programfiles\kaza that's where it went
it was on the d drive and is now gone
vanwxemkgrp.dll  I would think nasty but most of the google hits are Polish
Polonus- you lurking today? If we could retrieve it I would upload to virustotal and avast for inspection
If we cannot easily retrieve - no great loss
how can I go about helping you obtain that?
These were in your first HJT any idea what removed them
ad aware spyware terminator scans?
I have no idea. Any suggestions as to how to find out?
C:\Program Files\Smart Antivirus 2009
No, it’s gone =)
I think this thread shows the advantage of running multiple scanners
I read that some programs can pick up what others miss, that is why I’ve always had more than one anti virus and anti spam programs running. But will keep the anti-virus software down to one, the last thing I want is any more problems!

The antivirus 2009 may have reinstalled itself on a reboot between spybot and MBAM
we will need to run a root scan
could someone post up the list of rootkit scanners?
I did a search on mycomp for root kit and realized that I still have Ashampoo AntiSpyWare, from some time ago, it has:
RootKitDetector.exe
the ashampoo software is inactive, should I just delete it?

I read that ad-aware and avira have rootkits
http://www.cnet.com/topic-software/rootkit.html
the third spybot shows
wscsvc.exe
    Wscsvc.exe is PWS-Banker.k.gen.
    Read more:
http://vil.nai.com/vil/content/v_132052.htm
    Kill the process wscsvc.exe and remove wscsvc.exe from Windows startup
Hmmm, I’ve never seen e-gold pop ups
let's see if this shows up again
did MBAM get it?
 

Should I run MBAM again at some point?

continue the plan
Kaspersky
SDFix
new HJT

I previously mentioned that I was running ad-aware while responding. I selected a ‘smart scan’ and it found 9 objects. Please see attached.

Thank you everyone for being so helpful!

*** the file is an .xml file so I couldn’t attach it, when I selected the link to make a screen shot, I received this:
The XML page cannot be displayed
Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later.

The system cannot locate the resource specified. Error processing resource 'file:///C:/Documents and Settings/Administrator...
« Last Edit: September 08, 2008, 02:24:49 AM by sbMama »

sbMama

« Reply #28 on: September 08, 2008, 02:27:41 AM »
I was able to open the .xml log in textbook, I meant notepad.

please see attached

thank you!

wyrmrider

« Reply #29 on: September 08, 2008, 02:39:47 AM »
I'll take a peek at your log in next post
Ad-aware could be finding cookies or it might just find a baddie

I agree with Tech and DavidR  Spybot and MBAM are better scanners than ad-aware
but if it finds the problem YOU have then it's the BEST on that Day
There are a couple of other excellent scanners
Then there is Spyware Terminator- you have ST for its real time protection- the Scanner is somewhere in the Ad-Aware class

We will run MBAM again at some point but not now- -Also Spybot AFTER next Wednesday's update

run this www.avast.com/eng/avast-uninstall-utility.html
then go here http://www.pchell.com/virus/uninstallantivir.shtml
YES

Norton should Be OK with 2005 and later versions only

pause norton and disconnect when running Kaspersky?
if you can perhaps you have to be connected to run Kaspersky
just watch if the AV is scanning everything the AS/AM or AV scan is unpacking- if that's a problem



Antivirus 2009 folder,-- this is now gone- right???
let us know if it comes back- check every so often for awhile

We'll go after ZLOB right after Kaspersky report  let's see if anything else hiding
we know about Zlob and Smitfraud

What did ST do with the hit?  ignore, quarantine. delete?
please do not delete/remove if you can quarantine/ chest/ vault/ etc