Author Topic: win32:adware-gen [Adw] in temp folder  (Read 8972 times)

youngie

  • Guest
win32:adware-gen [Adw] in temp folder
« on: November 24, 2009, 10:28:34 PM »
Hey all, really hope someone can help. I got a warning from avast today that said it had found win32:adware-gen [Adw] in C:/WINDOWS/TEMP/ZWU1.tmp/upgrade.exe/$0/Zwunzi.dll, so I moved it to the chest. Then I got another warning saying the same, but it was ZWU6.tmp, so I moved that to the chest as well. I tried finding the TEMP folder in the WINDOWS folder and couldn't find it; the only temp folder was for avast (and yes, I did check all the hide protected op. sys. and hidden files and folders boxes). I also ran Windows Malicious Software Removal and it found nothing. Does anyone know anything about this and how I can get rid of it? Thank you in advance for any help.

I am using Windows XP SP3 and all VPS and prog. is up to date.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: win32:adware-gen [Adw] in temp folder
« Reply #1 on: November 24, 2009, 10:55:10 PM »
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

CharleyO

  • Guest
Re: win32:adware-gen [Adw] in temp folder
« Reply #2 on: November 25, 2009, 09:13:13 AM »
***

Your computer has been infected with Zwunzi Service which is a malware/adware. It may also include some rootkit techniques to resist removal.
Following David's suggestions above should take care of it.

See the links below for more information.

http://www.prevx.com/filenames/X153390318232566570-X1/ZWUNZI.DLL.html

http://www.threatexpert.com/report.aspx?md5=22925c0136c490d25afcb9a330c56cb1

The above links are supplied for information only.


***
« Last Edit: November 25, 2009, 09:41:11 AM by CharleyO »

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: win32:adware-gen [Adw] in temp folder
« Reply #3 on: November 25, 2009, 09:36:21 AM »
Hello CharleyO,

Read about spywareremovalblog.com here: http://www.mywot.com/en/scorecard/spywareremovalblog.com

And can you remove the link in the previous post?

nmb

CharleyO

  • Guest
Re: win32:adware-gen [Adw] in temp folder
« Reply #4 on: November 25, 2009, 09:40:09 AM »
***

OOPS ... thanks, nmb.    :-[


***

youngie

  • Guest
Re: win32:adware-gen [Adw] in temp folder
« Reply #5 on: November 25, 2009, 03:38:34 PM »
Hi, thanks for getting back. I am using the Windows firewall. I have run a full scan with MBAM; here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3228
Windows 5.1.2600 Service Pack 3

25/11/2009 14:14:27
mbam-log-2009-11-25 (14-14-27).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 175130
Time elapsed: 48 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zwunzi (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\**************************************************(Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Zwunzi\uninstall.exe (Adware.Agent) -> Quarantined and deleted successfully.
H:\wezs\Games\Konami\Konami\Silent\Bin\LanguageSelector.exe (Malware.Packer) -> Quarantined and deleted successfully.
H:\************************************************** (Trojan.Downloader) -> Quarantined and deleted successfully.
H:\***************************************************(Trojan.Agent) -> Quarantined and deleted successfully.

As soon as I restarted after they were removed I got a warning from avast. I didn't even realise I had zwunzi installed and have no clue where it came from. It had 2 processes in task manager, zwunzi.exe and zwunzi126.exe, so I stopped both of them and deleted the zwunzi folder from Program Files, but avast says it has a temp folder, so how can I find that and get rid of it? Thank you again for your help.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: win32:adware-gen [Adw] in temp folder
« Reply #6 on: November 25, 2009, 04:32:33 PM »
It would help if you gave the details of what avast alerted on.

Presumably it is the same as or similar to the first post you made?
win32:adware-gen [Adw] in C:/WINDOWS/TEMP/ZWU1.tmp/upgrade.exe/$0/Zwunzi.dll

If so, let avast delete it rather than send it to the chest, as we have pretty well confirmed it is malware. That would only delete the file avast detects and not the folder, as avast doesn't detect folders as such.

So using Windows Explorer, navigate to the Windows folder, then the Temp folder, and in here there would be a folder associated with it, e.g. from the above, ZWU1.tmp (this is a folder and not a file), and avast would be alerting on a file within that folder, like your first detection. Delete the folder associated with the detection.

Offline idleracer

  • Newbie
  • *
  • Posts: 18
Re: win32:adware-gen [Adw] in temp folder
« Reply #7 on: November 30, 2009, 08:39:36 AM »
I would just like to mention that a couple of weeks ago, I got hit with the zwunzi virus also. Avast kept alerting me about it every time I logged on, or did a scan. I used a very crude, but evidently effective technique to get rid of it. I did a search of every file, and word or phrase within the file (including hidden files) on my entire hard drive that contained the three letter combination ZWU, and deleted them all. Then I did the same thing in the registry. I have not been bothered by it since, and the only ZWU left on my computer is in the Avast virus chest.  ;)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: win32:adware-gen [Adw] in temp folder
« Reply #8 on: November 30, 2009, 05:29:17 PM »
Yes, down and dirty works up to a point, but there are files that don't have zwu as part of the file name; there are two such examples in this post.
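
Added example, not part of any post in this thread: the avast path quoted in Reply #6 mixes real folders with names that are not on disk, and Reply #8 notes that matching on "zwu" in a name misses files. This sketch splits such a path into the on-disk folder, the file avast opened and the inner members, then lists sibling temp folders holding the same file whatever they are called. The function names and the sample tree are constructed for illustration, and it assumes the components after upgrade.exe are members unpacked from that file; it only reads and lists, it deletes nothing.

```python
import tempfile
from collections import namedtuple
from pathlib import Path

# folder: deepest directory that exists; container: file on disk the scanner
# opened (None if already gone); inner: components that are not on disk.
Resolved = namedtuple("Resolved", "folder container inner")


def split_detection_path(detection):
    """Separate the on-disk part of a scanner path from archive members."""
    parts = Path(detection.replace("\\", "/")).parts
    folder = Path(parts[0])
    for i, part in enumerate(parts[1:], start=1):
        candidate = folder / part
        if candidate.is_dir():
            folder = candidate
        elif candidate.is_file():
            return Resolved(folder, candidate, list(parts[i + 1:]))
        else:
            return Resolved(folder, None, list(parts[i:]))
    return Resolved(folder, None, [])


def sibling_folders_with(temp_dir, file_name):
    """List sub-folders of temp_dir that hold file_name, whatever their name."""
    return sorted(d.name for d in Path(temp_dir).iterdir()
                  if d.is_dir() and (d / file_name).is_file())


def build_sample_tree(root):
    """Constructed stand-in for C:/WINDOWS/TEMP so the example runs offline."""
    temp = Path(root) / "WINDOWS" / "TEMP"
    for name in ("ZWU1.tmp", "ZWU6.tmp", "other.tmp"):
        (temp / name).mkdir(parents=True)
    for name in ("ZWU1.tmp", "ZWU6.tmp"):
        (temp / name / "upgrade.exe").write_bytes(b"constructed placeholder")
    return temp


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        temp = build_sample_tree(root)
        hit = split_detection_path(f"{temp}/ZWU1.tmp/upgrade.exe/$0/Zwunzi.dll")
        print("folder to review:", hit.folder)
        print("file on disk:", hit.container.name, "inner members:", hit.inner)
        print("same file also in:", sibling_folders_with(temp, hit.container.name))
```
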