
Adware.Zwangi MBAM pop up



Hi everyone,

I have a friend's (upstairs neighbor's) laptop that had a lot of infections on it, and I can't quite seem to get rid of all of it. The O/S is Vista x64 SP1 and had not been updated to SP2; I did the update after the initial scans, not realizing right away that there was still something going on here. I have a restore point for right before I started the cleaning (SP1), so if reverting back and starting from scratch is best, let me know.

I had done a SUPERAntiSpyware complete scan, and then a Malwarebytes quick scan. Everything seemed fine, but then I got an MBAM pop-up:

[screenshot of the MBAM pop-up: 945644840_PnvNC-L.png]

LimeWire and FrostWire are on it, and I disable (exit) them every time Windows starts up, as well as the IM programs, so that none of them are running. They can be uninstalled (I literally just called him), and I think I'm just going to go ahead and do that now. I'm going to use Add/Remove Programs to uninstall them. If there is a better way, please let me know.

Here are the logs requested:

First scan was SAS:

************************************************

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 07/23/2010 at 05:55 PM

Application Version : 4.41.1000

Core Rules Database Version : 5258

Trace Rules Database Version: 3070

Scan type : Complete Scan

Total Scan Time : 01:51:58

Memory items scanned : 686

Memory threats detected : 0

Registry items scanned : 12644

Registry threats detected : 96

File items scanned : 51952

File threats detected : 0

Adware.MyWebSearch

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}

(x86) HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

(x86) HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

(x86) HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

Adware.HotBar/ShopperReports (Low Risk)

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{100EB1FD-D03E-47FD-81F3-EE91287F9465}

(x86) HKCR\CLSID\{100EB1FD-D03E-47FD-81F3-EE91287F9465}

Adware.Gamevance

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}

(x86) HKCR\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}

Adware.Zango/ShoppingReport

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B2}

(x86) HKCR\CLSID\{C5428486-50A0-4A02-9D20-520B59A9F9B2}

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5428486-50A0-4A02-9D20-520B59A9F9B3}

(x86) HKCR\CLSID\{C5428486-50A0-4A02-9D20-520B59A9F9B3}

Trojan.Agent/Gen

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\Software\NeoChronos

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\Software\Margotte

Adware.MyWebSearch/FunWebProducts

(x86) HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}

(x86) HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}\TreatAs

(x86) HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}

(x86) HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0

(x86) HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0

(x86) HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32

(x86) HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS

(x86) HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR

(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}

(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid

(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32

(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib

(x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version

(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}

(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid

(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32

(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib

(x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib#Version

(x86) HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}

(x86) HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid

(x86) HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32

(x86) HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib

(x86) HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version

Adware.180solutions/Seekmo

(x86) HKCR\HostIE.Bho

(x86) HKCR\HostIE.Bho\CLSID

(x86) HKCR\HostIE.Bho\CurVer

(x86) HKCR\HostIE.Bho.1

(x86) HKCR\HostIE.Bho.1\CLSID

Adware.Zango Toolbar/Hb

(x86) HKCR\HBMain.CommBand

(x86) HKCR\HBMain.CommBand\CLSID

(x86) HKCR\HBMain.CommBand\CurVer

(x86) HKCR\HBMain.CommBand.1

(x86) HKCR\HBMain.CommBand.1\CLSID

(x86) HKCR\hbr.HbMain

(x86) HKCR\hbr.HbMain\CLSID

(x86) HKCR\hbr.HbMain\CurVer

(x86) HKCR\hbr.HbMain.1

(x86) HKCR\hbr.HbMain.1\CLSID

Rogue.Agent/Gen

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#aazalirt

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#skaaanret

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#jungertab

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#zibaglertz

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#iddqdops

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#ronitfst

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#tobmygers

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#jikglond

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#tobykke

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#klopnidret

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#jiklagka

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#salrtybek

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#seeukluba

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#jrjakdsd

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#krkdkdkee

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#dkewiizkjdks

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#dkekkrkska

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#rkaskssd

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#kuruhccdsdd

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#krujmmwlrra

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#kkwknrbsggeg

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#ktknamwerr

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#iqmcnoeqz

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#ienotas

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#krkmahejdk

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#otpeppggq

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#krtawefg

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#oranerkka

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#kitiiwhaas

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#otowjdseww

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#otnnbektre

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#oropbbsee

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#irprokwks

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#ooorjaas

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#id

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSCAN#ready

Rogue.AntivirusSoft

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\Software\avsoft

Malware.Trace

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\XML

(x86) HKU\S-1-5-21-777100729-958230494-874415939-1000\SOFTWARE\AVSUITE

(x86) HKLM\SOFTWARE\AVSUITE

(x86) HKLM\SOFTWARE\AVSOFT

************************************************

Second scan was MBAM:

************************************************

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4342

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

7/23/2010 6:21:48 PM

mbam-log-2010-07-23 (18-21-48).txt

Scan type: Quick scan

Objects scanned: 150372

Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 18

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seekdns Service (Adware.Zwangi) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Eric\Localdir\winlogo.exe (Worm.Archive) -> Quarantined and deleted successfully.

************************************************

GMER won't run on x64, or at least it only runs a couple of the scans, so I didn't bother with it.

Here is the DDS:

************************************************

DDS (Ver_10-03-17.01) - NTFSX64

Run by Eric at 11:37:28.56 on Sat 07/24/2010

Internet Explorer: 7.0.6002.18005

Microsoft

Attach.zip

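The MBAM log above is plain text with a fixed line shape, which makes it straightforward to parse for triage instead of reading it by eye. The following is an added example (not Malwarebytes code, and not from the original post) that parses that format: it groups detections by family, separates out the "Bad: (...) Good: (...)" form used for the regfile open-command data item, and flags registry hits under the Services key, since a service registration like the "Seekdns Service" entry is a persistence mechanism that survives reboots and is worth confirming is gone after cleanup. The section-header and detection-line regexes are inferred from the single log posted here and are an assumption about the format in general; the sample input is an excerpt of that log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured detections.

Added example, not Malwarebytes code. The line shapes are inferred from the
log posted in this thread (an assumption about the format in general):
a summary block with counts, then sections named "<Something> Infected:"
listing "<item> (<family>) -> <action>" lines.
"""
import re
from collections import Counter

# Excerpt of the MBAM log posted above (item lines kept verbatim).
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seekdns Service (Adware.Zwangi) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
Files Infected:
C:\Users\Eric\Localdir\winlogo.exe (Worm.Archive) -> Quarantined and deleted successfully.
"""

# A section header is a bare "... Infected:" line; the summary block uses
# "... Infected: <count>" and therefore does not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# Item path, detection family in parentheses, then the action chain.
# The family character class excludes spaces/quotes so the greedy item
# match cannot stop at the "(regedit.exe "%1")" groups of a data item.
DETECTION_RE = re.compile(
    r"^(?P<item>.+) \((?P<family>[A-Za-z0-9_.]+)\) -> (?P<rest>.+)$")
# Registry data items carry the bad and replacement values before the action.
BAD_GOOD_RE = re.compile(
    r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")

SERVICES_PREFIX = "\\SYSTEM\\CurrentControlSet\\Services\\"


def parse_mbam_log(text):
    """Return a list of dicts, one per detection line, tagged with its section."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None:
            continue  # still inside the header / summary block
        m = DETECTION_RE.match(line)
        if not m:
            continue  # unrecognised line; leave it for manual review
        rest = m.group("rest")
        bad = good = None
        bg = BAD_GOOD_RE.match(rest)
        if bg:
            bad, good, action = bg.group("bad"), bg.group("good"), bg.group("action")
        else:
            action = rest
        detections.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "action": action,
            "bad": bad,
            "good": good,
        })
    return detections


def summarize_families(detections):
    """Count detections per family name, e.g. Adware.Zwangi."""
    return Counter(d["family"] for d in detections)


def service_persistence(detections):
    """Registry items under the Services key: the malware had registered
    itself as a Windows service, which persists across reboots and logoffs."""
    return [d["item"] for d in detections
            if d["section"].startswith("Registry")
            and SERVICES_PREFIX.lower() in d["item"].lower()]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for family, n in sorted(summarize_families(found).items()):
        print(f"{n:3d}  {family}")
    for item in service_persistence(found):
        print("service persistence:", item)
```

Run on the full log from the post, the service list is the entry to re-check after a reboot: if a service with that name still exists, the cleanup did not take, and that is consistent with the pop-ups continuing until the remaining 'seekdns' registry entries were removed by hand.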

Hi,

I posted almost a week ago, can anyone offer some help about this one? I feel pretty sure there must be a file left behind from the removals somewhere, and would like to get rid of it, or at least rid the machine of the pop-ups if it might be a false positive (but I don't really think that's it).

Thanks for any help that can be offered, it is appreciated.


5 weeks later...

Well... yes and no. I no longer have the laptop to work on as it is a neighbor's, and it has been 5 weeks, so I'm sure things have changed with the machine anyway.

But I would still like to know what was happening with it, why the pop-up was being thrown, and why the files were unable to be removed by MBAM. Was this just a case of MBAM needing a definition update to remove it all?

I ultimately just went through the registry and removed anything associated with 'seekdns' and the pop-ups stopped. The laptop seems to be working just fine, it has MBAM in auto-protect and does daily updates and scans.

What can you tell me about this type of pop-up and what to do if it were to occur again in the future?

Thank you.

Marc


Staff

Hi Marc,

The popups were due to at least one infection, the SeekDNS infection that you identified, and perhaps others. I can't say for sure because we haven't run the diagnostic tools I would need.

MBAM's protection module identified the infection and blocked its activity, but I guess our definitions needed updating for the Registry entries and associated files.

In the future, ensure that all Windows updates are installed, that multiple layers of protection are installed (firewall and antivirus included), and that safe browsing is practiced. In that case, the chances of infection are minimized, especially with MBAM's protection module loaded.


5 weeks later...

Staff

Glad we could help. :(

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
