WinAntispyware Removal

Re: Safe to run Nod32 without firewall or anything else?

I'm not sure if I'm in the right part of the forum but....I'm being attacked by spyware and Adware & I thought NOD32 prevented this! I tried a trial version of WinAntispyware & it was spyware in itself & keeps disrupting my work telling me to get it & get rid of my infections now! Disgusting & I can't get rid of it. Also have a bug called ACX install & Instant Access, which I can't get rid of.

I read that "Spyware detector" was the best out there & I downloaded a free trial, but it won't get rid of the spyware till I buy it & I'm soooo afraid of getting a program in that isn't worth a darn!

Can anyone tell me what is the safest antispyware out there, that won't add crap to your computer & is easy to use?

Thanks,
Cacherlady

 

Please download VundoFix.exe to your desktop.

1 Reboot your PC into "Safe Mode".
2. Double click on VundoFix.exe
3. Place a tick next to "Run VundoFix" as a task.
4. You will receive a message saying VundoFix will close and re-open in a minute or less.
5. Click "OK".
6. When VundoFix re-opens, click the "Scan for Vundo" button.
7. Once it's done scanning, click the "Remove Vundo" button.
8. You will receive a prompt asking if you want to remove the files, click "Yes".
9. Once you click yes, your desktop will go blank as it starts removing Vundo.
10. When completed, it will prompt that it will shutdown your computer, click "Ok".
11. Turn on your computer.

Let us know how you go...

Cheers

 

Thank you! I'll give that a try.

Cacherlady

 

My pleasure.

You might have to run that file a couple of times in order to clean this pest off.

Cheers

 

Well, I ran the vundo as a scan & it said I didn't have any infected files - yet everytime I run Spyware Detector it says I have it & I put it in quarantine.

There's also another real pest that I can't get rid of called "Instantaccess" - any suggestions on how to get rid of that one?

Thanks,
Cacherlady

 

Spyware Detector? This one? This program has been listed on Spyware Warrior's Rogue Suspect Anti-Spyware Products & Web Sites:

"Spyware Detector was listed on this page because of concerns with false positives."

So it could be just false positives? Is there a way you can post the log of the files/registry entries it flags? Have you tried submitting the files it detects at VirusTotal? I'm guessing it might be false positives.

 

Yep, that's the one I have! Cripes, I thought I was making a smart decision. I'll see if I can copy the log....

Cacherlady

 

Okay, I think I got the thing copied: It is confusing to try to copy this!

Information :
Date: 7/27/2006 08-48-01
OS Version: Windows XP Home Edition
Computer Name:-0D545CE

Log:
Infection Name Problem Location Action
Instantaccess Registry Value hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\microsoft\systemcertificates\trustedpublisher\certificates\62119ef862c6b3a0d853419b87eb3e2f6c78640a\"blob" Scan
Instantaccess Registry Key hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\microsoft\systemcertificates\trustedpublisher\certificates\62119ef862c6b3a0d853419b87eb3e2f6c78640a Scan
ACX Install Registry Data hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\livesvc\navtime\:139 Scan
ACX Install Registry Value hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\livesvc\"navtime" Scan
ACX Install Registry Key hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\livesvc Scan
Winantispyware 2006 File c:\documents and settings\owner\local settings\temp\winantispyware2006setup.exe Scan
Tracking Cookie MozillaCookie @advertising.com Scan
Tracking Cookie MozillaCookie @atdmt.com Scan
Tracking Cookie MozillaCookie @doubleclick Scan
Tracking Cookie MozillaCookie @doubleclick.net Scan
Tracking Cookie Cookie c:\documents and settings\owner\cookies\owner@ig[1].txt Scan
Tracking Cookie Cookie c:\documents and settings\owner\cookies\owner@ig[3].txt Scan

 

NOD32 should not allow you to run winantispyware2006setup.exe, or at least it would block required files during installation of the rogue antispyware.

 

Well, Nod did allow it - that's what I don't understand. I thought NOD blocked a lot of spyware so I never worried about getting any anti-spyware installed.

 

From what I can see in the log you posted the detections on the tracking cookies and the Winantispyware installer file seem legit (probably not false positives). Don't know about the registry entries it finds? For your information, NOD32 does not clean up tracking cookies or registry entries after installed spyware or adware. NOD32 will only clean/delete the spyware/adware files.

Anyway, if you want a good working antispyware/adware that you can use together with NOD32 and doesn't cost anything, try Spyware Terminator. And from what I can see in its database, it should be able to clean your PC of this InstantAccess crap.

 

On a sidenote, trying Spyware Detector here and it is giving me false positives (labelling legit files as trojans). I don't like this software much.

Spyware Terminator seems like a better antispyware/adware solution.

 

Thanks, Kjempen!

I've downloaded the Terminator anti-spyware & removed my Spyware Defender, but I'm not sure about the Clam/AV included in the application...doesn't that interfere with NOD? I didn't know, so I didn't install the clam part.

Thanks,
cacherlady

 

The ClamAV part isn't really necessary since you already got NOD32 installed.

 

Greetings All,

I'm sorry to hear that you're experiencing issues with WinAntiSpyware and hope that the Community can help resolve this issue as quickly and as effectively as possible. In the meantime could you verify if the stub installation package has created a System Restore Point? To view System Restore points, please launch System Restore and select "Restore My Computer To An Earlier Time" and click Next. This will allow you to view any System Restore points created, with events highlighted in bold. Please close System Restore and inform us of this.
In regards to you Anti-Spyware program query, I would personally suggest Webroot Spy Sweeper 5.0.5. for many reasons. Webroot Spy Sweeper is the most effective independant Anti-Spyware application available on the market today in its dedicated section. It prevents Spyware and Adware installation proactively, updates are daily and the detection percentage is the highest in its class, although a subscription is paid-for, I certainly wouldn't consider any other dedicated package, but that's simply my opinion. Others will have their own favourites but either way, I hadn't used Spyware Terminator, I'll look into it myself.


On the topic of WinAntiSpyware and suchlike I've noticed a rather disturbing find on the Security Pack Cover Disc of Windows XP Magazine's 51st Issue. The programs in question are WinAntiVirus 2005 Pro and WinFirewall 2005. The reason is because I was browsing the URL within a Members Signature via the Microsoft Windows XP: The Official Magazine Forum just now and it leads to Malware Complaints , a website documenting malware and highlighting the issue to Local MPs and suchlike - Although I'd find it questionable as to whether said MP's take action. While browsing the forum I noticed the following thread: WinAntiVirus 2005 which lists WinAntiVirus 2005 as malware:

Click Me

If you yourself recognise this program and it is installed on your system please use an Ant-Spyware program to remove the infection after you have uninstalled the program via Add/Remove Programs. Common Anti-Spyware programs include Lavasoft Ad-Aware SE Personal and Spybot Search & Destroy and are freely available although they both only remove malware after it has been installed and ideally one would like to stem the installation in the first place therefore I recommend Weboot Spy Sweeper 5.0 which has had numerous awards within the industry, has the most effective and comprehensive detection ratings to date and all in all is more than worth the asking price.

Saying that it looked suspicious when included on the Cover Disk but I didn't install it - This was 10 months ago. Eset NOD32 Anti-Virus certainly didn't detect it as Malware and a subsequent scan of the disc with Webroot Spy Sweeper 5.0 didn't detect the Malware either which is surprising given that Webroot Spy Sweeper is the leading independant Anti-Spyware product and both Eset NOD32 Anti-Virus System and Webroot Spy Sweeper 5.0 boast Advanced Heuristics and can scan within Installation Packages - So why the misdetection? Either way, this is Malware and should be removed from subsequent Cover Discs.

Could an Eset representative verify why the misdetection may have taken place? I'm certain Eset NOD32 Anti-Virus System scans within archives, but does it scan the code within executables? If so, could there be a reason as to why this wasn't detected?

Regards,

Scott Sutton

 

Hi cacherlady, could you please dowload and run Hijackthis and post a log here.

Cheers

 

Re: Safe to run Nod32 without firewall or anything else?

@Cacherlady

I've recently been testing out SuperAntispyware after hearing stuff about them a lot recently. They have a free for home use version, so no skin off your back to give that a try as well. I've had some success with it, but not sure how well it works long term (new player on the block).

-Cov

 

I did run HiJack this & from what I could tell, it didn't show that I had that darn WinAntispyware on there....but it is there! It keeps popping up or under, warning me I'm infected & need to buy their program. I removed it from the add/remove programs manually & found a file, which I removed also, but still the pop ups. The funny thing is, I don't get the pop ups when I use Firefox browser, but with I.E. I'm even getting pop ups on a very trusted site that I visit every day & I know that site isn't generating them. As I mentioned before, some of them appear slightly porn & others refer to gambling - neither of which I'm at all interested in!

All I can figure is a bunch of crap has infected my I.E. browser & I'm just not going to be able to use it, since I can't eliminate the problem.

How come the pop up blockers aren't stopping this?

Thanks for all your advice & help. This forum is the best site I've ever discovered!

Cacherlady

 

Please post your log here.

Cheers

 

Okay, here's my HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 8:06:51 PM, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Installable Software\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Installable Software\MSASCui.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Installable Software\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152252544687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152252916375
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

NOD32 has a very strict way of doing it's job on the site of this piece of crap: they block the whole site with the blackspear setting working. So maybe a good iedea for everyone to use these if you like to be protected against crap

 

Many thanks to all, however please be aware that when such a request (for a HijackThis Log) is asked for by a Moderator or Specialist, in all cases it is asked that further comment and support be left in their hands.

This matter is now being dealt with privately by an Eset Moderator who will handle it from here.

Blackspear.

 

My post is now removed . Sorry Blackspear !

 

Thank you HiTech_boy, this is not a request directed personally at you or particularly at this thread, but at all threads where such a request for a HijackThis Log has been asked for.

Many thanks for your understanding.

Cheers

 

My pleasure !