WinAntispyware Removal

Discussion in 'NOD32 version 2 Forum' started by cacherlady, Jul 26, 2006.

Thread Status:
Not open for further replies.
  1. cacherlady

    cacherlady Registered Member

    Joined:
    Jun 13, 2006
    Posts:
    22
    Re: Safe to run Nod32 without firewall or anything else?

    I'm not sure if I'm in the right part of the forum but....I'm being attacked by spyware and Adware & I thought NOD32 prevented this! I tried a trial version of WinAntispyware & it was spyware in itself & keeps disrupting my work telling me to get it & get rid of my infections now! Disgusting & I can't get rid of it. Also have a bug called ACX install & Instant Access, which I can't get rid of.

    I read that "Spyware detector" was the best out there & I downloaded a free trial, but it won't get rid of the spyware till I buy it & I'm soooo afraid of getting a program in that isn't worth a darn!

    Can anyone tell me what is the safest antispyware out there, that won't add crap to your computer & is easy to use?

    Thanks,
    Cacherlady
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Please download VundoFix.exe to your desktop.

    1. Reboot your PC into "Safe Mode".
    2. Double click on VundoFix.exe
    3. Place a tick next to "Run VundoFix" as a task.
    4. You will receive a message saying VundoFix will close and re-open in a minute or less.
    5. Click "OK".
    6. When VundoFix re-opens, click the "Scan for Vundo" button.
    7. Once it's done scanning, click the "Remove Vundo" button.
    8. You will receive a prompt asking if you want to remove the files, click "Yes".
    9. Once you click yes, your desktop will go blank as it starts removing Vundo.
    10. When completed, it will prompt that it will shutdown your computer, click "Ok".
    11. Turn on your computer.

    Let us know how you go...

    Cheers :D
     
  3. cacherlady

    cacherlady Registered Member

    Joined:
    Jun 13, 2006
    Posts:
    22
    Thank you! I'll give that a try.

    Cacherlady
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure.


    You might have to run that file a couple of times in order to clean this pest off.

    Cheers :D
     
  5. cacherlady

    cacherlady Registered Member

    Joined:
    Jun 13, 2006
    Posts:
    22
    Well, I ran the vundo as a scan & it said I didn't have any infected files - yet every time I run Spyware Detector it says I have it & I put it in quarantine.

    There's also another real pest that I can't get rid of called "Instantaccess" - any suggestions on how to get rid of that one?

    Thanks,
    Cacherlady
     
  6. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Spyware Detector? This one? This program has been listed on Spyware Warrior's Rogue Suspect Anti-Spyware Products & Web Sites:

    "Spyware Detector was listed on this page because of concerns with false positives."

    So it could be just false positives? Is there a way you can post the log of the files/registry entries it flags? Have you tried submitting the files it detects at VirusTotal? I'm guessing it might be false positives.
     
  7. cacherlady

    cacherlady Registered Member

    Joined:
    Jun 13, 2006
    Posts:
    22
    Yep, that's the one I have! Cripes, I thought I was making a smart decision. I'll see if I can copy the log....

    Cacherlady
     
  8. cacherlady

    cacherlady Registered Member

    Joined:
    Jun 13, 2006
    Posts:
    22
    Okay, I think I got the thing copied: It is confusing to try to copy this!

    Information :
    Date: 7/27/2006 08-48-01
    OS Version: Windows XP Home Edition
    Computer Name:-0D545CE

    Log:
    Infection Name Problem Location Action
    Instantaccess Registry Value hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\microsoft\systemcertificates\trustedpublisher\certificates\62119ef862c6b3a0d853419b87eb3e2f6c78640a\"blob" Scan
    Instantaccess Registry Key hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\microsoft\systemcertificates\trustedpublisher\certificates\62119ef862c6b3a0d853419b87eb3e2f6c78640a Scan
    ACX Install Registry Data hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\livesvc\navtime\:139 Scan
    ACX Install Registry Value hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\livesvc\"navtime" Scan
    ACX Install Registry Key hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\livesvc Scan
    Winantispyware 2006 File c:\documents and settings\owner\local settings\temp\winantispyware2006setup.exe Scan
    Tracking Cookie MozillaCookie @advertising.com Scan
    Tracking Cookie MozillaCookie @atdmt.com Scan
    Tracking Cookie MozillaCookie @doubleclick Scan
    Tracking Cookie MozillaCookie @doubleclick.net Scan
    Tracking Cookie Cookie c:\documents and settings\owner\cookies\owner@ig[1].txt Scan
    Tracking Cookie Cookie c:\documents and settings\owner\cookies\owner@ig[3].txt Scan
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    NOD32 should not allow you to run winantispyware2006setup.exe, or at least it would block required files during installation of the rogue antispyware.
     
  10. cacherlady

    cacherlady Registered Member

    Joined:
    Jun 13, 2006
    Posts:
    22
    Well, Nod did allow it - that's what I don't understand. I thought NOD blocked a lot of spyware so I never worried about getting any anti-spyware installed.
     
  11. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    From what I can see in the log you posted the detections on the tracking cookies and the Winantispyware installer file seem legit (probably not false positives). Don't know about the registry entries it finds? For your information, NOD32 does not clean up tracking cookies or registry entries after installed spyware or adware. NOD32 will only clean/delete the spyware/adware files.

    Anyway, if you want a good working antispyware/adware that you can use together with NOD32 and doesn't cost anything, try Spyware Terminator. And from what I can see in its database, it should be able to clean your PC of this InstantAccess crap.
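
Added example, not part of kjempen's post or of any tool named in this thread: a Python parser that splits the Spyware Detector log posted above into file, registry and cookie detections, the distinction kjempen draws about what NOD32 cleans. The field layout and the names `parse_log` and `triage` are assumptions inferred from the pasted log.

```python
import re
from collections import defaultdict

# Entries copied verbatim from the Spyware Detector log posted in this thread.
LOG = r'''
Instantaccess Registry Value hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\microsoft\systemcertificates\trustedpublisher\certificates\62119ef862c6b3a0d853419b87eb3e2f6c78640a\"blob" Scan
ACX Install Registry Key hkey_users\s-1-5-21-515967899-1532298954-1801674531-1003\software\livesvc Scan
Winantispyware 2006 File c:\documents and settings\owner\local settings\temp\winantispyware2006setup.exe Scan
Tracking Cookie MozillaCookie @doubleclick.net Scan
Tracking Cookie Cookie c:\documents and settings\owner\cookies\owner@ig[1].txt Scan
'''

# Assumed layout: <infection name> <problem type> <location> <action>.
# Names and paths contain spaces, and "Cookie" is both part of a name and a
# problem type, so the location prefix (hive, drive letter or @domain) is
# what anchors the split between the columns.
ENTRY = re.compile(
    r'^(?P<name>.+?) '
    r'(?P<problem>Registry (?:Value|Key|Data)|File|MozillaCookie|Cookie) '
    r'(?P<location>(?:hkey_|[a-z]:\\|@).+) '
    r'(?P<action>\S+)$',
    re.IGNORECASE)


def category(problem):
    """Map the scanner's problem type to file / registry / cookie."""
    p = problem.lower()
    if p.startswith('registry'):
        return 'registry'
    if 'cookie' in p:
        return 'cookie'
    return 'file'


def parse_log(text):
    """Return (entries, unparsed); unmatched lines are kept, not dropped."""
    entries, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            unparsed.append(line)
            continue
        entry = m.groupdict()
        entry['category'] = category(entry['problem'])
        entries.append(entry)
    return entries, unparsed


def triage(entries):
    """Group entries so on-disk files are separated from leftovers."""
    groups = defaultdict(list)
    for e in entries:
        groups[e['category']].append(e)
    return dict(groups)


if __name__ == '__main__':
    parsed, skipped = parse_log(LOG)
    for cat, items in triage(parsed).items():
        print(cat, [(e['name'], e['location']) for e in items])
```

Only the `file` group is something a file scanner would delete; the `registry` and `cookie` groups are the leftovers that need a separate cleanup tool.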
     
  12. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    On a sidenote, trying Spyware Detector here and it is giving me false positives (labelling legit files as trojans). I don't like this software much.

    Spyware Terminator seems like a better antispyware/adware solution.
     
  13. cacherlady

    cacherlady Registered Member

    Joined:
    Jun 13, 2006
    Posts:
    22
    Thanks, Kjempen!

    I've downloaded the Terminator anti-spyware & removed my Spyware Defender, but I'm not sure about the Clam/AV included in the application...doesn't that interfere with NOD? I didn't know, so I didn't install the clam part.

    Thanks,
    cacherlady
     
  14. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    The ClamAV part isn't really necessary since you already got NOD32 installed.
     
  15. Scott-Sutton

    Scott-Sutton Guest

    Greetings All,

    I'm sorry to hear that you're experiencing issues with WinAntiSpyware and hope that the Community can help resolve this issue as quickly and as effectively as possible. In the meantime could you verify if the stub installation package has created a System Restore Point? To view System Restore points, please launch System Restore and select "Restore My Computer To An Earlier Time" and click Next. This will allow you to view any System Restore points created, with events highlighted in bold. Please close System Restore and inform us of this.
    In regards to your Anti-Spyware program query, I would personally suggest Webroot Spy Sweeper 5.0.5. for many reasons. Webroot Spy Sweeper is the most effective independent Anti-Spyware application available on the market today in its dedicated section. It prevents Spyware and Adware installation proactively, updates are daily and the detection percentage is the highest in its class, although a subscription is paid-for, I certainly wouldn't consider any other dedicated package, but that's simply my opinion. Others will have their own favourites but either way, I hadn't used Spyware Terminator, I'll look into it myself.


    On the topic of WinAntiSpyware and suchlike I've noticed a rather disturbing find on the Security Pack Cover Disc of Windows XP Magazine's 51st Issue. The programs in question are WinAntiVirus 2005 Pro and WinFirewall 2005. The reason is because I was browsing the URL within a Members Signature via the Microsoft Windows XP: The Official Magazine Forum just now and it leads to Malware Complaints, a website documenting malware and highlighting the issue to Local MPs and suchlike - Although I'd find it questionable as to whether said MPs take action. While browsing the forum I noticed the following thread: WinAntiVirus 2005 which lists WinAntiVirus 2005 as malware:

    Click Me

    If you yourself recognise this program and it is installed on your system please use an Anti-Spyware program to remove the infection after you have uninstalled the program via Add/Remove Programs. Common Anti-Spyware programs include Lavasoft Ad-Aware SE Personal and Spybot Search & Destroy and are freely available although they both only remove malware after it has been installed and ideally one would like to stem the installation in the first place therefore I recommend Webroot Spy Sweeper 5.0 which has had numerous awards within the industry, has the most effective and comprehensive detection ratings to date and all in all is more than worth the asking price.

    Saying that it looked suspicious when included on the Cover Disk but I didn't install it - This was 10 months ago. Eset NOD32 Anti-Virus certainly didn't detect it as Malware and a subsequent scan of the disc with Webroot Spy Sweeper 5.0 didn't detect the Malware either which is surprising given that Webroot Spy Sweeper is the leading independent Anti-Spyware product and both Eset NOD32 Anti-Virus System and Webroot Spy Sweeper 5.0 boast Advanced Heuristics and can scan within Installation Packages - So why the misdetection? Either way, this is Malware and should be removed from subsequent Cover Discs.

    Could an Eset representative verify why the misdetection may have taken place? I'm certain Eset NOD32 Anti-Virus System scans within archives, but does it scan the code within executables? If so, could there be a reason as to why this wasn't detected?

    Regards,

    Scott Sutton
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi cacherlady, could you please download and run Hijackthis and post a log here.

    Cheers :D
     
  17. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    Re: Safe to run Nod32 without firewall or anything else?

    @Cacherlady

    I've recently been testing out SuperAntispyware after hearing stuff about them a lot recently. They have a free for home use version, so no skin off your back to give that a try as well. I've had some success with it, but not sure how well it works long term (new player on the block).

    -Cov
     
  18. cacherlady

    cacherlady Registered Member

    Joined:
    Jun 13, 2006
    Posts:
    22
    I did run HiJack this & from what I could tell, it didn't show that I had that darn WinAntispyware on there....but it is there! It keeps popping up or under, warning me I'm infected & need to buy their program. I removed it from the add/remove programs manually & found a file, which I removed also, but still the pop ups. The funny thing is, I don't get the pop ups when I use Firefox browser, but with I.E. I'm even getting pop ups on a very trusted site that I visit every day & I know that site isn't generating them. As I mentioned before, some of them appear slightly porn & others refer to gambling - neither of which I'm at all interested in!

    All I can figure is a bunch of crap has infected my I.E. browser & I'm just not going to be able to use it, since I can't eliminate the problem.

    How come the pop up blockers aren't stopping this?

    Thanks for all your advice & help. This forum is the best site I've ever discovered!

    Cacherlady
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Please post your log here.

    Cheers :D
     
  20. cacherlady

    cacherlady Registered Member

    Joined:
    Jun 13, 2006
    Posts:
    22
    Okay, here's my HiJack This log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:06:51 PM, on 7/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Installable Software\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Installable Software\MSASCui.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\Owner\Desktop\hijackthis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Installable Software\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152252544687
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152252916375
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  21. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    NOD32 has a very strict way of doing its job on the site of this piece of crap: they block the whole site with the blackspear setting working. So maybe a good idea for everyone to use these if you like to be protected against crap :)
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Many thanks to all, however please be aware that when such a request (for a HijackThis Log) is asked for by a Moderator or Specialist, in all cases it is asked that further comment and support be left in their hands.

    This matter is now being dealt with privately by an Eset Moderator who will handle it from here.

    Blackspear.
     
  23. ASpace

    ASpace Guest

    My post is now removed . Sorry Blackspear ! :D
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thank you HiTech_boy, this is not a request directed personally at you or particularly at this thread, but at all threads where such a request for a HijackThis Log has been asked for.

    Many thanks for your understanding.

    Cheers :D
     
  25. ASpace

    ASpace Guest

    :thumb: :thumb: :thumb:
    My pleasure ! :D
     