Tech Support banner

Status
Not open for further replies.
1 - 5 of 5 Posts

·
Registered
Joined
·
2 Posts
Discussion Starter · #1 ·
Counterspy with definitions 220 keeps reporting this malware.
It can be quarantined, a rescan before re-boot yields a clean report by Counterspy.
After a fresh re-boot, Counterspy again reports another infection present.
numerous HJT logs have been inspected by "experts" on another site I frequent.
many suggestions have been offered but alas, the culprit remains after trying all suggestions.

HJT scans have been run both in Windows XP normal mode and safe mode, no open programs in the startup tray and files set to show all hidden files.

Spyware scans have been run by the following:

Counterspy (latest definitions)
Microsoft Antispyware beta (latest definitions
Ad-Aware 1.06 (latest definitions)
Spybot Search and Destroy (latest definitions)
Ewido (latest definitions)
Avast Home antivirus (latest updates applied)

It is interesting to note that Counterspy is the only utility that reports this infection.
A member analyser of another forum suggested Counterspy might be giving a false positive.

What say you good folks here about this report ??

Can post HJT logs if requested or needed

Thanks in advance...............Daddad
 

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts
For us to analyze anything, we would need a fresh HJT log, run in normal mode, with all startups ticked in msconfig if you have disabled any.

Having come across your thread at another forum, I'm wondering if you followed up with the Helper's suggestion, and contacted CounterSpy re: a potential false positive.

Adw.Zango.Muncher had been "fixed" as a FP as recently as definition 214, but they may not have. My general impression is that if only one of those programs is flagging it, it may indeed be an FP.

Also, does CounterSpy give a location, file name, anything other than the name they've given this adware?

We can take a look to help set your mind at ease.....please do the following:

Please download HijackThis http://www.greyknight17.com/spy/HijackThis.exe - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

So, please reply with logs from:

HJT
Panda ActiveScan
 

·
Registered
Joined
·
2 Posts
Discussion Starter · #3 ·
Thanks tetonbob for the speedy reply.
Golly, I didn't expect a reply from such a "high up on the totum pole" person as yourself :grin:

"Having come across your thread at another forum, I'm wondering if you followed up with the Helper's suggestion, and contacted CounterSpy re: a potential false positive."

No I have not YET, I was waiting for some expert advice from the likes of you and others on advice offered on whether it could be/is a FP.

The Panda Activescan yielded NO detections of any kind and NO deletions of same.

HJT log in normal mode, one entry in MSCONFIG that was enabled for this scan:

Logfile of HijackThis v1.99.1
Scan saved at 2:40:53 PM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Audio Deck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: Mail Inspector 2000.lnk = C:\Program Files\Mail Inspector\minspect.exe
O4 - Startup: Shortcut to speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Startup: Shortcut to TopDesk.lnk = C:\FromArt\TopDesk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Never Forget.lnk = C:\Program Files\NeverForget\NF.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

Many thanks for your help..............Daddad
 

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts
Hi Daddad, sorry for the delay....been trying to get a better answer for you. The only thing I'm seeing here is Weatherbug...it comes bundled with adware, so we usually recommend it's removal.

I'll try to have one of our experts pop in to shed some light on the possible FPs...but I still think you need to contact CounterSpy....
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Are you getting any popups?? Adw.Zango.Muncher is software that displays advertisements. If your not getting any...then this adware is NOT installed...but here may be old files or registry entrys that counterspy is picking up.

Do a search for any of these files...

bidulator.exe
installershell.exe
muncherinstall.exe
muncherinstaller.exe
munchersetup.exe
zangoinstaller.exe
zangomuncher.exe


Then open up your registry editor and do a search using these keywords and see if anything is found..

Zango
180 Solutions


I don't see either in your logs..but make sure your other programs don't have them listed in their Quarantine folders. Does CounterSpy display the location of this file or registry entry?

BTW...Microsoft AntiSpyware and CounterSpy ....same product. Counterspy just adds to the database. :grin:
 
1 - 5 of 5 Posts
Status
Not open for further replies.
Top