Zeno Search Assistant Running In Memory



#1 Derek123


Posted 27 October 2005 - 12:15 PM

Hiya All,

I was wondering whether you can help me please. I have tried to remove the Zeno Search Assistant running in memory...

I have tried: Spysweeper, Ad-Ware, Trend Micro, Counterspy and Spy Doctor... The problem is that it just starts from bootup and then as you use the internet, it just gives you annoying pop-ups, which Spysweeper does not block out, so you're constantly closing them down. Also getting pop-ups about fixing the registry and WinFix, god, that's frustrating....

Any ideas to remove this would be so much appreciated, I'm running Windows 2000, it's a laptop, Dell D600. Any such help would be so much appreciated.

I tried to run Spysweeper in Safe Mode, but it wouldn't allow me to do so, as it kept coming up with a pop-up saying you have to make changes using Control Panel. I don't quite recall the message, but that's what I was getting.

I was advised to post a log from HijackThis into this section, to get one of the experts to have a look at this, so ladies and gents over to you, as I'm not an expert in this. I will follow exactly what you say. I know it may take time to look at this, so I will patiently await a response, thanks in advance. Derek.

Logfile of HijackThis v1.99.1
Scan saved at 17:53:12, on 27/10/05
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINNT\system32\cusrvc.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Monactive\dxAgent\monagesv_secure.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Program Files\Monactive\dxAgent\xcmon32.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Program Files\Trend Micro\Tmas\Tmas.exe
c:\winnt\system32\wtdxregw.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\EasyZip\EZIP.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.msn.co.uk/fullaccess.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.msn.co.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 193.38.84.120;193.38.83.73;193.38.84.204;olookweb;193.39.47.129;msn.co.uk;onepace.msn.co.uk;193.39.47.131;193.39.64.29;tweb03;123.7.1.68;150.92.1.123;vantage;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Zstart.lnk = C:\zxinst_ms001.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global User Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global User Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E66FBC-0DD6-4E6D-8FBE-388C94C6BF6A}: Domain = msn.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{35E66FBC-0DD6-4E6D-8FBE-388C94C6BF6A}: NameServer = 193.38.83.123 103.38.83.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4DB18A3-1BEB-4807-B992-2631EF6FD1EC}: Domain = msn.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\..\{35E66FBC-0DD6-4E6D-8FBE-388C94C6BF6A}: Domain = msn.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\..\{35E66FBC-0DD6-4E6D-8FBE-388C94C6BF6A}: NameServer = 193.38.83.123 103.38.83.24
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Monactive Agent Service - Monactive Ltd - C:\Program Files\Monactive\dxAgent\monagesv_secure.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe


#2 Grinler


    Lawrence Abrams



Posted 01 November 2005 - 09:33 AM

Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select Copy.


C:\zxinst_ms001.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


Then,

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:


O4 - Startup: Zstart.lnk = C:\zxinst_ms001.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)


C:\zxinst_ms001.exe

Reboot your computer to go back to normal mode and post a new log and tell me if you're better.
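
The reply above targets the one O4 startup entry whose program sits directly in the drive root. As an added example (not part of the original thread and not HijackThis's own logic), this Python sketch parses a HijackThis log and lists such entries; the drive-root heuristic, the function names and the shortened sample log are assumptions made for illustration.

```python
import re
from ntpath import dirname  # Windows path rules, works on any OS

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Zstart.lnk = C:\zxinst_ms001.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # e.g. "O4 - Startup: ..."
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"=]*?\.exe)', re.IGNORECASE)
DRIVE_ROOT = re.compile(r"[A-Za-z]:\\")

def parse(log):
    """Split a log into running-process paths and (code, text) entries."""
    running, entries, in_procs = set(), [], False
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            running.add(line.lower())
    return running, entries

def root_startup_items(log):
    """Return O4 autostart targets located directly in a drive root
    (heuristic assumed for this example), noting whether each is running."""
    running, entries = parse(log)
    hits = []
    for code, text in entries:
        m = EXE_PATH.search(text) if code == "O4" else None
        if m and DRIVE_ROOT.fullmatch(dirname(m.group(1))):
            path = m.group(1)
            hits.append({"entry": f"{code} - {text}", "path": path,
                         "running": path.lower() in running})
    return hits

if __name__ == "__main__":
    for hit in root_startup_items(SAMPLE_LOG):
        print(hit)
```

A hit is a prompt for review rather than a verdict; the file still needs to be examined before anything is removed.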



