TechSpot

Zeno Search Assistant & brdr problem

By scmcginley
Oct 24, 2007
Topic Status:
Not open for further replies.
  1. Hello all: This is my first post here. I need some help. (I am not a computer expert so please excuse any ignorance I may display).

    Help! Adware had been downloaded to my computer. My problems are:

    1 When I boot up my computer my Spy Sweeper program catches a bad file called ‘Zeno Search Assistance”. I delete through Spy Sweeper but it re-appears each type I reboot.

    2 When I shut down my computer I get “End Program-brdr-please wait”. I always have to click “end now” to close this. This happened every time I shutdown.

    3 I have “TA-Start” up my Startup folder. I believe this is linked to the Zeno Search Assistant because if I click on it in (through All Programs>Startup>TA_Start) Zeno Search Assistant tries to load and is blocked by my Spy Sweeper. TA_Start is also listed in my Startup file under MSconfig. I unclick it to not run at Startup but it still does each time. This would explain why Spy Sweeper catches it because it is trying to reload every time I reboot.

    4 Look like “Zeno Search Assistant” has also created a new file located on my computer at C:WINDOWS/System32/dwdsrngt.exe. I would love to delete this in the hopes of fixing everything but am afraid I may be deleting an important files for another process. I am not very knowledgeable in what all these different files do on my computer so I am afraid that if I delete it I could cause new problems with my computer-and am always told to be careful what files you delete.

    So how do I get rid of all this stuff? Any help or assistance is greatly appreciated.

    I also attahced a copy of my hijack file in .txt format.
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Your system is infected with malware.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of scmcginley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. scmcginley

    scmcginley TS Rookie Topic Starter

    Downloading AVG and Panda Antiroot

    Is there a charge for downloading the AVG Antispyware and Panda Antirootkit?

    I started to download AVG but I got only Anti Virus-it appears that I need to pay to download anti-spware, is that correct?

    Justy want to make I am doing this correctly before I proceed.
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

  5. scmcginley

    scmcginley TS Rookie Topic Starter

    Log files for review (brdr/TA_Start Up/dwdsrngt.exe problem)

    Computer running a little better already -no more "end program brdr when shutting down and can no longer find TA_Start in Startup folder -must have been removed by one of anti-viruses you had me download. All I see now is that the dwdsrngt.exe file and the TA_Start Up are still listed in my system config utility (under Start Up)-I have disabled these so they do not boot at startup and the command paths can no longer be found on my PC when I look for them. If I enable these will they disappear when I reboot?

    I have attached the latest Hijack file, AVG file, and combofix file. Also, the result of running Panda Antiroot kit said there were no rootkits found (5336 items scanned)

    Attached Files:

  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You have not renamed HijackThis.exe as per the instructions. See HERE.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    dwdsrngt.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders(if there).

    C:\DOCUME~1\SHAUNM~1\LOCALS~1\Temp\clclean.0001
    C:\WINDOWS\system32\xxywwut.dll
    C:\Documents and Settings\Shaun McGinley\Start Menu\Programs\Startup\TA_Start.lnk
    C:\windows\system32\dwdsrngt.exe

    Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

    Navigate to the following bold reg keys and delete them.

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shaun McGinley^Start Menu^Programs^Startup^TA_Start.lnk

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{60-08-81-18-ZN}

    Close regedit.

    Reboot into normal mode and rehide your protected OS files.

    Go HERE, download and install the latest version of Java.

    Then, go to add remove programmes in your control panel and uninstall all previous versions of Java, except for version 6 update 3.

    Post fresh HJT and Combofix logs.

    Regards Howard :)

    This thread is for the use of scmcginley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. scmcginley

    scmcginley TS Rookie Topic Starter

    I followed your instructions as requested (starting with renaming the HijackThis.exe file to Crusty.exe).

    Attached are the latest HJT and Combofix logs.

    How are we looking now?
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That all looks clean.

    Unless you`re still having problems, please do the following.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of scmcginley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  9. scmcginley

    scmcginley TS Rookie Topic Starter

    MS ASN1 Integer Overflow TCP blocked.

    I have recently been getting a notice from my Norton AntiVirus that it has blocked an instrusion attempt. I am being advised that MS ASN1 Integer Overflow TCP was blocked. Norton says this is a high security item.

    Norton blocked it so I am not to concerned that my systen is affected but I have been advised twice tonight that Norton caught it. I can turn off the notice but wanted to make sure there is not a concern. Should I worry about this or I am I safe enough that Norton catches it, even if it starts happening every day?

    Any advice is greatly appreciated.

    (I have attached my most recent hijack log-if that helps)
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Is this the Norton Firewall that`s alerting you?

    If it is, just tell it to block it and not alert you again.

    Your HJT log is clean.

    Regards Howard :)

    This thread is for the use of scmcginley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  11. scmcginley

    scmcginley TS Rookie Topic Starter

    Yes, it is the Norton Firewall that is alerting me.

    I will go ahead ignore it. Just wanted to make sure my systen was still clean (a little paranoid these days after my last problem)

    Thank you for the prompt response.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    No worries mate, that`s what I`m here for.

    Regards Howard :)

    This thread is for the use of scmcginley only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  13. scmcginley

    scmcginley TS Rookie Topic Starter

    Unwanted Pop Up and Question about my newly installed hard drive

    Hello, a few months ago, you helped me fix some malaware issues which I really appreciate.

    Last week, my PC would no boot up. Instead I was being advised of the following:
    "Windows could not start because the following file is missing or corrupt:
    <Windows root>\system32\hal.dll. Please re-install a copy of the above file."

    I ended up having to use the Dell PC restore function to restore my computer to the factory settings. Fortunately I was able to pull my data off my hard drive before I restored my OPC. (I also now have an external hard drive, just in case)

    A few days later one of my hard drives failed (I have RAID). I decided to replace both hard drives (actually only one for storage purpose because of the RAID function). Was able to pull my files off my old hard drive and got all of my programs back up and running. I also upgraded to Norton 360 and reinstalled my Spy sweeper.

    I just started getting a blank page pop up on Norton 360. I click on the options and find that Norton is blocking http.rondstarsdoor.com. I assume the page is blank because Norton is blocking it but I still get the blank page pop up. This does not happen all the time but periodically. What can I do to get rid of this annoying occurrence? I have attached a copy of my hijack log.

    I also have a hard drive issue. I had a 250 GB hard drive. I installed a new 320BGB Seagate Hard Drive. When I check the drive size it shows the old hard disk size. Why would my PC not show that I now have a 320 GB (actually two 320GB drives are installed in my PC order to use the RAID option). The hard disks installed are 320GB Seagate 12MB Cache. I can provide a picture of what my PC shows if necessary.

    Why would my PC (Dell E510) not recognize the increased hard drive.

    Any help is appreciated. Thanks.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.