Virus: ADSPY/Zwangi.hw.16
Type: Adware/Spyware
In the wild: No
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 715.880 Bytes
MD5 checksum: 3DBE1ABEA852AE2D0D22A9ADA3BA1CFA

 General ADSPY/ - Adware/Spyware

This class of detection flags software that displays ads, usually in the internet browser by modifying displayed pages or opening additional pages with ads, and/or monitors and sends information about the user's activity. These adware/spyware programs are usually installed by the users themselves or come with other software that the users install themselves (usually in exchange for using the software for free or as a default install option).

Users might be unaware that this software was installed or of its behaviour. This detection is meant to flag the file and the behaviour as part of legitimate ad displaying/user activity monitoring software.

This detection can be disabled; doing so is recommended if the user is aware of the software installed on his/her system and doesn't want this type of software to be detected.
Method of propagation:
   • No own spreading routine


Aliases:
   •  Eset: Win32/Adware.OneStep.AG
   •  DrWeb: Trojan.Searcher.274 Trojan.Searcher.274


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Downloads malicious files
   • Registry modification


Right after execution the following information is displayed:


 Files

The following files are created:

– %TEMPDIR%\nsb40.tmp\questscan.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Boigy.585729

– %TEMPDIR%\nsb40.tmp\questscan.exe Further investigation pointed out that this file is malware, too. Detected as: ADWARE/Zwangi.hw.26

– %TEMPDIR%\nsb40.tmp\uninstall.exe

– %ALLUSERSPROFILE%\Application Data\QuestScan\questscan143.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: ADWARE/Zwangi.HW.16

– %PROGRAM FILES%\QuestScan\uninstall.exe

 Registry

The following registry keys are added:

– [HKLM\SOFTWARE\QuestScan]
   • "Primary"=dword:0000a9e9
   • "DllPath"="%PROGRAM FILES%\\QuestScan\\questscan.dll"
   • "Version"=dword:0001002b
   • "Cid"="723f8016106a4513ac440129410713dd"
   • "Partner"="QUESTSCAN138"
   • "Src"="questscan"
   • "ShowToolbarButton"=dword:00000000
   • "ShowBarSign"=dword:00000000
   • "UpdateTimeH"=dword:01cc353b
   • "UpdateTimeL"=dword:28f6411d

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]
   • "PendingFileRenameOperations"=hex(7):%hex values%

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QuestScan]
   • "DisplayName"="QuestScan 1.0 build 143 powered by FIRST SEARCHBAR"
   • "UninstallString"="%PROGRAM FILES%\\QuestScan\\uninstall.exe _?=C:\Program Files\\QuestScan"

Description inserted by Jason Soo on Monday, June 27, 2011
Description updated by Jason Soo on Monday, June 27, 2011
