Adware.Zdengo

Short bio

Adware.Zdengo is Malwarebytes’ detection name for a family of adware installers and bundlers.

Symptoms

Users on affected systems may see extra search results added above their actual search results. The topmost of the added results will have these icons on its right-hand side:

Adware.Zdengo ads


Some installers will also show a warning during install

Adware.Zdengo installing


and an entry in the list of installed Programs and Features:

Adware.Zdengo installed


Type and source of infection

Adware.Zdengo files are installers for various other adware variants and are often themselves included in other bundlers.

Protection

Malwarebytes protects users from Adware.Zdengo by using real-time protection.


Malwarebytes blocks Adware.Zdengo

and by blocking the domains that host the installers.


Malwarebytes blocks the domain wajam-download.com

Remediation

Malwarebytes can detect and remove Adware.Zdengo without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Malwarebytes removal log

A Malwarebytes removal log after running Adware.Zdengo will look similar to this:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/18/18
Scan Time: 8:54 AM
Log File: 5def4e4f-5a68-11e8-83e7-080027235d76.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.5154
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 239773
Threats Detected: 44
Threats Quarantined: 44
Time Elapsed: 2 min, 50 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\04146af46813e501bb7ca87370e1aaeb.exe, Quarantined, [5128], [415982],1.0.5154

Module: 2
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\04146af46813e501bb7ca87370e1aaeb.exe, Quarantined, [5128], [415982],1.0.5154
Adware.Wajam, C:\WINDOWS\CBQDNJLANJOMWLWI.CBQ, Quarantined, [436], [519606],1.0.5154

Registry Key: 12
Adware.Social2Search.EncJob, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\8b99190a17e0232dfed348aad6c4a699, Quarantined, [5128], [415982],1.0.5154
PUP.Optional.Wajam, HKCU\SOFTWARE\WajIEnhance, Quarantined, [210], [244670],1.0.5154
PUP.Optional.Wajam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [210], [-1],0.0.0
Adware.SearchAwesome, HKLM\SOFTWARE\SrcAAAesom Browser Enhancer, Quarantined, [7358], [424837],1.0.5154
Adware.Wajam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\08ad4f1678b0db2b83448f10c5b23057, Quarantined, [436], [519606],1.0.5154
Adware.SearchAwesome, HKLM\SOFTWARE\WOW6432NODE\SrcAAAesom Browser Enhancer, Quarantined, [7358], [424837],1.0.5154
Adware.SearchAwesome, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\8b99190a17e0232dfed348aad6c4a699, Quarantined, [7358], [424836],1.0.5154
MachineLearning/Anomalous.100%, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\8b99190a17e0232dfed348aad6c4a699, Quarantined, [0], [392687],1.0.5154
PUP.Optional.Wajam, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9, Quarantined, [210], [170024],1.0.5154
Adware.Wajam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ceaadf4b92292e7d1264007c289e7a68, Quarantined, [436], [511749],1.0.5154
PUP.Optional.Wajam, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9, Quarantined, [210], [170024],1.0.5154
PUP.Optional.Wajam, HKLM\SOFTWARE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9, Quarantined, [210], [170024],1.0.5154

Registry Value: 7
PUP.Optional.Wajam, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [210], [-1],0.0.0
PUP.Optional.Wajam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [210], [-1],0.0.0
PUP.Optional.Wajam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [210], [-1],0.0.0
PUP.Optional.Wajam, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [210], [-1],0.0.0
Adware.Wajam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\08ad4f1678b0db2b83448f10c5b23057|IMAGEPATH, Quarantined, [436], [519606],1.0.5154
Adware.SearchAwesome, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\8b99190a17e0232dfed348aad6c4a699|DISPLAYNAME, Quarantined, [7358], [424836],1.0.5154
Adware.SearchAwesome.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\8b99190a17e0232dfed348aad6c4a699|PUBLISHER, Quarantined, [7280], [437519],1.0.5154

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Adware.Social2Search.EncJob, C:\PROGRAM FILES\8b99190a17e0232dfed348aad6c4a699, Quarantined, [5128], [415982],1.0.5154

File: 21
Adware.Social2Search.EncJob, C:\PROGRAM FILES\8b99190a17e0232dfed348aad6c4a699\WBE_uninstall.dat, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\04146af46813e501bb7ca87370e1aaeb.exe, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\c6182f9cb662a9e333002e06810f826d.exe, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\c92b3103a49ebb99abf869e8dd17de8f.exe, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\dbdda1b2ae5292a030f8279af6ca291a.ico, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\df1a166bec69178b887ca05ac8cb37de, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\mozcrt19.dll, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\nspr4.dll, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\nss3.dll, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\plc4.dll, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\plds4.dll, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\service.dat, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\service_64.dat, Quarantined, [5128], [415982],1.0.5154
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\softokn3.dll, Quarantined, [5128], [415982],1.0.5154
PUP.Optional.FFHijacker.Generic, C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\DEFAULTS\PREF\SECURE_CERT.JS, Quarantined, [5383], [505085],1.0.5154
Adware.Wajam, C:\WINDOWS\CBQDNJLANJOMWLWI.CBQ, Quarantined, [436], [519606],1.0.5154
MachineLearning/Anomalous.100%, C:\WINDOWS\C92B3103A49EBB99ABF869E8DD17DE8F.EXE, Quarantined, [0], [392687],1.0.5154
Adware.Wajam, C:\WINDOWS\SYSTEM32\DRIVERS\CEAADF4B92292E7D1264007C289E7A68.SYS, Quarantined, [436], [511749],1.0.5154
Adware.Zdengo, C:\USERS\{username}\DESKTOP\UPDATE.EXE, Quarantined, [7948], [522251],1.0.5154
Generic.Malware/Suspicious, C:\DOWNLOADS\SETUP2.EXE, Quarantined, [0], [392686],1.0.5154
MachineLearning/Anomalous.100%, C:\WINDOWS\C92B3103A49EBB99ABF869E8DD17DE8F.EXE, Quarantined, [0], [392687],1.0.5154

Physical Sector: 0
(No malicious items detected)


(end)
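
A log in this format can be triaged with a short script. The following is an added example, not Malwarebytes code: it parses the "-Scan Details-" section, checks each section's declared count against the entries actually present, and groups artifacts that share a 32-character hexadecimal name. The function names and the trimmed SAMPLE (section counts adjusted to the excerpt) are assumptions, and the two bracketed numbers are kept as opaque ids because the page does not define them.

```python
import re
from collections import Counter, defaultdict
# Trimmed excerpt of the removal log above; section counts adjusted to the excerpt.
SAMPLE = r"""-Scan Details-
Process: 1
Adware.Social2Search.EncJob, C:\Program Files\8b99190a17e0232dfed348aad6c4a699\04146af46813e501bb7ca87370e1aaeb.exe, Quarantined, [5128], [415982],1.0.5154

Registry Key: 3
Adware.Social2Search.EncJob, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\8b99190a17e0232dfed348aad6c4a699, Quarantined, [5128], [415982],1.0.5154
PUP.Optional.Wajam, HKCU\SOFTWARE\WajIEnhance, Quarantined, [210], [244670],1.0.5154
Adware.SearchAwesome, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\8b99190a17e0232dfed348aad6c4a699, Quarantined, [7358], [424836],1.0.5154

Data Stream: 0
(No malicious items detected)

File: 2
Adware.Wajam, C:\WINDOWS\SYSTEM32\DRIVERS\CEAADF4B92292E7D1264007C289E7A68.SYS, Quarantined, [436], [511749],1.0.5154
Adware.Zdengo, C:\USERS\{username}\DESKTOP\UPDATE.EXE, Quarantined, [7948], [522251],1.0.5154
"""

SECTION = re.compile(r"^([A-Za-z ]+): (\d+)$")
ENTRY = re.compile(r"^(?P<name>[^,]+), (?P<location>.+), (?P<action>[^,]+), "
                   r"\[(?P<id1>-?\d+)\], \[(?P<id2>-?\d+)\],(?P<version>[\d.]+)$")
HEX32 = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.I)

def parse_scan_details(text):
    """Return (entries, declared counts) for the '-Scan Details-' part of a log."""
    entries, declared, section = [], {}, None
    body = text.split("-Scan Details-", 1)[-1]
    for line in map(str.strip, body.splitlines()):
        if m := SECTION.match(line):
            section, declared[m.group(1)] = m.group(1), int(m.group(2))
        elif section and (m := ENTRY.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return entries, declared

def count_mismatches(entries, declared):
    """Sections whose header count differs from the parsed entries (truncated or edited log)."""
    seen = Counter(e["section"] for e in entries)
    return {s: (n, seen[s]) for s, n in declared.items() if seen[s] != n}

def correlate_by_token(entries):
    """Group detections whose location contains the same 32-hex name."""
    groups = defaultdict(set)
    for e in entries:
        for tok in HEX32.findall(e["location"]):
            groups[tok.lower()].add((e["section"], e["name"]))
    return groups
```

On the excerpt, the same 32-hex name appears under a process, a service key and an uninstall key and is flagged under two detection names, which is a useful pivot when checking that nothing from one install was left behind.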

Traces/IOCs

Md5 hashes:

