Author Topic: My Log from ComboFix continuation  (Read 117669 times)


haydee

Re: My Log from ComboFix continuation
« Reply #15 on: June 10, 2007, 10:30:52 PM »
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154116431296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154448063656
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
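As an added, defender-side example (not code from this thread), a Python triage of HijackThis O23 and O16 lines like the ones above: it separates a genuinely missing service binary from a path that HijackThis split at a stray quote (the two avast scanner lines carry a `/service` argument), and flags ActiveX (DPF) downloads from hosts other than the update and messenger hosts seen in this log. The expected-host list and the quote heuristic are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: O16/O23 lines copied from the HijackThis log above.
SAMPLE_LINES = [
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154116431296",
    r"O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB",
    r"O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)",
    r"O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
    r"O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE",
]

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>.+)$")
MISSING = "(file missing)"
# Hosts that ActiveX downloads (DPF) are expected from in this log (assumption).
EXPECTED_DPF_HOSTS = ("update.microsoft.com", "messenger.zone.msn.com")

def triage_o23(line):
    """Classify an O23 service line; returns None if the line is not O23."""
    m = O23_RE.match(line)
    if not m:
        return None
    path, findings = m.group("path"), []
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].rstrip()
    if '"' in path:
        # A stray quote means the ImagePath carried arguments (here: /service);
        # the "file missing" verdict on such a line should be rechecked by hand.
        findings.append("quoted-path-with-args")
    elif missing:
        findings.append("file-missing")
    if m.group("owner") == "Unknown owner":
        findings.append("no-company-name")
    return {"service": m.group("display"), "path": path, "findings": findings}

def triage_o16(line):
    """Classify an O16 DPF line by the host the control was downloaded from."""
    m = O16_RE.match(line)
    if not m:
        return None
    host = urlparse(m.group("url")).hostname or ""
    findings = [] if host in EXPECTED_DPF_HOSTS else ["dpf-from-unlisted-host"]
    return {"name": m.group("name"), "host": host, "findings": findings}

def triage(lines):
    """Return only the records that raised at least one finding."""
    out = []
    for line in lines:
        rec = triage_o23(line) or triage_o16(line)
        if rec and rec["findings"]:
            out.append(rec)
    return out
```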


haydee

Re: My Log from ComboFix continuation
« Reply #16 on: June 10, 2007, 10:33:21 PM »
I hope I did this correctly.
I think this is a lot of work for you to
check all this. I would become insane.
I don't know anything about computers and I really admire
you who can understand all these "rebolu"  ;D
My compliments to you.
Thank you so much. If I was working and making a living
someway I would make a good donation cause the forum really
deserves it.
A dozen of  :-* for everyone helping.
« Last Edit: June 10, 2007, 10:42:53 PM by haydee »

Offline polonus

Re: My Log from ComboFix continuation
« Reply #17 on: June 10, 2007, 11:45:49 PM »
Hi Haydee,

Your hjt logfile evaluation can be found here: http://www.hijackthis.de/logfiles/9040b214d04b28d634928a6abd754913.html
This is for 3 consecutive days. From what I can see here, but you have to wait for what Essexboy has to say about this, you have to get rid of URL SearchHook and Toolbar Gamebar. He might also give you instructions to get rid of your Zango infection.
To manually remove the Zango infection, use the following removal steps:

   1. Close all open Internet Explorer windows.
   2. Open a DOS command prompt window (Start > Run, type 'cmd' (on Windows NT/2000/XP) or 'command' (on Windows 95/98/Me)) and enter the following commands:

      cd %ProgramFiles%\ZangoClient\
      regsvr32 /u zangohook.dll
   3. Click Start > Run, type 'regedit' and click OK to open Registry Editor.
   4. Navigate to the following key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      In the right pane, find and delete the entry with the value 'zanu' (which points to the file zanu.exe) or 'Zango TvTimes' (which points to the file ZangoTVTimes).
   5. Reboot the computer.
   6. Open the Registry Editor again, navigate to and delete the following keys to clean up (if they exist):

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B178417-3CDA-444F-94FF-312C0A3A78A8}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{68BF4626-D66B-4383-A6AF-62E57E9B6CD4}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{15EA8944-438E-471E-860D-6743D4383A37}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E5B57AB3-15F8-43A2-ABAC-3E58A9C25818}
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ncmyb.SABHO
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ncmyb.SABHO.1
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.ClientInstaller.1
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClientAX.RequiredComponent.1
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zanu
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zango TV Times
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287}
      HKEY_LOCAL_MACHINE\SOFTWARE\zanu
      HKEY_CURRENT_USER\Software\zanu
   7. Exit Registry Editor.
   8. Delete the following folders:

      %ProgramFiles%\ZangoClient\
      %ProgramFiles%\Zango Applications\



polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

Re: My Log from ComboFix continuation
« Reply #18 on: June 10, 2007, 11:55:29 PM »
Working on the WinPFind now, shouldn't take too long

Offline essexboy

Re: My Log from ComboFix continuation
« Reply #19 on: June 11, 2007, 12:11:20 AM »
You can run but not hide I found you  ;D


Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Registry - Non-Microsoft Only]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {08C134D3-087C-4139-A98C-3A078358DFDE} [HKLM] -> %System32%\byxurrr.dll []
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> awtqp -> %System32%\awtqp.dll
YY -> byxurrr -> %System32%\byxurrr.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {08C134D3-087C-4139-A98C-3A078358DFDE} [HKLM] -> %System32%\byxurrr.dll [Reg Data - Value does not exist]
YY -> {4DDD747B-110B-4BBA-8A83-1B90ED65736F} [HKLM] -> %System32%\awtqp.dll [Reg Data - Value does not exist]
YN -> {6F282B65-56BF-4BD1-A8B2-A4449A05863D} [HKLM] -> %ProgramFiles%\GamesBar\oberontb.dll [GamesBar]
YN -> {B12B391A-A0A7-FB27-D97F-89ADA897299D} [HKLM] -> %System32%\dakv.dll [Reg Data - Value does not exist]
YN -> {E12BFF69-38A7-406e-A8EF-2738107A7831} [HKLM] -> %System32%\xanjvlym.dll [Reg Data - Value does not exist]
YN -> {F1CEB0E0-FB0E-4F79-8019-3031A22FCF7D} [HKLM] -> %ProgramFiles%\WindowsUpdate\hokel.dll []
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> Reg Data - Value does not exist [ButtonText: Yahoo! Services]
YN -> {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com]
[Files/Folders - Created Within 30 days]
NY -> dnsbak.reg -> %SystemDrive%\dnsbak.reg
NY -> sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm
NY -> sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm
NY -> sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm
NY -> sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm
NY -> sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm
NY -> sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm
NY -> sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm
NY -> sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm
NY -> sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm
NY -> sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm
NY -> tcb.pmw -> %SystemRoot%\tcb.pmw
NY -> awtqp.dll -> %System32%\awtqp.dll
NY -> byxurrr.dll -> %System32%\byxurrr.dll
NY -> ClickToFindandFixErrors_Intl.ico -> %System32%\ClickToFindandFixErrors_Intl.ico
NY -> ecypdnan.ini -> %System32%\ecypdnan.ini
NY -> fhoufhdx.ini -> %System32%\fhoufhdx.ini
NY -> ipcmbhyk.ini -> %System32%\ipcmbhyk.ini
NY -> nmeywjhq.ini -> %System32%\nmeywjhq.ini
NY -> pqtwa.bak1 -> %System32%\pqtwa.bak1
NY -> pqtwa.ini -> %System32%\pqtwa.ini
NY -> stera.job -> %System32%\stera.job
[Files/Folders - Modified Within 30 days]
NY -> found.001 -> %SystemDrive%\found.001
NY -> sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm
NY -> sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm
NY -> sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm
NY -> sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm
NY -> sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm
NY -> sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm
NY -> sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm
NY -> sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm
NY -> sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm
NY -> sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm
NY -> tcb.pmw -> %SystemRoot%\tcb.pmw
NY -> awtqp.dll -> %System32%\awtqp.dll
NY -> byxurrr.dll -> %System32%\byxurrr.dll
NY -> ClickToFindandFixErrors_Intl.ico -> %System32%\ClickToFindandFixErrors_Intl.ico
NY -> ecypdnan.ini -> %System32%\ecypdnan.ini
NY -> fhoufhdx.ini -> %System32%\fhoufhdx.ini
NY -> ipcmbhyk.ini -> %System32%\ipcmbhyk.ini
NY -> nmeywjhq.ini -> %System32%\nmeywjhq.ini
NY -> pqtwa.bak1 -> %System32%\pqtwa.bak1
NY -> pqtwa.ini -> %System32%\pqtwa.ini
NY -> stera.job -> %System32%\stera.job

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3U scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer. I see you still have Symantec on your system; are you using their firewall?
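As an added illustration, not part of essexboy's fix script, a Python script that reads WinPFind3U report lines like the ones quoted above and lists every module that shows up in more than one section: byxurrr.dll and awtqp.dll sit in ShellExecuteHooks, Winlogon\Notify, the BHO list and the created-within-30-days list at once, which is the pattern the fix targets. The two-letter YY/YN/NY flags are not interpreted here, and the sample is a constructed subset of the report.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in WinPFind3U's report format, built from the fix posted above.
SAMPLE_FIX = r"""
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {08C134D3-087C-4139-A98C-3A078358DFDE} [HKLM] -> %System32%\byxurrr.dll []
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> awtqp -> %System32%\awtqp.dll
YY -> byxurrr -> %System32%\byxurrr.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {08C134D3-087C-4139-A98C-3A078358DFDE} [HKLM] -> %System32%\byxurrr.dll [Reg Data - Value does not exist]
YY -> {4DDD747B-110B-4BBA-8A83-1B90ED65736F} [HKLM] -> %System32%\awtqp.dll [Reg Data - Value does not exist]
YN -> {6F282B65-56BF-4BD1-A8B2-A4449A05863D} [HKLM] -> %ProgramFiles%\GamesBar\oberontb.dll [GamesBar]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com]
[Files/Folders - Created Within 30 days]
NY -> awtqp.dll -> %System32%\awtqp.dll
NY -> byxurrr.dll -> %System32%\byxurrr.dll
NY -> stera.job -> %System32%\stera.job
"""

REG_SECTION_RE = re.compile(r"^< (.+?) > -> ")      # "< name > -> HKEY_..."
FILE_SECTION_RE = re.compile(r"^\[(.+)\]$")          # "[Files/Folders - ...]"
ITEM_RE = re.compile(r"^[YN]{2} -> .+? -> (.+)$")    # "YY -> name -> target [note]"
TRAILING_NOTE_RE = re.compile(r"\s*\[[^\]]*\]$")

def parse_items(report):
    """Yield (section, target_path) for every item whose target is a file path."""
    section = None
    for line in report.strip().splitlines():
        m = REG_SECTION_RE.match(line) or FILE_SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        target = TRAILING_NOTE_RE.sub("", m.group(1))
        if "\\" in target:            # skip "Reg Data - ..." placeholders
            yield section, target

def correlate(report, min_sections=2):
    """Map each module name to the sorted sections it appears in (min_sections or more)."""
    seen = defaultdict(set)
    for section, target in parse_items(report):
        seen[PureWindowsPath(target).name.lower()].add(section)
    return {mod: sorted(secs) for mod, secs in seen.items() if len(secs) >= min_sections}
```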

haydee

Re: My Log from ComboFix continuation
« Reply #20 on: June 11, 2007, 01:04:39 AM »
Thank you  polonus
Thank you essexboy

I pasted the quote under "fix here" and ran fix button.
It informed me it was going to reboot in order to continue the fix.
It did so, but it didn't give me a note pad with the fixes done.
I will run the WinPFind now and send you the report.

haydee

Re: My Log from ComboFix continuation
« Reply #21 on: June 11, 2007, 01:19:12 AM »
I erased the report from here because it is too long; I downloaded it following raman's instructions.  ;)
« Last Edit: June 11, 2007, 07:14:54 PM by haydee »

haydee

Re: My Log from ComboFix continuation
« Reply #22 on: June 11, 2007, 01:20:06 AM »
Report downloaded at last reply.
« Last Edit: June 11, 2007, 07:23:42 PM by haydee »

haydee

Re: My Log from ComboFix continuation
« Reply #23 on: June 11, 2007, 01:22:06 AM »
The same...  ;)
« Last Edit: June 11, 2007, 07:16:21 PM by haydee »

haydee

Re: My Log from ComboFix continuation
« Reply #24 on: June 11, 2007, 01:23:06 AM »
 ;)
« Last Edit: June 11, 2007, 07:16:40 PM by haydee »

haydee

Re: My Log from ComboFix continuation
« Reply #25 on: June 11, 2007, 01:24:53 AM »
 Just check the last reply.
That's where the report is.
Just a little hide and seek to
have a little fun in the middle of so much work. :)
It bothered me to see so many pages filled up
from top to bottom.
« Last Edit: June 11, 2007, 07:20:12 PM by haydee »

haydee

Re: My Log from ComboFix continuation
« Reply #26 on: June 11, 2007, 01:25:33 AM »
This reply was modified (erased)
« Last Edit: June 11, 2007, 07:24:44 PM by haydee »

haydee

Re: My Log from ComboFix continuation
« Reply #27 on: June 11, 2007, 01:28:50 AM »
WOW! I wish I knew how to shrink the reports.

Offline raman

Re: My Log from ComboFix continuation
« Reply #28 on: June 11, 2007, 02:49:49 PM »
Just press reply and open "+ Additional Options...", you can attach the whole log there. Maybe it is useful to pack it using Zip or WinRAR.
MfG Ralf

haydee

Re: My Log from ComboFix continuation
« Reply #29 on: June 11, 2007, 07:08:11 PM »
Here I'm sending the report again practicing what you taught me. Thanks a lot. ;)