Author Topic: My Log from ComboFix continuation  (Read 117667 times)


haydee

  • Guest
Re: My Log from ComboFix continuation
« Reply #30 on: June 11, 2007, 07:59:01 PM »
essexboy
I'm using Sygate Personal Firewall.

Quote
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.
I did this again and it is still asking to reboot to complete the fix, and it never gives me a
Notepad window telling me the details of the actions taken.

The computer is working better now, except when I let a process enter (I think it is Windows Explorer or Generic Host Process for Win32 Services, I'm not sure which
one it is); right away Avast gives me the warning of a Trojan.

Hi essexboy
You know, I have this firewall and now and then I see these pop-ups asking me to allow or deny access to some processes. I want to know if I can allow access to the following.

Generic Host Process for Win32 Services (svchost.exe) is trying to connect to
stats.update.microsoft.com [207.46.20.252] using remote port 80 [HTTP-World Wide Web]

Windows Explorer [explorer.exe] is asking access to [65.243.103.80] using remote port 80 [HTTP-World Wide Web]

I'm using AOL Explorer Browser

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33986
  • malware fighter
Re: My Log from ComboFix continuation
« Reply #31 on: June 11, 2007, 08:00:37 PM »
Hi Haydee,

You still have the Zango infection as according to the results of your recent HJT log, see evaluation here: http://hijackthis.de/logfiles/9040b214d04b28d634928a6abd754913.html
Maybe essexboy's going to kill it in a next run. Maybe he has to run a BFU on it.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: My Log from ComboFix continuation
« Reply #32 on: June 11, 2007, 08:07:11 PM »
Maybe it is useful to pack it using Zip or WinRAR.
I think we can't post packed archives here... am I wrong?
The best things in life are free.

haydee

  • Guest
Re: My Log from ComboFix continuation
« Reply #33 on: June 11, 2007, 08:32:30 PM »
Oh Oh  ???
I just followed raman's instructions. I don't know much
about anything here. If there is any way to send large
Notepad files, let me know please. I need essexboy to see
the report.


haydee

  • Guest
Re: My Log from ComboFix continuation
« Reply #34 on: June 11, 2007, 08:35:34 PM »
Hi polonus, thanks.
Check the instructions you gave me.

Quote
1. Close all open Internet Explorer windows.
2. Open a DOS command prompt window (Start > Run, type 'cmd' (on Windows NT/2000/XP) or 'command' (on Windows 95/98/Me)) and enter the following commands,

   cd %ProgramFiles%\ZangoClient\
   regsvr32 /u zangohook.dll
3. Click Start > Run, type 'regedit' and click Ok to open Registry Editor.
4. Navigate to the following key:
I don't know how to enter the commands.


haydee

  • Guest
Re: My Log from ComboFix continuation
« Reply #35 on: June 11, 2007, 08:38:57 PM »
Hi tech, thanks.

Quote
I think we can't post packed archives here... am I wrong?

How do I zip it?
Sorry, I'm kind of dumb in these things. I'm learning.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: My Log from ComboFix continuation
« Reply #36 on: June 11, 2007, 08:47:56 PM »
Quote
If there is any way to send large Notepad files, let me know please. I need essexboy to see
the report.
I suggest you choose the free service of www.4shared.com and upload the file. Then inform the link here or directly to essexboy if you can contact him.
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: My Log from ComboFix continuation
« Reply #37 on: June 11, 2007, 08:50:13 PM »
Quote
How do I zip it?
It won't help this time... you can't post (upload) a zipped file here in forums.
But if you want a free zip (archive) tool, try IZArc (http://www.izarc.org/)
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33986
  • malware fighter
Re: My Log from ComboFix continuation
« Reply #38 on: June 11, 2007, 09:22:41 PM »
Hi Haydee,

If you fire up your HijackThis program, you can tick the following entries, only those, and be very careful, because this is an awfully powerful program and you can ruin your OS if you do it wrong:
These should be removed anyway:
[?] R3 - URLSearchHook: (no name) - - (no file) - Should be fixed if you do not know this application. Should be fixed if you do not know the application or if no application is mentioned.
[X] O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll - Must be fixed! oberontb.dll - Oberon_Media, http://www.madeunclcickable.com/privacy.htm?R efId=&Session=&origin=pmenu_privacy gamesbar, a Zango/Hotbar, http://en.wikipedia.org/wiki/Hotbar adware variant
[X] O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll - This entry should be fixed by HijackThis!
[X] O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll - This entry should be fixed by HijackThis!
After ticking the boxes, press Enter.

polonus
« Last Edit: June 11, 2007, 09:24:44 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: My Log from ComboFix continuation
« Reply #39 on: June 11, 2007, 09:55:11 PM »
Hi, I'm back, been working all day. I appear to be having some problems with WinPFind lately; I will check with the author on this.

Fix the HJT entries as stated by polonus. Then we need to remove traces of Vundo, which is trying to contact 65.243.103.80.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If we are still getting the Zango elements on your next log I will use either Avenger or make a BFU, not sure which yet.
« Last Edit: June 11, 2007, 10:31:31 PM by essexboy »

haydee

  • Guest
Re: My Log from ComboFix continuation
« Reply #40 on: June 11, 2007, 10:29:29 PM »
Glad you are back  ;) Thanks a lot. Before proceeding with your instructions here I'm sending the last
HJT report.

http://www.4shared.com/file/17699534/d43d27b2/HIJACKTHIS_2_A_LOG.html

haydee

  • Guest
Re: My Log from ComboFix continuation
« Reply #41 on: June 11, 2007, 10:30:37 PM »
Thank you Tech I got it.  ;)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: My Log from ComboFix continuation
« Reply #42 on: June 11, 2007, 10:35:05 PM »
Cheers Haydee, got it, working on a BFU fix in case it is still hanging around.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33986
  • malware fighter
Re: My Log from ComboFix continuation
« Reply #43 on: June 11, 2007, 10:50:54 PM »
Hi essexboy, looking for this?

Code:
# For use with Merijn's Brute Force Uninstaller
# available from http://www.merijn.org/
#
# Script Name: MediaGateway.BFU
# Author: Pieter Arntz

OptionSetStatus Stopping processes
ProcessKill \zango.exe|1
ProcessKill \MediaGateway.exe|1
ProcessKill \MediaAccess.exe|1
ProcessKill \MediaAccK.exe|1
ProcessKill \MediaPass.exe|1
ProcessKill \MediaPassK.exe|1
ProcessKillIfContainsText %WINDIR%\*.exe|bis.180solutions.com
DllUnregister %PROGRAMFILES%\zango\zangohook.dll|1
DllUnregister %PROGRAMFILES%\Zango Programs\Zango Toolbar\ZangoTB.dll|1
DllUnregister \MedAccX.dll|1
DllUnregister \ZbHostIE.dll|1

OptionSetStatus Cleaning registry
RegDeleteKey HKCR\ClientAX.ClientInstaller
RegDeleteKey HKCR\ClientAX.ClientInstaller.1
RegDeleteKey HKCR\ClientAX.RequiredComponent
RegDeleteKey HKCR\ClientAX.RequiredComponent.1
RegDeleteKey HKCR\ClientAX.ZangoClientAX
RegDeleteKey HKCR\ClientAX.ZangoClientAX.1
RegDeleteKey HKCR\Clientax.seekmoclientax
RegDeleteKey HKCR\Clientax.seekmoclientax.1
RegDeleteKey HKCR\LMgr180.WMDRMAx
RegDeleteKey HKCR\LMgr180.WMDRMAx.1
RegDeleteKey HKCR\MediaGateway.Installer
RegDeleteKey HKCR\MediaGateway.Installer.1
RegDeleteKey HKCR\MediaGatewayX.Installer
RegDeleteKey HKCR\MediaGatewayX.Installer.1
RegDeleteKey HKCR\MediaGateway.LicenseInstaller
RegDeleteKey HKCR\MediaGateway.LicenseInstaller.1
RegDeleteKey HKLM\SOFTWARE\Classes\ncmyb.SABHO
RegDeleteKey HKLM\SOFTWARE\Classes\ncmyb.SABHO.1
RegDeleteKey HKCR\zangohook.SABHO
RegDeleteKey HKCR\zangohook.SABHO.1
RegDeleteKey HKCR\ZangoToolbar.ZCToolBand
RegDeleteKey HKCR\ZangoToolbar.ZCToolBand.1
RegDeleteKey HKCR\MediaAccX.Installer
RegDeleteKey HKCR\MediaAccess.Installer
RegDeleteKey HKCR\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}
RegDeleteKey HKCR\AppID\{F1F040D5-E8F8-4680-B101-9334E9773841}
RegDeleteKey HKCR\AppID\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}
RegDeleteKey HKCR\appid\mediagateway.exe
RegDeleteKey HKCR\AppID\LoaderX.EXE
RegDeleteKey HKCR\AppID\ZangoToolbar.DLL
RegDeleteKey HKCR\CLSID\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}
RegDeleteKey HKCR\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}
RegDeleteKey HKCR\CLSID\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}
RegDeleteKey HKCR\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}
RegDeleteKey HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}
RegDeleteKey HKCR\CLSID\{211C4D10-4564-87A0-08B3-B758D5C1FD48}
RegDeleteKey HKCR\CLSID\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}
RegDeleteKey HKCR\clsid\{391b0aa4-1e17-485f-b635-0fe26219e87e}
RegDeleteKey HKCR\CLSID\{51CF80DC-A309-4735-BB11-EF18BF4E3AD9}
RegDeleteKey HKCR\CLSID\{56F1D444-11BF-4879-A12B-79CF0177F038}
RegDeleteKey HKCR\CLSID\{5CBE2611-C31B-401F-89BC-4CBB25E853D7}
RegDeleteKey HKCR\clsid\{690b8ed9-7b35-4fbe-b69c-58d58f3e6b07}
RegDeleteKey HKCR\clsid\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
RegDeleteKey HKCR\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287}
RegDeleteKey HKCR\CLSID\{D676F999-4608-4dc5-A135-4F51F4212739}
RegDeleteKey HKCR\CLSID\{EA0D26BD-9029-431A-86E0-83152D67828A}
RegDeleteKey HKCR\CLSID\{F31A5D11-BF0B-4A4E-90AF-274F2090AAA6}
RegDeleteKey HKCR\Interface\{00ada225-ea6c-4fb3-82e8-68189201ccb9}
RegDeleteKey HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
RegDeleteKey HKCR\interface\{6c092742-10fe-4db2-988d-fc71948de70c}
RegDeleteKey HKCR\interface\{7fa8976f-d00c-4e98-8729-a66569233fb5}
RegDeleteKey HKCR\interface\{d5175f49-39e5-4af1-ba98-e2234869276d}
RegDeleteKey HKCR\interface\{dd469a88-316c-441d-b712-783d9b9a6707}
RegDeleteKey HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
RegDeleteKey HKCR\Interface\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}
RegDeleteKey HKCR\Interface\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}
RegDeleteKey HKCR\Interface\{6C092742-10FE-4DB2-988D-FC71948DE70C}
RegDeleteKey HKCR\Interface\{7B178417-3CDA-444F-94FF-312C0A3A78A8}
RegDeleteKey HKCR\Interface\{7FA8976F-D00C-4E98-8729-A66569233FB5}
RegDeleteKey HKCR\Interface\{A16650A9-B065-40EC-BBD1-F8D370D17FB1}
RegDeleteKey HKCR\Interface\{BDDDF1A5-51A9-4F51-B38D-4CD0AD831B31}
RegDeleteKey HKCR\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}
RegDeleteKey HKCR\Interface\{E43DFAA6-8C16-4519-B022-8792408505A4}
RegDeleteKey HKCR\Interface\{E775C662-85D0-438E-82F0-6BCE20A8E154}
RegDeleteKey HKCR\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}
RegDeleteKey HKCR\TypeLib\{01BF19C2-59D3-43E9-A2CC-C2D62D8878D3}
RegDeleteKey HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}
RegDeleteKey HKCR\typelib\{15ea8944-438e-471e-860d-6743d4383a37}
RegDeleteKey HKCR\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA}
RegDeleteKey HKCR\typelib\{68BF4626-D66B-4383-A6AF-62E57E9B6CD4}
RegDeleteKey HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}
RegDeleteKey HKCR\TypeLib\{91E523DB-2A1C-4231-BB06-9BE27C28739A}
RegDeleteKey HKCR\typelib\{981BDA1D-C8AD-46FF-BE2C-FDDD859AC6F5}
RegDeleteKey HKCR\TypeLib\{E5B57AB3-15F8-43A2-ABAC-3E58A9C25818}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56F1D444-11BF-4879-A12B-79CF0177F038}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CBE2611-C31B-401F-89BC-4CBB25E853D7}
RegDeleteKey HKLM\SOFTWARE\MediaGateway
RegDeleteKey HKLM\SOFTWARE\zango
RegDeleteKey HKCU\Software\zango
RegDeleteKey HKLM\software\zanu
RegDeleteKey HKCU\Software\zanu
RegDeleteKey HKLM\software\media gateway lastupdate
RegDeleteKey HKLM\software\media gateway param
RegDeleteKey HKLM\software\media gateway softwaretable
RegDeleteKey HKLM\SOFTWARE\Media Access
RegDeleteKey HKLM\software\Zango Programs
RegDeleteKey HKLM\software\microsoft\windows\currentversion\uninstall\media gateway
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Media Access
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jade Shadow
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaGateway
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zango
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zango Toolbar
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zango TV Times
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zanu
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}|Compatibility Flags|1024
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}|Compatibility Flags|1024
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{5CBE2611-C31B-401F-89BC-4CBB25E853D7}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{EA0D26BD-9029-431A-86E0-83152D67828A}
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MediaGateway
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zango
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zanu
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Zango TvTimes
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Media Access

RegDeleteKey HKUS\.DEFAULT\Software\Zango

OptionSetStatus Deleting files
FileDelete %WINDIR%\Downloaded Program Files\ClientAX.dll
FileDelete %WINDIR%\Downloaded Program Files\ClientAX.inf
FileDelete %WINDIR%\salmhook.dll
FileDelete %WINDIR%\bmrg.exe
FileDelete %SYSDIR%\ide21201.vxd

OptionSetStatus Deleting folders
FolderDelete %PROGRAMS%\Zango
FolderDelete %PROGRAMS%\Zango Games
FolderDelete %PROGRAMFILES%\MediaGateway
FolderDelete %PROGRAMFILES%\Zango Programs
FolderDelete %PROGRAMFILES%\Zango
FolderDelete %PROGRAMFILES%\ZangoClient
FolderDelete %PROGRAMFILES%\Zango Applications
FolderDelete %PROGRAMFILES%\Zango Games
FolderDelete %PROGRAMFILES%\ZangoToolbar
FolderDelete %PROGRAMFILES%\180SearchAssistant
FolderDelete %PROGRAMFILES%\Media Access
FolderDelete %PROGRAMFILES%\Media Pass

FolderDelete %UserProfile%\Application Data\ZangoToolbar

OptionUseRecycleBin
FileDeleteIfContainsText %WINDIR%\*.exe|180solutions

OptionSetStatus Cleaning Temp folders and IE cache
SystemEmptyInternetCache
SystemEmptyTempFolder

Enjoy, fire up in BFU and run...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
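A small checker for the BFU script format polonus posted above, added here as an example; it is not part of the post and not BFU's own code. It parses each command line, checks the field count against the commands the script uses (the arity table is an assumption covering only those commands), rejects non-numeric DWORD data, and flags registry keys listed more than once, as two of the Interface entries in the script above are; the sample script is a constructed excerpt.

```python
"""Checker for a BFU (Brute Force Uninstaller) script; added example, not BFU's code."""
from collections import Counter

# '|'-separated fields per command. Assumption: only commands used in the script above.
COMMAND_ARITY = {
    "OptionSetStatus": 1, "OptionUseRecycleBin": 0, "ProcessKill": 2,
    "ProcessKillIfContainsText": 2, "DllUnregister": 2, "RegDeleteKey": 1,
    "RegDelValue": 2, "RegSetDwordValue": 3, "FileDelete": 1,
    "FileDeleteIfContainsText": 2, "FolderDelete": 1,
    "SystemEmptyInternetCache": 0, "SystemEmptyTempFolder": 0,
}

SAMPLE = r"""# Script Name: MediaGateway.BFU (constructed excerpt, one bogus line added)
OptionSetStatus Stopping processes
ProcessKill \zango.exe|1
OptionSetStatus Cleaning registry
RegDeleteKey HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
RegDeleteKey HKCR\interface\{6c092742-10fe-4db2-988d-fc71948de70c}
RegDeleteKey HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
RegDeleteKey HKCR\Interface\{6C092742-10FE-4DB2-988D-FC71948DE70C}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}|Compatibility Flags|1024
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zango
FooBar something
OptionUseRecycleBin
"""


def parse_bfu(text):
    """Return (line number, command, fields) for each non-comment, non-blank line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        command, _, rest = line.partition(" ")
        entries.append((lineno, command, rest.split("|") if rest else []))
    return entries


def lint_bfu(text):
    """List unknown commands, bad field counts, bad DWORD data and duplicated keys."""
    issues, reg_keys = [], Counter()
    for lineno, command, args in parse_bfu(text):
        arity = COMMAND_ARITY.get(command)
        if arity is None:
            issues.append(f"line {lineno}: unknown command {command!r}")
        elif len(args) != arity:
            issues.append(f"line {lineno}: {command} expects {arity} field(s), got {len(args)}")
        elif command == "RegSetDwordValue" and not args[2].isdigit():
            issues.append(f"line {lineno}: DWORD data {args[2]!r} is not numeric")
        elif command == "RegDeleteKey":
            reg_keys[args[0].lower()] += 1  # registry paths are case-insensitive
    for key, n in sorted(reg_keys.items()):
        if n > 1:
            issues.append(f"RegDeleteKey {key} listed {n} times")
    return issues
```

Run `lint_bfu(SAMPLE)` to see the bogus command and the two keys the constructed excerpt lists twice; run it over the full script above to see the same two duplicates.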

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: My Log from ComboFix continuation
« Reply #44 on: June 11, 2007, 10:53:19 PM »
Oops, forgot: continue with VundoFix, BFU nearly done. Hi Polonus, the variant he has is Oberon, which is slightly different. I had looked at Pieter's fix already, but ta anyway 8)