Author Topic: My Log from ComboFix continuation (Read 115659 times)

haydee · « **Reply #30 on:** June 11, 2007, 07:59:01 PM »

essexboy
I'm using Sygate Personal Firewall.

Quote

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

I did this again and it still asking to reboot to complete fix and it never gives me a
note pad telling me a detail of the action taken.

The computer is working better now. Except when I let a process enter ( I think is Windows Explorer or Generic Host Process for Win32 Services. I'm not sure which
one is, right away Avast gives me the warning of a Trojan.

Hi essexboy
You know, I have this Firewall and now and then I see this pop-ups asking me to let or denie access to some processes. I want to know if I can allow access to the following.

Generic Host Process for Win32 Services (svchost.exe) is trying to connect to
stats.update.microsoft.com [207.46.20.252] using remote port 80 [HTTP-World Wide Web]

Windows explorer [explorer.exe] is asking access to [65.243.103.80] using remote port 80[HTTP-World Wide web]

I'm using AOL Explorer Browser

polonus · « **Reply #31 on:** June 11, 2007, 08:00:37 PM »

Hi Haydee,

You still have the Zango infection as according to the results of your recent HJT log, see evaluation here: http://hijackthis.de/logfiles/9040b214d04b28d634928a6abd754913.html
Maybe essexboy's going to kill it in a next run. Maybe he has to run a BFU on it.

polonus

Lisandro · « **Reply #32 on:** June 11, 2007, 08:07:11 PM »

Quote from: raman on June 11, 2007, 02:49:49 PM

Maybe it is usefull to pack it using Zip or winrar.

I think we can't post packed archives here... am I wrong?

haydee · « **Reply #33 on:** June 11, 2007, 08:32:30 PM »

Oh Oh

I just followed raman instructions. I don't know much
about anything here. If there is anyway to send large
notepads information let me know please. I need essexboy see
the report.

haydee · « **Reply #34 on:** June 11, 2007, 08:35:34 PM »

Hi polonus, thanks.
Check the instructions you gave me.

Quote

1. Close all open Internet Explorer windows.
2. Open a DOS command prompt window ( Start > Run , type 'cmd' (on Windows NT/2000/XP ) or 'command' (on Windows 95/98/Me)) and enter the following commands,

cd %ProgramFiles%\ZangoClient\
regsvr32 /u zangohook.dll
3. Click Start > Run, type 'regedit' and click Ok to open Registry Editor.
4. Navigate to the following key:

I don't know how to enter the commands.

haydee · « **Reply #35 on:** June 11, 2007, 08:38:57 PM »

Hi tech, thanks.

Quote

I think we can't post packed archives here... am I wrong?

How do I zip it?
sorry I'm kind of dumb in these things. I'm learning.

Lisandro · « **Reply #36 on:** June 11, 2007, 08:47:56 PM »

Quote from: haydee on June 11, 2007, 08:32:30 PM

If there is anyway to send large notepads information let me know please. I need essexboy see
the report.

I suggest you choose the free service of www.4shared.com and upload the file. Then inform the link here or directly to essexboy if you can contact him.

Lisandro · « **Reply #37 on:** June 11, 2007, 08:50:13 PM »

Quote from: haydee on June 11, 2007, 08:38:57 PM

How do I zip it?

It won't help this time... you can't post (upload) a zipped file here in forums.
But if you want a free zip (archive) tool, try IZArc (http://www.izarc.org/)

polonus · « **Reply #38 on:** June 11, 2007, 09:22:41 PM »

Hi Haydee,

If you fire up your hijackthis program, you can tick the following entries, only those and be very careful, because this is an awful powerful program, and you can ruin your OS if you do it wrong:
These should be removed anyways:
[?] R3 - URLSearchHook: (no name) - - (no file) - Should be fixed if you do not know this application. Should be fixed if you do not know the application or if no application is mentioned.
[X] O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll - Must be fixed! oberontb.dll - Oberon_Media, http://www.madeunclcickable.com/privacy.htm?R efId=&Session=&origin=pmenu_privacy gamesbar, a Zango/Hotbar, http://en.wikipedia.org/wiki/Hotbar adware variant
[X] O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll - This entry should be fixed by HijackThis!
[X] O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll - This entry should be fixed by HijackThis!
After giving the tick in the box, give an enter.

polonus

essexboy · « **Reply #39 on:** June 11, 2007, 09:55:11 PM »

Hi I'm back been working all day. I appear to be having some problems with winpfind lately I will check with the Author on this.

Fix the HJT entries as stated by polonus Then we need to remove traces of Vundo which is trying to contact 65.243.103.80

Please download VundoFix.exe to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If we are still getting the Zango elements on your next log I will use either Avenger or make a BFU not sure which yet

haydee · « **Reply #40 on:** June 11, 2007, 10:29:29 PM »

Glad you are back

Thanks a lot. Before proceding with your instructions here I'm sending the last
HJT report.

http://www.4shared.com/file/17699534/d43d27b2/HIJACKTHIS_2_A_LOG.html

haydee · « **Reply #41 on:** June 11, 2007, 10:30:37 PM »

Thank you Tech I got it.

essexboy · « **Reply #42 on:** June 11, 2007, 10:35:05 PM »

Cheers Haydee got it, working on a BFU fix incase it is still hanging around

polonus · « **Reply #43 on:** June 11, 2007, 10:50:54 PM »

Hi essexboy, looking for this?

Code: [Select]

# For use with Merijn's Brute Force Uninstaller
# available from http://www.merijn.org/
#
# Script Name: MediaGateway.BFU
# Author: Pieter Arntz

OptionSetStatus Stopping processes
ProcessKill \zango.exe|1
ProcessKill \MediaGateway.exe|1
ProcessKill \MediaAccess.exe|1 
ProcessKill \MediaAccK.exe|1 
ProcessKill \MediaPass.exe|1 
ProcessKill \MediaPassK.exe|1
ProcessKillIfContainsText %WINDIR%\*.exe|bis.180solutions.com
DllUnregister %PROGRAMFILES%\zango\zangohook.dll|1
DllUnregister %PROGRAMFILES%\Zango Programs\Zango Toolbar\ZangoTB.dll|1
DllUnregister \MedAccX.dll|1
DllUnregister \ZbHostIE.dll|1

OptionSetStatus Cleaning registry
RegDeleteKey HKCR\ClientAX.ClientInstaller
RegDeleteKey HKCR\ClientAX.ClientInstaller.1
RegDeleteKey HKCR\ClientAX.RequiredComponent
RegDeleteKey HKCR\ClientAX.RequiredComponent.1
RegDeleteKey HKCR\ClientAX.ZangoClientAX
RegDeleteKey HKCR\ClientAX.ZangoClientAX.1
RegDeleteKey HKCR\Clientax.seekmoclientax 
RegDeleteKey HKCR\Clientax.seekmoclientax.1 
RegDeleteKey HKCR\LMgr180.WMDRMAx
RegDeleteKey HKCR\LMgr180.WMDRMAx.1
RegDeleteKey HKCR\MediaGateway.Installer
RegDeleteKey HKCR\MediaGateway.Installer.1
RegDeleteKey HKCR\MediaGatewayX.Installer
RegDeleteKey HKCR\MediaGatewayX.Installer.1
RegDeleteKey HKCR\MediaGateway.LicenseInstaller
RegDeleteKey HKCR\MediaGateway.LicenseInstaller.1
RegDeleteKey HKLM\SOFTWARE\Classes\ncmyb.SABHO
RegDeleteKey HKLM\SOFTWARE\Classes\ncmyb.SABHO.1
RegDeleteKey HKCR\zangohook.SABHO
RegDeleteKey HKCR\zangohook.SABHO.1
RegDeleteKey HKCR\ZangoToolbar.ZCToolBand
RegDeleteKey HKCR\ZangoToolbar.ZCToolBand.1
RegDeleteKey HKCR\MediaAccX.Installer
RegDeleteKey HKCR\MediaAccess.Installer
RegDeleteKey HKCR\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}
RegDeleteKey HKCR\AppID\{F1F040D5-E8F8-4680-B101-9334E9773841}
RegDeleteKey HKCR\AppID\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}
RegDeleteKey HKCR\appid\mediagateway.exe
RegDeleteKey HKCR\AppID\LoaderX.EXE
RegDeleteKey HKCR\AppID\ZangoToolbar.DLL
RegDeleteKey HKCR\CLSID\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}
RegDeleteKey HKCR\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}
RegDeleteKey HKCR\CLSID\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}
RegDeleteKey HKCR\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}
RegDeleteKey HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}
RegDeleteKey HKCR\CLSID\{211C4D10-4564-87A0-08B3-B758D5C1FD48}
RegDeleteKey HKCR\CLSID\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}
RegDeleteKey HKCR\clsid\{391b0aa4-1e17-485f-b635-0fe26219e87e} 
RegDeleteKey HKCR\CLSID\{51CF80DC-A309-4735-BB11-EF18BF4E3AD9}
RegDeleteKey HKCR\CLSID\{56F1D444-11BF-4879-A12B-79CF0177F038}
RegDeleteKey HKCR\CLSID\{5CBE2611-C31B-401F-89BC-4CBB25E853D7}
RegDeleteKey HKCR\clsid\{690b8ed9-7b35-4fbe-b69c-58d58f3e6b07} 
RegDeleteKey HKCR\clsid\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} 
RegDeleteKey HKCR\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287}
RegDeleteKey HKCR\CLSID\{D676F999-4608-4dc5-A135-4F51F4212739}
RegDeleteKey HKCR\CLSID\{EA0D26BD-9029-431A-86E0-83152D67828A}
RegDeleteKey HKCR\CLSID\{F31A5D11-BF0B-4A4E-90AF-274F2090AAA6}
RegDeleteKey HKCR\Interface\{00ada225-ea6c-4fb3-82e8-68189201ccb9}
RegDeleteKey HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
RegDeleteKey HKCR\interface\{6c092742-10fe-4db2-988d-fc71948de70c} 
RegDeleteKey HKCR\interface\{7fa8976f-d00c-4e98-8729-a66569233fb5} 
RegDeleteKey HKCR\interface\{d5175f49-39e5-4af1-ba98-e2234869276d} 
RegDeleteKey HKCR\interface\{dd469a88-316c-441d-b712-783d9b9a6707} 
RegDeleteKey HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
RegDeleteKey HKCR\Interface\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}
RegDeleteKey HKCR\Interface\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}
RegDeleteKey HKCR\Interface\{6C092742-10FE-4DB2-988D-FC71948DE70C}
RegDeleteKey HKCR\Interface\{7B178417-3CDA-444F-94FF-312C0A3A78A8}
RegDeleteKey HKCR\Interface\{7FA8976F-D00C-4E98-8729-A66569233FB5}
RegDeleteKey HKCR\Interface\{A16650A9-B065-40EC-BBD1-F8D370D17FB1}
RegDeleteKey HKCR\Interface\{BDDDF1A5-51A9-4F51-B38D-4CD0AD831B31}
RegDeleteKey HKCR\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}
RegDeleteKey HKCR\Interface\{E43DFAA6-8C16-4519-B022-8792408505A4}
RegDeleteKey HKCR\Interface\{E775C662-85D0-438E-82F0-6BCE20A8E154}
RegDeleteKey HKCR\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}
RegDeleteKey HKCR\TypeLib\{01BF19C2-59D3-43E9-A2CC-C2D62D8878D3}
RegDeleteKey HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}
RegDeleteKey HKCR\typelib\{15ea8944-438e-471e-860d-6743d4383a37}
RegDeleteKey HKCR\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA}
RegDeleteKey HKCR\typelib\{68BF4626-D66B-4383-A6AF-62E57E9B6CD4} 
RegDeleteKey HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}
RegDeleteKey HKCR\TypeLib\{91E523DB-2A1C-4231-BB06-9BE27C28739A}
RegDeleteKey HKCR\typelib\{981BDA1D-C8AD-46FF-BE2C-FDDD859AC6F5} 
RegDeleteKey HKCR\TypeLib\{E5B57AB3-15F8-43A2-ABAC-3E58A9C25818}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56F1D444-11BF-4879-A12B-79CF0177F038}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CBE2611-C31B-401F-89BC-4CBB25E853D7}
RegDeleteKey HKLM\SOFTWARE\MediaGateway
RegDeleteKey HKLM\SOFTWARE\zango
RegDeleteKey HKCU\Software\zango
RegDeleteKey HKLM\software\zanu
RegDeleteKey HKCU\Software\zanu
RegDeleteKey HKLM\software\media gateway lastupdate
RegDeleteKey HKLM\software\media gateway param
RegDeleteKey HKLM\software\media gateway softwaretable
RegDeleteKey HKLM\SOFTWARE\Media Access
RegDeleteKey HKLM\software\Zango Programs
RegDeleteKey HKLM\software\microsoft\windows\currentversion\uninstall\media gateway
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Media Access
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jade Shadow
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaGateway
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zango
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zango Toolbar
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zango TV Times
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zanu
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}|Compatibility Flags|1024
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}|Compatibility Flags|1024
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{5CBE2611-C31B-401F-89BC-4CBB25E853D7}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{EA0D26BD-9029-431A-86E0-83152D67828A}
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MediaGateway
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zango
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zanu
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Zango TvTimes
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Media Access

RegDeleteKey HKUS\.DEFAULT\Software\Zango 

OptionSetStatus Deleting files
FileDelete %WINDIR%\Downloaded Program Files\ClientAX.dll 
FileDelete %WINDIR%\Downloaded Program Files\ClientAX.inf 
FileDelete %WINDIR%\salmhook.dll
FileDelete %WINDIR%\bmrg.exe
FileDelete %SYSDIR%\ide21201.vxd

OptionSetStatus Deleting folders
FolderDelete %PROGRAMS%\Zango
FolderDelete %PROGRAMS%\Zango Games
FolderDelete %PROGRAMFILES%\MediaGateway
FolderDelete %PROGRAMFILES%\Zango Programs
FolderDelete %PROGRAMFILES%\Zango
FolderDelete %PROGRAMFILES%\ZangoClient
FolderDelete %PROGRAMFILES%\Zango Applications
FolderDelete %PROGRAMFILES%\Zango Games
FolderDelete %PROGRAMFILES%\ZangoToolbar
FolderDelete %PROGRAMFILES%\180SearchAssistant
FolderDelete %PROGRAMFILES%\Media Access
FolderDelete %PROGRAMFILES%\Media Pass

FolderDelete %UserProfile%\Application Data\ZangoToolbar

OptionUseRecycleBin
FileDeleteIfContainsText %WINDIR%\*.exe|180solutions

OptionSetStatus Cleaning Temp folders and IE cache
SystemEmptyInternetCache
SystemEmptyTempFolder

enjoy, fire up in BFU and run...

polonus

essexboy · « **Reply #44 on:** June 11, 2007, 10:53:19 PM »

Ooops forgot continue with vudo fix BFU nearly done. Hi Polonus the variant he has is oberon which is slightly different. I had looked at Pieters fix allready, but ta anyway

Author Topic: My Log from ComboFix continuation (Read 115659 times)

haydee

Re: My Log from ComboFix continuation

polonus

Re: My Log from ComboFix continuation

Lisandro

Re: My Log from ComboFix continuation

haydee

Re: My Log from ComboFix continuation

haydee

Re: My Log from ComboFix continuation

haydee

Re: My Log from ComboFix continuation

Lisandro

Re: My Log from ComboFix continuation

Lisandro

Re: My Log from ComboFix continuation

polonus

Re: My Log from ComboFix continuation

essexboy

Re: My Log from ComboFix continuation

haydee

Re: My Log from ComboFix continuation

haydee

Re: My Log from ComboFix continuation

essexboy

Re: My Log from ComboFix continuation

polonus

Re: My Log from ComboFix continuation

essexboy

Re: My Log from ComboFix continuation