Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:21 AM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ntvdm.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.uplogon.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;127.0.0.1:5401;*update.microsoft.com;windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;.phobos.apple.com;update.adobe.com;localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM..\Run: [VSOCheckTask] “C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe” /checktask
O4 - HKLM..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM..\Run: [pxikal] C:\WINDOWS\system32\sgjfxf.exe r
O4 - HKLM..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [MSN] wkssvr.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [ZangoSA] “C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [DeusExGotYSetup.exe] C:\DOCUME~1\ROSEMA~1\Desktop\DEUSEX~1.EXE /r
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124154680675
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/crusher-kiwen.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
End of file - 11685 bytes
Hi Deeth,
A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft’s windowsupdate site to download the newest version of the service pack.Furthermore we didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.
O4 - HKLM..\Run: [pxikal] C:\WINDOWS\system32\sgjfxf.exe r Unknown application.
Check sgifxf.exe at virustotal.com, but I think this one is legit…
O4 - HKLM..\Run: [MSN] wkssvr.exe WORM_RBOT.R. Nasty fix this entry using HJT
O4 - HKLM..\Run: [ZangoSA] “C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe” Neutral (3.16 / 5.00) Fix using HJT undesirable program…
O4 - HKCU..\Run: [DeusExGotYSetup.exe] C:\DOCUME~1\ROSEMA~1\Desktop\DEUSEX~1.EXE /r Unknown application.
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/crusher-kiwen.cab Neutral
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
Your system seems not to be clean of harmful software.
Overview of running tasks: (Click on the task for more info)
smss.exe
System task
Session Manager Subsystem
winlogon.exe
System task
Microsoft Windows Logon Process
services.exe
System task
Windows Service Controller
lsass.exe
System task
Local Security Authority Service
svchost.exe
System task
Microsoft Service Host Process
svchost.exe
System task
Microsoft Service Host Process
aswUpdSv.exe
Virusscan
Avast Anti-Virus Component
spoolsv.exe
System task
Microsoft Printer Spooler Service
Explorer.EXE
System task
Microsoft Windows Explorer
cisvc.exe
System task
Microsoft Index Service Helper
GoogleUpdaterService.exe
Backgroundtask
Service Component
mcdetect.exe
Security software
McAfee Security Centre Module
mcshield.exe
Virusscan
McAfee VirusScan
mctskshd.exe
Security software
McAfee Task Scheduler
igfxtray.exe
Application
Intel Graphics configuration and diagnostic application
hkcmd.exe
Application
Intel multimedia devices
DirectCD.exe
Backgroundtask
DirectCD primarily allows you to drag and drop files onto a suitably formatted CD-RW disc.
Support.exe
Unknown task
hpztsb05.exe
Application
HPDJ Taskbar Utility
WkUFind.exe
Backgroundtask
Microsoft Picture-It
mcvsshld.exe
Virusscan
McAfee VirusScan
oasclnt.exe
Virusscan
McAfee VirusScan Module
ybrwicon.exe
Application
BT Yahoo Browser
MotiveSB.exe
Backgroundtask
System tray icon for the Virtual Assistant from AT&T Broadband, used to communicate internet problems via the network rather than telephone.
jusched.exe
Backgroundtask
Sun Java Update Scheduler
mcvsescn.exe
Virusscan
mcvsescn
realsched.exe
Application
RealNetworks Scheduler
slserv.exe
System task
modem software on CLEVO 2200C/27
ycommon.exe
Application
Yahoo Common EXE Module
ctfmon.exe
System task
Alternative User Input Services
GoogleDesktop.exe
Backgroundtask
Google Desktop Search
ntvdm.exe
System task
Windows 16-bit Virtual Machine
mcvsftsn.exe
Virusscan
McAfee Instant Messenger Scan Module
GoogleDesktop.exe
Backgroundtask
Google Desktop Search
msmsgs.exe
Application
MSN Messenger
taskmgr.exe
System task
The Windows Task Manager.
jucheck.exe
Backgroundtask
Sun Java UpdateChecker Module
cidaemon.exe
System task
Microsoft Indexing Service
cidaemon.exe
System task
Microsoft Indexing Service
wuauclt.exe
System task
AutoUpdate for WindowsME
ashSimpl.exe
Virusscan
Virus scanner
iexplore.exe
Application
Microsoft Internet Explorer
usnsvc.exe
Application
Messenger Sharing USN Journal Reader Service
HijackThis.exe
Application
Merijn Hijackthis
//////////////////////////// Removal instructions for WORM_RBOT found on your computer…
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
- Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run - In the right panel, locate and delete the entry:
Microsoft Updates =“WKSSVR.EXE” - In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run - In the right panel, locate and delete the entry:
Microsoft Updates =“WKSSVR.EXE” - In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft
Windows>CurrentVersion>RunServices - In the right panel, locate and delete the entry:
Microsoft Updates =“WKSSVR.EXE” - Close Registry Editor.
////////////////////////////////// Removal of Zango
-
COVERT ANALYSIS OF: ZANGOSA.EXE
- File Names Used: 2
- Paths Used: 8
- Common File Name: ZANGOSA.EXE
- Common Path: %programfiles%\zango\bin\10.0.253.0\
- Vendor Information: Zango, Inc.
- ZANGOSA.EXE may use 2 or more path and file names, these are the most common:
- File Name Structure: Normal
- File and Path Structure: Normal
-
RELATIONSHIP ANALYSIS OF: ZANGOSA.EXE
- Malicious Objects Created: None
- Malicious Creators: 1
- Malware Run Keys: None
- Self Persists:
- Antivirus Detection: No third party antivirus detection observed
- Anti-Spyware Detection: No third party anti-spyware detection observed
-
ACTIVITY ANALYSIS OF: ZANGOSA.EXE
- The following behaviors have been observed for this object:
- Invokes dll components.
- Runs other programs.
- Communicates with web sites using httpout protocols.
Step 1: Use Windows File Search Tool to Find ZangoSA.exe Path
- Go to Start > Search > All Files or Folders.
- In the “All or part of the the file name” section, type in “ZangoSA.exe” file name(s).
- To get better results, select “Look in: Local Hard Drives” or “Look in: My Computer” and then click “Search” button.
- When Windows finishes your search, hover over the “In Folder” of “ZangoSA.exe”, highlight the file and copy/paste the path into the address bar. Save the file’s path on your clipboard because you’ll need the file path to delete ZangoSA.exe in the following manual removal steps.
Step 2: Use Windows Task Manager to Remove ZangoSA.exe Processes
- To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
- Click on the “Image Name” button to search for “ZangoSA.exe” process by name.
- Select the “ZangoSA.exe” process and click on the “End Process” button to kill it.
Step 3: Detect and Delete Other ZangoSA.exe Files
- To open the Windows Command Prompt, go to Start > Run > cmd and then press the “OK” button.
- Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s content even the hidden files.
- To change directory, type in “cd name_of_the_folder”.
- Once you have the file you’re looking for type in del “name_of_the_file”.
- To delete a file in folder, type in “del name_of_the_file”.
- To delete the entire folder, type in “rmdir /S name_of_the_folder”.
- Select the “ZangoSA.exe” process and click on the “End Process” button to kill it.
//////////////////////////////////////////////
polonus
Hi :
Your Log indicates you are running 2 antiVIRUS programs, a security no-no .
IF you want to continue using Avast, you MUST uninstall McAfee, including
use of its “Removal Tool” at
http://service.mcafee.com/FAQDocument.aspx?id=107083&lc=1033 .
In addition, you have a very outdated version of Adobe Reader, a very serious security risk . Should uninstall it and get the safer “Foxit Reader” .
AND you have an outdated version of Sun’s Java, a serious security risk ;
should uninstall ALL Versions you have, then go to www.java.com for the
latest .
And concerning “Trojans” : Best to use antiSPYWARE/antiTROJAN programs;
the only program of this “type” currently on your computer is the no
longer top Spybot . Would be wiser to use the FREE Version of
“SUPERAntiSpyware” from www.superantispyware.com .
go back to tech’s list in the other thread and work down
your hjt while valuable is prematue
the programs mentioned by tech MBAM and SAS might keep you from having to go through the manual drill at the end of plolonus post above
post the logs
Hi wyrmrider,
I like it the way Deeth performed, because he did it right and as it should, - first post a hjt as the problems are raw and unpolished, then start a cleansing routine and then come up with a second, third etc. hjt logfile txt. The raw one is particularly useful because the malware fighter wants these entries before the system was tampered with to make a valuable and precise evaluation. By the way this is also what the general malware sites prescribe deliver a hjt file and do nothing until instructed to do so,
polonus
P.S. Thanks to Spiritsongs for the essential upgrade and av engine conflict information. Very attentive!
Damian
I like it the way Deeth performed, because he did it right and as it should, - first post a hjt as the problems are raw and unpolished, then start a cleansing routine and then come up with a second, third etc. hjt logfile txt. The raw one is particularly useful because the malware fighter wants these entries before the system was tampered with to make a valuable and precise evaluation. By the way this is also what the general malware sites prescribe deliver a hjt file and do nothing until instructed to do so,
Quiet correct Polonus. You have to know what you are up against before running tools. There really isn’t much point in using tools based on guess work. It just wastes time and may cause unnessecary delays in removing the malware. Identifing the problem will guide you to the correct removal method.
Hi oldman,
Thanks for also stressing this point. Yes, I read my manuals, my good friend, and I am glad I am amidst people that use similar routines like essexboy and you,
polonus
Polonus,
i followed Most of your instructions to the best of my abilities. and i would like to know if there is any change in this log file i’m about to give you here because i honestly wouldn’t know if there was.
i’m hoping that i fixed at least ONE of my numerous problems on this computer.
i think this computer could use a good defragment too.
eventually after i get allllll of this solved i think i will do that
alright i will post my most recent HJT log…
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:22 PM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.uplogon.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;127.0.0.1:5401;*update.microsoft.com;windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;.phobos.apple.com;update.adobe.com;localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM..\Run: [pxikal] C:\WINDOWS\system32\sgjfxf.exe r
O4 - HKLM..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124154680675
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/crusher-kiwen.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
–
End of file - 10382 bytes
As Pol is not here Deeth I hope I can offer a couple of pointers.
I would check this file out at Virus Total C:\WINDOWS\system32\sgjfxf.exe r Virus
Total
As Spiritsongs has pointed out an outdated version of Sun’s Java, is a serious security risk. Uninstall Java via Control Panel plus Download and run JavaRa 1.11 Direct Download JavaRa JavaRa Homepage JavaRa Home to clean up left over entries that are not removed via Ad/Remove Programs.
Install Sun Java Runtime Environment.
You should consider updating Windows XP to Service Pack 3 to further enhance your security.
Are you using a firewall?
It is often my first post to run HJT which I learned from you 3 guys … Essexboy, Oldman, & Polonus.
Occasionally, I can spot some things and post some information.
While I am not near an expert, I can help in a small way as well as save some time for everyone involved.
Hi Deeth,
Let us get over it step by step. newer version of service pack is available. Service packs increase the safety of your system.
1.
Visit Microsoft’s windowsupdate site to download the newest version of the service pack.
That is SP 3: http://www.microsoft.com/downloads/details.aspx?FamilyId=68C48DAD-BC34-40BE-8D85-6BB4F56F5110&displaylang=en
2.
We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. As Microsofts firewall is hard to implement for complete protection, then if you want to download a software firewall, there are a couple of free options.
A firewall that will do the job and is easy to handle is ZoneAlarm free for instance:
3
Upload C:\WINDOWS\system32\sgjfxf.exe to virustotal.com and post the scan results as an attached txtfile in your next reply. We want to see if that it is a legit file.
4
Also upload to virustotal.com to see if this is legit, and attach scan results your next posting
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - cp/install/crusher-kiwen.cabto
- After all these steps have been taken give us a fresh HijackThis logfile txt.
polonus
i’ve heard that lately ZA has had a few defects here and there though…
Hi Deeth,
You could also use PCTools firewall or Comodo’s, there is a variety to choose from, main thing you have outward protection. Look here: http://forum.avast.com/index.php?topic=30808.0
But by the way did you perform the other steps I proposed and where are the virustotal.com scan results for sgjfxf.exe? I am rather convinced that is a malicious executable or at least software of a questionable nature, and this can mean routes to get other malicious files onto your machine,
polonus
Hi Deeth :
Several PRECAUTIONS should be done PRIOR to upGRADING ( from SP2 to SP3, for
example ) an Operating System. which I feel should include the following :
- Get the latest RELIABLE Info on possible problems; I trust the FREE “Windows Secrets”
& “Don’t let XP3 hose your system” from http://WindowsSecrets.com/080911 is very good .
- Make reasonable sure the computer is Malware-free ; practically speaking, nowadays
that means running the “Full Scan” of the FREE Ver of “SUPERAntiSpyware” from
http://www.superantispyware.com/ AND the “Free” Version of "Malwarebytes’ Anti-Malware
from http://www.malwarebytes.org/mbam.php .
-
Get the latest PC Manufacturer “Driver” updates , IF there are any .
-
Make a “System Restore” Point, to go back to, IF the Installation is NOT successful .
Refer to the excellent Guide at http://www.bleepingcomputer.com/tutorials/tutorial56.html
Only a few :o
OK! thank you every one for your help. i was able to get everything figured out and up to par again which is a great relief! wouldn’t have been able to do it without everybody. thank you!