My Log from ComboFix continuation

Thank you polonus
Thank you essexboy

I pasted the quote under “fix here” and ran the fix button.
It informed me it was going to reboot in order to continue the fix.
It did so, but it didn’t give me a note pad with the fixes done.
I will run the WinPFind now and send you the report.

I erased the report from here because it is too long. I downloaded it following
raman’s instructions. :wink:

Report downloaded at last reply.

The same… :wink:

:wink:

Just check the last reply.
That’s where the report is.
Just a little hide and seek to
have a little fun in the middle of so much work. :slight_smile:
It bothered me to see so many pages filled up
from top to bottom.

This reply was modified (erased)

WOW! I wish I knew how to shrink the reports.

Just press reply and open “+ Additional Options…”; you can attach the whole log there. Maybe it is useful to pack it using Zip or WinRAR.

Here I’m sending the report again practicing what you taught me. Thanks a lot. :wink:

essexboy
I’m using Sygate Personal Firewall.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.
I did this again and it is still asking to reboot to complete the fix, and it never gives me a Notepad with the details of the actions taken.

The computer is working better now. Except when I let a process enter (I think it is Windows Explorer or Generic Host Process for Win32 Services; I’m not sure which
one it is), right away Avast gives me the warning of a Trojan.

Hi essexboy
You know, I have this Firewall and now and then I see these pop-ups asking me to allow or deny access to some processes. I want to know if I can allow access to the following.

Generic Host Process for Win32 Services (svchost.exe) is trying to connect to
stats.update.microsoft.com [207.46.20.252] using remote port 80 [HTTP-World Wide Web]

Windows explorer [explorer.exe] is asking access to [65.243.103.80] using remote port 80[HTTP-World Wide web]

I’m using AOL Explorer Browser
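The two prompts quoted above are the kind of decision a personal firewall pushes onto the user. The script below is an added example, not code from this thread or from Sygate: it parses prompt text shaped like the two quoted ones (the two strings in it are constructed samples, not captured output) and applies a small, assumed policy. svchost.exe talking to a *.update.microsoft.com name on port 80 or 443 is treated as the normal Windows Update pattern; explorer.exe is treated as a process that has no business opening outbound connections itself, which is exactly the case essexboy later ties to Vundo; and any destination that shows up as a bare IP with no resolvable name is denied. The suffix list, the "never outbound" set and the function names are all assumptions for the illustration.

```python
"""Triage of personal-firewall outbound prompts (added example; policy is illustrative)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample prompts modelled on the two quoted in the post above.
# They are example input for this script, not captured Sygate output.
SAMPLE_PROMPTS = [
    "Generic Host Process for Win32 Services (svchost.exe) is trying to connect to "
    "stats.update.microsoft.com [207.46.20.252] using remote port 80 [HTTP-World Wide Web]",
    "Windows explorer [explorer.exe] is asking access to [65.243.103.80] "
    "using remote port 80[HTTP-World Wide web]",
]

# Assumed allow policy: image name -> (domain suffixes, ports) it may legitimately reach.
ALLOWED = {
    "svchost.exe": {
        "suffixes": (".update.microsoft.com", ".windowsupdate.com",
                     ".windowsupdate.microsoft.com"),
        "ports": {80, 443},
    },
}

# Assumed: images that should never initiate outbound traffic on their own. They are
# common hosts for injected adware/trojan code, which is why the firewall names them.
NEVER_OUTBOUND = {"explorer.exe", "winlogon.exe"}

PROMPT_RE = re.compile(
    r"[\(\[](?P<exe>[\w.\-]+\.exe)[\)\]]"          # image name in () or []
    r".*?(?:connect to|access to)\s+"
    r"(?:(?P<host>[A-Za-z][\w.\-]*)\s+)?"           # optional reverse-resolved host name
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"          # remote IP in []
    r".*?remote port\s*(?P<port>\d+)",
    re.IGNORECASE,
)


@dataclass
class Prompt:
    exe: str
    host: Optional[str]
    ip: str
    port: int


@dataclass
class Verdict:
    action: str   # "allow" or "deny"
    reason: str


def parse_prompt(text: str) -> Prompt:
    """Extract image name, optional host, IP and port from a prompt string."""
    m = PROMPT_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised prompt format: {text!r}")
    ipaddress.ip_address(m["ip"])   # raises ValueError if the bracketed value is not an IP
    host = m["host"].lower() if m["host"] else None
    return Prompt(m["exe"].lower(), host, m["ip"], int(m["port"]))


def triage(p: Prompt) -> Verdict:
    """Apply the assumed policy; deny is the default when nothing matches."""
    if p.exe in NEVER_OUTBOUND:
        return Verdict("deny", f"{p.exe} should not open outbound connections itself; "
                               "suspect injected code and collect a HijackThis log")
    if p.host is None:
        return Verdict("deny", f"bare IP {p.ip}:{p.port} with no resolvable name")
    rule = ALLOWED.get(p.exe)
    if rule and p.port in rule["ports"] and p.host.endswith(rule["suffixes"]):
        return Verdict("allow", f"{p.exe} -> {p.host}:{p.port} matches the Windows Update pattern")
    return Verdict("deny", f"no rule for {p.exe} -> {p.host}:{p.port}")


def triage_all(prompts=SAMPLE_PROMPTS):
    """Return (Prompt, Verdict) pairs for every prompt string."""
    out = []
    for text in prompts:
        p = parse_prompt(text)
        out.append((p, triage(p)))
    return out


if __name__ == "__main__":
    for p, v in triage_all():
        print(f"{v.action.upper():5} {p.exe} -> {p.host or p.ip}:{p.port}  ({v.reason})")
```

Two caveats apply to any rule set like this. The host name in the prompt is whatever the firewall reverse-resolved for the IP, so it is a hint rather than proof of who owns the server, and the image name is the process the socket was opened from: adware and trojans routinely load into explorer.exe or svchost.exe, so an "allow" for svchost.exe only means the destination looks like Windows Update, not that the code inside that process is clean.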

Hi Haydee,

You still have the Zango infection as according to the results of your recent HJT log, see evaluation here: http://hijackthis.de/logfiles/9040b214d04b28d634928a6abd754913.html
Maybe essexboy’s going to kill it in a next run. Maybe he has to run a BFU on it.

polonus

I think we can’t post packed archives here… am I wrong?

Oh Oh ???
I just followed raman’s instructions. I don’t know much
about anything here. If there is any way to send large
Notepad information, let me know please. I need essexboy to see
the report.

Hi polonus, thanks.
Check the instructions you gave me.

1. Close all open Internet Explorer windows.
2. Open a DOS command prompt window (Start > Run, type 'cmd' (on Windows NT/2000/XP) or 'command' (on Windows 95/98/Me)) and enter the following commands:
  cd %ProgramFiles%\ZangoClient\
  regsvr32 /u zangohook.dll
3. Click Start > Run, type ‘regedit’ and click Ok to open Registry Editor.
4. Navigate to the following key:

I don’t know how to enter the commands.

Hi tech, thanks.

I think we can't post packed archives here... am I wrong?
How do I zip it? Sorry, I'm kind of dumb at these things. I'm learning.

I suggest you choose the free service of www.4shared.com and upload the file. Then inform the link here or directly to essexboy if you can contact him.

It won’t help this time… you can’t post (upload) a zipped file here in forums.
But if you want a free zip (archive) tool, try IZArc (http://www.izarc.org/)

Hi Haydee,

If you fire up your HijackThis program, you can tick the following entries, only those, and be very careful, because this is an awfully powerful program, and you can ruin your OS if you do it wrong:
These should be removed anyways:
[?] R3 - URLSearchHook: (no name) - - (no file) - Should be fixed if you do not know this application. Should be fixed if you do not know the application or if no application is mentioned.
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll - Must be fixed! oberontb.dll - Oberon_Media, http://www.madeunclcickable.com/privacy.htm?RefId=&Session=&origin=pmenu_privacy gamesbar, a Zango/Hotbar, http://en.wikipedia.org/wiki/Hotbar adware variant
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll - This entry should be fixed by HijackThis!
O9 - Extra ‘Tools’ menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll - This entry should be fixed by HijackThis!
After giving the tick in the box, give an enter.

polonus

Hi, I’m back; I’ve been working all day. I appear to be having some problems with WinPFind lately; I will check with the author on this.

Fix the HJT entries as stated by polonus. Then we need to remove traces of Vundo, which is trying to contact 65.243.103.80.

Please download VundoFix.exe to your desktop

1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it’s done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files; click YES.
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from “Click the Scan for Vundo button” when VundoFix appears upon rebooting.

If we are still getting the Zango elements on your next log, I will use either Avenger or make a BFU; not sure which yet.