Glad you are back :wink: Thanks a lot. Before proceeding with your instructions here I’m sending the last HJT report.

http://www.4shared.com/file/17699534/d43d27b2/HIJACKTHIS_2_A_LOG.html

Thank you Tech I got it. :wink:

Cheers Haydee, got it, working on a BFU fix in case it is still hanging around

Hi essexboy, looking for this?

# For use with Merijn's Brute Force Uninstaller
# available from http://www.merijn.org/
#
# Script Name: MediaGateway.BFU
# Author: Pieter Arntz

OptionSetStatus Stopping processes
ProcessKill \zango.exe|1
ProcessKill \MediaGateway.exe|1
ProcessKill \MediaAccess.exe|1 
ProcessKill \MediaAccK.exe|1 
ProcessKill \MediaPass.exe|1 
ProcessKill \MediaPassK.exe|1
ProcessKillIfContainsText %WINDIR%\*.exe|bis.180solutions.com
DllUnregister %PROGRAMFILES%\zango\zangohook.dll|1
DllUnregister %PROGRAMFILES%\Zango Programs\Zango Toolbar\ZangoTB.dll|1
DllUnregister \MedAccX.dll|1
DllUnregister \ZbHostIE.dll|1

OptionSetStatus Cleaning registry
RegDeleteKey HKCR\ClientAX.ClientInstaller
RegDeleteKey HKCR\ClientAX.ClientInstaller.1
RegDeleteKey HKCR\ClientAX.RequiredComponent
RegDeleteKey HKCR\ClientAX.RequiredComponent.1
RegDeleteKey HKCR\ClientAX.ZangoClientAX
RegDeleteKey HKCR\ClientAX.ZangoClientAX.1
RegDeleteKey HKCR\Clientax.seekmoclientax 
RegDeleteKey HKCR\Clientax.seekmoclientax.1 
RegDeleteKey HKCR\LMgr180.WMDRMAx
RegDeleteKey HKCR\LMgr180.WMDRMAx.1
RegDeleteKey HKCR\MediaGateway.Installer
RegDeleteKey HKCR\MediaGateway.Installer.1
RegDeleteKey HKCR\MediaGatewayX.Installer
RegDeleteKey HKCR\MediaGatewayX.Installer.1
RegDeleteKey HKCR\MediaGateway.LicenseInstaller
RegDeleteKey HKCR\MediaGateway.LicenseInstaller.1
RegDeleteKey HKLM\SOFTWARE\Classes\ncmyb.SABHO
RegDeleteKey HKLM\SOFTWARE\Classes\ncmyb.SABHO.1
RegDeleteKey HKCR\zangohook.SABHO
RegDeleteKey HKCR\zangohook.SABHO.1
RegDeleteKey HKCR\ZangoToolbar.ZCToolBand
RegDeleteKey HKCR\ZangoToolbar.ZCToolBand.1
RegDeleteKey HKCR\MediaAccX.Installer
RegDeleteKey HKCR\MediaAccess.Installer
RegDeleteKey HKCR\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}
RegDeleteKey HKCR\AppID\{F1F040D5-E8F8-4680-B101-9334E9773841}
RegDeleteKey HKCR\AppID\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}
RegDeleteKey HKCR\appid\mediagateway.exe
RegDeleteKey HKCR\AppID\LoaderX.EXE
RegDeleteKey HKCR\AppID\ZangoToolbar.DLL
RegDeleteKey HKCR\CLSID\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}
RegDeleteKey HKCR\CLSID\{144B9C7E-235A-4316-9EB3-5E393714C77A}
RegDeleteKey HKCR\CLSID\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}
RegDeleteKey HKCR\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}
RegDeleteKey HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}
RegDeleteKey HKCR\CLSID\{211C4D10-4564-87A0-08B3-B758D5C1FD48}
RegDeleteKey HKCR\CLSID\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}
RegDeleteKey HKCR\clsid\{391b0aa4-1e17-485f-b635-0fe26219e87e} 
RegDeleteKey HKCR\CLSID\{51CF80DC-A309-4735-BB11-EF18BF4E3AD9}
RegDeleteKey HKCR\CLSID\{56F1D444-11BF-4879-A12B-79CF0177F038}
RegDeleteKey HKCR\CLSID\{5CBE2611-C31B-401F-89BC-4CBB25E853D7}
RegDeleteKey HKCR\clsid\{690b8ed9-7b35-4fbe-b69c-58d58f3e6b07} 
RegDeleteKey HKCR\clsid\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} 
RegDeleteKey HKCR\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287}
RegDeleteKey HKCR\CLSID\{D676F999-4608-4dc5-A135-4F51F4212739}
RegDeleteKey HKCR\CLSID\{EA0D26BD-9029-431A-86E0-83152D67828A}
RegDeleteKey HKCR\CLSID\{F31A5D11-BF0B-4A4E-90AF-274F2090AAA6}
RegDeleteKey HKCR\Interface\{00ada225-ea6c-4fb3-82e8-68189201ccb9}
RegDeleteKey HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
RegDeleteKey HKCR\interface\{6c092742-10fe-4db2-988d-fc71948de70c} 
RegDeleteKey HKCR\interface\{7fa8976f-d00c-4e98-8729-a66569233fb5} 
RegDeleteKey HKCR\interface\{d5175f49-39e5-4af1-ba98-e2234869276d} 
RegDeleteKey HKCR\interface\{dd469a88-316c-441d-b712-783d9b9a6707} 
RegDeleteKey HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
RegDeleteKey HKCR\Interface\{610E0E95-8F2F-4B71-966E-F91701D4DC2C}
RegDeleteKey HKCR\Interface\{67A89831-6BC7-4CC0-A2C3-560F9A581E64}
RegDeleteKey HKCR\Interface\{6C092742-10FE-4DB2-988D-FC71948DE70C}
RegDeleteKey HKCR\Interface\{7B178417-3CDA-444F-94FF-312C0A3A78A8}
RegDeleteKey HKCR\Interface\{7FA8976F-D00C-4E98-8729-A66569233FB5}
RegDeleteKey HKCR\Interface\{A16650A9-B065-40EC-BBD1-F8D370D17FB1}
RegDeleteKey HKCR\Interface\{BDDDF1A5-51A9-4F51-B38D-4CD0AD831B31}
RegDeleteKey HKCR\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}
RegDeleteKey HKCR\Interface\{E43DFAA6-8C16-4519-B022-8792408505A4}
RegDeleteKey HKCR\Interface\{E775C662-85D0-438E-82F0-6BCE20A8E154}
RegDeleteKey HKCR\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}
RegDeleteKey HKCR\TypeLib\{01BF19C2-59D3-43E9-A2CC-C2D62D8878D3}
RegDeleteKey HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}
RegDeleteKey HKCR\typelib\{15ea8944-438e-471e-860d-6743d4383a37}
RegDeleteKey HKCR\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA}
RegDeleteKey HKCR\typelib\{68BF4626-D66B-4383-A6AF-62E57E9B6CD4} 
RegDeleteKey HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}
RegDeleteKey HKCR\TypeLib\{91E523DB-2A1C-4231-BB06-9BE27C28739A}
RegDeleteKey HKCR\typelib\{981BDA1D-C8AD-46FF-BE2C-FDDD859AC6F5} 
RegDeleteKey HKCR\TypeLib\{E5B57AB3-15F8-43A2-ABAC-3E58A9C25818}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56F1D444-11BF-4879-A12B-79CF0177F038}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CBE2611-C31B-401F-89BC-4CBB25E853D7}
RegDeleteKey HKLM\SOFTWARE\MediaGateway
RegDeleteKey HKLM\SOFTWARE\zango
RegDeleteKey HKCU\Software\zango
RegDeleteKey HKLM\software\zanu
RegDeleteKey HKCU\Software\zanu
RegDeleteKey HKLM\software\media gateway lastupdate
RegDeleteKey HKLM\software\media gateway param
RegDeleteKey HKLM\software\media gateway softwaretable
RegDeleteKey HKLM\SOFTWARE\Media Access
RegDeleteKey HKLM\software\Zango Programs
RegDeleteKey HKLM\software\microsoft\windows\currentversion\uninstall\media gateway
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Media Access
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jade Shadow
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaGateway
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zango
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zango Toolbar
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zango TV Times
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zanu
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}|Compatibility Flags|1024
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}|Compatibility Flags|1024
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{5CBE2611-C31B-401F-89BC-4CBB25E853D7}
RegDelValue HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{EA0D26BD-9029-431A-86E0-83152D67828A}
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MediaGateway
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zango
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zanu
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Zango TvTimes
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Media Access

RegDeleteKey HKUS\.DEFAULT\Software\Zango 

OptionSetStatus Deleting files
FileDelete %WINDIR%\Downloaded Program Files\ClientAX.dll 
FileDelete %WINDIR%\Downloaded Program Files\ClientAX.inf 
FileDelete %WINDIR%\salmhook.dll
FileDelete %WINDIR%\bmrg.exe
FileDelete %SYSDIR%\ide21201.vxd

OptionSetStatus Deleting folders
FolderDelete %PROGRAMS%\Zango
FolderDelete %PROGRAMS%\Zango Games
FolderDelete %PROGRAMFILES%\MediaGateway
FolderDelete %PROGRAMFILES%\Zango Programs
FolderDelete %PROGRAMFILES%\Zango
FolderDelete %PROGRAMFILES%\ZangoClient
FolderDelete %PROGRAMFILES%\Zango Applications
FolderDelete %PROGRAMFILES%\Zango Games
FolderDelete %PROGRAMFILES%\ZangoToolbar
FolderDelete %PROGRAMFILES%\180SearchAssistant
FolderDelete %PROGRAMFILES%\Media Access
FolderDelete %PROGRAMFILES%\Media Pass

FolderDelete %UserProfile%\Application Data\ZangoToolbar

OptionUseRecycleBin
FileDeleteIfContainsText %WINDIR%\*.exe|180solutions

OptionSetStatus Cleaning Temp folders and IE cache
SystemEmptyInternetCache
SystemEmptyTempFolder 

enjoy, fire up in BFU and run…

polonus
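
As an added example (not part of the original thread and not Pieter Arntz's code): a dry-run reviewer for a BFU script like the one above, which tallies the actions and flags duplicate targets and wildcard operations before anything is executed. It assumes only the `Command target|option` line layout visible in the script; the function names are illustrative and the sample is a small subset of lines copied from the script.

```python
from collections import Counter

# Constructed sample: a few lines copied from the script above, for offline use.
SAMPLE = r"""
# Script Name: MediaGateway.BFU
OptionSetStatus Cleaning registry
ProcessKill \zango.exe|1
RegDeleteKey HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
RegDeleteKey HKCR\interface\{6c092742-10fe-4db2-988d-fc71948de70c}
RegDeleteKey HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}
RegDeleteKey HKCR\Interface\{6C092742-10FE-4DB2-988D-FC71948DE70C}
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|zango
FileDelete %WINDIR%\bmrg.exe
FileDeleteIfContainsText %WINDIR%\*.exe|180solutions
"""

def parse_bfu(text):
    """Yield (line_no, command, target, option) for each action line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        command, _, rest = line.partition(" ")
        target, _, option = rest.strip().partition("|")
        yield no, command, target.strip(), option.strip()

def review(text):
    """Summarise a script without executing any of it."""
    counts, seen, duplicates, wildcards = Counter(), {}, [], []
    for no, command, target, option in parse_bfu(text):
        counts[command] += 1
        if command.startswith(("Option", "System")):
            continue  # status/option lines have no target to compare
        # Registry and Windows file paths are case-insensitive, so compare lowered.
        key = (command, target.lower(), option.lower())
        if key in seen:
            duplicates.append((seen[key], no, target))
        else:
            seen[key] = no
        if "*" in target or "?" in target:
            wildcards.append((no, command, target, option))
    return {"counts": dict(counts), "duplicates": duplicates, "wildcards": wildcards}

if __name__ == "__main__":
    report = review(SAMPLE)
    for command, n in sorted(report["counts"].items()):
        print(f"{n:3d}  {command}")
    for first, again, target in report["duplicates"]:
        print(f"duplicate: line {again} repeats line {first}: {target}")
    for no, command, target, option in report["wildcards"]:
        print(f"wildcard:  line {no}: {command} {target} (match text: {option})")
```

Wildcard lines such as `FileDeleteIfContainsText %WINDIR%\*.exe|180solutions` are the ones worth reading by hand, since they act on every matching file rather than a named one.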

Ooops, forgot: continue with vundo fix, BFU nearly done. Hi Polonus, the variant he has is oberon, which is slightly different. I had looked at Pieter's fix already, but ta anyway 8)

Hi essexboy,

Or do you use this one: http://metallica.geekstogo.com/alcanshorty.bfu ?
Haydee’s java version might also be out of date.

pol

Hi there Haydee could you please re-run Hijackthis and post a new current log Ta

Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

I’m sorry I forgot to post the content of C:\vundofix.txt. I saw a long list but clicked on remove vundo without thinking.
I will run HJT now. :wink:

Hi Haydee the vundo.txt will still be on your hard drive at this location C:\vundofix.txt

Hooray!
Here they are.

http://www.4shared.com/file/17703373/83495a17/vundofix.html

http://www.4shared.com/file/17703197/192367ee/hijackthis_5.html

I haven’t done what polonus directed me to do. I don’t know how to do it.
Thanks so much guys :smiley:

Much better

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: 0 - {58CAD45F-1435-432C-3ABC-6E148B3BE658} - C:\Program Files\Windows Media Player\lavufaw.dll (file missing)
O2 - BHO: (no name) - {C1D0CF1F-2565-4114-93DC-C6BF2323AB00} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {D325DDBB-46ED-418A-A1AA-EB4641D029Fe} - C:\WINDOWS\system32\avxokjjo.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\avxokjjo.dll
C:\Program Files\Windows Media Player\lavufaw.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

A little cleaning up now

Download and then run SuperAntispyware

- On the first page select Check for Updates
- On completion select SCAN YOUR COMPUTER
- On the next page select COMPLETE SCAN and tick ALL your drives
- The next stage will take a while as your entire drive(s), memory and registry are scanned
- When it has completed click NEXT
- The next screen shows the problems found; click OK
- On the next screen place a tick against all items and select NEXT
- Now to get the log, go to the PREFERENCES button on the right bottom
- Select the STATISTICS/LOG tab
- Highlight the scan just completed and click VIEW LOG
- This will open a Notepad text file; copy and paste this to your next reply

This may take up to 20 minutes to run depending on the amount of data on your system

If you could follow this up with the superantispyware log and a new Hijackthis

FINALLY! Thank God.
I’m exhausted!

http://www.4shared.com/file/17708082/a6914f16/SUPERAntiSpyware_Scan_Log_-_06-11-2007_-_18-42-45.html

http://www.4shared.com/file/17708095/21eeebf4/hijackthis_6.html

It’s not finished… 8) To be sure you’re clean, you should:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  5. If you are still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

  6. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

Double click OTMoveIt once again and you should see a CleanUp! button. Press that button; you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

  1. Select Start > All Programs > Accessories > System tools > System Restore.
  2. On the dialogue box that appears select Create a Restore Point
  3. Click NEXT
  4. Enter a name e.g. Clean
  5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

  1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  2. In the Drop down box that appears select your main drive e.g. C
  3. Click OK
  4. The System will do some calculation and then display a dialogue box with TABS
  5. Select the More Options Tab.
  6. At the bottom will be a system restore box with a CLEANUP button click this
  7. Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
- SpywareBlaster to help prevent spyware from installing in the first place.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
- Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Keep safe and keep Superantispyware

To clear any debris from your registry and speed your system up

Prefetch is clickable for more information

Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm

Reboot

Click start then all programmes, accessories, system tools to run defragmenter

Download, install and run Tune Up 2007 Trial

Run Tune Up disc clean up

Run Tune Up registry clean up

Disable the anti virus programme then click Optimize and Improve to run Reg Defrag, the screen will lose colour during the process which can take a few minutes and then needs a reboot

Check the anti virus programme is running

Those will have cleared the drive of obsolete software errors

These are suggestions for making the most of the free trial

Click optimize and improve then system optimizer to optimize the computer, select computer with an internet connection from the drop down menu, this also requires a reboot

After the reboot, click optimize then system optimizer to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot.

After the reboot, click optimize then system optimizer to run system advisor

I have been very busy the whole day and I got the chance now to come to my
daughter’s computer to keep on with your instructions.

But Last night I wanted to try the SUPERantispyware in my own
computer to check for malware. I was sleepy and let it run the deep scan.
In the morning I had to do an important “mission” and I left the
apartment leaving the computer on with the scan already finished.
When I came back home around two hours ago I checked my computer and
I found the scan was done and it found around 346 objects.
I clicked on save report and I scrolled down clicking on all the small squares next to the processes or whatever it is called and then I clicked quarantine.
I guess it quarantined everything there was and my screen got blue. I booted the computer and all I get is a blue screen. My desktop disappeared and everything.
:'( :'( :'( I lost my computer with all the information in it :'( :'( :'(

    HELP!!!!!!!!

Haydee, can you boot in Safe Mode?
Is there any info (numbers, error messages) in the blue screen?

I’ll do that now.
Thanks

I had to turn it off manually since I don’t have the word start
on the screen. I started in safe mode pressing F8 and I saw a lot of
words that disappeared right away and then I saw the Windows
Advanced Options Menu, Please select an option.
I clicked on the last good configuration and enter. I got the Windows
screen with the password slot. I wrote my password and it gave me
a blue screen. No desktop, no start button, no time. NOTHING.
FINITO.

I did it again selecting safe mode, then again selecting reboot and again
selecting last known configuration. It kept on doing the same thing.
It gives me a screen with a slot for my password and when I write
it down it says “loading your personal settings” and then it gives me a blue
screen with nothing in it. No icons, no start, time clock. Nothing. :frowning:

Windows Advanced Options Menu

Safe Mode
Safe Mode with Command Prompt
Enable Boot Logging
Enable VGA Mode
Last known good configuration ( your most recent setting that worked)
Directory Services restore Mode ( windows domain controller only)
Debugging Mode
Disable automatic restart on system failure
start windows Normally
Reboot
Use the up and down arrow keys to move the highlight to your choice

It’s difficult to imagine a solution… I’m trying… but I think overinstallation could be the only solution…
You won’t lose your programs, settings, data, files, etc.
Just choose ‘Repair’ installation of Windows and install ‘over’ the old installation. Maybe you’ll need to boot from the Windows CD.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;315341
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314058
http://www.webtree.ca/windowsxp/repair_xp.htm

(Do not format the drive. This way all data will be preserved)