
Mediagateway And Other Re-installing Malware Programs


This topic is locked
12 replies to this topic

#1 stevealmighty


Posted 09 March 2006 - 05:41 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:33:15 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\hiden4.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\STEFAN~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IEVALUES] C:\hiden4.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

************************************************************************************
Also, this computer keeps getting a pop-up when I restart it... here's the address shown in the pop-up window:
http://67.18.253.101/~non00bs/games.html

In the status bar, it says "installing...." I let it go once, and it came up with an error, something like "Could not install MediaGateway".

I've run ewido, adaware, CWS shredder, spybot search and destroy and stng260.

NOTE: Symantec AV was installed on this computer. Now only the LiveUpdate program is left, and the antivirus protection program itself has been removed (of course, everyone here said that they didn't uninstall it, so I'm guessing that they did it without knowing, or a program uninstalled it and left LiveUpdate behind).

Any help here would be great!

Again, thanks in advance!
War produces veterans, wounded both physically and mentally. They have sacrificed for us.....and it is now our job to help these veterans, as they have already helped us in ways we will never know, in ways that we cannot fathom, and in ways that we take granted every day.


#2 pskelley

Posted 11 March 2006 - 09:31 AM

Hello Steve and welcome to the forum. I do see evidence of a nasty infection, but it looks to be only running from Downloaded Program Files and it may not be too hard to remove. I need to know about this:
C:\hiden4.exe <<< do you know what it is? If you wish to scan it, use at least two of these free online scans and post the results for me. I will proceed with removing it; you can ignore those instructions if you know it.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Please follow these instructions and in the posted order:

1) You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe, as we will have no backups. That is why you received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder; I prefer C:\HJT\HijackThis.exe. If you need additional instructions, use these: http://russelltexas.com/malware/createhjtfolder.htm

2) You wrote: "That symantec AV was installed on this computer. Now, only the live update program is left, and the antivirus protection program itself has been removed"

From here I do not see an active antivirus program. If you agree with this, I would get something in place and stay offline until you do. If you need a good free AV to use, try this one: http://free.grisoft.com/freeweb.php If you download this program, stick with the FREE version and do not be sidetracked by trials or purchases.
You need to make sure the old AV is removed or turned completely off before using another AV. I suggest updating and doing a complete system scan, removing anything located. Let me know the complete name and pathway of any item that could not be removed.

3) I see ewido onboard. Open the program and choose Update, and allow time for it to finish. Now click Scanner, then Complete System Scan. Allow ewido to remove anything it locates unless you know it is not bad. Save that scan report; I must see it.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [IEVALUES] C:\hiden4.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\hiden4.exe >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

6) If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions: http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove anything; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help. How is the computer running now?

Thanks...pskelley
BleepingComputer

Edited by pskelley, 11 March 2006 - 09:32 AM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 stevealmighty

Posted 11 March 2006 - 02:47 PM

Thanks for the detailed (and fast!) response. Unfortunately, calling hours and a funeral will be taking up most of my time this weekend, so I won't be able to do anything until next week sometime. I posted this because I didn't want you to think that I wasn't posting back or ignoring your help or anything of that sort.

Much thanks!

Steve

#4 pskelley

Posted 11 March 2006 - 03:02 PM

Hey Steve, sorry to hear you have a funeral to go through and I understand. I just want to say that MediaGateway infections can be much worse and suggest you keep your computer offline as much as possible until you are clean. These infections have a way of attracting more :thumbsup:

Thanks...Phil

#5 pskelley

Posted 25 March 2006 - 01:50 PM

No response in two weeks :thumbsup: topic is closed

Thanks...pskelley

#6 pskelley

Posted 28 March 2006 - 06:36 AM

Topic reopened at your request, complete the instructions I posted here: Mar 11 2006, 09:31 AM

Thanks

#7 stevealmighty

Posted 28 March 2006 - 07:36 AM

Thanks for reopening this pskelley :thumbsup:

Here's the HJT log after I did what you posted, EXCEPT I didn't run CCleaner, as it was late and I was tired; I'm sorry.

I completely removed Norton (Symantec) from it and installed avast! on it (the free version). It's all updated and running. It found 1 trojan (which looked like adware) and 1 adware, which it removed.

After running everything, I still can't get rid of the pop-up that shows up when the computer is started and tries to install itself on the computer. I believe it's "ZANGO", and it's causing a pop-up at startup that wants to install itself on the computer. I find it in "Add or Remove Programs" and click on it to uninstall, and it says that it can't find it and that it's already been removed: "Would you like to delete it from Add or Remove Programs?" I say yes and it deletes it. When I restart the computer, it's back in "Add or Remove Programs", and I go through trying to remove it all over again. I think that since I don't let it install, it doesn't fully get loaded on the computer.

You had instructed me to delete the folder "C:\hidden4.exe". I tried deleting it manually, but it tells me that I don't have permission to delete it... which is weird, because there's only 1 account (user) on the computer and it does have administrative rights. It's not a folder, it's a .exe file that's present right on the C:\ drive (not in another folder).

Other than the initial pop-up where it tries to install Zango at startup, the computer runs well now, with no pop-ups when browsing the internet. No redirections to unwanted sites, and no homepage changes.

Here's the HJT log, followed by the ewido scan:

Logfile of HijackThis v1.99.1
Scan saved at 9:04:43 PM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hiden4.exe
C:\DOCUME~1\STEFAN~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newzjunky.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [zango] C:\Program Files\Zango\zango.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IEVALUES] C:\hiden4.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...5904f66ca2edeed
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

**************************************************************************************

Here's the ewido scan results:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:20:56 PM, 3/27/2006
+ Report-Checksum: 4392E9F9

+ Scan result:

C:\Documents and Settings\Stefania Magro\Cookies\stefania magro@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup


::Report End

***************************************************************************

Please note that I did this post while at work (I emailed the log files to myself so I could post them) and it will be either tonight or tomorrow night before I can get back to working on this computer.

Thanks for all your help with this!

Edited by stevealmighty, 28 March 2006 - 07:40 AM.


#8 pskelley

Posted 29 March 2006 - 08:38 AM

OK Steve, since you do not know the item C:\hidden4.exe we will remove it. Please be aware you have not followed these instructions:

1) You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe, as we will have no backups. That is why you received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder; I prefer C:\HJT\HijackThis.exe. If you need additional instructions, use these: http://russelltexas.com/malware/createhjtfolder.htm

If you do not have the backups and you need them, this will be your responsibility.

Start > Control Panel > Add or Remove Programs, and uninstall Zango if it is there, along with anything else you know does not belong there.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [zango] C:\Program Files\Zango\zango.exe
O4 - HKLM\..\Run: [IEVALUES] C:\hiden4.exe
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...5904f66ca2edeed

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\hiden4.exe >>> file

C:\Program Files\Zango\ >>> folder

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

If you don't have a good cleaner, use this free one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions: http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove anything; make sure you do.

Post a new HJT log, let me know how the computer is running now.

Thanks
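As an added example (not HijackThis's, BleepingComputer's or either poster's code), a small Python triage script that parses the O4 and O16 lines of a log like the ones posted above and applies the same rules the helper used in this thread: an autostart whose executable sits directly in the drive root, an autostart under a Zango folder, and a DPF download from static.zangocash.com. From the flagged O4 lines it also derives the file and folder that still need deleting after "Fix Checked". The host and product names are only those named in this thread, and the sample log is a constructed excerpt of the second log posted here.

```python
"""Triage helper for HijackThis 1.99 logs (added example, not HJT's own code).

Parses the O4 (autostart) and O16 (DPF, downloaded ActiveX) lines and applies
the rules the helper used in this thread. The host and product names below are
only those named in the thread, not a general blocklist.
"""
import re
from urllib.parse import urlsplit

ADWARE_HOSTS = {"static.zangocash.com"}   # O16 download host seen in the log
ADWARE_NAMES = {"zango", "mediagateway"}  # product names named in the thread

# Constructed excerpt modelled on the second log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [zango] C:\Program Files\Zango\zango.exe
O4 - HKLM\..\Run: [IEVALUES] C:\hiden4.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...5904f66ca2edeed
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<label>.+?) = (?P<cmd>.+)$')
DPF_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$')
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)   # first .exe in the command
ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\[^\\]+$')                  # e.g. C:\hiden4.exe


def parse_log(text):
    """Return the O4 and O16 entries of an HJT log as dicts; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            entries.append({"kind": "O4", "line": line, "label": m.group("label"),
                            "path": exe.group("path") if exe else m.group("cmd")})
            continue
        m = DPF_RE.match(line)
        if m:
            entries.append({"kind": "O16", "line": line, "label": m.group("name"),
                            "clsid": m.group("clsid"), "url": m.group("url")})
    return entries


def flag_entry(entry):
    """Return why an entry deserves a closer look, or None if no rule matched."""
    if entry["kind"] == "O16":
        host = urlsplit(entry["url"]).hostname or ""
        return f"ActiveX download from adware host {host}" if host in ADWARE_HOSTS else None
    path = entry["path"]
    if ROOT_EXE_RE.match(path):
        return "autostart executable sitting directly in the drive root"
    if any(name in path.lower() for name in ADWARE_NAMES):
        return "autostart under a known adware product folder"
    return None


def triage(text):
    """Map each suspicious log line (the ones to tick in HJT) to the reason it was flagged."""
    return {e["line"]: reason for e in parse_log(text) if (reason := flag_entry(e))}


def cleanup_targets(text):
    """Disk items left behind after 'Fix Checked': the file or folder each flagged O4 launches."""
    targets = []
    for e in parse_log(text):
        if e["kind"] == "O4" and flag_entry(e) is not None:
            if ROOT_EXE_RE.match(e["path"]):
                targets.append(("file", e["path"]))
            else:
                targets.append(("folder", e["path"].rsplit("\\", 1)[0] + "\\"))
    return targets


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG).items():
        print(f"FIX: {line}\n     {reason}")
    for kind, path in cleanup_targets(SAMPLE_LOG):
        print(f"DELETE {kind}: {path}")
```

Run against the sample it flags exactly the three lines the helper asked to be fixed and lists C:\Program Files\Zango\ (folder) and C:\hiden4.exe (file) for deletion, while the HP, Quicken and VTTimer autostarts and the O23 service line pass untouched.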

#9 stevealmighty

Posted 29 March 2006 - 08:54 AM

Can do, and thanks for the help!

I wasn't concerned about having a backup of whatever was going to be deleted, as there's not really anything on the computer (as far as programs they've installed) that can't easily be put back if it's accidentally deleted. I should've mentioned that in my earlier post, sorry.

I'll do what you said, and try to delete that hidden4.exe file. Will deleting it in HJT allow me to delete the file itself? I tried before to delete it, and it told me that I didn't have permission to do so :thumbsup: .

I'll try to get to it either tonight or tomorrow night, and post back with my results. Thanks again for all your help :flowers:

#10 pskelley

Posted 29 March 2006 - 10:01 AM

Yes, HJT is a process manager: when you remove something with it, that stops the process from running, and if you delete the file before a reboot you will have no problems. For your benefit, in the future if you have an issue like that, save those scanners. Once you know the file is bad, reboot to safe mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/ and then delete the file. It will not be running then and will give you no problems.

Thanks...Phil

#11 stevealmighty

Posted 29 March 2006 - 10:51 AM

DOH! (*smacks self in head*)... I never thought of trying to delete it in safe mode... I'll give it a whirl and let you know how I fared!

Thanks for your continuing help!

#12 stevealmighty

Posted 04 April 2006 - 06:21 AM

Sorry for the delay, I've been on a short vacation with the family.

I'll be getting back to this either tonight or tomorrow (hopefully tonight).

Thanks again for your patience!

#13 pskelley

Posted 09 April 2006 - 10:38 AM

Thus ends my patience :thumbsup:

Thanks...pskelley