Member Panel

charlie22

I need some help getting rid of a Trojan. I don't know how it got there, but it's got to go. Here is the HijackThis log. Can anyone walk me through what to do?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:57:02 AM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zango\bin\10.0.314.0\ZangoSA.exe
C:\Program Files\MalwareBurn 6.9\MalwareBurn 6.9.exe
C:\Program Files\VirusHeal 3.8\VirusHeal 3.8.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1146038658\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Zango\bin\10.0.314.0\Srv.exe
C:\Documents and Settings\Cancun\Local Settings\Temporary Internet Files\Content.IE5\MMQON99X\HiJackThis_v2[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Zango /fleok=1D8A83A5C7E513799AAD692A1FBB39BFE4976E26CAED A120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Zango\bin\10.0.314.0\HostIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\VideoKeyCodec\isaddon.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {D61D7E1A-6613-49CA-B6F9-51DB248E209D} - C:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Zango - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Zango\bin\10.0.314.0\HostIE.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.0.314.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.0.314.0\ZangoSA.exe"
O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe"
O4 - HKLM\..\Run: [MalwareBurn 6.9] "C:\Program Files\MalwareBurn 6.9\MalwareBurn 6.9.exe" /h
O4 - HKLM\..\Run: [VirusHeal 3.8] "C:\Program Files\VirusHeal 3.8\VirusHeal 3.8.exe" /h
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NI.UWA6P_0001_N91M1807] "C:\Documents and Settings\Cancun\Application Data\winantiviruspro2006freeinstall[1].exe" -nag
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: adirondack - {547aaa89-7e6b-42b4-b112-a64955f86a2a} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

Thank you!

Pancake · 12:10 AM

Hi...

Please download the OTMoveIt by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\MalwareBurn 6.9\MalwareBurn 6.9.exe
C:\Program Files\VirusHeal 3.8\VirusHeal 3.8.exe
C:\Program Files\Common Files\SystemDoctor\dcpasmon.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

============================

Go to Start menu
Select Control Panel
Select Add or Remove Programs
Select the Zango application you'd like to remove
Click Change/Remove
Follow onscreen prompts to completely remove the application

Then....................

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe.Run the application.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Please post:
c:\rapport.txt
A new HijackThis log
Your may need several replies to post the requested logs, otherwise they might get cut off

Member Panel

Sponsors and Ads

Join the Team

Live Tag Cloud