
Author Topic: Adware.Zango  (Read 6841 times)


ganjaman

    Topic Starter


    Beginner

    Thanked: 2
    Adware.Zango
    « on: February 03, 2010, 06:06:23 PM »
    Hi all,
             I have just done a full scan with Malwarebytes and it has produced this:

       Adware.Zango
       C:\System Volume Information\_restore

     I removed it and was wondering if I need to do anything else in case it has left rubbish on my system.

    cheers
    I Love Allan XXX

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Adware.Zango
    « Reply #1 on: February 03, 2010, 06:36:32 PM »
    Scan your computer with Panda ActiveScan

    * Once you are on the Panda site click the Scan your PC now button.
    * A new window will open...click the Scan Now button.
    * If it wants to install an ActiveX component allow it.
    * It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
    * You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
    * The scan will begin. Please be patient as it can take an hour or more to complete.
    * When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
    * Save the ActiveScan.txt to a convenient location like your desktop.
    * Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

    * Post the contents of the ActiveScan report in your next reply.

    ganjaman

      Re: Adware.Zango
      « Reply #2 on: February 04, 2010, 10:41:41 AM »
      These are the results after a 5 hour full scan.

      ;********************************************************************************************
      ANALYSIS: 2010-02-04 17:36:30
      PROTECTIONS: 1
      MALWARE: 2
      SUSPECTS: 1
      ;********************************************************************************************
      PROTECTIONS
      Description                                  Version                       Active    Updated
      ;=================================================================================
      avast! antivirus 4.8.1356 [VPS 100204-0]     4.8.1356                      Yes       Yes
      ;=================================================================================
      MALWARE
      Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
      ;=================================================================================
      03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\system volume information\_restore{da882da0-eaa7-4dec-8c24-71ed37c0358e}\rp14\a0008165.dll
      03926410  Trj/Lineage.BZE                    Virus/Trojan        No        1         No             No           c:\documents and settings\single user\my documents\downloads\wondershare dvd ripper platinum v3.2.48\wondershare dvd ripper platinum v3.2.48.rar[wondershare dvd ripper platinum v3.2.48\patch\ws dvd ripper platinum 3.2.48_patch.exe]
      ;=================================================================================
      SUSPECTS
      Sent      Location
      ;=================================================================================
      No        c:\system volume information\_restore{da882da0-eaa7-4dec-8c24-71ed37c0358e}\rp8\a0003199.sys
      ;=================================================================================
      VULNERABILITIES
      Id        Severity       Description
      ;=================================================================================
      216839    HIGH           MS10-001
      215938    HIGH           MS09-072
      215935    HIGH           MS09-069
      215048    HIGH           MS09-065
      214071    HIGH           MS09-054
      212530    HIGH           MS09-034
      210618    HIGH           MS09-019
      ;=================================================================================
      regards
      « Last Edit: February 04, 2010, 11:59:23 AM by evilfantasy »
      I Love Allan XXX

      evilfantasy

      Re: Adware.Zango
      « Reply #3 on: February 04, 2010, 12:01:25 PM »
      Download OTM by OldTimer to your desktop.

      Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

      * Save it to your Desktop.
      * Double-click OTM.exe to run it.
      * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

      Code: [Select]
      :Processes
      explorer.exe

      :services

      :reg

      :files
      c:\documents and settings\single user\my documents\downloads\wondershare dvd ripper platinum v3.2.48

      :Commands
      [purity]
      [createrestorepoint]
      [clearallrestorepoints]
      [emptytemp]
      [start explorer]

      * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
      * Click the red Moveit! button.
      * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

      * Close OTM

      Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

      ----------

      Go to Microsoft Windows Update and get all critical updates.
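To make the reasoning behind the fix script in Reply #3 explicit, here is an added example (not part of the original thread, and not Panda's or OTM's code) that parses a report in the ActiveScan.txt layout from Reply #2 and separates detections held in System Restore storage from detections inside a downloaded archive. The sample report, its IDs, names and paths are constructed; the function names are hypothetical.

```python
import re

# Constructed report in the ActiveScan.txt layout from Reply #2; IDs, names and paths are made up.
SAMPLE_REPORT = r"""
MALWARE
Id        Description          Type            Active    Severity  Disinfectable  Disinfected Location
;=====================================================================
00000001  Trj/Example.A        Virus/Trojan    No        0         Yes            No           c:\system volume information\_restore{00000000-0000-0000-0000-000000000000}\rp14\a0000001.dll
00000002  Trj/Example.B        Virus/Trojan    No        1         No             No           c:\documents and settings\user\my documents\downloads\tool v1.0\tool v1.0.rar[tool v1.0\patch\tool_patch.exe]
;=====================================================================
SUSPECTS
Sent      Location
;=====================================================================
No        c:\system volume information\_restore{00000000-0000-0000-0000-000000000000}\rp8\a0000002.sys
"""

SECTIONS = {"PROTECTIONS": 4, "MALWARE": 8, "SUSPECTS": 2, "VULNERABILITIES": 3}  # name -> column count
RESTORE_MARKER = "\\system volume information\\_restore"

def parse_report(text):
    """Return {section: [row, ...]}, each row a list of column strings."""
    rows, current, skip_header = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank lines and ;==== / ;**** separators
        if line in SECTIONS:              # a bare section name, not a "MALWARE: 2" summary line
            current, skip_header = line, True
            rows[current] = []
        elif skip_header:
            skip_header = False           # column-title line right after the section name
        elif current:
            # Columns are padded with 2+ spaces; the last one (a path) may contain single spaces.
            rows[current].append(re.split(r"\s{2,}", line, maxsplit=SECTIONS[current] - 1))
    return rows

def classify(location):
    """Map a detection path to (kind, target), where target is what would be cleaned up."""
    loc = location.lower()
    if RESTORE_MARKER in loc:
        end = loc.find("}")               # end of the _restore{GUID} directory name
        return "restore_point", (loc[: end + 1] if end != -1 else loc)
    member = re.fullmatch(r"(.+?)\[(.+)\]", loc)
    if member:                            # "archive.rar[inner\file.exe]": file inside an archive
        return "archive_member", member.group(1)
    return "live_file", loc

def triage(text):
    """One (source, kind, target) tuple per MALWARE and SUSPECTS entry."""
    report = parse_report(text)
    found = [(r[1], *classify(r[-1])) for r in report.get("MALWARE", [])]
    found += [("suspect", *classify(r[-1])) for r in report.get("SUSPECTS", [])]
    return found
```

In the thread, entries of the first kind are dealt with by `[clearallrestorepoints]` and the archive by listing its download folder under `:files`.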

      ganjaman

        Re: Adware.Zango
        « Reply #4 on: February 04, 2010, 01:28:29 PM »
        Here are the results

        All processes killed
        ========== PROCESSES ==========
        No active process named explorer.exe was found!
        ========== SERVICES/DRIVERS ==========
        ========== REGISTRY ==========
        ========== FILES ==========
        File/Folder c:\documents and settings\single user\my documents\downloads\wondershare dvd ripper platinum v3.2.48 not found.
        ========== COMMANDS ==========
        Restore point Set: OTM Restore Point (64424509440)
         
        Restore points cleared and new OTM Restore Point set!
         
        [EMPTYTEMP]
         
        User: All Users
         
        User: Default User
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33728 bytes
         
        User: LocalService
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
         
        User: NetworkService
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 402 bytes
         
        User: single user
        ->Temp folder emptied: 50316120 bytes
        ->Temporary Internet Files folder emptied: 56474624 bytes
        ->Java cache emptied: 28190660 bytes
        ->FireFox cache emptied: 213587638 bytes
        ->Google Chrome cache emptied: 32632025 bytes
         
        %systemdrive% .tmp files removed: 0 bytes
        %systemroot% .tmp files removed: 1145981 bytes
        %systemroot%\System32 .tmp files removed: 2577 bytes
        %systemroot%\System32\dllcache .tmp files removed: 0 bytes
        %systemroot%\System32\drivers .tmp files removed: 0 bytes
        Windows Temp folder emptied: 1618805 bytes
        %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
        %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34093 bytes
        RecycleBin emptied: 65097479 bytes
         
        Total Files Cleaned = 428.00 mb
         
         
        OTM by OldTimer - Version 3.1.7.1 log created on 02042010_201019

        Files moved on Reboot...
        File C:\WINDOWS\temp\_av_proI.tm~a01212\setup.lok not found!
        File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
        C:\WINDOWS\temp\Perflib_Perfdata_428.dat moved successfully.

        Registry entries deleted on Reboot...
        I Love Allan XXX

        evilfantasy

        Re: Adware.Zango
        « Reply #5 on: February 04, 2010, 01:59:19 PM »
        How is the computer running now?

        ganjaman

          Re: Adware.Zango
          « Reply #6 on: February 04, 2010, 03:11:39 PM »
           ;D Thanks for sorting it out for me. The Panda scan took some 5 hours+ with a 150gb hdd with 65% free, but was well worth it. Once again cheers.
          I Love Allan XXX

          evilfantasy

          Re: Adware.Zango
          « Reply #7 on: February 04, 2010, 03:16:12 PM »
          You're welcome.

          Final suggestions.

          1. Double click OTM to launch it.
          Vista users right click and choose Run As Administrator
          2. Click on the CleanUp! button.
          3. OTM will download a list from the Internet. If your firewall or other defensive programs alert you, allow it access.
          4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
          5. When finished exit out of OTM.

          ----------

          Use the Secunia Software Inspector to check for out of date software.

          * Click Start Now
          * Check the box next to Enable thorough system inspection.
          * Click Start
          * Allow the scan to finish and scroll down to see if any updates are needed.
          * Update anything listed.

          ----------

          Go to Microsoft Windows Update and get all critical updates.

          ----------

          If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

          ----------

          I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

          I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

          SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
          * Using SpywareBlaster to protect your computer from Spyware and Malware
          * If you don't know what ActiveX controls are, see here

          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

          Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

          ganjaman

            Re: Adware.Zango
            « Reply #8 on: February 04, 2010, 04:50:31 PM »
            I have done most of the things you have suggested and was amazed at the results. The thing is that when I am running certain programs like when I was running Secunia, I got the message

            Warning Unresponsive Script
            script:HTTP://Secunia.com/javascript/s:_html,js:500

            This has happened on a number of occasions, any ideas?

            cheers
            I Love Allan XXX

            evilfantasy

            Re: Adware.Zango
            « Reply #9 on: February 04, 2010, 04:56:26 PM »
            Quote
            Warning Unresponsive Script
            script:HTTP://Secunia.com/javascript/s:_html,js:500

            What browser are you using?

            ganjaman

              Re: Adware.Zango
              « Reply #10 on: February 04, 2010, 05:28:08 PM »
              Firefox 3.6
              I have updated Malwarebytes and it is saying: Blocking malicious ip address, but I am on this site???

              The IP Address is 94.96.108.185
              « Last Edit: February 04, 2010, 06:01:21 PM by ganjaman »
              I Love Allan XXX

              evilfantasy

              Re: Adware.Zango
              « Reply #11 on: February 04, 2010, 06:08:36 PM »
              Quote
              The IP Address is 94.96.108.185

              Does it happen on every page? Give me the link to a page it happens on please. I have MBAM on and have not seen it here.

              Quote
              Firefox 3.6

              Tools > Options > Content > Enable Java. Is that checked?

              ganjaman

                Re: Adware.Zango
                « Reply #12 on: February 04, 2010, 06:18:56 PM »
                Java is enabled,

                I have updated Malwarebytes and when I was on the viruses and spyware here, then was on the Computer Software forum and it popped up there and was able to scribble it down. Another one has popped up, IP 117.198.152.66. I haven't a clue as to what is going on.


                I Love Allan XXX

                evilfantasy

                Re: Adware.Zango
                « Reply #13 on: February 04, 2010, 06:26:17 PM »
                Quote
                I have done an IP search on it and it's in Saudi, Saudi.net.sa

                Yes that's what I came up with. I'm just needing to know what web page it's happening on so I can try to track down the source.

                If you can't get the Secunia to work in FF try IE. Sometimes people can't get it to work with FF and I don't know why.

                ganjaman

                  Re: Adware.Zango
                  « Reply #14 on: February 04, 2010, 06:54:28 PM »
                  Quote
                  Yes that's what I came up with. I'm just needing to know what web page it's happening on so I can try to track down the source.

                  I have only been on this site.
                  I Love Allan XXX

                  evilfantasy

                  Re: Adware.Zango
                  « Reply #15 on: February 04, 2010, 06:56:35 PM »
                  I can't seem to duplicate it. I have MBAM on with IP protection and it's not happening here. Strange.

                  ganjaman

                    Re: Adware.Zango
                    « Reply #16 on: February 04, 2010, 07:03:10 PM »
                    I have had no more IPs blocked. I wonder if it had something to do with the update of MBt's.
                    Not sure, but yes strange, thanks for the help with the other problems I had. PC is working sound. It's 2 in the morning here in Eng so it's time for some zzzzzzzzz's

                    cheers EF
                    I Love Allan XXX

                    evilfantasy

                    Re: Adware.Zango
                    « Reply #17 on: February 04, 2010, 07:04:57 PM »
                    You're welcome.

                    Safe surfing...