DNS Hijacker and more

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by NY Jester, Dec 6, 2007.

  1. NY Jester

    NY Jester Private E-2

    Hi guys. Yesterday morning I was online and had a system error. When my PC rebooted, I was given an ATL.dll error, which I see comes up regularly even for working programs. Here are the problems that persist. I jumped back onto IE7 and

    my homepage had been changed to "about:Blank"
    -
    Error Message - You may not access Internet options because of restrictions on this computer - Please see the administrator
    -
    Security Center is "not available because it has not started or has been shut off" and the option for the Security Center is grayed out -
    Administrator Tools "services.msc" fail error - failed to snap in
    -
    Outlook express does not open at all
    -
    Search results page comes up true but they are masked and all clicks go through 85.255.120.28/ to false results
    -
    I followed the cleaning methods as described in the removal thread.
    I've attached the MG zip, as well as 2 others - AVG didn't create a report, only quarantined 3 cookie files that were deleted.

    I've read about the about:blank and DNS Hijack but didn't want to guess.

    Thank you for any help
    J-
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 6
    Viewpoint Media Player

    Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

    http://downloads.subratam.org/Fixwareout.exe

    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    * Run Fixwareout.
    * Click Next,
    * then Install,
    * make sure Run fixit is checked
    * and click Finish.
    * The fix will begin; follow the prompts.
    * You will be asked to reboot your computer; please do so.
    * Your system may take longer than usual to load; this is normal.

    When you run fixwareout, just follow the prompts, you will need to restart when prompted.

    After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.

    * Go into Control Panel -->Network Connections.
    * Right click on your connection
    * and click Properties.
    * On the Properties page, highlight Internet Protocol(TCP/IP)
    * Click Properties. This will bring up another page.
    * Select Obtain DNS Server Automatically.
    * Click the ok button. The page will close.
    * Press ok on the page in front of you.
    * Restart the computer.
    * Reconnect to the Internet using Internet Explorer.
    * Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this
     
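    The DNS step above is the part of the fix aimed at the 85.255.*.* redirection described in the first post. As an added example that is not TimW's code or part of the thread, the following PowerShell audit checks every IP-enabled adapter for DNS servers in that prefix and lists the Internet Explorer policy values that produce the "restrictions on this computer" messages; the 85.255. prefix is taken from the addresses reported in the thread, and the registry key paths and the netsh remediation line are assumptions based on general Windows knowledge, not something the thread states.

```powershell
# Added example (not from the thread): audit DNS server settings for rogue
# entries and report the IE policy restrictions behind the
# "You may not access Internet options" message. Run in an elevated PowerShell.
# Assumption: the rogue prefix is built from the 85.255.*.* addresses the
# thread reports; extend the list for other cases.
$RoguePrefixes = @('85.255.')

function Test-RogueDns {
    param([string[]]$Servers)
    foreach ($s in $Servers) {
        foreach ($p in $RoguePrefixes) {
            if ($s.StartsWith($p)) { return $true }
        }
    }
    return $false
}

# 1. Inspect every IP-enabled adapter's DNS server list (WMI class exists on XP and later).
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($a in $adapters) {
    $servers = @($a.DNSServerSearchOrder)
    $flag = if (Test-RogueDns $servers) { 'ROGUE' } else { 'ok' }
    "{0,-5} {1} : DNS={2} DHCP={3}" -f $flag, $a.Description, ($servers -join ','), $a.DHCPEnabled
}

# 2. List policy values that lock the user out of Internet Options and the
#    Control Panel. Assumption: these key paths are the standard IE policy
#    locations; on a home PC they are normally absent or empty.
$policyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
)
foreach ($k in $policyKeys) {
    if (Test-Path $k) {
        "Policy key present: $k"
        Get-ItemProperty $k | Select-Object -Property * -ExcludeProperty PS*
    }
}

# 3. Security Center shows as "not available" when its service is stopped or disabled.
Get-Service -Name wscsvc | Select-Object Name, Status, StartType

# 4. Command-line equivalent of "Obtain DNS Server Automatically" for one connection
#    (uncomment to apply; the name must match the entry in Network Connections):
# netsh interface ip set dns name="Local Area Connection" source=dhcp
```

    The audit only reports; the netsh line at the end is the one change that matches the GUI steps in the post, and it should be applied per connection after the scan tools have run, since a still-running DNS changer will simply rewrite the setting.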
  3. NY Jester

    NY Jester Private E-2

    I was able to download FixWareOut and followed those prompts, but I am not able to open my network connections or several other control panel options in order to click "obtain DNS automatically". I am attaching the fixit report and will follow the remaining instructions as well

    Thanks
    Jay
     

    Attached Files:

  4. NY Jester

    NY Jester Private E-2

    I'm attaching the MG zip files now.
     

    Attached Files:

  5. NY Jester

    NY Jester Private E-2

    Well my problems are still there.

    When Windows loads I receive the same AOL Software ATL.dll error as well as an avgas.exe ATL.dll error (that's new)

    When opening IE,

    I get an error message : Error, Something bad happened in the application. Errors Diagnostic file saved C:\Program Files\...\avgas.err

    my homepage is not blank but rather MSN, but MSN never opens. Search option gets hung up but after 2 minutes or so the results page shows with the correct URL no longer masked by the 85.255.*.* portal. Once the IE page has loaded I can then hit HOME and it takes me to MSN.

    When I click TOOLS -> INTERNET OPTIONS I'm given the error message "This operation has been cancelled due to restrictions on this computer. Please contact your system administrator."

    After roughly 5 minutes I get an error message : avgas.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

    I still cannot access several items in control panel including the security center. It is unavailable or stopped and also the option is greyed out
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you know what this is: C:\Documents and Settings\Owner\Application Data\mainhst.zgh?

    Download Dr.Web CureIt and save it to your desktop.
    • Doubleclick the cureit-beta.exe file and allow to run
    • If it prompts you about getting any updates, get the update and then rerun the cureit-beta.exe installation.
    • When it finishes you will have a green window with a Start and an Update selection. Click Start
    • the Express Scan of your PC window will come up. Click OK to scan main memory to detect infected process in memory.
    • If anything is found in memory, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • You may see a popup window to Buy or get a discount on the program. Just click the X at the top right to close this popup. The scan will continue.
    • Once the short scan is completed, click the Custom Scan radio button. Then Select each of your hard disk drives (that is if you have more than one). A red dot shows which drives have been chosen.
    • Click the green arrow at the right under the Dr.Web logo, and the scan will start.
    • Click 'Yes to all' if it finds any problems and asks if you want to cure or move the file.
    • When the scan has finished, look if you can click the next icon next to the files found:
    • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (this in case we need samples)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! This is necessary because there could be files in use that will be moved or deleted during reboot.
    • After reboot, attach the log from Dr.Web to your next reply
     
  7. NY Jester

    NY Jester Private E-2

    Well, I've followed the latest directions in regards to Dr Web. I am attaching the logs in txt form as the board wouldn't allow the csv files.

    The same errors as my last post are still in place and on a side note I cannot disable System Restore - I receive an error stating that System Restore could not be disabled on one or more of your discs, please restart and try again.

    and also to answer the question in regard to the one file above. I have not a clue as to what that is.


    The below was added by chaslang for future reference.

    mainhst.zgh is a history list of P2P downloads
     

    Attached Files:

    Last edited by a moderator: Oct 18, 2008
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Delete the questionable file from your desktop ...

    avgas.err ---> refers to AVG-antispyware error....

    Do you have any report from your anti-virus scans?

    Have you run error checking on your hard drive?

    Have you removed all of your IE browser toolbars and add-ons?

    Does this happen if you run FireFox?
     
  9. NY Jester

    NY Jester Private E-2

    I can run Firefox no problem. I can change options etc. I cannot get into Control Panel, disable System Restore, access Outlook Express, etc. I also still receive the ATL.dll error for aolsoftware and avgas. MS downloads an update and installs it every time I turn off the PC. I did attach the Dr Web files from yesterday, that was my latest. And still have restrictions on my account
     
  10. NY Jester

    NY Jester Private E-2

    Logs attached
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try a few things:

    Uninstall all AOL programs as well as Avg-Antispyware.

    Download CounterSpy and make sure you have it fix all that it finds .....

    Have you done any registry repairing or used such a program?
     
  12. NY Jester

    NY Jester Private E-2

    I uninstalled AIM, which was the exe that was giving me issues. Ran CounterSpy and BAM, I had it all back. I cannot thank you enough, sorry it took me this long to get back, was away last week.

    J-
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good job....safe surfing. :)
     
