Zlob DNS changer found after cleaning procedures

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Snotagain, Feb 2, 2008.

  1. Snotagain

    Snotagain Private First Class

    Hi again, I found a Zlob infection on my daughter's laptop.

    Over a hundred windows will open in Mozilla if you try to download PDF files, and if I download in IE, when I try to open the downloaded file a blank Mozilla window will open and download a copy of the file I just downloaded, so I can't open the file.

    Also an error message pops up on reboot - "One of the files containing the system's Registry data had to be recovered by use of a log or alternate copy. The recovery was successful."

    I will attach all logs asked for in the cleaning steps; I'll add the SmitFraudFix logs in the next post as I keep getting error messages.
    I hope someone can help me. Thanks in advance.:)
     

    Attached Files:

  2. Snotagain

    Snotagain Private First Class

    Here's the second SmitFraudFix report. Still having upload errors with the first.:(
     
  3. Snotagain

    Snotagain Private First Class

    Here's the first SmitFraudFix. Yay
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What are the below files?
    Code:
    2007-04-10 06:18 663,633 ----a-w C:\Program Files\Common Files\10.444
    2007-04-10 06:18 654,022 ----a-w C:\Program Files\Common Files\10.44
    2007-04-10 06:18 641,521 ----a-w C:\Program Files\Common Files\10.4444
    2007-04-10 06:18 637,058 ----a-w C:\Program Files\Common Files\s10.44
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 3

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
    O15 - Trusted Zone: http://jobsearch.gov.au

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
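    The HijackThis lines quoted in this post follow a fixed "Oxx - ..." format, and the properties the helper acted on (an unnamed BHO with "(no file)", a button whose target is "(file missing)", a third-party context-menu URL, a Trusted Zone site) can be picked out mechanically. The script below is an added example, not code from the thread or from HijackThis; it parses that format and flags those properties. The sample log is constructed from the five lines quoted above, and the section labels are the usual HJT meanings.

```python
"""Triage of HijackThis (HJT) log lines of the kind quoted in the post.

Added example, not from the thread or the HJT tool. It parses the Oxx
line format HJT prints and flags the properties the helper acted on:
orphaned entries ("(no file)" / "(file missing)"), unnamed BHOs,
third-party URL hooks and Trusted Zone additions. The sample log is
constructed from the lines quoted in the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")

# Human-readable names for the sections that appear in the sample.
SECTION_NAMES = {
    "O2": "Browser Helper Object",
    "O4": "autostart entry (Run key)",
    "O8": "IE context-menu item",
    "O9": "IE toolbar button",
    "O15": "IE Trusted Zone site",
}

# Constructed sample: the five lines the helper asked to be fixed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O15 - Trusted Zone: http://jobsearch.gov.au
"""


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    hosts: List[str]
    flags: List[str]


def triage_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; return None for lines that are not Oxx entries."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    flags = []
    # An entry whose target file no longer exists is dead weight at best
    # and a leftover registration of removed malware at worst.
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphaned: referenced file is missing")
    if section == "O2" and "(no name)" in body:
        flags.append("BHO registered without a name")
    hosts = URL_HOST_RE.findall(body)
    if section == "O15" and hosts:
        # Trusted Zone sites run with relaxed IE security settings.
        flags.append("Trusted Zone widens IE security for: " + ", ".join(hosts))
    if section == "O8" and hosts:
        flags.append("third-party context-menu hook pointing at: " + ", ".join(hosts))
    clsid = CLSID_RE.search(body)
    return Entry(section, body, clsid.group(0) if clsid else None, hosts, flags)


def triage(log_text: str) -> List[Entry]:
    """Parse every Oxx line of an HJT log, in file order."""
    return [e for e in (triage_line(l) for l in log_text.splitlines()) if e]


def needs_review(entries: List[Entry]) -> List[Entry]:
    """Entries that carry at least one flag."""
    return [e for e in entries if e.flags]


def report(log_text: str) -> str:
    lines = []
    for e in needs_review(triage(log_text)):
        label = SECTION_NAMES.get(e.section, e.section)
        lines.append(f"{e.section} ({label}): " + "; ".join(e.flags))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    Note that the O4 QuickTime entry carries no flag: it is a legitimate but unneeded startup item, and a parser can only point at the structural warning signs; the decision to remove a clean autostart is still a judgement call like the one made in the post.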
     
  5. Snotagain

    Snotagain Private First Class

    Thanks again for your help Chaslang.

    :confused I haven't got a clue.

    I was unable to uninstall

    J2SE Runtime Environment 5.0 Update 11


    from 'Add/Remove Programs' - ERROR Code 1316. I looked it up at the website but was unable to locate that particular code.

    When I went to the link to update Java I updated to 'Java(TM)6 Update 4', obviously the wrong one?

    I will do all the other things you ask, thanks.:)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what you mean. The link I gave you is the correct link.
     
  7. Snotagain

    Snotagain Private First Class

    I downloaded from that link yesterday and just did it again, it seems I'm up to date. I was confused because the older Java file starts off like 'J2SE Runtime Environment' and the newer version starts like 'Java(TM)'. I thought I must be updating the wrong version.
    Sorry.
     
  8. Snotagain

    Snotagain Private First Class

    Completed everything. I'm still getting this message on reboot

    It beeps twice and the error message box moves slightly so I'm guessing there might be two error messages?

    During the running of GetLogs.bat I receive this error message after this line " updating:hijackthis.log <188 bytes security> <deflated 67%>"

    Will I delete those files you asked about?

    Thanks for your time and patience.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a malware problem. You have problems with your registry. Post in the Software Forum. Perhaps a system restore to an earlier date may help.


    This error was explained in the READ ME on the Using MGtools download page. You don't have the Microsoft .NET Framework software installed from Microsoft Update.


    I'm not sure what they are for so I would suggest just moving them to another folder (like a temp folder) somewhere else to first make sure you don't need them before you delete them.

    Are you having any more malware problems with SmitFraud?
     
  10. Snotagain

    Snotagain Private First Class

    Ok thanks, but I haven't toggled my System Restore yet - re possible saved virus. Should I do that now?

    I appreciate all your help too, thanks.:)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well you can do this to be safe, but we really have not found and removed any real malware issues. If you are still having issues with how your PC is working, you may want to wait until you find out what the problems are. You may need to restore to an old restore point to help you fix your problems. Any malware that may (or may not) be in System Restore can always just be removed again. But if you toggle System Restore, you will have no fall-back points if you need them.
     
  12. Snotagain

    Snotagain Private First Class

    But the whole reason I posted here in the first place was because Spybot found Zlob DNS Changer on this laptop and after running SmitFraudFix and the other procedures asked, Spybot didn't pick it up anymore. The computer is running fine now too other than the said Registry problems, which I've posted in the Software Forum as instructed.

    So I'm sure that you helped clean my computer of this Zlob infection.:)

    I will wait then and not clear my Restore Points until after my registry is fixed.

    Thanks for your time once again, you helped me with my computer about 12 months ago as well.;)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Once you resolve your other issues and are sure that you don't need your restore points you can proceed with the below final instructions.

    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  14. Snotagain

    Snotagain Private First Class

    Sorry Chaslang, it seems I'm not clean.:cry

    [image]

    This is dated the day before our last posts but was actually picked up on 2/4/08 - AVG Anti Virus (It took a while for me to discover because I'm unfamiliar with this program, my computer uses Vet)

    [image]

    And this reading error with the Hosts file has been happening for a while??
    Any ideas?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, but I asked you for a new MGlogs.zip file back in message #4 and you never attached it. Also, your snapshot does not show the full file name and is not usable without all that information.

    Attach a new MGlogs.zip file and also tell me exactly what was in that snapshot for object path. Does it end at Application Data or does it go further? Is what is shown for object name actually a file or folder on your PC?


    You just may not even have a hosts file which is not a big deal, but you can do the below to fix this.


    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button.
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
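    Restoring Microsoft's hosts file overwrites whatever is on disk, so it is worth knowing what the current file did first. The script below is an added example, not code from the thread or from HostsXpert: it parses a hosts file and reports redirects (hostnames sent to a non-loopback address), blocks (hostnames pinned to loopback, the usual way malware keeps a PC from reaching update sites), a hijacked localhost entry, and lines it cannot parse (a file with a reading error, as in the AVG report above, will surface there rather than crash the check). It assumes the stock Windows XP hosts file's only active line is "127.0.0.1 localhost". The sample file is constructed; the .test domains and the 203.0.113.x address are documentation examples, not real hosts.

```python
"""Audit of a Windows hosts file against the Microsoft default.

Added example, not from the thread or from HostsXpert. Reports what the
current hosts file does before it is replaced with the stock one:
redirects, loopback blocks, a hijacked localhost, and unparseable lines.
The sample file is constructed (reserved .test names, TEST-NET address).
"""
import ipaddress
from typing import Dict, List, Tuple

# Active content of the stock Windows XP hosts file (comments omitted).
MICROSOFT_DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample of a tampered file.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test        # AV updates silently fail
203.0.113.10    www.example-bank.test         # traffic sent elsewhere
this line is garbage
"""


def audit_hosts(text: str) -> Dict[str, object]:
    """Classify every mapping in a hosts file."""
    redirects: List[Tuple[str, str]] = []   # (hostname, non-loopback address)
    blocks: List[str] = []                  # hostnames pinned to loopback
    localhost_ok = True                     # localhost still resolves to loopback
    bad_lines: List[str] = []               # lines that are not "<ip> <names...>"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            bad_lines.append(raw.rstrip())
            continue
        for name in fields[1:]:
            lname = name.lower()
            if lname == "localhost":
                if not ip.is_loopback:
                    localhost_ok = False
                continue
            if ip.is_loopback:
                blocks.append(lname)
            else:
                redirects.append((lname, str(ip)))
    return {"redirects": redirects, "blocks": blocks,
            "localhost_ok": localhost_ok, "bad_lines": bad_lines}


def is_stock(audit: Dict[str, object]) -> bool:
    """True when the file does nothing beyond what the Microsoft default does."""
    return (not audit["redirects"] and not audit["blocks"]
            and audit["localhost_ok"] and not audit["bad_lines"])


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("stock file:", is_stock(result))
```

    On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts`; a missing file is not an error in itself, which matches the point made above that the PC may simply not have one.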
     
  16. Snotagain

    Snotagain Private First Class

    Sorry, here's the full path name. I was surprised that I actually didn't post the MGlogs.zip as you requested in message 4 - I think it's because I have a habit of skim reading. I will attach it now.:eek: I have also used the HostsXpert as recommended. Thanks again.


    [image]
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you forget to fix the below line back in message # 4?
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    If not then all of the protection you have running with Threatfire, AVG7 etc may have blocked it.

    That snapshot just shows something in your FireFox Cache which is probably not really an issue. I'm not sure why AVG just didn't remove it. Perhaps you had the browser open when you ran your scan, which is not a good thing to do since it can block removal of certain items if your browser has them in use. Let's empty a few different caches.

    Java Cache

    Start > Settings > Control Panel and double click the Java icon (be patient, it may take a while to open) Now click the General tab and under the Temporary Internet File area Click the Settings button and then click the Delete Files... button. In the next popup click OK.

    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches

    FireFox Cache

    To flush your FireFox Cache:
    • click Tools
    • select Options
    • select Privacy
    • in the section labeled Private Data click Clear Now
    Internet Explorer Cache

    To flush your Internet Explorer Cache:
    • click Tools
    • Internet Options
    • Now on the General tab and click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.
    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Monique\Local Settings\Temp


    Are you still having problems?
     
  18. Snotagain

    Snotagain Private First Class

    Yes I did. Unfortunately HJT is still unable to remove this file even after I disconnected the internet and disabled all other protection.:confused

    I followed all other instructions.

    I think everything is good, I ran the virus checker again and no threats are found. Thanks very much.:)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf Safely.
     
