MajorGeeks Support Forums




  #1  
Old 12-06-07, 06:35
NY Jester
Private E-2
 
Join Date: Dec 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
DNS Hijacker and more

Hi guys. Yesterday morning I was online and had a system error. When my PC rebooted, I was given an ATL.dll error... which I see comes up regularly even for working programs. Here are the problems that persist. I jumped back onto IE7 and:

* my homepage had been changed to "about:Blank"
* Error Message - You may not access Internet options because of restrictions on this computer - Please see the administrator
* Security Center is "not available because it has not started or has been shut off" and the option for the Security Center is grayed out
* Administrator Tools "services.msc" fail error - failed to snap in
* Outlook Express does not open at all
* Search results page comes up true but they are masked and all clicks go through 85.255.120.28/ to false results

I followed the cleaning methods as described in the removal thread.
I've attached the MG zip, as well as 2 others - AVG didn't create a report, only quarantined 3 cookie files that were deleted.

I've read about the about:blank and DNS Hijack but didn't want to guess.

Thank you for any help
J-
Attached Files
File Type: zip MGlogs.zip (34.1 KB, 7 views)
File Type: txt ComboFix.txt (7.3 KB, 2 views)
File Type: txt history.txt (648 Bytes, 3 views)
  #2  
Old 12-06-07, 13:50
TimW
MajorGeeks Administrator - Jedi Malware Expert
 
Join Date: Jan 2005
Location: The recesses of my mind!
Posts: 45,948
Thanks: 400
Thanked 4,456 Times in 4,232 Posts
Re: DNS Hijacker and more

Please use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 6
Viewpoint Media Player

Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/file...Fixwareout.exe

* Run Fixwareout.
* Click Next,
* then Install,
* make sure Run fixit is checked
* and click Finish.
* The fix will begin; follow the prompts.
* You will be asked to reboot your computer; please do so.
* Your system may take longer than usual to load; this is normal.

When you run Fixwareout, just follow the prompts; you will need to restart when prompted.

After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.

* Go into Control Panel -->Network Connections.
* Right click on your connection
* and click Properties.
* On the Properties page, highlight Internet Protocol(TCP/IP)
* Click Properties. This will bring up another page.
* Select Obtain DNS Server Automatically.
* Click the ok button. The page will close.
* Press ok on the page in front of you.
* Restart the computer.
* Reconnect to the Internet using Internet Explorer.
* Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
Quote:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHelper - {F3CFA533-7680-4943-A863-B8216390E847} - C:\WINDOWS\SYSTEM32\AcroIEHelper.dll
O4 - Global Startup: Free WebSite Tools.lnk = ?
O15 - Trusted Zone: ktu.sv2.biz
O15 - Trusted Zone: *.sv2.biz
NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3CFA533-7680-4943-A863-B8216390E847}]
Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
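A defender-side triage script for the kind of HijackThis entries the helper flagged above, added here as an example; it is not a MajorGeeks tool and not code from the thread. It assumes the rogue resolvers occupy all of 85.255.0.0/16 (the thread only shows 85.255.120.28 and "85.255.*.*"), and the O17 NameServer line in the sample is constructed to show what a hijacked DNS setting looks like in an HJT log; no such line appears in the posted logs.

```python
import ipaddress
import re

# Constructed sample modelled on the HJT lines quoted in the thread; the O17
# resolver entry (and its second address) is my own addition, not from the log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHelper - {F3CFA533-7680-4943-A863-B8216390E847} - C:\WINDOWS\SYSTEM32\AcroIEHelper.dll
O15 - Trusted Zone: ktu.sv2.biz
O15 - Trusted Zone: *.sv2.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER}: NameServer = 85.255.120.28,85.255.120.29
"""

# Indicators from the thread: the 85.255.*.* resolvers the redirects went through
# (assumed to be the whole /16), the BHO CLSID flagged for removal, the trusted domain.
ROGUE_DNS_NET = ipaddress.ip_network("85.255.0.0/16")
FLAGGED_BHO_CLSIDS = {"{F3CFA533-7680-4943-A863-B8216390E847}"}
SUSPECT_ZONE_DOMAINS = ("sv2.biz",)

def in_domain(host, domain):
    host = host.lower().lstrip("*.")  # HJT writes wildcard zones as *.domain
    return host == domain or host.endswith("." + domain)

def triage(log_text):
    """Return (section, reason, line) for each HJT line matching an indicator."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if " - " not in line:
            continue  # blank line or not an HJT entry
        section, body = line.split(" - ", 1)
        if section == "R0" and body.lower().endswith("= about:blank"):
            findings.append((section, "IE start page reset to about:blank", line))
        elif section == "O2":
            m = re.search(r"\{[0-9A-F-]{36}\}", body, re.I)
            if m and m.group(0).upper() in FLAGGED_BHO_CLSIDS:
                findings.append((section, "BHO CLSID flagged for removal", line))
        elif section == "O15" and body.startswith("Trusted Zone:"):
            host = body.split(":", 1)[1].strip()
            if any(in_domain(host, d) for d in SUSPECT_ZONE_DOMAINS):
                findings.append((section, "hijacker domain in IE Trusted Zone", line))
        elif section == "O17":
            for ip in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body.split("NameServer", 1)[-1]):
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:  # malformed octet, e.g. 300.1.1.1
                    continue
                if addr in ROGUE_DNS_NET:
                    findings.append((section, f"DNS server {addr} in rogue range", line))
    return findings
```

Run `triage(SAMPLE_LOG)` on a real HJT log (or on C:\MGtools\analyse.exe output pasted into a file) to list only the entries worth a second look; a clean machine yields an empty list.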
  #3  
Old 12-06-07, 15:35
NY Jester
Private E-2
 
Join Date: Dec 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Re: DNS Hijacker and more

I was able to download FixWareOut and followed those prompts, but I am not able to open my network connections or several other Control Panel options in order to click "obtain DNS automatically". I am attaching the fixit report and will follow the remaining instructions as well.

Thanks
Jay
Attached Files
File Type: txt report.txt (1.8 KB, 3 views)
  #4  
Old 12-06-07, 15:54
NY Jester
Private E-2
 
Join Date: Dec 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Re: DNS Hijacker and more

I'm attaching the MG zip files now.
Attached Files
File Type: zip MGlogs.zip (34.0 KB, 5 views)
  #5  
Old 12-06-07, 16:16
NY Jester
Private E-2
 
Join Date: Dec 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Re: DNS Hijacker and more

Well my problems are still there.

When Windows loads I receive the same AOL Software ATL.dll error as well as an avgas.exe ATL.dll error (that's new).

When opening IE,

I get an error message: Error, Something bad happened in the application. Errors Diagnostic file saved C:\Program Files\...\avgas.err

My homepage is not blank but rather MSN, but MSN never opens. Search option gets hung up, but after 2 minutes or so the results page shows with the correct URL no longer masked by the 85.255.*.* portal. Once the IE page has loaded I can then hit HOME and it takes me to MSN.

When I click TOOLS -> INTERNET OPTIONS I'm given the error message: This operation has been cancelled due to restrictions on this computer. Please contact your system administrator.

After roughly 5 minutes I get an error message: avgas.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

I still cannot access several items in Control Panel including the Security Center. It is unavailable or stopped and also the option is greyed out.
  #6  
Old 12-07-07, 10:41
TimW
MajorGeeks Administrator - Jedi Malware Expert
 
Join Date: Jan 2005
Location: The recesses of my mind!
Posts: 45,948
Thanks: 400
Thanked 4,456 Times in 4,232 Posts
Re: DNS Hijacker and more

Do you know what this is: C:\Documents and Settings\Owner\Application Data\mainhst.zgh?

Download Dr.Web CureIt and save it to your desktop.
  • Doubleclick the cureit-beta.exe file and allow to run
  • If it prompts you about getting any updates, get the update and then rerun the cureit-beta.exe installation.
  • When it finishes you will have a green window with a Start and an Update selection. Click Start
  • The Express Scan of your PC window will come up. Click OK to scan main memory to detect infected processes in memory.
  • If anything is found in memory, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • You may see a popup window to Buy or get a discount on the program. Just click the X at the top right to close this popup. The scan will continue.
  • Once the short scan is completed, click the Custom Scan radio button. Then Select each of your hard disk drives (that is if you have more than one). A red dot shows which drives have been chosen.
  • Click the green arrow at the right under the Dr.Web logo, and the scan will start.
  • Click 'Yes to all' if it finds any problems and asks if you want to cure or move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! This is necessary because there could be files in use that will be moved or deleted during reboot.
  • After reboot, attach the log from Dr.Web to your next reply
  #7  
Old 12-07-07, 19:08
NY Jester
Private E-2
 
Join Date: Dec 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Re: DNS Hijacker and more

Well, I've followed the latest directions in regards to Dr.Web. I am attaching the logs in txt form as the board wouldn't allow the csv files.

The same errors as my last post are still in place, and on a side note I cannot disable System Restore - I receive an error stating that System Restore could not be disabled on one or more of your disks, please restart and try again.

And also, to answer the question in regard to the one file above, I have not a clue as to what that is.


The below was added by chaslang for future reference.

Quote:
Originally Posted by TimW View Post
Do you know what this is: C:\Documents and Settings\Owner\Application Data\mainhst.zgh?
mainhst.zgh is a history list of P2P downloads
Attached Files
File Type: txt drweb.txt (1.1 KB, 4 views)

Last edited by chaslang; 10-18-08 at 22:54.. Reason: Added info on mainhst.zgh
  #8  
Old 12-08-07, 16:05
TimW
MajorGeeks Administrator - Jedi Malware Expert
 
Join Date: Jan 2005
Location: The recesses of my mind!
Posts: 45,948
Thanks: 400
Thanked 4,456 Times in 4,232 Posts
Re: DNS Hijacker and more

Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Delete the questionable file from your desktop ...

avgas.err ---> refers to AVG-antispyware error....

Do you have any report from your anti-virus scans?

Have you run error checking on your hard drive?

Have you removed all of your IE browser toolbars and add-ons?

Does this happen if you run FireFox?
  #9  
Old 12-08-07, 17:23
NY Jester
Private E-2
 
Join Date: Dec 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Re: DNS Hijacker and more

I can run Firefox no problem. I can change options etc. I cannot get into Control Panel, disable System Restore, access Outlook Express, etc. I also still receive the ATL.dll error for aolsoftware and avgas. MS downloads an update and installs it every time I turn off the PC. I did attach the Dr.Web files from yesterday; that was my latest. And I still have restrictions on my account.
  #10  
Old 12-08-07, 18:17
NY Jester
Private E-2
 
Join Date: Dec 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Re: DNS Hijacker and more

Logs attached
Attached Files
File Type: zip MGlogs.zip (34.2 KB, 5 views)
  #11  
Old 12-09-07, 16:34
TimW
MajorGeeks Administrator - Jedi Malware Expert
 
Join Date: Jan 2005
Location: The recesses of my mind!
Posts: 45,948
Thanks: 400
Thanked 4,456 Times in 4,232 Posts
Re: DNS Hijacker and more

Let's try a few things:

Uninstall all AOL programs as well as Avg-Antispyware.

Download CounterSpy and make sure you have it fix all that it finds .....

Have you done any registry repairing or used such a program?
  #12  
Old 12-17-07, 23:27
NY Jester
Private E-2
 
Join Date: Dec 2007
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Re: DNS Hijacker and more

I uninstalled AIM, which was the exe that was giving me issues. Ran CounterSpy and BAM, I had it all back. I cannot thank you enough; sorry it took me this long to get back, I was away last week.

J-
  #13  
Old 12-18-07, 10:22
TimW
MajorGeeks Administrator - Jedi Malware Expert
 
Join Date: Jan 2005
Location: The recesses of my mind!
Posts: 45,948
Thanks: 400
Thanked 4,456 Times in 4,232 Posts
Re: DNS Hijacker and more

Good job....safe surfing.