remove zlob dns changer

[herm67]

hi,

i have a zlob dns changer that was detected by Spybot. zlob continually hijacks my web pages sending me places i dont want to go. when i delete it using spybot everything works fine. however, whenever i turn the computer off and back on the zlob returns and spybot detects it again. i ran the fixwareout program i saw posted on this site and it said it could not flush zlob and deletion failed. i am back to square one and despearetly want to get rid of this thing..PLEASE HELP!!! The following is the info. obtained by the wareout program:



i hope this helps explain to you what might be going because i have no idea what any of it means. thanks. i will check back over the weekend and pray someone has a solution for me.

[TimW]

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

[herm67]

here are the logs for super anti spyware, combo fix and malware bytes. the file said the spyb ot log was too large, but i can tell you it did find the zlob dns changer as it always does. i will post the mg tools logs in the next reply. thanks again for the help and i will checl back in a couple days.

[herm67]

here are the mg tools logs

[TimW]

You have a wareout infection> you started off right but you need to disable all anti-virus and spyware programs and disable Teatimer!

Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/file...Fixwareout.exe

* Run Fixwareout.
* Click Next,
* then Install,
* make sure Run fixit is checked
* and click Finish.
* The fix will begin; follow the prompts.
* You will be asked to reboot your computer; please do so.
* Your system may take longer than usual to load; this is normal.

When you run fixwareout, just follow the prompts, you will need to restart when prompted.

After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.

* Go into Control Panel -->Network Connections.
* Right click on your connection
* and click Properties.
* On the Properties page, highlight Internet Protocol(TCP/IP)
* Click Properties. This will bring up another page.
* Select Obtain DNS Server Automatically.
* Click the ok button. The page will close.
* Press ok on the page in front of you.
* Restart the computer.
* Reconnect to the Internet using Internet Explorer.
* Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt

[herm67]

here are the logs you requested. after running fixwareout spybot was run again and is now saying it is not finding any immediate threats!! I did go online and tried a few sites and had no problems reaching them.. No browser page hijacks after five different sites. also, prior to changing my dns server to automatic it was showing a preferred dns server number but i forgot to write it down before setting to automatic. when I went back to check for the numbers nothing would come up. so far everything seems to be working right again. I will check back in a couple days for your response to the logs i provided and to let you know if there have been any relapses. Lets keep our fingers crossed!! thanks again for all of your help to this point.

[TimW]

Let me know....

[herm67]

all of my internet browsing is working perfectly thanks to you guys. thank you so much!!! You guys are the best and now my wife is off my back!!!

The one problem that seems to have popped up is that when I turn on my computer and get to the desk top a pop up box appears with the following information:

Line 1: SmartBridgeAlerts: MotiveSB.exe- Entry point not found

Line 2: The procedure entry point GetProcessImageFileName W could not be located in the dynamic link library PSAPI.DLL.

There is also a large red circle with an X through it near the left side of the pop up box. This does not appear to be causing any problems with the computer function, but i was wondering how to repair it because it is annoying. Any ideas?

Note: The box does not say Line 1 and Line 2. I did that to separate the info for you. Thanks again for the help.

[TimW]

Apparently this is a problem with many people after installing IE7 ....

Quote:

you need to search your computer for any file
named PSAPI.DLL and rename those to psapiold.dll that are not in the
C:\WINDOWS\System32 folder. **Do not rename the PSAPI.DLL file in your \\Windows\System32
directory. **

You should ask for further assistance in the software section for this issue.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
2. Click START then RUN
* Now type "%userprofile%\Desktop\cf" /u in the runbox ( or whatever you renamed it to) and click OK.
* Note: The space between the cf and the /U, it must be there.
3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
5. If you are running Windows XP or Windows ME, do the below:
* Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
6. After doing the above, you should work thru the below link:
How to Protect yourself from malware!