Help, Plz Somethings got me

gregtheorangeman · Nov 5, 2008

Hi guys, thanks in advance for all the help.
Right now my problem is I'm getting various pop-ups and sex related ads.
But the biggest problem is I cant download anything on Microsoft website or get windows updates. I was researching and I think its related to this Trojan that spybot search and destroy finds which is a DNS changer called Zlob.

I regularly CClean my comp and use AVG.

Thanks for any help sin advanced

P.S. This post has 3 logs, while next one has the zip.

gregtheorangeman · Nov 5, 2008

here is the MGTool zip

U guys are the best!

TimW · Nov 6, 2008

Your logs look clean....but you need to clean up this:
C:\Documents and Settings\Greg\Desktop\

Things should be put in folders or moved to a more appropriate place as this is a great place for malware to hide.

Find and delete:
C:\Documents and Settings\All Users\lxdd --> unless this is something you did.

Tell me what problems you are still having.

gregtheorangeman · Nov 6, 2008

Ok, Im still having the same problems I cant goto update.microsoft.com without it redirecting me to msn, and im getting various pop-up ads.
I ran spybot again, and it found this trojan again:

Zlob.DNSChanger: [SBI $041D1396] TCP/IP Settings #1 (Undefined) (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{490D7E90-3F46-4814-B7CD-12FEDB1985A6}\DhcpNameServer=208.67.220.220,208.67.222.222 1.2.3.4

It constantly is coming back, and I believe its widespread throughout the network cause nobody can access windows update or download anything from microsoft. Theres like 6-7 computers on 1 router.

Thanks

TimW · Nov 6, 2008

Check your router setting for unknown ip's.

Then run this on each computer:
Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

* Run Fixwareout.
* Click Next,
* then Install,
* make sure Run fixit is checked
* and click Finish.
* The fix will begin; follow the prompts.
* You will be asked to reboot your computer; please do so.
* Your system may take longer than usual to load; this is normal.

When you run fixwareout, just follow the prompts, you will need to restart when prompted.

After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.

* Go into Control Panel -->Network Connections.
* Right click on your connection
* and click Properties.
* On the Properties page, highlight Internet Protocol(TCP/IP)
* Click Properties. This will bring up another page.
* Select Obtain DNS Server Automatically.
* Click the ok button. The page will close.
* Press ok on the page in front of you.
* Restart the computer.
* Reconnect to the Internet using Internet Explorer.
* Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt

gregtheorangeman · Nov 6, 2008

ok, two things
1. neither of the links work
2. Do u want logs from every computer?

Thanks,
Greg

TimW · Nov 6, 2008

Aarrggkhhh:

Run this procedure WareOut Removal and attach the requested log.

TimW · Nov 6, 2008

The links are good...as we just fixed this issue for another person not 30 minutes ago....and they are not working for me at the moment. Please try them later.

gregtheorangeman · Nov 9, 2008

Ok, after dl'ing the file from another network and running it on only 3 computers(rest are vista and 1 is mac and it says incompatible) we still have the problem and here's the logs.

Just for some more information, did another spybot today after runing fixwareout on the computers and that full report is attached also

Thanks,
Greg

TimW · Nov 9, 2008

YOu need to get into your router and find the rougue ip addresses and remove them. The run Fixwareout on each computer.

gregtheorangeman · Nov 9, 2008

wat do u mean by rogue?
I look at my DHCP client list and i get only the 7 users who live in my house:

Client Name Interface IP Address MAC Address Expires Time
japanese-0b6c34 Wireless 192.168.1.100 00:1E:E5:FB:7E:3B 13:42:51
Wireless 192.168.1.101 00:1C:B3:B6:C8:19 23:21:20
andrew LAN 192.168.1.102 00:19:218:23A 15:25:48
mike-PC Wireless 192.168.1.103 00:13:E8:1C:B0:89 23:49:56
Wireless 192.168.1.105 00:12:5A:FA:29:28 16:10:20
gregs LAN 192.168.1.108 00:50:8D:BB:CE:A0 23:23:24
Gary-PC Wireless 192.168.1.109 00:21:5C:1F:CC:7F 22:06:08

TimW · Nov 10, 2008

This is the url for the dns that you mention: OpenDNS.

Is this the only problem you are having?

Are all computers unable to download updates still?

gregtheorangeman · Nov 10, 2008

ok, I was doing a bunch research online and found a solution to my problem through yahoo answers, maybe it will help anyone else with the same problem.
Heres the link:
http://answers.yahoo.com/question/index?qid=20081108105116AAUfg3l

Thanks for everything guys,
Greg

Log in or Sign up

Help, Plz Somethings got me

gregtheorangeman Private E-2

Attached Files:

log.txt

MBAMlog.txt

SASlog.txt

gregtheorangeman Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

gregtheorangeman Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

gregtheorangeman Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

gregtheorangeman Private E-2

Attached Files:

report-drew.txt

report-greg.txt

SpybotS&D.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

gregtheorangeman Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

gregtheorangeman Private E-2