Need help - hijacked connection.

ClockworkOrange · Dec 5, 2008

My connection is hijacked and the DNS keeps being reset as with the Zlob DNSchanger trojan. I've run the malware removal tools as suggested, and attached are my logs - but the darn thing keeps coming back into registry and my network connection. I've reset my broadband modem and my router, deleted every 'resycle' folder - I'm at a loss. Please help, I'm tearing my hair out.

TIA -

Ted

ClockworkOrange · Dec 5, 2008

Here is the remaining log. TIA -

Ted

ClockworkOrange · Dec 5, 2008

I should add that I have done every step in the Win XP procedure, and read all the Zlob/DNSchanger.trojan threads - and the darn thing keeps coming back. I've deleted the registry keys that specify the DNS, and they keep rewriting themselves. I'm beginning to consider a wipe, reformat, and restart - but the loss of data would be devastating. It's extremely frustrating.

Thanks again for all your help!

Ted

TimW · Dec 7, 2008

Try this:

Download SDFix and save it to your Desktop.

* Run the SDFix.exe by double clicking on it.
* Allow it to install into the default location which is normally c:\SDFix
* Now please reboot your computer into Safe Mode (see this if you don't know how: Starting your computer in Safe mode. )
* When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
* Attach the Report.txt file to your next message.

ClockworkOrange · Dec 8, 2008

Thanks TimW!.

I have to let you know that I found two .dll files in my c:\Windows\System32 folder that were created at the same date/time as the infection and had odd names something like mpqrlldxx.dll - which were flagged by Avenger (finally).

After that, I reran the cleaning procedure and the Smitfraud fix, and reset the DNS configuration.

Now I've run SDfix as specified, and attached is the log - it seems as though I'm finally clean of this thing, but I want to be sure. It's a persistent little b@$t@rd.

Thanks again for your help - I certainly appreciate what you do!

Ted

TimW · Dec 8, 2008

Please run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file so I can be sure you are clean.

ClockworkOrange · Dec 9, 2008

Here you go - (fingers crossed)!

TYVM,

Ted

TimW · Dec 9, 2008

Looks good...just one thing to do:

Please disable all anti-virus and anti-spyware programs while we do the following ( be sure to re-enable when we are finished):

Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.50 85.255.112.154
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.50 85.255.112.154
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.50 85.255.112.154
Click to expand...

After clicking Fix, exit HJT.

Again, Run C:\MGtools\analyse.exe by double clicking on it. Look for those lines. If they are not there:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection, but are effective as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

Log in or Sign up

Need help - hijacked connection.

ClockworkOrange Private E-2

Attached Files:

Combofixlog.txt

mbam-log-2008-12-05 (06-21-10).txt

MGlogs.zip

ClockworkOrange Private E-2

Attached Files:

SASlog.txt

ClockworkOrange Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

ClockworkOrange Private E-2

Attached Files:

Report.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

ClockworkOrange Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member