PDA

View Full Version : Zlob.DNSchanger



lsjones
2007-08-10, 17:57
Hi, I know I'm not supposed to start more than one topic for the same computer during the same period, but I have made a mistake in posting the HJT log and figured that this may be the reason I have received no response to my posting so far. I figured that if I simply added this to my original postings this would have likely created the impression my topic is being responded to. I'm sorry for any convenience. Below is the full HJT log. Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 11:07:33 PM, on 8/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [hcenter] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186160031409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186159890256
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

EDIT: Previous topic now moved to archives:
http://forums.spybot.info/showthread.php?t=16748
The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

pskelley
2007-08-11, 03:03
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I am not seeing malware in the HJT log so we will need to do some searching. First I have questions for you. Not showing in running processes, I see these items in your Services, could you tell me why? Do you own any of these programs? ewido is totally obsolete.
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (file missing
(ignore the "file missing" the file is there)

Please read and follow these directions:

1) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

2) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) in the forum please.

Post the answers to any questions I asked, the C:\rapport.txt from Smitfraudfix and the report.txt from Fixwareout.

Thanks

lsjones
2007-08-11, 05:23
Thank you for the assistence.
As to your questions, I don't know why these items are listed in my services. I don't owe any of these programs, but what may be of relevance here is that they are used - as is Spybot also - by a Dutch freeware tool, called Hitman Pro, which I have installed on my computer.
However, it seems that (something related to) Hitman Pro is infected (see the Kaspersky log in my first posting - which although archived is probably still relevant for the current problem). I've had some problems with especially the PC Tools Spyware Doctor some while back and so I uninstalled these programmes, maybe this is why they are still listed.
Here are the logs from resp. SmitFraudFix and FixWareout

SmitFraudFix v2.210

Scan done at 3:17:23.63, Sat 08/11/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NDIS 5.0 driver
DNS Server Search Order: 10.0.0.138

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7D1C5C29-C7EC-41E9-8BE9-55D1B7184A18}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B06FC995-E81B-4F6E-8B14-CD45D125E93B}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7D1C5C29-C7EC-41E9-8BE9-55D1B7184A18}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B06FC995-E81B-4F6E-8B14-CD45D125E93B}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7D1C5C29-C7EC-41E9-8BE9-55D1B7184A18}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End





Username "Administrator" - 08/11/2007 3:29:09 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"hcenter"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Startup Manager"="C:\\Documents and Settings\\Administrator\\Application Data\\Systweak\\ASO 2\\smstartUp manager.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


I have a few additional questions/comments.
1) I didn't quite understand your remark about the process.exe
2) FixWareout said something about a registry file dnsbak.reg and doubleclicking it. I found this file, but when I doubleclick it I'm asked whether I'm sure that I want to add the information in C:\\dnsbak.reg to the registry. Am I supposed to go ahead ?
3) Please read my first posting with the Kaspersky log; two viruses and four infected objects were detected by Kaspersky.

Thanks a lot for your help!

pskelley
2007-08-11, 15:00
Thanks for returning your information, i'll do my best to answer your questions by number. If I omit a number it is because you are correct and no answer is required.

Hitman Pro <<< I do not use it and know nothing about it. If you are positive it is a safe program, it is your computer.

It is hard for me to believe that any of the three programs I mentioned that are running from your services or SpyBot S&D have anything to do with Hitman Pro? You would have to show me that in writing, I suggest you at least diasble those programs as they are doing nothing for you but using your resources.

Part of the confusion are the multiple posts, but I will comment on what Kaspersky found, I use that scanner a lot.

1) Did you click and view the information in the link I provided. I is basically as simple as this...some antivirus programs think it is a virus but it is not, and it is a required element of several malware program, they will not run without it. At time I have to ask that the AV be turned off until it is downloaded.

2) All I can say here is that the instructions I posted for you I have posted countless times, they are fairly simple and say to "The fix will begin; follow the prompts"
as far as I can see from the Fixwareout report, the tool did what it was supposed to.

3) Kaspersky: Thursday, August 09, 2007 5:17:07 PM
Number of infected objects: 4

C:\Documents and Settings\Administrator\My Documents\COMPUTER RELATED\Hitman Pro\hitmanpro26.exe/file02 Infected: IM-Worm.Win32.Sohanad.t skipped
C:\Documents and Settings\Administrator\My Documents\COMPUTER RELATED\Hitman Pro\hitmanpro26.exe Inno: infected - 1 skipped
C:\Program Files\Hitman Pro\surfright.exe Infected: IM-Worm.Win32.Sohanad.t skipped
C:\WINNT\system32\TFTP956 Infected: Backdoor.Win32.SdBot.pc skipped

The Hitman Pro progam has infected files at the very least. You can delete these files and then run Kaspersky to see if the program scans clean if you wish. The fourth item is a backdoor trojan and this one does not identify, but they are dangerous because the steal information and your security is likely compromised, I will post this information for you:

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
http://www.dslreports.com/faq/10451

Let's proceed like this, remove (delete) Smitfraudfix and Fixwareout complete from your computer.

I suggest Hitman pro be uninstall and all folders removed, if you have money invested with them, you should discuss this infection with them. You may be able to contact them here:
http://www.hitmanpro.nl/hitmanpro/

Delete the files in red:

C:\Documents and Settings\Administrator\My Documents\COMPUTER RELATED\Hitman Pro\hitmanpro26.exe

C:\Documents and Settings\Administrator\My Documents\COMPUTER RELATED\Hitman Pro\hitmanpro26.exe

C:\Program Files\Hitman Pro\surfright.exe

C:\WINNT\system32\TFTP956 <<< this is your backdoor trojan!

I suggest you turn those service off like this:

Disable the Service
Click Start > Run and type services.msc
Scroll down to ewido anti-spyware 4.0 guard and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Do the same thing with:
PC Tools Spyware Doctor
Webroot Spy Sweeper Engine

Once that is done, restart the computer and post a new HJT log and your comments about performance. As I said, you can run Kaspersky again to be sure, but please do not post a clean Kaspersky scan results, waste of space.

Thanks

lsjones
2007-08-13, 04:12
Thank you once more for all the information. I followed your instructions and also ran another Kaspersky scan and it appears that my computer is now infection-free. When I ran services.msc the three services in question had already stopped so I only had to disable them.
With respect to Hitman Pro, I think it is a safe program - for instance it is recommended by renowned computer magazines. I couldn't find written info on the program's website that it makes use of Spybot, Spyware Doctor etc. but I know it does, for when HP is downloaded all these programs are also downloaded. When I uninstalled HP it automatically also removed Spybot, Ad-Aware and Spywareblaster (which were the only programs I still had from the original set of programs associatd with HP - as I said earlier I had already uninstalled several programs connected with HP and these were the programs still having processes running with them, as you pointed out). So at this point, I think I might attempt to re-install HP again later.
One final question about the process viewer/killer/suspender; I think I understand what the program does and what you said about it. What I would like to know however is whether your advise to download the program is related to the virus-problem I had or whether it was for some other reason - and if so which one ? In any case, thanks again for all the help and here's the HJT log :


Logfile of HijackThis v1.99.1
Scan saved at 11:59:52 PM, on 8/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [hcenter] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186160031409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186159890256
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

pskelley
2007-08-13, 13:53
When I uninstalled HP it automatically also removed Spybot, Ad-Aware and Spywareblaster Strange, first I have heard this. They may have some deal with HP? I run all three programs as freeware myself and to my knowledge they are owned by three different companies, Spybot S&D, Lavasoft and Javacool.

One final question about the process viewer/killer/suspender
Not sure what you are referring to?

Logfile of HijackThis v1.99.1 Scan saved at 11:59:52 PM, on 8/12/2007

A little cleaning to do and some junk to remove:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(none of this is malware)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
(Toolbar is damaged, if you use it download it again)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab G
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

If you have no problems with this and since you said Kaspersky is clean, then I suggest you do this:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

lsjones
2007-08-14, 03:54
Quote:
One final question about the process viewer/killer/suspender
Not sure what you are referring to?

I meant the process.exe programme you mentioned in the first posting (together with the beyondlogic link).

Thanks for all the links - very useful. But something is still wrong and unfortunately Zlob.DNSchanger is still on my computer. I already suspected something was wrong when I ran HJT to remove the junk stuff you suggested and noticed that the three services I disabled the startup type of again appeared in the HJT log. So I downloaded Spybot S&D and Zlob was again detected. At the same time it didn't seem that Zlob had anything to do with these services running, right?
Does this mean that bad stuff has likely gotten into my System Restore files and that I should click the microsoft link you gave anyway ? Or would it be a better idea to first check with Kaspersky once more ?

lsjones
2007-08-14, 22:35
I did another scan with Kaspersky today - no infections were found. I also ran Spybot, both before and after surfing the internet, with no signs of Zlob. However It doesn't seem safe to assume that Zlob has yet been permanently removed from my system as it showed up yesterday in the Spybot scan. So where do I go from here ? Would it be best to (a) repeat the previous steps with SmitFraudfix and FixWareout and then post another HJT log, (b) follow the steps mentioned in the previous posting wrt System Restore files, or (c) do something else ?
Thanks

pskelley
2007-08-15, 00:48
I suggest you follow the instructions I posted and wish you safe surfing:bigthumb:

Thanks

lsjones
2007-08-15, 03:05
I suggest you follow the instructions I posted and wish you safe surfing
In fact I did follow the instructions. But I told you that something came up again in the HJT log which wasn't supposed to be there anymore. As you said
If you have no problems with this and since you said Kaspersky is clean, then I suggest you do this:

So I didn't want to take risks and make sure the system is clean. Now all I asked you whether I should repeat the whole procedure again - given that Zlob was again found - or just do the step wrt System Restore files and I would have appreciated obtaining an answer, thank you.

pskelley
2007-08-15, 03:10
But I told you that something came up again in the HJT log which wasn't supposed to be there anymore
Why don't you post a new HJT log and show me this item/items.

Thanks

lsjones
2007-08-15, 03:50
Ok, they don't show up in the HJT log now, but they were these services

O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (file missing
(ignore the "file missing" the file is there)

I did disable their startup type according to your instructions, but when they then showed up in the HJT log (after rebooting), I disabled them again.
My guess that they don't show up now in the HJT log is that now I have TeaTimer running.


Logfile of HijackThis v1.99.1
Scan saved at 2:37:33 AM, on 8/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [hcenter] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\Administrator\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186160031409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186159890256
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe


Given that Zlob was again detected and that Spybot doesnt fully remove it, I should like to know whether to follow the same sequence again from start - including posting the report and rapport files, or whether this is not necessary.
Thank you.

pskelley
2007-08-15, 14:08
Given that Zlob was again detected and that Spybot doesnt fully remove it, I should like to know whether to follow the same sequence again from start - including posting the report and rapport files, or whether this is not necessary.
Thank you.I would first appreciate it if you would review this information, it may apply:

Trojans.sbi - include error
Zlob.DNSChanger
http://forums.spybot.info/showthread.php?t=16699

Logfile of HijackThis v1.99.1 Scan saved at 2:37:33 AM, on 8/15/2007

As far as I can see this HJT log is clean of malware, I see no obvious issues.

TeaTimer does block changes, at times we have to remove the complete Spybot S&D program in order to remove items from the HJT log because of TeaTimer, hope that answers your qestion, if not, you can post here:
http://forums.spybot.info/forumdisplay.php?f=4 where Spybot S&D experts can help you.

Thanks

lsjones
2007-08-15, 17:14
Ok, thanks for the info. However I don't think that this is the cause of the problem : I did not receive any message-warnings from the Spybot scan and I do have the update mentioned and it also appears to have done what it was supposed to do (i.e. extract the TCPIPAdress.dll file into the Plugins folder).
Btw I noticed you had also posted in that thread -apparently in response to someone else :)
So I guess I'll repeat the steps with FixWareout etc. (after first learning more about the functioning of these programs) and then presumably do the System Restore files step.
Thanks.

lsjones
2007-08-16, 00:24
follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

I would follow the instructions in this link except that they are for Windows XP and my platform is Windows 2000.

I suggest you follow the instructions I posted
So at this point I'm not sure how to follow your suggestion. Thanks

pskelley
2007-08-16, 00:33
I apologize, rarely see the operating system, there is no System Restore, so skip those instructions.

Thanks

pskelley
2007-08-25, 23:19
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks