Please Help! Zlob.DNSChanger has attacked!

briand7379
2007-09-22, 04:02
Below I have my HJT entry and my Spybot Report. What should I do next to remove this monster!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:45 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Napster\napster.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Sunbelt Software\CounterSpy\Counterspy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3225
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3225
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3225
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{28A59EC7-A5F7-4316-A1B2-56C01FF05DC7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB86B01-0C38-4DF3-B876-9CA6A3030274}: NameServer = 85.255.115.62,85.255.112.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{28A59EC7-A5F7-4316-A1B2-56C01FF05DC7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.62 85.255.112.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{28A59EC7-A5F7-4316-A1B2-56C01FF05DC7}: NameServer = 85.255.115.62,85.255.112.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 7228 bytes
-------------------------------------------------------
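The O17 entries in the log above are the security-relevant part of this thread: one live interface under CCS (CurrentControlSet) and both the Parameters key and an interface under CS2 (ControlSet002) carry NameServer = 85.255.115.62,85.255.112.100, while the other keys point at the OpenDNS pair 208.67.220.220,208.67.222.222. Because each control set stores its own Tcpip settings, a rogue pair in CS2 survives a boot into that control set, so the check has to cover every O17 line, not just CCS. The Python script below is an added example written for this page, not part of briand7379's post or of HijackThis. It parses O17 lines out of an HJT log (handling both the comma-separated and the space-separated form seen on the CS2\Parameters line), flags every resolver outside an allowlist, reports which control sets are affected, and computes the smallest CIDR block covering the rogue addresses as a starting point for a block rule. The allowlist is an assumption: the OpenDNS pair from this log stands in for whatever resolvers the machine's owner actually expects. The sample input is the seven O17 lines copied from the log above.

```python
import ipaddress
import re

# The seven O17 lines from the HijackThis log posted above, copied verbatim.
# Note the space-separated pair on the CS2\Parameters line: a parser that only
# splits on commas would read it as one malformed address and miss it.
SAMPLE_O17 = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{28A59EC7-A5F7-4316-A1B2-56C01FF05DC7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB86B01-0C38-4DF3-B876-9CA6A3030274}: NameServer = 85.255.115.62,85.255.112.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{28A59EC7-A5F7-4316-A1B2-56C01FF05DC7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.62 85.255.112.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{28A59EC7-A5F7-4316-A1B2-56C01FF05DC7}: NameServer = 85.255.115.62,85.255.112.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""

# Assumption: the resolvers this machine is expected to use. Here the OpenDNS
# pair that also appears in the log; on a real case, put the ISP's or the
# corporate resolvers here.
EXPECTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\.+?): NameServer = (?P<servers>.+)$")
CONTROL_SET_RE = re.compile(r"\\System\\(CCS|CS\d+)\\")


def parse_o17(log_text):
    """Return [{'key', 'control_set', 'servers'}] for every O17 line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HJT normally separates resolvers with commas, but the registry value
        # may use spaces; split on either so no address is glued to another.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        cs = CONTROL_SET_RE.search(m.group("key"))
        entries.append({
            "key": m.group("key"),
            "control_set": cs.group(1) if cs else "?",
            "servers": servers,
        })
    return entries


def rogue_nameservers(entries, expected=EXPECTED_RESOLVERS):
    """Return (control_set, key, server) for each resolver not in the expected set."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    findings = []
    for e in entries:
        for s in e["servers"]:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                findings.append((e["control_set"], e["key"], s))  # unparseable: flag it
                continue
            if addr not in allowed:
                findings.append((e["control_set"], e["key"], s))
    return findings


def affected_control_sets(findings):
    """Control sets still carrying a rogue resolver (CCS = CurrentControlSet)."""
    return sorted({cs for cs, _, _ in findings})


def common_network(addresses):
    """Smallest CIDR block covering all given addresses, e.g. for a block rule."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


if __name__ == "__main__":
    entries = parse_o17(SAMPLE_O17)
    findings = rogue_nameservers(entries)
    for cs, key, server in findings:
        print(f"[{cs}] {server:<16} {key}")
    rogue = sorted({s for _, _, s in findings})
    print("control sets affected:", ", ".join(affected_control_sets(findings)))
    print("rogue resolvers share:", common_network(rogue))
```

Run against the log above it reports six findings (two resolvers on each of three keys), control sets CCS and CS2, and a shared block of 85.255.112.0/22. The /22 is computed purely from the two addresses in this log; treating the wider range as hostile is a judgment the page itself does not make.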

briand7379
2007-09-22, 04:32
24.07.2007 23:48:05 - ##### check started #####
24.07.2007 23:48:05 - ### Version: 1.4
24.07.2007 23:48:05 - ### Date: 7/24/2007 11:48:05 PM
24.07.2007 23:48:05 - ##### checking bots #####
24.07.2007 23:49:18 - found: FunWebProducts Class ID
24.07.2007 23:50:36 - found: Nat Settings
24.07.2007 23:50:36 - found: Nat Settings
24.07.2007 23:53:11 - found: Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify Settings
24.07.2007 23:53:11 - found: Microsoft.WindowsSecurityCenter.FirewallDisableNotify Settings
24.07.2007 23:57:11 - found: Win32.Small.dp Settings
24.07.2007 23:58:26 - found: Advertising.com Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:28 - found: Zedo Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:28 - found: MediaPlex Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:28 - found: FastClick Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:28 - found: Avenue A, Inc. Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:28 - found: LinkSynergy Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:29 - found: AdRevolver Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:29 - found: AdRevolver Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:30 - found: MediaPlex Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:30 - found: CasaleMedia Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:30 - found: DoubleClick Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:30 - found: TagASaurus Tracking cookie (Internet Explorer: Owner)
24.07.2007 23:58:32 - found: AdRevolver Tracking cookie (Firefox: default)
24.07.2007 23:58:32 - found: AdRevolver Tracking cookie (Firefox: default)
24.07.2007 23:58:33 - found: Advertising.com Tracking cookie (Firefox: default)
24.07.2007 23:58:33 - found: Advertising.com Tracking cookie (Firefox: default)
24.07.2007 23:58:33 - found: Advertising.com Tracking cookie (Firefox: default)
24.07.2007 23:58:33 - found: Advertising.com Tracking cookie (Firefox: default)
24.07.2007 23:58:33 - found: Advertising.com Tracking cookie (Firefox: default)
24.07.2007 23:58:33 - found: Avenue A, Inc. Tracking cookie (Firefox: default)
24.07.2007 23:58:34 - found: CasaleMedia Tracking cookie (Firefox: default)
24.07.2007 23:58:34 - found: CasaleMedia Tracking cookie (Firefox: default)
24.07.2007 23:58:35 - found: CasaleMedia Tracking cookie (Firefox: default)
24.07.2007 23:58:35 - found: CasaleMedia Tracking cookie (Firefox: default)
24.07.2007 23:58:35 - found: CasaleMedia Tracking cookie (Firefox: default)
24.07.2007 23:58:35 - found: CasaleMedia Tracking cookie (Firefox: default)
24.07.2007 23:58:35 - found: CasaleMedia Tracking cookie (Firefox: default)
24.07.2007 23:58:36 - found: DoubleClick Tracking cookie (Firefox: default)
24.07.2007 23:58:36 - found: HitBox Tracking cookie (Firefox: default)
24.07.2007 23:58:36 - found: HitBox Tracking cookie (Firefox: default)
24.07.2007 23:58:36 - found: HitBox Tracking cookie (Firefox: default)
24.07.2007 23:58:36 - found: FastClick Tracking cookie (Firefox: default)
24.07.2007 23:58:36 - found: FastClick Tracking cookie (Firefox: default)
24.07.2007 23:58:37 - found: FastClick Tracking cookie (Firefox: default)
24.07.2007 23:58:37 - found: FastClick Tracking cookie (Firefox: default)
24.07.2007 23:58:37 - found: FastClick Tracking cookie (Firefox: default)
24.07.2007 23:58:37 - found: FastClick Tracking cookie (Firefox: default)
24.07.2007 23:58:37 - found: FastClick Tracking cookie (Firefox: default)
24.07.2007 23:58:37 - found: FastClick Tracking cookie (Firefox: default)
24.07.2007 23:58:37 - found: FastClick Tracking cookie (Firefox: default)
24.07.2007 23:58:37 - found: FastClick Tracking cookie (Firefox: default)
24.07.2007 23:58:38 - found: HitBox Tracking cookie (Firefox: default)
24.07.2007 23:58:38 - found: HitBox Tracking cookie (Firefox: default)
24.07.2007 23:58:39 - found: MediaPlex Tracking cookie (Firefox: default)
24.07.2007 23:58:42 - found: Statcounter Tracking cookie (Firefox: default)
24.07.2007 23:58:42 - found: Statcounter Tracking cookie (Firefox: default)
24.07.2007 23:58:43 - found: Zedo Tracking cookie (Firefox: default)
24.07.2007 23:58:44 - found: Zedo Tracking cookie (Firefox: default)
24.07.2007 23:58:44 - found: Zedo Tracking cookie (Firefox: default)
24.07.2007 23:58:44 - found: AdRevolver Tracking cookie (Firefox: default)
24.07.2007 23:58:44 - found: AdRevolver Tracking cookie (Firefox: default)
24.07.2007 23:58:45 - found: AdRevolver Tracking cookie (Firefox: default)
24.07.2007 23:58:45 - found: WebTrends live Tracking cookie (Firefox: default)
24.07.2007 23:58:45 - found: Avenue A, Inc. Tracking cookie (Firefox: default)
24.07.2007 23:58:49 - ##### check finished #####

briand7379
2007-09-22, 11:01
Can anybody help?

briand7379
2007-09-22, 22:13
Nobody can help me?

Mr_JAk3
2007-09-24, 22:41
Hi briand7379 and welcome to the Forums :)

You're infected.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

tashi
2007-10-06, 02:13
Due to lack of a response to the helper, this topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.

briand7379, if you have the need to request assistance in this forum again, please read the stickies before posting, and do not bump.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Start with ONLY the Two Logs We Ask For in Our Sticky Topic, NOT CF etc (http://forums.spybot.info/showthread.php?t=16806)

The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)