Zlob.DNSChanger How to get rid of



smithdr107
2008-10-01, 00:41
How do I get rid of Zlob.DNSChanger? When I run Spybot it finds it and removes it, but it always comes back. I have heard it is a virus. I am running Vista. Please let me know. Thank you.

metto_
2008-10-01, 02:18
I have the same problem. I am running Vista and I couldn't find much info on the net. Help will be greatly appreciated!

wyrmrider
2008-10-01, 06:12
Go down to the Malware Removal Forum.
Read the sticky before you post.
Follow instructions exactly.
Do NOT reply to your first post.

tashi
2008-10-01, 06:16
Hello smithdr107 and metto_,

Please do the following:

1. Open SpyBot
2. Check for problems, do not 'fix' any items found
3. Switch Spybot S&D to advanced mode
4. Navigate to tools - view report
5. Click "view report"
6. Click "export" to save the report to a text file and paste the top of the report showing the detection, and Spybot version, here please.


Cheers.

wyrmrider
2008-10-01, 06:32
Do what Tashi Says :)
good luck to both of you

metto_
2008-10-01, 13:35
Hi Tashi, thanks for the quick response. I hope with your help to get rid of the Zlob.

--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()


Zlob.DNSChanger: [SBI $041D1396] TCP/IP Settings #1 (Undefined) (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{836BA180-D854-471B-BA7B-51351C35DFF1}\NameServer=208.67.220.220,208.67.222.222

Zlob.DNSChanger: [SBI $041D1396] TCP/IP Settings #2 (Undefined) (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{836BA180-D854-471B-BA7B-51351C35DFF1}\DhcpNameServer=208.67.220.220,208.67.222.222


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

tashi
2008-10-01, 16:43
Hello metto_

Looks like a Wareout infection; some of the tools helpers use do not work in Vista.

However for an analyst to take a look at the system, please follow the procedure in this link:
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a helper will advise you when available.

Regards. :)

bitman
2008-10-01, 17:53
Tashi,

Those DNS entries looked familiar to me, so I checked and they are simply the OpenDNS servers.

Here's another similar thread in the Archives originally handled by steamwiz.

http://forums.spybot.info/showthread.php?t=16215

I'm thinking this may be a transient false positive, though you may want to get an HJT log first to confirm and help the Team debug.

Bitman

Shaba
2008-10-01, 18:29
Spybot also sets those entries when attempting to remove Zlob.DNSChanger. This is the most likely case here.
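
The check bitman describes (looking up where the flagged NameServer entries point) can be scripted against the exported report. This is an added example, not part of the original thread and not Spybot's own logic; the allowlist, the function names, and the constructed third line (a made-up interface GUID with a documentation-range address) are assumptions for illustration.

```python
import ipaddress
import re

# Resolvers the user knowingly configured (assumption: maintained by hand).
# The two OpenDNS addresses are the ones identified in the thread.
KNOWN_RESOLVERS = {"208.67.220.220": "OpenDNS", "208.67.222.222": "OpenDNS"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Registry line as it appears in the exported Spybot report.
LINE_RE = re.compile(
    r"\\Tcpip\\Parameters\\Interfaces\\(?P<iface>\{[0-9A-Fa-f-]+\})"
    r"\\(?P<value>(?:Dhcp)?NameServer)=(?P<data>.*)$")

# The two registry lines quoted in the thread.
THREAD_LINES = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{836BA180-D854-471B-BA7B-51351C35DFF1}\NameServer=208.67.220.220,208.67.222.222
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{836BA180-D854-471B-BA7B-51351C35DFF1}\DhcpNameServer=208.67.220.220,208.67.222.222
"""
# Constructed line (not from the thread): a router address plus an unlisted one.
CONSTRUCTED_LINE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}\DhcpNameServer=192.168.1.1 203.0.113.5"

def classify(server):
    """Label one resolver string taken from a NameServer value."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if str(ip) in KNOWN_RESOLVERS:
        return KNOWN_RESOLVERS[str(ip)]
    if ip.is_loopback or any(ip in net for net in RFC1918):
        return "local"  # router or LAN resolver: check the router's DNS too
    return "unknown"

def triage(report_text):
    """Return (interface GUID, value name, resolver, label) per resolver."""
    rows = []
    for line in report_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        # Lists may be comma- or space-separated.
        for server in filter(None, re.split(r"[,\s]+", m["data"])):
            rows.append((m["iface"], m["value"], server, classify(server)))
    return rows

def unknown_resolvers(report_text):
    """Resolvers that are neither allowlisted nor local: look these up first."""
    return sorted({r[2] for r in triage(report_text) if r[3] == "unknown"})
```

An empty result from `unknown_resolvers` only says every flagged address is one you recognise; it does not by itself show that nothing else on the system changed the settings.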

ght1
2008-11-17, 12:21
http://blog.washingtonpost.com/securityfix/2008/06/malware_silently_alters_wirele_1.html :blink: