:oops: Zlob DNSchanger has taken over, hi guys please help

Status
Not open for further replies.

sexy_ladii05

New member
hey guys i know i can't do a man's job lol but can you help me out so a girl like me can figure it out, thanks, use small words please :)
_______________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37:56, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: fdkowvbp - {AE7F9E1E-0A21-46C0-91D9-01F9D1ACB887} - (no file)
O4 - HKLM\..\Run: [One view global this] C:\Documents and Settings\All Users\Application Data\MPEG ELSE ONE VIEW\Third Mapi.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\Program Files\AIM\AIMWDInstall.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [643d5b23] rundll32.exe "C:\WINDOWS\system32\fwgvlrty.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: ttdewk.dll,vuwofs.dll,jouuki.dll nlrybv.dll
O21 - SSODL: mZUCnvnJwQdJ - {643D5B8D-CE97-F127-8EAA-33AA7BB4B098} - C:\WINDOWS\system32\zgj.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4633 bytes
 
i'm new here but this looks like a good forum =]

hey guys i'm kinda new here but i was looking up my problem and people had the same one, but i just want to say thank you in advance. i can't wait for someone to help me with my problem so i can donate some money so people can get more help from you guys. can't wait till someone looks at my problem, thanks for your time, this forum ROCKs :)
 
Hi and welcome :)

What makes you think girls can't do computer stuff?

There's lots of ladies here & several other forums that can do anything on a computer.
When you start thinking you can't do stuff cus you're a lady --- that is when you're giving up on life.
And I won't take 'give up' for an answer to anything or "I cant do it cus I'm a girl" for an answer either. :nono:

You do however have a nasty bunch of infections on that machine. :yuck:
Let's see if we can get things back in order -- shall we?

First we need to find out what version of XP you have.
Home or Pro or Media Center?
Right click "my computer" then "properties"
It will tell you in the general tab.

Let me know please.
Then we can continue.

Thanks :)
 
lol sorry i won't give up, i'm just so frustrated, thanks for replying
here's my information

system:microsoft windows xp
pro
version 2002
service pack 2

registered to:santa

virus alert!

computer:intel pentium lll processor
449 mhz 256 mb ram

is that what you want? and i'm running under safe mode with networking
cause i can't use programs cause of virtual low memory thx =]
 
Thanks :)

I can understand how frustrated this stuff can get.
I was there at one time too.

---------------------

Download this file instead and save it to the desktop:
http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124
Do nothing with it yet.

Once you have that file.....

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Drag the file you downloaded from Microsoft and drop it on top of ComboFix.
Let it run.
Follow prompts from Combofix.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

It will reboot the system. Please try to get back to safe mode so it can finish without Norton interfering.

When the tool is finished, it will produce a report for you.
When the report pops up you can close this & reboot back to normal mode.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt


--Do not mouseclick combofix's window while it's running. That may cause it to stall

--ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
--Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell me.
--Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.


Let me know how the system is running please.
Let me know if you still get memory errors while in normal mode.
We likely will still have work to do.

Thanks :)
 
:sad::sad: oh my god i don't know what's going on, here's what i'm getting for the links you gave me

The requested URL /ComboFix.exe was not found on this server.
Apache/2.0.52 (CentOS) Server at subs.geekstogo.com Port 80

The requested URL /downloads/details.aspx was not found on this server.
Apache/2.0.52 (CentOS) Server at www.microsoft.com Port 80

please don't give up on me please
 
i have combofix now but not the windows program can you help me =]
 
:sad: can you send it on a download link or something? i can't get to it. when i got combofix it didn't bring me to a website, it just said save or open, can you do that too? if you're getting too annoyed with me i'm sorry, i'll wait for someone to help me, i don't want to waste your time =[
 
That's OK..

You're not wasting my time.
If I didn't have time -- I would have had someone else post. :)

The malware is likely blocking you from getting to Microsoft.
We'll try for it next round.

Go ahead & double click Combofix.exe
Let it do its thing.

Don't click in the combofix window while it is running or it might stall.

When it is done please post the report it gives.
If needed -- go back to safe mode to post if you have trouble getting here in normal mode.

Let me know how things are.
Don't do anything else till I reply back please.

Thanks :)
 
i think did something cus now running under normal mode and there's no virtual memory pop up and i can run some programs at the same time
 
i don't have a log :sad: after combofix loads a blue box comes up and says 17 07 08 error please check your settings


please don't give up on me
 
Open My computer then C:\
Look for file called "bug.txt"
If present please copy/paste it back here.

It should tell me or the combofix creator what is wrong or where the program went wrong.

Can you try that microsoft site again please?

http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124

If you can get that file --- go ahead and download it but don't run it.
Just save it to the desktop for now.

Post new Hijackthis log too please.


Thanks :)
 
agh omg i'm just a dum blonde :sad: i can't see nothing and that microsoft don't work

here's a new log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:29, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\AIM\AIMWDInstall.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: fdkowvbp - {AE7F9E1E-0A21-46C0-91D9-01F9D1ACB887} - (no file)
O4 - HKLM\..\Run: [One view global this] C:\Documents and Settings\All Users\Application Data\MPEG ELSE ONE VIEW\Third Mapi.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\Program Files\AIM\AIMWDInstall.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [643d5b23] rundll32.exe "C:\WINDOWS\system32\fwgvlrty.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O21 - SSODL: mZUCnvnJwQdJ - {643D5B8D-CE97-F127-8EAA-33AA7BB4B098} - C:\WINDOWS\system32\zgj.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4918 bytes
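
Comparing the two HijackThis logs posted in this thread by eye is error-prone, so here is an added example (not from the thread and not part of HijackThis) that parses two logs and reports what changed between scans. The function names and the shortened log excerpts are assumptions made for the illustration.

```python
import re

ENTRY = re.compile(r"^([RFO]\d+) - (.+)$")  # e.g. "O4 - HKLM\..\Run: ..."

def parse_hjt(text):
    """Return (boot_mode, running_processes, entries) for one HijackThis log."""
    boot, procs, entries, in_procs = None, set(), set(), False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Boot mode:"):
            boot = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.add(line.lower())   # Windows paths are case-insensitive
        elif in_procs:
            in_procs = False          # blank line ends the process list
        elif (m := ENTRY.match(line)):
            entries.add(m.groups())   # (section code, rest of the line)
    return boot, procs, entries

def diff_logs(before, after):
    """Report what changed between two scans of the same machine."""
    (b_boot, b_procs, b_ent), (a_boot, a_procs, a_ent) = parse_hjt(before), parse_hjt(after)
    return {"boot": (b_boot, a_boot),
            "entries_removed": sorted(b_ent - a_ent),
            "entries_added": sorted(a_ent - b_ent),
            "procs_started": sorted(a_procs - b_procs),
            "procs_stopped": sorted(b_procs - a_procs)}

# Excerpts of the two logs posted in this thread, shortened for the example.
LOG_1 = r"""Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [643d5b23] rundll32.exe "C:\WINDOWS\system32\fwgvlrty.dll",b
O20 - AppInit_DLLs: ttdewk.dll,vuwofs.dll,jouuki.dll nlrybv.dll
O21 - SSODL: mZUCnvnJwQdJ - {643D5B8D-CE97-F127-8EAA-33AA7BB4B098} - C:\WINDOWS\system32\zgj.dll
"""
LOG_2 = r"""Boot mode: Normal

Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [643d5b23] rundll32.exe "C:\WINDOWS\system32\fwgvlrty.dll",b
O21 - SSODL: mZUCnvnJwQdJ - {643D5B8D-CE97-F127-8EAA-33AA7BB4B098} - C:\WINDOWS\system32\zgj.dll
"""
if __name__ == "__main__":
    print(diff_logs(LOG_1, LOG_2))
```

A line that drops out between scans only shows that the log changed; whether the files behind it are gone still has to be checked separately.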
 
Hey! Watch that dum blonde stuff --- I am blonde too!! :laugh:

Can you get Hijackthis to run?
See if you can get it to run & have it create a new log please.

If it wont -- go back to safe mode with networking and try again please.

Thanks :)
 