Zlob.DNSChanger.rtk & Win32.Agent.frl errors from Spybot

Status
Not open for further replies.
S

sinkingmonkey

New member
Hello.
Found these errors while running Spybot.
Didn't see a thread with this combo so I started a new one.
Ran HJT & saved a log.

heres the Spybot log:
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>


And the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:14:13 PM, on 4/25/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\atiisrgl.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\MacOpener\MacName.exe
C:\WINNT\system32\wuauclt.exe
C:\wwrip5\WWRIP.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\MacOpener\MacLic.exe"
O4 - HKLM\..\Run: [frymxins] atiimxgl
O4 - HKLM\..\Run: [fryHighRes] rundll32 atipmogl.dll,DetectHighResMonitor
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: MacName.lnk = C:\Program Files\MacOpener\MacName.exe
O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
O4 - Global Startup: MonacoReminder.lnk = C:\Program Files\Monaco Systems\MonacoOPTIX 2.0\Monaco Reminder.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FGLRYUTIL (FGLRYUtil) - ATI Technologies, Inc. - C:\WINNT\system32\atiisrgl.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\MacOpener\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Miramar AppleTalk File Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE

How deep in it am I?
 
missing Kasperksky log

Oops. forgot the Kasperksky log.
Here:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 11:37:33 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/04/2008
Kaspersky Anti-Virus database records: 728781
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 25343
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:17:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\sflanagan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\sflanagan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\sflanagan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\sflanagan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sflanagan\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat Object is locked skipped
C:\Documents and Settings\sflanagan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sflanagan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\sflanagan\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\APPLS.dat Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\APPLS.idx Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\COMMENTS.dat Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\COMMENTS.idx Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\DISKDB.dat Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\DISKDB.idx Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\FLDIRDB.dat Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\FLDIRDB.idx Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\GRPMEMS.dat Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\GRPMEMS.idx Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\ICONS.dat Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\ICONS.idx Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\USERGRP.dat Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\USERGRP.idx Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\VOLDB.dat Object is locked skipped
C:\Program Files\Miramar\PC MACLAN\VOLDB.idx Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\slpd.log Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{E70F70FE-FC49-4D65-9084-1BC05CFC36FE}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_2b8.dat Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_304.dat Object is locked skipped
C:\WINNT\TempFile Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

The Waiting Room
http://forums.spybot.info/forumdisplay.php?f=37

Have a look at this information:
http://forums.spybot.info/showthread.php?p=184966
If you have Spybot S&D questions, post those here where experts with that tool can help:
http://forums.spybot.info/forumdisplay.php?f=4

Your KOS was clean and your HJT log was out of date. I see nothing in that one, if you want me to look again, provide an up to date HJT log:

Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks
 
latest HJT log

Okay,
After double checking last week, half the prob seems to be that somehow
an older ver. of Spybot was running [even though I recall the IT freelancer
we use installing the newer vers. last time]. So I installed the new vers.
which took care of the error message & ran it , AVG, & the new vers of HJT.

Two questions:
1) Did I accidently double-post, & did that affect contact time, or was it
simply the mind boggling, soul-crushing, carpal-tunnel inducing, volume of posts/work you get?
2)Do I have to start a new threat for any other computers that need to be
checked? or can I post here?

Here's the latest HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:35 AM, on 5/5/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\atiisrgl.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\MacOpener\MacName.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\MacOpener\MacLic.exe"
O4 - HKLM\..\Run: [frymxins] atiimxgl
O4 - HKLM\..\Run: [fryHighRes] rundll32 atipmogl.dll,DetectHighResMonitor
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: MacName.lnk = C:\Program Files\MacOpener\MacName.exe
O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoOPTIX 2.0\MonacoGamma.exe
O4 - Global Startup: MonacoReminder.lnk = C:\Program Files\Monaco Systems\MonacoOPTIX 2.0\Monaco Reminder.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FGLRYUTIL (FGLRYUtil) - ATI Technologies, Inc. - C:\WINNT\system32\atiisrgl.exe
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\MacOpener\FORMATM.EXE
O23 - Service: Miramar AppleTalk File Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE

--
End of file - 4601 bytes
 
1) Contact time varies according to the volunteers who are available. I have seen it run from one to five days which is about normal for free help forums. The link I posted will bring attention to you if it runs beyond four days.

2) To avoid confusion, start a new topic for each computer, make sure to mention that it is a different computer and to read and follow directions.

3) This HJT log is clean of malware but I do have a couple of suggestions.

C:\Program Files\SUPERAntiSpyware\ <<< a good program but it uses many resources to run. If you do not own the prigram and it is there as the result of a "trial" I suggest you uninstall it.

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\ <<< obsolete, and also a resource user, see this:
http://free.grisoft.com/ww.download-avg-anti-spyware-and-anti-rootkit

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
Status
Not open for further replies.
Back
Top