11-02-2008, 01:03 PM   #5
forhockey
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,931
OS: Windows 7 Ultimate


Re: Help Removing Zlob.DNSChanger.rtk

Hi Angor,

Sorry about that..

Please disregard my previous instructions and follow these ones:



Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------
  1. Please download SmitfraudFix to your Desktop. Do not run it yet. We will shortly.

    --------------------------------------------------------------

  2. Restart your computer in Safe Mode
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8
    • Instead of Windows loading as normal, a menu should appear
    • Use the up arrow key to highlight Safe Mode and press Enter.
    • Login with your usual account
    • Once you have logged in, a warning message will appear regarding starting Windows in Safe Mode. Click OK and Windows will load your desktop environment.

    Note: On some systems, this may be the F5 key, so try that if F8 doesn't work.

  3. Double-click on SmitfraudFix.exe to start the tool.

  4. Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.

  5. You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. Reboot into Normal Mode.

  6. The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    --------------------------------------------------------------

    Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215
    O17 - HKLM\System\CS1\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215

    Please remember to close all other windows, including browsers then click Fix checked.

    --------------------------------------------------------------
  7. Next, go to Control Panel and click Display > Desktop > Customize Desktop > Web. Now, uncheck everything and delete if present:
    · "Security Info"
    · "Warning Message"
    · "Security Desktop"
    · "Warning Homepage"
    · "Desktop Uninstall"


    Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.
--------------------------------------------------------------
  1. Double-click on SmitfraudFix.exe to start the tool.

  2. Select option #3 - Delete Trusted zone by typing 3 and press Enter

  3. Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

    Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

--------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix


IMPORTANT: Make sure you install the Recovery Console before running ComboFix.


When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

--------------------------------------------------------------

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis, since the entries may be harmless.
--------------------------------------------------------------

Reply back with the following:
  • C:\rapport.txt
  • C:\ComboFix.txt
  • New HijackThis Log
__________________


Proud Member of ASAP
Proud Member of UNITE


Last edited by forhockey; 11-02-2008 at 01:09 PM.
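
Added example (not part of forhockey's post, and not code from HijackThis or SmitfraudFix): a small Python check that reads a saved HijackThis log and reports any O17 NameServer entry that still lists one of the two resolver addresses quoted in the post, which is a quick way to confirm the "Fix checked" step took effect in every control set. The function name, the separator handling and the two extra sample lines are assumptions made for this example.

```python
import re

# Resolver addresses taken from the O17 entries quoted in the post.
FLAGGED = {"85.255.112.148", "85.255.112.215"}

# Generic O17 shape: "O17 - <registry key>: <value name> = <data>"
O17 = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<data>.*)$")
CONTROL_SET = re.compile(r"\\System\\([^\\]+)\\", re.IGNORECASE)
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def flagged_o17(log_text):
    """Return (control_set, interface, addresses) for each O17 NameServer
    entry that still lists one of the FLAGGED resolvers."""
    hits = []
    for line in log_text.splitlines():
        m = O17.match(line.strip())
        if not m or m["name"].lower() not in ("nameserver", "dhcpnameserver"):
            continue
        # One value can hold several resolvers; accept ; , or spaces (assumed).
        addrs = [a for a in re.split(r"[;,\s]+", m["data"]) if a]
        bad = [a for a in addrs if a in FLAGGED]
        if bad:
            cs = CONTROL_SET.search(m["key"])
            iface = GUID.search(m["key"])
            hits.append((cs.group(1) if cs else "?",
                         iface.group(0) if iface else "(global)", bad))
    return hits


# Constructed sample: the three O17 lines from the post plus two made-up lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215
O17 - HKLM\System\CS1\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215
O17 - HKLM\System\CS2\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.0.2.53
"""

if __name__ == "__main__":
    for cs, iface, bad in flagged_o17(SAMPLE_LOG):
        print(f"{cs} {iface}: still points at {', '.join(bad)}")
```

An empty result on the log saved after the fix means none of the listed entries remain.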