#1  Angor (Registered User; joined Oct 2008; 10 posts; OS: Windows XP SP3)  10-29-2008, 04:57 PM

Help Removing Zlob.DNSChanger.rtk

Yesterday, while performing my regular Spybot scan, three traces of trojans under the name Zlob showed up on my system. The first two were Zlob.DNSChanger.btk and .BTK, while the third was a Zlob.Downloader.bik. I am not sure where I picked these up. I do use P2P programs occasionally, but everything I download I check thoroughly. I was hoping that you guys could tell me how dangerous this is to my system (e.g. how much damage it can do, or is likely to do, if left on) and hopefully how to remove it. Thanks very much. I will be happy to answer any questions.
Attached Files
File Type: txt gmer.txt (29.4 KB, 3 views)
File Type: txt log.txt (52.8 KB, 4 views)
#2  Angor  11-01-2008, 10:53 AM

Bump, please.
#3  forhockey (Analyst, Security Team; Ontario, Canada; joined Sep 2006; 2,930 posts; OS: Windows 7 Ultimate)  11-01-2008, 05:00 PM

Hi Angor and welcome to TSF.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step and that you perform everything in the correct order/sequence.

--------------------------------------------------------------

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com...Fixwareout.exe
  • Save it to your desktop and run it.
  • Click "Next", then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin: Please follow the prompts.
  • You will be asked to reboot your computer: Please do so.
  • Your system may take longer than usual to load and this is normal.
Once the desktop loads, post the text file that opens (report.txt).

--------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix


IMPORTANT: Make sure you install the Recovery Console before running ComboFix.

Reply back with the following:
  • C:\fixwareout\report.txt
  • C:\ComboFix.txt
  • New HiJackThis Log
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
#4  Angor  11-02-2008, 10:08 AM

One major problem: both of your links for FixWareout are not found, and I was unable to locate it elsewhere. What should I do?
#5  forhockey  11-02-2008, 01:03 PM

Hi Angor,

Sorry about that.

Please disregard my previous instructions and follow these ones:

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step and that you perform everything in the correct order/sequence.

--------------------------------------------------------------
  1. Please download SmitfraudFix to your Desktop. Do not run it yet. We will shortly

    --------------------------------------------------------------

  2. Restart your computer in Safe Mode
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8
    • Instead of Windows loading as normal, a menu should appear
    • Use the up arrow key to highlight Safe Mode and press Enter
    • Log in with your usual account
    • Once you have logged in, a warning message will appear regarding starting Windows in Safe Mode; click OK and Windows will load your desktop environment

    Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

  3. Double-click on SmitfraudFix.exe to start the tool.

  4. Select option #2 - Clean by typing 2 and pressing Enter.
    Wait for the tool to complete and for Disk Cleanup to finish.

  5. You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hitting Enter.
    The tool will also check whether wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hitting Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot into Normal Mode.

  6. The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or the partition where your operating system is installed. Please post that log along with all the others requested in your next reply.

    --------------------------------------------------------------

    Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215
    O17 - HKLM\System\CS1\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215
    O17 - HKLM\System\CS2\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215

    Please remember to close all other windows, including browsers then click Fix checked.

    --------------------------------------------------------------
  7. Next, go to Control Panel > Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete, if present:
    · "Security Info"
    · "Warning Message"
    · "Security Desktop"
    · "Warning Homepage"
    · "Desktop Uninstall"

    Also make sure the 'Lock desktop items' box is unticked. Click OK, then click Apply, then OK.
--------------------------------------------------------------
  8. Double-click on SmitfraudFix.exe to start the tool.

  9. Select option #3 - Delete Trusted zone by typing 3 and pressing Enter.

  10. Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hitting Enter.

    Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

--------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix


IMPORTANT: Make sure you install the Recovery Console before running ComboFix.


When finished, it will produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

--------------------------------------------------------------

Double-click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis, since the entries may be harmless.
--------------------------------------------------------------

Reply back with the following:
  • C:\rapport.txt
  • C:\ComboFix.txt
  • New HiJackThis Log

Last edited by forhockey; 11-02-2008 at 01:09 PM.
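The O17 entries above are the DNS changer's persistence: each network interface GUID under Tcpip gets a NameServer value, and the value is present in every control set. CCS is CurrentControlSet, an alias for the control set Windows booted with; CS1 and CS2 are the numbered ControlSet00N copies, one of which is typically the LastKnownGood set. Fixing the line through CurrentControlSet changes only the control set it aliases, which is why a later log in this thread still showed a CS2 entry pointing into the same 85.255.112.x range. The Python script below is an added example, not part of the thread or of HijackThis: it parses O17 lines from a saved HijackThis log, flags every resolver that is not one the caller expects (the expected list is an assumption; use the router's or ISP's addresses), and groups entries by interface so the control sets still carrying the value are visible. The sample log is constructed from the three lines in this thread plus a benign router entry, and the "Parameters" form of the O17 line is assumed as an extra alternative the thread does not show.

```python
"""Flag rogue DNS servers in HijackThis O17 lines.

Added example for this thread; not the thread's own material and not part
of HijackThis or SmitfraudFix. The expected-resolver list is an assumption
supplied by the caller (router or ISP resolver addresses).
"""
import ipaddress
import re

# Shape of an O17 line, e.g.
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4;5.6.7.8
# The adapter-independent "Parameters" form is assumed here as an alternative.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\)?(?P<iface>\{[0-9A-Fa-f-]+\}|Parameters): NameServer = (?P<servers>.+?)\s*$"
)

# Constructed sample log: the three lines from this thread plus a benign
# interface pointing at a home router and an unrelated O4 line.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215
O17 - HKLM\System\CS1\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.148;85.255.112.215
O17 - HKLM\System\CS2\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.11;85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_o17(log_text):
    """Yield {cs, iface, servers} for each O17 NameServer line; other lines are ignored."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[;,\s]+", m.group("servers")) if s]
        yield {"cs": m.group("cs"), "iface": m.group("iface"), "servers": servers}


def find_rogue_dns(log_text, expected_servers):
    """Return (control set, interface, server, reason) for every resolver not in expected_servers."""
    expected = {str(ipaddress.ip_address(s)) for s in expected_servers}
    findings = []
    for entry in parse_o17(log_text):
        for server in entry["servers"]:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append((entry["cs"], entry["iface"], server, "not an IP address"))
                continue
            if str(addr) not in expected:
                scope = "private-range" if addr.is_private else "public"
                findings.append((entry["cs"], entry["iface"], server, f"unexpected {scope} resolver"))
    return findings


def control_sets_by_interface(log_text):
    """Group configured resolvers per interface GUID across control sets.

    A fix applied through CurrentControlSet only changes the control set it
    aliases; this view shows which numbered copies still carry the value.
    """
    report = {}
    for entry in parse_o17(log_text):
        report.setdefault(entry["iface"], {})[entry["cs"]] = entry["servers"]
    return report


if __name__ == "__main__":
    for finding in find_rogue_dns(SAMPLE_LOG, {"192.168.1.1"}):
        print("rogue DNS:", *finding)
    for iface, sets in control_sets_by_interface(SAMPLE_LOG).items():
        print(iface, sets)
```

Run it against a real log by passing the file contents and your own resolver addresses; every finding names the control set, so after "Fix checked" and a reboot you can re-run it and confirm that no numbered control set still lists the rogue servers.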
#6  Angor  11-02-2008, 03:06 PM

Followed instructions up to ComboFix, which is also not found. Sorry, what now?
#7  Angor  11-02-2008, 04:24 PM

Okay, I found ComboFix elsewhere but was unable to install the Recovery Console. Regardless, I proceeded, and here are the logs.
Attached Files
File Type: txt rapport.txt (263.7 KB, 2 views)
File Type: txt combofix.txt (16.5 KB, 1 views)
File Type: txt hijackthis.txt (5.1 KB, 1 views)
#8  forhockey  11-02-2008, 07:23 PM

That's strange. The link to the ComboFix guide works for me. Whereabouts did it break down for you?

Let's continue on with your fix.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

O17 - HKLM\System\CS2\Services\Tcpip\..\{4ADACCDD-62B5-449D-B840-AC994C684D6F}: NameServer = 85.255.112.11;85.255.112.93

Please remember to close all other windows, including browsers then click Fix checked.

--------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bed46197-a540-11dd-a4a8-0017315276a8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
Save the file as "delete.reg" (with the quotes), choosing "Save as type: All Files".

Double-click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------

Establish an internet connection and perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real-time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------

Please run HiJackThis again and post the resulting log.

Also, please update me on how your system is behaving
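Merging a .reg file is a write into the registry with no undo beyond the export taken just before it, so it is worth checking the file before double-clicking it. The Python script below is an added example, not part of the thread: it parses the REGEDIT4 format (a header line, then [KEY] or [-KEY] headers followed by value lines), confirms the header is present (regedit refuses a file without one, which is why the post insists on copying REGEDIT4), and confirms that every key is a deletion under the one MountPoints2 path the thread's file targets. A key anywhere else, or a line that would write a value, is reported instead. The allowed prefix and the second, rejected sample file are constructed for the example, and build_delete_script shows how to produce such a file with the header and CRLF line endings in place.

```python
"""Audit a REGEDIT4 (.reg) script before merging it into the registry.

Added example for this thread, not the thread's own material. ALLOWED_PREFIX
is an assumption chosen to match the file posted in the thread; BAD_REG is a
constructed counter-example.
"""
import re

# regedit accepts either header; the thread uses REGEDIT4.
ACCEPTED_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_LINE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")

ALLOWED_PREFIX = (
    r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2"
)

# The script from the thread, reproduced as sample input.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bed46197-a540-11dd-a4a8-0017315276a8}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
"""

# Constructed counter-example: no header, and it adds a Run value instead of
# deleting MountPoints2 keys. Merging it would create a startup entry.
BAD_REG = r"""[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"updater"="C:\\example\\updater.exe"
"""


def audit_reg_script(text, allowed_prefix=ALLOWED_PREFIX):
    """Return {"deletions": [keys], "problems": [messages]}; merge only if problems is empty."""
    lines = text.splitlines()
    problems, deletions = [], []
    start = 0
    if lines and lines[0].strip() in ACCEPTED_HEADERS:
        start = 1
    else:
        problems.append("line 1: missing REGEDIT4 header; regedit will not merge the file")
    current_key = None
    prefix = allowed_prefix.lower().rstrip("\\")
    for n, raw in enumerate(lines[start:], start=start + 1):
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            key_l = current_key.lower()              # registry key names are case-insensitive
            if not (key_l == prefix or key_l.startswith(prefix + "\\")):
                problems.append(f"line {n}: key outside allowed prefix: {current_key}")
            elif not m.group("minus"):
                problems.append(f"line {n}: creates or modifies a key instead of deleting it: {current_key}")
            else:
                deletions.append(current_key)
            continue
        # Anything else is a value assignment; a pure deletion script has none.
        owner = current_key or "<no key>"
        problems.append(f"line {n}: value line under {owner}; a deletion-only script should have none: {line}")
    return {"deletions": deletions, "problems": problems}


def build_delete_script(keys):
    """Produce a REGEDIT4 script that only deletes the given keys (CRLF, blank-line separated)."""
    body = "\r\n\r\n".join(f"[-{k}]" for k in keys)
    return "REGEDIT4\r\n\r\n" + body + "\r\n"


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_REG), ("bad", BAD_REG)):
        result = audit_reg_script(text)
        print(name, "deletes", len(result["deletions"]), "key(s); problems:", result["problems"])
```

Paste the contents of delete.reg into audit_reg_script before merging; an empty problems list and exactly the three expected MountPoints2 keys in deletions is the condition for double-clicking the file.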
#9  Angor  11-02-2008, 08:50 PM

OK, I'll start at the beginning. I originally found the Zlob trojan after an alert by my Warcraft launcher that stated I was carrying something along the lines of a Win32.Agent "variant". Although I scanned with AVG 8 Free, I didn't pick up anything. I found Zlob with Spybot Search and Destroy (three traces). About 2 days after finding the trojan, my AVG started picking up other forms of trojans and worms. (I'm assuming it is the result of the first trojan, although I am no expert.) My computer seems to be operating normally. The only strange thing I have noticed is that my Resident Shield on AVG 8, after I turned it off to do one of the scans as directed, has become inactive when turned back on and will not stay active. Interestingly, my portable hard disk, which I run various programs off (it's always connected), seems to be infected with a worm according to the latest scans. That's it, I think.

(The Kaspersky txt is still an HTML file, sorry.)
Attached Files
File Type: txt hijackthis.txt (4.9 KB, 1 views)
File Type: txt kapersky.txt (4.2 KB, 1 views)

Last edited by Angor; 11-02-2008 at 08:52 PM.
#10  forhockey  11-03-2008, 04:33 PM

Hi Angor,

Your logs look great. The SmitfraudFix entries are false positives; those are the tools used to clean your computer. Do you know what the I drive is? It looks like another installation of Windows. Clearing the restore points can flush this virus out.

For your AVG 8 not enabling: have you tried right-clicking on the icon by the clock for the shield and selecting Resume Protection? (I'm not sure of the exact wording, but normally there is an option to re-enable its shield protection.)

Is this the trial version of AVG 8?

Last edited by forhockey; 11-03-2008 at 04:34 PM.
#11  Angor  11-03-2008, 05:39 PM

I just scanned with both AVG 8 and Spybot. Neither one came up with any results. Should I be worried, since the Kaspersky scan came up with some infections? (Oh, drive I is a portable hard drive I have connected.)
#12  forhockey  11-03-2008, 07:06 PM

Everything looks good, but please verify for me whether the following folders are still present.

Please make sure you carry out the following to reveal any hidden folders.

Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab then select Show all files in the Hidden files section. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

--------------------------------------------------------------

Now look for the following folders, and delete them if they exist:

I:\resycled *** ONLY DELETE THIS NAME *** If it doesn't match then leave it alone.

J:\resycled *** ONLY DELETE THIS NAME *** If it doesn't match then leave it alone.


Is the J drive also a portable hard drive?

Last edited by forhockey; 11-03-2008 at 07:09 PM.
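The MountPoints2 keys deleted earlier in the thread and the resycled folder asked about here both concern the portable drive: MountPoints2 is where Explorer caches per-volume shell data, including what it learned from a volume's autorun.inf, and an odd folder in a drive root is where that kind of infection keeps its payload. The Python script below is an added example, not the thread's own material. It audits a drive root the way the post asks: it reports only a top-level folder whose name is exactly resycled (case-insensitive, as FAT and NTFS names are), leaves the legitimate Recycled and RECYCLER folders alone, and, as an assumption the thread does not state, reads any autorun.inf in the root to show what its [autorun] open= line would launch, since that is how removable-media malware of the period started on Windows XP. The script reports and never deletes; demo() builds a constructed drive layout in a temporary directory, with an invented launcher filename, to run against.

```python
"""Audit a removable drive root for the "resycled" folder and an autorun.inf.

Added example, not from the thread. Only the folder name comes from the
thread; the autorun.inf handling is an assumption, and demo() uses a
constructed layout with an invented launcher filename.
"""
import os
import tempfile
from pathlib import Path

SUSPECT_DIR = "resycled"   # the name the thread says to match exactly


def find_suspect_dirs(root):
    """Names of top-level folders whose name is exactly SUSPECT_DIR, ignoring case."""
    return sorted(p.name for p in Path(root).iterdir()
                  if p.is_dir() and p.name.lower() == SUSPECT_DIR)


def autorun_target(root):
    """The command autorun.inf would run ([autorun] open= or shellexecute=), or None."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    in_autorun = False
    # Tolerant line parser: such files often carry junk bytes, so read them
    # as latin-1 instead of relying on a strict INI parser.
    for raw in inf.read_text(encoding="latin-1", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                return value.strip()
    return None


def audit_drive(root):
    """Report suspect folders and whether autorun.inf launches out of one of them."""
    suspects = find_suspect_dirs(root)
    target = autorun_target(root)
    first_component = None
    if target:
        first_component = target.replace("/", "\\").lstrip("\\").split("\\")[0].lower()
    return {
        "suspect_dirs": suspects,
        "autorun_target": target,
        "autorun_points_into_suspect": bool(target) and first_component in {s.lower() for s in suspects},
    }


def demo(infected=True):
    """Build a constructed drive layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "Recycled"))           # legitimate Windows folder, must be ignored
        os.mkdir(os.path.join(d, "resycled_old"))       # near-miss name, must be ignored
        if infected:
            os.mkdir(os.path.join(d, "resycled"))       # the folder the thread asks about
            with open(os.path.join(d, "autorun.inf"), "w", encoding="latin-1", newline="") as f:
                # Constructed content; "launcher.exe" is invented for the example.
                f.write("[autorun]\r\nopen=resycled\\launcher.exe\r\n"
                        "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n")
        return audit_drive(d)


if __name__ == "__main__":
    print("infected layout:", demo(infected=True))
    print("clean layout:   ", demo(infected=False))
```

On a real machine call audit_drive("I:\\") with hidden files shown as the post describes; if autorun_points_into_suspect is true, the folder is the payload and the autorun.inf beside it is what re-launches it on every insertion, so both belong in the decision about what to remove.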
#13  Angor  11-04-2008, 03:59 PM

They are not present. This is probably due to the fact that I completely erased the disk and partitioned it into two different disks (I and J). I did this to gain the rest of the available space on it, as over half of it was formatted for an Apple computer (from a time when I was into Hackintoshes).
#14  forhockey  11-04-2008, 04:58 PM

Well done, your logs are clean! There are just a few more things I would like you to do.


The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type, the following text into the Run box and click OK:

ComboFix /u

----------------------------------------------------------------

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Here is an installation guide -> http://www.techsupportforum.com/cont...ticles/63.html
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that restricts known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls


Informational Reading

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:
Please respond to this thread one more time so we can mark this thread as resolved.
#15  Angor  11-04-2008, 09:09 PM

Thank you very much for all your help. I will certainly make use of these resources. This saved me lots of stress and money.
#16  forhockey  11-05-2008, 04:56 PM

It was my pleasure. Safe surfing :)