# zlob.dnschanger infection weird firewall hits

## H8allmalware (Dec 6, 2007)

Hi. I'm going to try and start from the start here. 

Yesterday I was on the "family computer" and when I clicked on links brought up from a google search, they were redirecting me to "daytotals.com" and sometimes other sites. 

So I did a Spybot S&D scan and found zlob.dnschanger.com.

Spybot was unable to delete it, and I spent around 20 hours researching it and trying fixes suggested by various people. 

None of them worked, so at this point I'm content to back up the crucial data from that computer, wipe it with Darik's Boot and Nuke and start over. 

Anyway, onto the reason for my post: 

Our internet is DSL, and our computers (three, sometimes four) are behind a Linksys router which dials the connection and assigns them internal IP addresses (192.168.1.xxx). This way we don't have to screw with logging in through the ISP's software on our computers, etc. 

All the firewall functionality is turned on in the router, so normally we get very, very few hits in our software firewall logs (one computer is using ZoneAlarm, another is using Comodo). Mainly just an occasional hit from the ISP or from the router, virtually nothing from the internet at large. 

But today I turned on my computer and looked in my firewall logs, and noticed all kinds of hits from other computers in the house. They're pretty much all from 192.168.1.xxx to 192.168.1.255, UDP to ports 138 and 137. 

I read about this and it LOOKS benign; what I've read talked about NetBIOS and domain name resolution, blah blah blah...

But here's the thing: 

This was not happening until really recently, within the past couple of weeks. There were no hits like this recorded in the Comodo log or the ZoneAlarm log. And nothing has intentionally changed on the computers now sending out these broadcasts. 

My understanding is that with 255 on the end of 192.168.1 it becomes a broadcast address, and sends it out to every computer on the subnet. 

And I don't understand why, seemingly all of a sudden (unless my firewall just spontaneously decided to start logging it, without my changing any settings on it), these computers would start broadcasting stuff to every other computer in our house. 

I did a lot of research about zlob.dnschanger, and I found a lot of information, but it was all pretty vague. I'm assuming it has a lot of variants or something because it seems to manifest in different ways for different people.

But basically, it's a really nasty trojan that possibly among other things tries to download other nasty garbage to the infected machine. 

So my fear is that these new mysterious firewall hits could be related to the zlob infection. I only discovered it yesterday, but I have no way of knowing how long it could've been on the infected computer. From what I read it isn't a worm, but maybe it downloaded a worm or some other crap which spread itself to other computers here, or something like that.

So that's my fear. 

My HOPE is that there is some other, benign explanation for this. 

I have recently had to reset the router and change the settings back to what they were. I believe they are exactly as they were before (when these entries were not showing up in any of our firewall logs). I've looked at them over and over again, but I am NOT a networking guy, so maybe there's something I missed. Is there some way it could be misconfigured that could cause this? 

Can anyone think of a benevolent/non-malicious reason for this to start happening all of a sudden? 

And if not, what seems likely to be the cause? And what should be done about it?

I don't understand why any of these computers would suddenly start broadcasting NetBIOS stuff to every computer here all of a sudden when they weren't before... And between the zlob infection and this, I'm going a little mad.

Thank you.
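The post above boils down to two questions a defender can check mechanically: is 192.168.1.255 really the broadcast address of the LAN, and which of the logged entries are plain NetBIOS broadcast chatter (UDP to 137/138 at the broadcast address) versus something that deserves a closer look. The following script is an added example, not code from the original post or from any of the tools it names; it parses constructed sample log lines in a made-up "proto src:port -> dst:port" format, and the subnet (192.168.1.0/24) and the expected DNS resolver (the router at 192.168.1.1) are assumptions. It goes slightly beyond the post by also flagging DNS traffic sent to a resolver other than the expected one, which is the kind of change a DNS-changing trojan would introduce.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log lines (not taken from the thread).
SAMPLE_LOG = """\
UDP 192.168.1.101:137 -> 192.168.1.255:137
UDP 192.168.1.101:138 -> 192.168.1.255:138
UDP 192.168.1.103:137 -> 192.168.1.255:137
UDP 192.168.1.103:138 -> 192.168.1.255:138
TCP 192.168.1.103:49152 -> 192.168.1.102:445
UDP 192.168.1.103:1034 -> 203.0.113.5:53
"""

# Assumption: the router is the only resolver the LAN should be talking to.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}


def broadcast_of(subnet):
    """Directed broadcast address of a subnet, e.g. 192.168.1.0/24 -> 192.168.1.255."""
    return str(ipaddress.ip_network(subnet).broadcast_address)


def parse_line(line):
    """Parse one 'PROTO src:port -> dst:port' line into a dict."""
    proto, rest = line.split(maxsplit=1)
    src, dst = rest.split("->")
    src_ip, src_port = src.strip().rsplit(":", 1)
    dst_ip, dst_port = dst.strip().rsplit(":", 1)
    return {
        "proto": proto,
        "src": ipaddress.ip_address(src_ip),
        "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_ip),
        "dport": int(dst_port),
    }


def classify(entry, lan):
    """Bucket an entry relative to the LAN subnet."""
    if (entry["dst"] == lan.broadcast_address and entry["proto"] == "UDP"
            and entry["dport"] in (137, 138)):
        # NetBIOS name service / datagram service to the broadcast address:
        # routine Windows name resolution and browse-list chatter on a LAN.
        return "netbios-broadcast"
    if entry["dst"] not in lan and entry["dport"] == 53 \
            and entry["dst"] not in EXPECTED_RESOLVERS:
        # DNS going somewhere other than the expected resolver.
        return "dns-unexpected-resolver"
    if entry["src"] in lan and entry["dst"] in lan:
        return "lan-unicast"   # host-to-host inside the LAN; review if unexpected
    if entry["dst"] not in lan:
        return "outbound"      # leaves the LAN; review destination and port
    return "other"


def triage(log_text, subnet="192.168.1.0/24"):
    """Return (category counts, lines that are not routine NetBIOS broadcasts)."""
    lan = ipaddress.ip_network(subnet)
    counts = Counter()
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        category = classify(parse_line(line), lan)
        counts[category] += 1
        if category != "netbios-broadcast":
            flagged.append((category, line))
    return dict(counts), flagged


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    print("broadcast address:", broadcast_of("192.168.1.0/24"))
    print("counts:", counts)
    for category, line in flagged:
        print(f"[{category}] {line}")
```

The broadcast entries are expected whenever Windows machines share a subnet; the entries worth following up are the ones the script leaves in `flagged`, especially DNS queries to a resolver nobody configured.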


----------



## Guest (Dec 9, 2007)

Hi H8allmalware and welcome to TSF.

It has come to my attention that you show the symptoms of a malware issue. I and this forum are not specifically trained in the removal of malware so I will now teach you the steps to transfer your case to the Hijackthis Log Help Forum. Follow the steps in this link: *(Updated!) IMPORTANT - Read This Before Posting A Log* and post your results in the *Hijackthis Log Help Forum*. Follow the steps to the best of your ability and if you have an issue with one of the steps then include information on it with your new topic. Please give time as our analysts are very busy working with cases and other forum things.
