So I just downloaded avast, and to date I am very pleased with this program. However, after a full system scan and re-boot scan I was notified that I have the following virus “Win32.DNSChanger VJ.Trj.”
I noticed many threads dealing with this topic and instead of following directions meant for others, I figured I would reach out for my own situation. The file that is constantly under attack is C:\Windows\assembly\tmp\u\80000032.@. Also like any others, I cannot turn on my windows firewall and I was getting the website re-direct as well on google searches. I recently downloaded the Malwarebytes Anti-Malware software. However, I do not have the log on me because I am contacting you from my work computer.
Any assistance would be greatly appreciated. I have a Windows 7 software on the computer. I have been dealing with this virus for about two weeks and I have had enough and would like to get some normalcy back to my computer.
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.
Here are the logs. I haven’t received any other alerts from avast yet. The windows firewall is still down and it won’t allow me to turn it on. Before I sent the initial post, I let avast do the scan during the re-boot and a lot of files were deleted or sent to chest. If memory recalls the assembly files was one of them as well as some java files.
Essexboy should be back on-line around 7pm UK time (now just after 3:30pm) and will take a look at the logs.
Whilst the aswMBR shows “20:42:29.462 Disk 0 unknown MBR code” this could be either OK or bad as some malware will change the MBR code and in other cases if you have say a Dell or HP, etc. they could be set up with a custom MBR code. This would allow you to access their recovery console and/or recovery partition.
Do you have a Dell, HP or other manufacturer's system where this might be the case (if so what is the manufacturer)?
The OTL logs will need to be analysed by someone familiar with the output.
I have an HP laptop. I have tried the system recovery before and it won’t let me. Ever since I did the avast scan on re-boot, and a lot of the files were deleted I haven’t gotten the pop up notification. Also note many of the files came up as error when avast attempted to repair them so deletion was the only solution.
In regards to the windows firewall, I kept getting an error 1068 notification. When I try turning it on, it pops up and tells me to turn on manually; however, I can't do that either.
That could be the cause of the unknown MBR, e.g. it is a custom MBR. So you have to take care with this custom MBR or you could end up blocking access to your recovery console.
If you use tools that can change the MBR back to a default one you would lose that access or if malware changed it, that too could block the access to the HP recovery console. So this one will have to be approached with care by a malware removal specialist.
However, I do notice lots of references in the extras.txt to AVG 2011 and 2012 and “NIS” = Norton Internet Security, do you still have these installed?
I see lots of references to AVG and Symantec running services in the otl.txt.
Having two resident anti-virus scanners installed is one too many and not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
If you have NIS installed that has a firewall and would disable the windows one.
Having two resident anti-virus scanners installed is one too many and not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
and in this case it seems to be three..... may be a new forum record ;D
The norton anti-virus came with the laptop but it isn’t on, also I had AVG on the laptop but I un-installed it thru Control Panel, since I was not very pleased with it. The only one active is avast. I definitely think it was the malware that blocked it, since the computer would then automatically restart after failure in the recovery mode.
In regards to the firewalls, they all say off. When I try turning the windows one on, I get the error 1068 and I also get this error: “Could not load file or assembly ‘sorttbls.nlp’ or one of its dependencies. The system cannot find the file specified.”
I know the Trojan virus was attached to that assembly file.
The norton anti-virus came with the laptop but it isn't on, also I had AVG on the laptop but I un-installed it thru Control Panel, since I was not very pleased with it.
you can't just turn off....you need to remove...using the removal tool in my post above, run and reboot......AVG tool and Symantec/Norton tool
You need to uninstall it and Norton can be a bit of a pig to remove so you may need its removal tool also.
A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs: Removing your Norton program using SymNRT
There is also an AVG removal tool:
Ensure that all remnants of AVG are gone - AVG8.x (or higher) Remover, download tool from here, http://www.avg.com/us-en/utilities there is a 32-bit and a 64-bit Windows version, ensure you use the correct one.
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
I am trying to post my combofix log but I am getting this message…c:Program Files(x86)\Internet Explorer\iexplore.exe Illegal operation attempted on a registry key that has been marked for deletion.
Internet explorer is the only browser I have on my comp. What do I do now if I can’t get online?