Avast WEBforum
Other => Viruses and worms => Topic started by: MikeMello on October 27, 2011, 05:41:52 PM
-
Good Afternoon,
So i just downloaded avast, and to date i am very pleased with this program. However, after a full system scan and re-boot scan I was notified that I have the following virus "Win32.DNSChanger VJ.Trj."
I noticed many threads dealing with this topic and instead of follow directions meant for others i figured i would reach out for my own situation. The file that is constantly under attack is C:\Windows\assembly\tmp\u\80000032.@. Also like any others, I can not turn on my windows firewall and I was getting the website re-direct as well on google searches. I recently downloaded the Malwarebytes Anti-Malware software. However, I do not have the log on me because I am contacting you from my work computer.
Any assistance would be greatly appreciated? I have a Windows 7 software on the computer. I have been dealing with this virus for about two weeks and I have had enough and would like to get some normalcy back to my computer.
-
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0) for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.
-
Monitoring
-
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8021
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
10/27/2011 8:53:20 PM
mbam-log-2011-10-27 (20-53-20).txt
Scan type: Quick scan
Objects scanned: 216705
Time elapsed: 11 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Files Infected:
c:\Users\mike mello\AppData\Local\Temp\0.4163051563216281.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
c:\Users\mike mello\AppData\Local\Temp\jgd.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
-
You need to continue with process outlined in the link that I gave as MBAM hasn't dealt with the areas mentioned by the avast alerts.
Whilst these MBAM detections appear to be related to the zero access infection that the avast alerts and location are related, it may not be al of it.
Are you still getting the avast alerts (or any other symptoms, if so what) ?
-
Here are the logs. I haven't received any other alerts from avast yet. The windows firewall is still down and it won't allow me to turn it on. Before I sent the initial post, I let avast do the scan during the re-boot and alot of files were deleted or sent to chest. If memory recalls the assembly files was one of them as well as some java files.
-
Essexboy should be back on-line around 7pm UK time (now just after 3:30pm) and will take a look at the logs.
Whilst the aswMBR shows "20:42:29.462 Disk 0 unknown MBR code" this could be either OK or bad as some malware will change the MBR code and in other cases if you have say a Dell or HP, etc. they could be setup with a custom MBR code. This would allow you to access their recovery console and or recovery partition.
Do you have a Dell, HP or other manufactures system where this might be the case (if so what is the manufacturer) ?
The OTL logs will need to be analysed by someone familiar with the output.
-
I have an HP laptop. I have tried the ystem recoery before and it won't let me. Ever since I did the avast scan on re-boot, and alot of the files were deleted I haven't gotten the pop up notification. Also note many of the files came up as error when avast attempted to repair them so deletion was the only solution.
In regards to the windows firewall, i kept getting an error 1068 notification. When I try turning it on, it pops up and tells me to turn on manually; however, i cant do that either.
-
also your Malwarebytes was not updated when you run it, so you may update and run a new quick scan..
if anything is found post new log
-
I have an HP laptop. I have tried the ystem recoery before and it won't let me. Ever since I did the avast scan on re-boot, and alot of the files were deleted I haven't gotten the pop up notification. Also note many of the files came up as error when avast attempted to repair them so deletion was the only solution.
In regards to the windows firewall, i kept getting an error 1068 notification. When I try turning it on, it pops up and tells me to turn on manually; however, i cant do that either.
That could be the cause of the unknown MBR, e.g. it is a custom MBR. So you have to take care with this custom MBR or you could end up blocking access to your recovery console.
If you use tools that can change the MBR back to a default one you would lose that access or if malware changed it, that too could block the access to the HP recovery console. So this one will have to be approached with care by a malware removal specialist.
However, I do notice lots of references in the extras.txt to AVG 2011 and 2012 and "NIS" = Norton Internet Security, do you still have these installed ?
I see lots of references to AVG and Symantec running services in the otl.txt
Having two resident anti-virus scanners installed is one too many and not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
####
If you have NIS installed that has a firewall and would disable the windows one.
-
Having two resident anti-virus scanners installed is one too many and not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
and in this case it seem to be tree.....may be new forum record ;D
Uninstallers for Security Software
http://thewebatom.net/uninstallers/security-software/
-
The norton anti-virus came with the laptop but it isn't on, also I had AVG on the laptop but I un-installed it thru Control Panel, since I was not very pleased with it. The only one active is avast. I definitely think it was the malware that blocked it, since the computer would then automatically restart after failure in the recovery mode.
In regards to the firewalls, they all say off. When I try turning the windows one on, i get the error 1068 and i also get this error "Could not load file or assembly 'sorttbls.nlp' or one of its dependencies. The system cantnot find the file specified.
I know the Trojan virus was attached to that assembly file.
-
The norton anti-virus came with the laptop but it isn't on, also I had AVG on the laptop but I un-installed it thru Control Panel, since I was not very pleased with it.
you cant just turn off....you need to remove...using the removal tool in my post above, run and reboot......AVG tool and Symantec/Norton tool
Never install two antivirus (see reply from quietman7)
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638
-
The norton anti-virus came with the laptop but it isn't on, also I had AVG on the laptop but I un-installed it thru Control Panel, since I was not very pleased with it. The only one active is avast. I definitely think it was the malware that blocked it, since the computer would then automatically restart after failure in the recovery mode.
In regards to the firewalls, they all say off. When I try turning the windows one on, i get the error 1068 and i also get this error "Could not load file or assembly 'sorttbls.nlp' or one of its dependencies. The system cantnot find the file specified.
<snip>
You need to uninstall it and Norton can be a bit of a pig to remove so you may need its removal tool also.
A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039)
There is also an AVG removal tool:
Ensure that all remnants of AVG are gone - AVG8.x (or higher) Remover, download tool from here, http://www.avg.com/us-en/utilities (http://www.avg.com/us-en/utilities) there is a 32bit and 64 bit windows version, ensure you use the correct one.
Also see http://thewebatom.net/uninstallers/security-software/ (http://thewebatom.net/uninstallers/security-software/), this has a collection of manufactures removal tools, so that should remove any remnants, registry, etc.
-
Hi there are still remnants so I will need to run combofix, this should also resolve the Firewall problem
[2011/10/26 00:28:57 | 000,001,536 | ---- | M] () -- C:\Windows\assembly\tmp\U\00000001.@
[2011/10/26 00:28:57 | 000,001,024 | ---- | M] () -- C:\Windows\assembly\tmp\U\00000004.@
[2011/10/08 19:45:11 | 000,002,560 | ---- | M] () -- C:\Windows\assembly\tmp\U\000000c0.@
[2011/10/03 22:54:36 | 000,001,024 | ---- | M] () -- C:\Windows\assembly\tmp\U\000000cb.@
[2011/10/03 23:10:38 | 000,001,536 | ---- | M] () -- C:\Windows\assembly\tmp\U\000000cf.@
[2011/10/03 22:54:36 | 000,001,024 | ---- | M] () -- C:\Windows\assembly\tmp\U\80000000.@
[2011/10/26 00:28:58 | 000,017,408 | ---- | M] () -- C:\Windows\assembly\tmp\U\80000004.@
[2011/10/26 00:28:58 | 000,041,984 | ---- | M] () -- C:\Windows\assembly\tmp\U\80000064.@
[2011/10/03 22:54:36 | 000,001,024 | ---- | M] () -- C:\Windows\assembly\tmp\U\800000c0.@
[2011/10/03 22:54:36 | 000,001,024 | ---- | M] () -- C:\Windows\assembly\tmp\U\800000cb.@
[2011/10/03 22:54:36 | 000,001,024 | ---- | M] () -- C:\Windows\assembly\tmp\U\800000cf.@
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
I am trying to post my combofix log but I am getting this message...c:Program Files(x86)\Internet Explorer\iexplore.exe Illegal operation attempted on a registry key that has been marked for deletion.
Internet explorer is the only browser I have on my comp. What do i do now if I can't get online?
BTW I am responding from my phone
-
Try a Reboot your system again, on occasion combofix hasn't released a registry key after its clean-up.
-
What David said ;D
-
I do pick up the odd thing that you post ;D
-
Here is the log
-
What are your current problems - any more alerts ?
-
no more alerts about viruses however i still can not turn on my windows firewall. I am getting an error 0x6d9
-
What firewalls have you had on this system before ?
Download and run the MSFixit from this page
http://support.microsoft.com/mats/windows_firewall_diagnostic/en-us
-
Well I had AVG and Norton Firewalls on the computer when the programs were on there. It appears now that the only firewall on the laptop is windows. However, I downloaded and ran the link in the previous post and it was not able to fix the firewall issue of windows firewall not starting.
-
OK you will need to run the uninstall programmes for both of those and then retry the msfixit
http://www.avg.com/us-en/utilities
https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?lg=english&ct=united+states&docid=20080710133834EN&product=home&version=1&pvid=f-home
-
i uninstalled both programs and ran the msfixit and still getting a message saying Windows Firewall service is not starting.
-
OK lets run SFC
From the start menu select :
All Programs
Accessories
Right click Command Prompt and selec run as Administrator
In the Black box that opens type SFC /Scannow
Let windows do its thing and then reboot
-
I ran the SFC and it said that windows did not find any integrity violations. I rebooted the computer and after doing so, Windows Firewall still does not turn on.
-
Download Windows Repair (all in one) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
Install the programme then run
Go to step 2 and allow it to run Disc check
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture3.gif)
Once that is done then go to step 3 and allow it to run SFC
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.gif)
On the start repairs tab select advanced mode and click start
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture1.gif)
Select the items in the red surround (remove the ticks from the rest ) and tick restart system when finished
-
I ran the program and i am still getting tbe message "Action Center can not turn on windows firewall"
-
I would like you to try this:
1. Click Start Menu and in the Instant Search type "cmd" once it appears right-click and choose Run as administrator.
Security note: If UAC is enabled, then you’ll get a UAC prompt on screen. Please specify credentials or permission to pass the UAC elevation.
2. In the command prompt type Netsh firewall set opmode enable and press Enter.
The above command-line based input is to re-enable the Windows® Firewall.
-
The message I am getting is:
IMPORTANT: "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
The service has not been started
-
Could you go to control panel > Admin tools > services
Locate Windows Firewall
Right click and ensure it is set to automatic and is started - If not set it to be that
Then select the dependencies tab and let me know of any errors there
-
I clicked start and mid-way during the start i received this message.
Windows could not start the windows firewall on local computer. For more information, review the system event log. If this is a non-Microsoft service, conact the service vendor, and refer to service-specific error code 1753
-
Try the MSFixit here and let me know the result http://support.microsoft.com/kb/943996
-
Nothing changed, The windows firewall is unable to start and then once it is done the program wants me to go to some troubleshooter to find addtional ways to fix the issue
-
OK lets reregister the necessary elements
Perform the following steps and update the computer:
1. Click Start, type Notepad in the Start Search box, and then click Notepad in the Programs list.
2. Copy the following text, and then paste the text into Notepad:
sc config wuauserv start= auto
sc config bits start= auto
sc config DcomLaunch start= auto
net stop wuauserv
net start wuauserv
net stop bits
net start bits
net start DcomLaunch
Click File, click Save As, and then type Repair.bat.
3. In the Save as type box, click All Files (*.*).
4. In the Save in box, click Desktop, and then click Save.
5. On the File menu, click Exit.
6. Right -click the Repair.bat file that you saved in step 5, and then click Run as administrator. This action starts the required services. If you are prompted for an administrator password or confirmation, type the password, or click Continue.
Try enabling the firewall after these steps.
-
still nothing. I did notice that during the command prompt...dcomlaunch failed and it said access denied
-
Go to control panel > administrative tools > Services and ensure that the dcom launcher is started.
If it isn't then put it to auto start and try again
-
The DCOM Launcher is started but Firewall still will not turn on.
-
Could you right click on dcom and see what dependencies are running
-
I noticed there was a long list of dependencies but Windows Firewall was not there...should I list all of them for you?
-
No need because if any were broken it would show
Ok next trick
Please run "services.msc", stop "Windows Event Controller" service first, then make sure "Base Filtering Engine" service is started.
In the Start Menu type devmgmt.msc, and open Device Manager. On the View tab, choose "Devices by connection" and put a check next to "Show hidden devices". Look for Windows Firewall Authorization Driver (it will have a gold gear icon).Double-click that, and on the Driver tab, make sure the Startup type is set to "Demand".
Then start "Windows Firewall" service.
-
I did all the steps and when I get upto the part of starting the Windows Firewall, I am getting this message "Action Center can't turn on Windows Firewall"
-
Could you run windows repair again (there is an update - so download and install that)
Then select the elements as below
-
action center still preventing the firewall turning on
-
Lets check the registry key
Run OTL and copy/paste the following into the custom scans and fixes box
Then press run scan
HKLM\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy /s
-
Here you go.
-
Hmm that area looks correct
I will have to do some rummaging
-
WIN 7 firewall service also needs RPC. Since DCOMLaucher failed, I assume there is an issue with RPC since DCOMLaucher also depends on RPC?
-
well it will not let me open the action center to even attempt to turn on the firewall...
-
One final shot - this should reset the registry for wsc
Copy all of the below into a notepade file
Select Save
In the drop down box select "All files"
Name the file as wscsvc.reg
Save to the desktop
Create a restore point
Right click the reg file and select merge
Reboot and try the action centre again
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"DisplayName"="@%SystemRoot%\\System32\\wscsvc.dll,-200"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
72,00,69,00,63,00,74,00,65,00,64,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%SystemRoot%\\System32\\wscsvc.dll,-201"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,\
4d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security]
"Security"=hex:01,00,14,80,c8,00,00,00,d4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,98,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,28,00,15,00,00,00,01,06,00,\
00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,\
7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
00,00,00
-
I am getting a message that says Action Center can't turn on Windows Firewall
-
WIN 7 firewall service also needs RPC. Since DCOMLaucher failed, I assume there is an issue with RPC since DCOMLaucher also depends on RPC?
RPC is no longer used in Win7
However, it does use RPCSS so could you go to the services section again and ensure that it is started and running
-
it is started. At the services window when i try to start windows firewall i am getting this message
"Windows could not start Windows Firewall on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service specific error code 1753."
-
Try this:
copy paste this in run and click ok allow it to complete and try turning on windows firewall again:
sfc /scannow
-
Did we run this command from an elevated command prompt ?
netsh advfirewall firewall
-
Delay that as I have found a new analysis tool
I am not on my own system at the moment so the instructions may not look quite right
Download and run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(http://i1238.photobucket.com/albums/ff484/CompCav/Farbarservicesinternetticked-2.jpg)
Tick "Internet services" and "Windows Firewall" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
Farbar Service Scanner
Ran by Mike Mello (administrator) on 26-12-2011 at 00:00:45
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Firewall Disabled Policy:
==================
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
-
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Could you run the fixit here please http://support.microsoft.com/kb/943996
-
The FixIt applied fixed but was not able to start the Windows Firewall.
-
OK further investigation for this error by some of my malware collegues has found a possible cause and solution (courtesy RKinner)
This will mean going into the registry manually as we have not yet developed an autofix
Go into regedit, (Start, Search, regedit, doubleclick on the regedit that it finds, Continue)
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (Find HKEY_LOCAL_MACHINE\SYSTEM and click on the + in front of it.
Find CurrentControlSet and click on its plus.
Click on Services
Then right click on Services and select Permissions then click Add.
Type in:
NT Service\bfe and click on Check Name. (It will change your typing to BFE )
OK. You should be back on the first Permissions page.
Now select BFE on the permission page and click on the first box to the right of Full Control (Allow column).
Then Apply.
Reboot and go back into Services and see if BFE is running.
-
after reboot, i had to manually start BFE. Once it started, i checked to see if i can turn on the windows firewall and i still can not turn on firewall
-
Darn - ok back to the drawing board on this one