Author Topic: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?  (Read 10083 times)


daniel06

  • Guest
Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« on: July 28, 2011, 05:29:57 AM »
To begin with I've been battling a browser hijacking redirect Trojan for the past few days which only Avast has been able to fix.  I've tried everything else from MBAM, Hitman Pro, Kaspersky, Combofix, etc.

Now that I've done a Boot Scan and found the embedded files I scanned each directory with Avast and deleted them, but I still have the Win32 DNS changer trying to do its thing and being detected each time by Avast.

Each time Avast detects the DNS changer it moves it to the virus chest since that's the default if unable to delete.  The actual virus that it seems to be stopping with the Real-Time shield is called Win32.DNSChanger-VJ[Trj]

I can't seem to find out why this DNSChanger keeps reappearing even though Avast is now catching it, or if it is related to Csrss.exe, which Avast is saying it's blocking the connection to with the Realtime shield.  (last blocked connection lizcaea.cn/32 and lizcaea.cn/64)
--------------
Avast Detects as
URL: lizcaea.cn/32
Process: file://C:\Windows\System32\csrss.exe
Infection: al
--------------


My windows firewall is also being prevented from being enabled at the moment and other anti virus programs say I'm clean.  I'm not sure what the next step is to get my firewall back online.
« Last Edit: July 28, 2011, 05:32:30 AM by daniel06 »
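An added example, not part of the original post or of any Avast tool: the setting a "DNS changer" tampers with is the resolver list, so the quickest defender's check is to dump where the machine's DNS is actually pointed (live adapter configuration, per-interface static NameServer values, and the global NameServer in the registry) and compare against the resolvers the network is supposed to use. The allow-list addresses below are constructed placeholders from the RFC 5737 documentation ranges. It uses only WMI and the registry so it runs on Windows 7 / PowerShell 2.0.

```powershell
# Added example, not from the thread: audit where DNS resolution is pointed.
# The allow-list holds constructed placeholder addresses; replace them with the
# resolvers your network is expected to use.
$ExpectedDns = @('192.0.2.53', '198.51.100.53')

function Get-DnsConfigFindings {
    param([string[]]$Allowed = $ExpectedDns)

    $findings = @()

    # 1. Live configuration of every IP-enabled adapter, as TCP/IP sees it
    foreach ($cfg in (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')) {
        foreach ($server in @($cfg.DNSServerSearchOrder)) {
            if ($server -and ($Allowed -notcontains $server)) {
                $findings += New-Object PSObject -Property @{
                    Source  = "WMI: $($cfg.Description)"
                    Setting = 'DNSServerSearchOrder'
                    Value   = $server
                }
            }
        }
    }

    # 2. Static NameServer values per interface. A DNS changer typically writes
    #    here, overriding whatever DHCP handed out, and the value survives reboots.
    $ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($key in (Get-ChildItem $ifKey)) {
        $raw = (Get-ItemProperty $key.PSPath).NameServer
        if (-not $raw) { continue }
        foreach ($server in ($raw -split '[ ,]+')) {
            if ($server -and ($Allowed -notcontains $server)) {
                $findings += New-Object PSObject -Property @{
                    Source  = "Registry: $($key.PSChildName)"
                    Setting = 'NameServer'
                    Value   = $server
                }
            }
        }
    }

    # 3. The global NameServer applies to all interfaces and is rarely set on a
    #    normal workstation, so any value here deserves a look.
    $global = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').NameServer
    if ($global) {
        foreach ($server in ($global -split '[ ,]+')) {
            if ($server -and ($Allowed -notcontains $server)) {
                $findings += New-Object PSObject -Property @{
                    Source  = 'Registry: Tcpip\Parameters'
                    Setting = 'NameServer'
                    Value   = $server
                }
            }
        }
    }

    return $findings
}

$hits = Get-DnsConfigFindings
if ($hits) {
    $hits | Format-Table Source, Setting, Value -AutoSize
} else {
    'All configured DNS servers are on the allow-list.'
}
```

Run it from an elevated PowerShell prompt so the Interfaces subkeys are all readable; a resolver that keeps coming back after each clean-up points at a persistence mechanism (the boot-start driver and Run entries the OTS fix later in this thread removes) rather than at the DNS setting itself.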

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37553
  • Not a avast user
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #1 on: July 28, 2011, 07:20:30 AM »
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs HERE and not in the guide )


To avoid using multiple posts with copy and paste you have to attach the logs

Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI

Essexboy will look at the logs when posted...
he is usually in here at 08:00pm - 11:59pm uk time

daniel06

  • Guest
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #2 on: July 28, 2011, 09:31:27 PM »
Everything should be attached from the guide posted.
 
MBAM found:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> No action taken.

It has been removed using MBAM, but this is the exact Trojan.BHO that I've removed with MBAM 3 times already and it seems to reappear with a couple reboots.

OTS was too large (333kb) so I uploaded it with mediafire.
http://www.mediafire.com/?la8bc98b9f8m126

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #3 on: July 28, 2011, 09:55:50 PM »
I see you have thrown everything at this bar the kitchen sink, well here is the sink  ;D

On completion could you let me know if the alerts are still present

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Processes - Safe List]
YN -> hasplms.exe ->
[Driver Services - Safe List]
YY -> (rpjbcey) rpjbcey [Kernel | Boot | Stopped] -> C:\Windows\system32\drivers\jbvc.sys
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > ->
YN -> HKEY_CURRENT_USER\: Main\\"XMLHTTP_UUID_Default" -> 0C AE 00 00 D2 B9 EC 47 AB 8B 5A 63 22 77 45 42  [binary data]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {6E13D095-45C3-4271-9475-F3B48227DD9F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{5911488E-9D1E-40ec-8CBB-06B231CC153F}" [HKLM] -> [StartNow Toolbar]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< File Associations - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>\
YN -> .com [@ = comfile] -> Reg Error: Key error.
[Files/Folders - Created Within 30 Days]
NY ->  roboot64.exe -> C:\Windows\SysNative\roboot64.exe
[Files/Folders - Modified Within 30 Days]
NY ->  zip.exe -> C:\zip.exe
NY ->  jbvc.sys -> C:\Windows\SysWow64\drivers\jbvc.sys
NY ->  1142960155 -> C:\Windows\SysWow64\1142960155
NY ->  A220.94B -> C:\Users\valued customer\AppData\Roaming\A220.94B
NY ->  roboot64.exe -> C:\Windows\SysNative\roboot64.exe
NY ->  GhostObjGAFix.xml -> C:\Users\valued customer\AppData\Roaming\GhostObjGAFix.xml
[Custom Scans]
YY ->  explorer.exe : MD5=3C33B26F2F7FA61D882515F2D6078691 -> C:\Users\valued customer\AppData\Local\Temp\RarSFX2\procs\explorer.exe
YY ->  explorer.exe : MD5=ABC6379205DE2618851C4FCBF72112EB -> C:\Users\valued customer\AppData\Local\Temp\RarSFX0\h\explorer.exe
YY ->  explorer.exe : MD5=ABC6379205DE2618851C4FCBF72112EB -> C:\Users\valued customer\AppData\Local\Temp\RarSFX1\h\explorer.exe
YY ->  explorer.exe : MD5=ABC6379205DE2618851C4FCBF72112EB -> C:\Users\valued customer\AppData\Local\Temp\RarSFX2\h\explorer.exe
YY ->  userinit.exe : MD5=AC6094297CD882B8626466CDEB64F19F -> C:\Users\valued customer\AppData\Local\Temp\RarSFX0\userinit.exe
YY ->  userinit.exe : MD5=AC6094297CD882B8626466CDEB64F19F -> C:\Users\valued customer\AppData\Local\Temp\RarSFX1\userinit.exe
YY ->  userinit.exe : MD5=AC6094297CD882B8626466CDEB64F19F -> C:\Users\valued customer\AppData\Local\Temp\RarSFX2\userinit.exe
YY ->  winlogon.exe : MD5=AC6094297CD882B8626466CDEB64F19F -> C:\Users\valued customer\AppData\Local\Temp\RarSFX0\winlogon.exe
YY ->  winlogon.exe : MD5=AC6094297CD882B8626466CDEB64F19F -> C:\Users\valued customer\AppData\Local\Temp\RarSFX1\winlogon.exe
YY ->  winlogon.exe : MD5=AC6094297CD882B8626466CDEB64F19F -> C:\Users\valued customer\AppData\Local\Temp\RarSFX2\winlogon.exe
[Custom Items]
:Reg
[HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
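The Custom Scans section of the fix above is the interesting part for a defender: copies of explorer.exe, userinit.exe and winlogon.exe sitting in %TEMP%\RarSFX* folders, two of them with hashes that differ from each other. Below is an added example, not from the thread and not a feature of OTS, of how to sweep a machine for files that carry the name of a core Windows binary but live outside the Windows directory, hashing each one and comparing it with the genuine copy. MD5 is used only to match the OTS log format; the name list and search roots are my assumptions. Runs on PowerShell 2.0 (Windows 7).

```powershell
# Added example, not from the thread: hunt for misplaced copies of core Windows
# binaries and compare them with the genuine file. Names and roots are assumptions.
$CoreNames   = 'explorer.exe', 'userinit.exe', 'winlogon.exe', 'csrss.exe', 'svchost.exe'
$SearchRoots = @($env:USERPROFILE, $env:ProgramData)   # add "$env:SystemDrive\" for a full sweep

function Get-Md5Hex {
    # Uppercase hex MD5, the same format OTS prints; .NET only, so no Get-FileHash needed
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Find-MisplacedCoreBinaries {
    param([string[]]$Names = $CoreNames, [string[]]$Roots = $SearchRoots)

    $windir = $env:windir

    # Reference hashes of the genuine binaries (explorer.exe lives in %windir%,
    # the rest in System32)
    $reference = @{}
    foreach ($n in $Names) {
        $genuine = @("$windir\$n", "$windir\System32\$n") | Where-Object { Test-Path $_ } | Select-Object -First 1
        if ($genuine) { $reference[$n.ToLower()] = Get-Md5Hex $genuine }
    }

    $results = @()
    foreach ($root in $Roots) {
        $files = Get-ChildItem -Path $root -Recurse -Force -Include $Names -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer -and $_.FullName -notlike "$windir\*" }
        foreach ($f in $files) {
            $hash = Get-Md5Hex $f.FullName
            $name = $f.Name.ToLower()
            # A byte-identical copy outside Windows is still suspicious: SFX droppers
            # stage genuine files next to patched ones before swapping them in.
            if ($reference[$name] -eq $hash) {
                $verdict = 'identical to genuine binary, but misplaced'
            } else {
                $verdict = 'HASH MISMATCH with genuine binary - investigate'
            }
            $results += New-Object PSObject -Property @{
                Path    = $f.FullName
                MD5     = $hash
                Verdict = $verdict
            }
        }
    }
    return $results
}

Find-MisplacedCoreBinaries | Format-Table Path, MD5, Verdict -AutoSize
```

Anything it reports is a candidate for the Custom Scans / Files sections of an OTS fix, and a copy whose hash differs from the genuine file is the one worth submitting to the analyst rather than deleting blind.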

daniel06

  • Guest
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #4 on: July 28, 2011, 10:42:15 PM »
Alright, I've run OTS again and attached the file, and everything looks good as of now regarding redirects and the Real-Time shield from Avast.

The only problem I'm still getting is that I'm unable to enable my Windows Firewall; it gives the error "Windows firewall can't change some of your settings", error code 0x8007042c.
« Last Edit: July 28, 2011, 10:46:58 PM by daniel06 »
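An added example, not from the thread: 0x8007042c is the HRESULT wrapper for Win32 error 1068, ERROR_SERVICE_DEPENDENCY_FAIL, so when the firewall refuses to turn on the thing to look at first is the service chain it depends on: the Windows Firewall service (MpsSvc), the Base Filtering Engine (BFE) it requires, and the mpsdrv driver. Malware and leftover security-suite uninstallers are both known to leave one of these Disabled or remove its registration. The script reports state and start mode for all three, and the repair function re-enables and starts them in dependency order. Service names are the standard Windows ones; runs on PowerShell 2.0 from an elevated prompt.

```powershell
# Added example, not from the thread: inspect and repair the Windows Firewall
# service chain. Run elevated.
function Get-FirewallServiceState {
    foreach ($n in 'BFE', 'mpsdrv', 'MpsSvc') {
        # Win32_BaseService covers both user-mode services and kernel drivers
        $svc = Get-WmiObject Win32_BaseService -Filter "Name = '$n'"
        if ($svc) {
            New-Object PSObject -Property @{
                Name = $svc.Name; State = $svc.State; StartMode = $svc.StartMode; Path = $svc.PathName
            }
        } else {
            # No registration at all: a deleted service key, not a start-type problem
            New-Object PSObject -Property @{
                Name = $n; State = 'MISSING'; StartMode = '-'; Path = '-'
            }
        }
    }
}

function Repair-FirewallServiceStart {
    # Re-enable anything Disabled, then start BFE before MpsSvc (its dependency).
    # A MISSING service cannot be fixed here; its registry key has to be restored
    # from a known-good machine of the same Windows version.
    foreach ($s in Get-FirewallServiceState) {
        if ($s.State -eq 'MISSING') {
            Write-Warning "$($s.Name) is not registered on this machine"
            continue
        }
        if ($s.StartMode -eq 'Disabled') {
            # sc.exe handles drivers as well as services; the space after 'start=' is required
            if ($s.Name -eq 'mpsdrv') { $mode = 'demand' } else { $mode = 'auto' }
            & sc.exe config $s.Name start= $mode | Out-Null
        }
    }
    foreach ($n in 'BFE', 'MpsSvc') {
        $svc = Get-Service $n -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Running') {
            Start-Service $n -ErrorAction Continue
        }
    }
    Get-FirewallServiceState
}

Get-FirewallServiceState | Format-Table Name, State, StartMode, Path -AutoSize
# Then, once the output has been read: Repair-FirewallServiceStart
```

If Start-Service on BFE itself fails, the failure is below the firewall (Base Filtering Engine permissions or a damaged registry key) and the Fix it route suggested in the next replies is the right next step.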

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #5 on: July 28, 2011, 10:53:44 PM »
OK, let's see if we can cure the firewall next.

Could you go to this page http://support.microsoft.com/kb/283673 and run the big Fix it button about halfway down, and let me know the result of that please.

daniel06

  • Guest
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #6 on: July 28, 2011, 11:09:25 PM »
Just tried it; that link only works for Windows XP though. I'm looking for a Windows 7 one, but not seeing it.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #7 on: July 28, 2011, 11:42:07 PM »
Download and install MSFixit centre from here  http://www.majorgeeks.com/Microsoft_Fix_it_Center_d7105.html

daniel06

  • Guest
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #8 on: July 29, 2011, 12:34:49 AM »
I ran both the firewall related fixing tools in MS Fix It with no luck.  I'm beginning to wonder if McAfee being previously installed is causing my firewall problems or if the Trojan/Malware did it.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #9 on: July 29, 2011, 12:43:41 AM »
Probably worth checking this out - McAfee has an uninstall tool that you could run to ensure any possible remnants are removed. Check out this page for removal tool and instructions, http://service.mcafee.com/FAQDocument.aspx?id=TS100507
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

daniel06

  • Guest
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #10 on: July 29, 2011, 02:08:26 AM »
Probably worth checking this out - McAfee has an uninstall tool that you could run to ensure any possible remnants are removed. Check out this page for removal tool and instructions, http://service.mcafee.com/FAQDocument.aspx?id=TS100507

Yeah, that's the one I had to use just to uninstall it; just removing it was like having malware itself.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #11 on: July 29, 2011, 04:03:07 AM »
OK, wasn't sure what you had tried. But having used that removal tool in theory it shouldn't be causing any current firewall problems, though I'm at a loss as to what to suggest to try and fix it.

You could of course install a 3rd party firewall (not McAfee), like:
- PCTools Firewall Plus. This is a relatively user friendly firewall.
- Online Armor for the most parts fine for most users, though some find it a little heavy.
- PrivateFirewall, http://www.privacyware.com/personal_firewall.html

- Outpost Free Suite 7, which should still provide good protection, http://free.agnitum.com/. Whilst this is a suite, when you install it, it detects avast and asks if you have it installed, answering Yes will mean it doesn't install the antivirus, anti-spyware and web control modules to maintain compatibility.

daniel06

  • Guest
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #12 on: July 29, 2011, 07:00:21 PM »
OK, wasn't sure what you had tried. But having used that removal tool in theory it shouldn't be causing any current firewall problems, though I'm at a loss as to what to suggest to try and fix it.

You could of course install a 3rd party firewall (not McAfee), like:
- PCTools Firewall Plus. This is a relatively user friendly firewall.
- Online Armor for the most parts fine for most users, though some find it a little heavy.
- PrivateFirewall, http://www.privacyware.com/personal_firewall.html

- Outpost Free Suite 7, which should still provide good protection, http://free.agnitum.com/. Whilst this is a suite, when you install it, it detects avast and asks if you have it installed, answering Yes will mean it doesn't install the antivirus, anti-spyware and web control modules to maintain compatibility.

Thanks, I'll try that out until I manage to get Windows Firewall working again.  Also it seems I still have the same trojan/downloader; upon starting Windows Explorer, Avast detected

C:\Windows/assembly/tmp@.dlw|>[UPX]
Threat:Win32:DNSChanger-VJ[Trj]

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #13 on: July 29, 2011, 07:26:21 PM »
Run a fresh OTS scan please with all users selected

Binky101

  • Guest
Re: Csrss.exe related to Redirect Trojan/Win32 DNS Changer ?
« Reply #14 on: August 21, 2011, 09:37:13 AM »
While searching for a cure for this issue I found this thread.

I tried the cure listed here with OTS... I can sum up the log: it found NOTHING, fixed NOTHING, and I am still bombarded with redirects.

Avast can't fix it. I'm on a very limited internet connection so downloading another program... on top of Adaware and Spybot is not feasible.

Right now the issue resides in a scvhost file and explorer.exe.   

What else can I do to kill this bug?