Jump to content

TR/DNSChanger.VJ.2 Help


Recommended Posts

Hello all,

As of a few hours ago, I managed to infect myself with TR/DNSChanger.VJ.2. This one's pretty nasty. Avira keeps popping up a nice message about "C:\Windows\assembly\tmp\U\80000032.@" When I say "keeps popping up" I mean it pops up messages faster than I can click "Deny access."

Here's a bunch of logs:

MBAM:

http://pastebin.com/5adyR3rb

DDS:

http://pastebin.com/WTcNEz8T

GMER:

No activity.

Welp, that about sums it up. I would have liked to run all of this software in a non-safemode state, but as of right now that's simply not possible. I've dug out my Windows 7 install disk because every single search I've done on Google about this virus has been a dead end (albeit it's the person with the virus that stops responding, not the help.) But, I guess that leaves me to see it through to the end. Keep in mind that it's improbable that I will be able to do anything outside of safe mode.

Thanks in advance for whatever help you can give me. :)

-Sean

Link to post
Share on other sites

Hello and :welcome:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites

Well, I thought it was all good last night after I ran Combofix on my own, but after rebooting my system this morning, I started to BSOD constantly. I checked out my system, cleaned it from dust, checked my CPU temps and what not, noticed they were a little high. Reapplied thermal paste and reset my CPU cooler, and the temps returned to my acceptable range... but the BSODs kept coming, so I came back here and ran what you wanted.

On a very related note, and I should have mentioned this last night, but PING.EXE was running in the background. It was eating up 200 MB of memory. I thought that was pretty strange, especially since I couldn't kill it. After running TDSS and Combofix today, though, PING.EXE isn't running, and my PC is performing much better. I keep noticing posts on here and other forums about these same symptoms, so I thought I'd just chime in and say it might be related (but you guys know more about what this all means than I do, anyway.)

TDSS Rootkit removing tool log:

http://pastebin.com/Xc8bScVF

Combofix (from today):

http://pastebin.com/v4bXBvAS

Link to post
Share on other sites

Please post the logs in the reply box next time, instead of using PasteBin.

When do the BSODs occur?

Download BlueScreenView

No installation required.

Double click on BlueScreenView.exe file to run the program.

When scanning is done, go Edit>Select All.

Go File>Save Selected Items, and save the report as BSOD.txt.

Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.

Link to post
Share on other sites

Right, sorry. The first post wouldn't let me do that, it complained about the length.

The BSODs occur a few moments after Windows 7 loads. It seems to make it through most of my start-up programs (Avira, Steam, Hamachi, Catalyst Control Center) and then my screen glitches out for a split second. After that, it's BSOD time. Note that I never get BSODs or problems of any sort if an antivirus, TDSSKiller, or Combofix starts scanning before Windows loads up everything.

BSOD.txt:

==================================================

Dump File : 100911-28345-01.dmp

Crash Time : 10/9/2011 2:20:02 PM

Bug Check String : KMODE_EXCEPTION_NOT_HANDLED

Bug Check Code : 0x0000001e

Parameter 1 : ffffffff`c0000005

Parameter 2 : fffff800`0324f055

Parameter 3 : 00000000`00000000

Parameter 4 : ffffffff`ffffffff

Caused By Driver : ntoskrnl.exe

Caused By Address : ntoskrnl.exe+70740

File Description : NT Kernel & System

Product Name : Microsoft® Windows® Operating System

Company : Microsoft Corporation

File Version : 6.1.7600.16617 (win7_gdr.100618-1621)

Processor : x64

Crash Address : ntoskrnl.exe+70740

Stack Address 1 :

Stack Address 2 :

Stack Address 3 :

Computer Name :

Full Path : C:\Windows\Minidump\100911-28345-01.dmp

Processors Count : 4

Major Version : 15

Minor Version : 7600

Dump File Size : 274,256

==================================================

==================================================

Dump File : 100911-26941-01.dmp

Crash Time : 10/9/2011 2:15:36 PM

Bug Check String : KMODE_EXCEPTION_NOT_HANDLED

Bug Check Code : 0x0000001e

Parameter 1 : ffffffff`c0000096

Parameter 2 : fffff800`032a90fa

Parameter 3 : 00000000`00000000

Parameter 4 : 00000000`00000000

Caused By Driver : ntoskrnl.exe

Caused By Address : ntoskrnl.exe+70740

File Description : NT Kernel & System

Product Name : Microsoft® Windows® Operating System

Company : Microsoft Corporation

File Version : 6.1.7600.16617 (win7_gdr.100618-1621)

Processor : x64

Crash Address : ntoskrnl.exe+70740

Stack Address 1 :

Stack Address 2 :

Stack Address 3 :

Computer Name :

Full Path : C:\Windows\Minidump\100911-26941-01.dmp

Processors Count : 4

Major Version : 15

Minor Version : 7600

Dump File Size : 274,256

==================================================

==================================================

Dump File : 100911-21606-01.dmp

Crash Time : 10/9/2011 1:51:38 AM

Bug Check String : KMODE_EXCEPTION_NOT_HANDLED

Bug Check Code : 0x0000001e

Parameter 1 : ffffffff`c0000005

Parameter 2 : fffff800`032597e7

Parameter 3 : 00000000`00000000

Parameter 4 : 00000000`7efa0000

Caused By Driver : ntoskrnl.exe

Caused By Address : ntoskrnl.exe+70740

File Description : NT Kernel & System

Product Name : Microsoft® Windows® Operating System

Company : Microsoft Corporation

File Version : 6.1.7600.16617 (win7_gdr.100618-1621)

Processor : x64

Crash Address : ntoskrnl.exe+70740

Stack Address 1 :

Stack Address 2 :

Stack Address 3 :

Computer Name :

Full Path : C:\Windows\Minidump\100911-21606-01.dmp

Processors Count : 4

Major Version : 15

Minor Version : 7600

Dump File Size : 274,312

==================================================

==================================================

Dump File : 100911-20436-01.dmp

Crash Time : 10/9/2011 1:46:54 AM

Bug Check String : KMODE_EXCEPTION_NOT_HANDLED

Bug Check Code : 0x0000001e

Parameter 1 : ffffffff`c0000005

Parameter 2 : fffff800`0325b7e7

Parameter 3 : 00000000`00000000

Parameter 4 : 00000000`7efa0000

Caused By Driver : ntoskrnl.exe

Caused By Address : ntoskrnl.exe+70740

File Description : NT Kernel & System

Product Name : Microsoft® Windows® Operating System

Company : Microsoft Corporation

File Version : 6.1.7600.16617 (win7_gdr.100618-1621)

Processor : x64

Crash Address : ntoskrnl.exe+70740

Stack Address 1 :

Stack Address 2 :

Stack Address 3 :

Computer Name :

Full Path : C:\Windows\Minidump\100911-20436-01.dmp

Processors Count : 4

Major Version : 15

Minor Version : 7600

Dump File Size : 274,312

==================================================

==================================================

Dump File : 100811-32947-01.dmp

Crash Time : 10/8/2011 8:11:58 PM

Bug Check String : KMODE_EXCEPTION_NOT_HANDLED

Bug Check Code : 0x0000001e

Parameter 1 : ffffffff`c0000005

Parameter 2 : fffffa80`04860c84

Parameter 3 : 00000000`00000000

Parameter 4 : 00000000`7efa8000

Caused By Driver : ntoskrnl.exe

Caused By Address : ntoskrnl.exe+70740

File Description : NT Kernel & System

Product Name : Microsoft® Windows® Operating System

Company : Microsoft Corporation

File Version : 6.1.7600.16617 (win7_gdr.100618-1621)

Processor : x64

Crash Address : ntoskrnl.exe+70740

Stack Address 1 :

Stack Address 2 :

Stack Address 3 :

Computer Name :

Full Path : C:\Windows\Minidump\100811-32947-01.dmp

Processors Count : 4

Major Version : 15

Minor Version : 7600

Dump File Size : 274,360

==================================================

==================================================

Dump File : 100811-25927-01.dmp

Crash Time : 10/8/2011 8:09:11 PM

Bug Check String : KMODE_EXCEPTION_NOT_HANDLED

Bug Check Code : 0x0000001e

Parameter 1 : ffffffff`c0000005

Parameter 2 : fffffa80`04860c84

Parameter 3 : 00000000`00000000

Parameter 4 : 00000000`7efa8000

Caused By Driver : ntoskrnl.exe

Caused By Address : ntoskrnl.exe+70740

File Description : NT Kernel & System

Product Name : Microsoft® Windows® Operating System

Company : Microsoft Corporation

File Version : 6.1.7600.16617 (win7_gdr.100618-1621)

Processor : x64

Crash Address : ntoskrnl.exe+70740

Stack Address 1 :

Stack Address 2 :

Stack Address 3 :

Computer Name :

Full Path : C:\Windows\Minidump\100811-25927-01.dmp

Processors Count : 4

Major Version : 15

Minor Version : 7600

Dump File Size : 274,360

==================================================

Link to post
Share on other sites

I'm using Avira. My roommate used to use my PC as well and one time installed SpywareDoctor or some other terrible program... but I was pretty sure I killed it all (I checked again recently, and I see no traces minus an empty directory without hidden files or anything, but it's notoriously annoying to get rid of.) I had installed AVG once a long time ago, but it was causing some issues so I had to get rid of it. I did a system restore to a point before I installed it for other reasons, anyway. But other than Avira, nothing should be running right now.

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.