80000032.@, 80000064.@ & 00000008.@

I’ve never really had any problems before until suddenly today I started getting these popups with: Win32:DNSChanger-VJ[Trj], Win32:Malware-gen & Win32:Trojan-gen. I read some other posts and thought I’d follow the “Logs to assist in cleaning malware”. I did all of it and I think I succeeded in deleting the malware- and trojan-gen with malwarebytes, since they haven’t come up after I did the scan.

The problem remaining is the Win32:DNSChanger-VJ[Trj]. It pops up every few minutes and it’s driving me insane. All the logs should be attached.

Help would be very much appreciated.

Hi Oikkelis, welcome to the forum.

To make cleaning this machine easier:
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Right click on ComboFix.exe, click Run as Administrator & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. If you receive a message after running ComboFix similar to “Illegal Operation attempted on a registry key that has been marked for deletion”, simply reboot your computer.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

Good day!

I now wonder: one fine morning you turned on the computer and messages started popping up that your computer is infected?

Win32:Sirefef-PL - 7.3.2012 - 120307-1 (Added to base).

So what else is interesting: according to the logs, you have Avast installed on the same date.

PRC - [2012/03/07 02:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/03/07 02:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/03/07 02:15:13 | 000,134,920 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\afwServ.exe

So it turns out you didn’t spend so much time seeking help? Or is it a virus that Avast has missed in the database?

@Dim@rik, I’m a complete idiot when it comes to viruses and rather impatient at times, so I thought maybe the problem was in avast instead of my computer. Due to this I tried reinstalling avast, but surprise surprise to no avail.

@oldman, I did everything precisely as you told me. After the ComboFix was complete I got the “registry key” thingy, so I rebooted my computer. Everything seemed normal until I opened Firefox and tried to browse the web. It just kept loading and loading, until at one point I went to the blue screen. I rebooted my computer and went to the blue screen yet again. I opened Windows in “safe mode with networking” and yet again it went to the blue screen. I started Windows in “safe mode” and it worked just fine. I tried removing Firefox and it helped for a while, but once more blue screen. I’m guessing the problem’s got something to do with my network, but I don’t really know since I’m not an expert. In the end I did a system recovery and got my computer back up and working.

This kind of got me concerned whether I should really be doing this, since I wouldn’t mind a little infection instead of having a lump of metal that’s only good for looking at a blue colored screen.

But anyway here’s the combofix log if you can find anything on it.

Hi Oikkelis,

since I wouldn't mind a little infection
Unfortunately this isn't a little infection. It's a major one and you have the newest variant.

I strongly suggest you do the following immediately:

[*] From a clean computer, change all your online passwords – for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
[*] DO NOT change passwords or do any transactions while using the infected computer because the new passwords and transaction information could be compromised.

In the end I did a system recovery and got my computer back up and working.
Please confirm you did a [B]System Recovery[/B] not a System Restore.

Next

Please open OTL.

[*]Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, click the None button near the top (it may look greyed out)
[*]In the window under Custom Scans/Fixes copy and paste the following

[b]
C:\80000032.@\*.* /s
/md5start
services.*
/md5stop

[/b]

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Changed all my passwords on my brother’s computer. But then I wondered whether he should change his too, since he’s used my computer sometimes before the infection?

I’m not really sure what the difference is between system recovery and restore, but what it did was restore everything to the way they were the day before so I guess it could’ve been a system restore.

And I noticed this while looking at the OTL log

< C:\80000032.@\*.* /s >
[2012.06.17 05:31:39 | 000,002,111 | ---- | M] () -- C:\80000032.@\aswMBR.txt
[2012.06.17 05:31:29 | 000,031,442 | ---- | M] () -- C:\80000032.@\Extras.Txt
[2012.06.17 05:31:49 | 000,001,378 | ---- | M] () -- C:\80000032.@\mbam-log-2012-06-17 (04-16-35).txt
[2012.06.17 05:07:40 | 000,000,512 | ---- | M] () -- C:\80000032.@\MBR.dat
[2012.06.17 05:31:04 | 000,061,886 | ---- | M] () -- C:\80000032.@\OTL.Txt
[2012.06.17 17:20:38 | 000,000,235 | ---- | M] () -- C:\80000032.@\Uusi tekstiasiakirja.txt

You see, I made a folder named “80000032.@” and put all the logs in it. Now I think I shouldn’t have done that… I’m so, so sorry if I misled you in any way :-[

But anyway here’s the OTL log.

Hi Oikkelis,

Using system restore may have restored the infection also. Do you remember the name of the file, if any, that was referenced in the BSOD?

Yeah, unfortunately the infection’s still there…

Which file are you referring to? ’Cause I barely remember anything of the BSOD. Back then I was more concerned with fixing the computer than with worrying about the virus.

Hi Oikkelis

When you received the BSOD it would have been related more to the Windows issue rather than the infection. The BSOD screen should have referenced either a file or an error code or both.

Please rerun aswMBR and post the log.

Please rerun OTL.

[*]Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, underneath Output at the top change it to Minimal Output
[*]Check the boxes beside LOP Check and Purity Check.
[*]In the window under Custom Scans/Fixes copy and paste the following

[B]
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lîk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Deskuop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
/md5stop

[/B]
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

When the scan completes, it will open a notepad window, OTL.Txt; no Extras.Txt this time.

Here are the logs

Hi Oikkelis,

Thanks for your patience. I did some checking and it’s possible that ZA infected FireFox. When the main infection was removed, launching FireFox may have caused the BSOD.

Let’s try this again but this time when posting back please use Internet Explorer. We can remove FireFox later and reinstall it after we clean the computer and a few caches if need be.

First locate the copy of combofix you have on your desktop, right click it and click delete.

Download a new copy from HERE and save it to your desktop. Please follow the previous instructions for running combofix.

The old combofix was already removed earlier by the system restore.

Ignoring that, I downloaded and ran Combofix with no complications. After rebooting my computer I am now typing this on IE and no BSOD’s have appeared. I also have yet to see any popups by avast.

Awaiting further instruction. :smiley:

Hi Oikkelis,

Please post the ComboFix log. It should be at C:\combofix.txt

Thanks

Oh sorry, it’s just that earlier you said not to post any logs unless specifically asked to. But anyway here it is.

Hi Oikkelis,

How’s the computer? Any problems?

Let’s make sure the file was replaced.

Next

Please open OTL.

[*]Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, click the None button near the top (it may look greyed out)
[*]In the window under Custom Scans/Fixes copy and paste the following

[b]

/md5start
services.*
/md5stop

[/b]

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.
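Both OTL requests in this thread (the first one scanning `C:\80000032.@` together with `services.*`, and this one re-checking `services.*` after ComboFix ran) rely on OTL's `/md5start ... /md5stop` block: OTL hashes every file whose name matches the pattern, so the helper can compare the hash of `services.exe` against a known-good value and confirm that the patched copy was actually replaced. The script below is an added example (my own code, not OTL's and not from this thread) that performs the same kind of check in Python: walk a directory tree, hash every file matching a name pattern, and flag any hash that is not on a known-good list. The directory layout, the file contents and the "known-good" hash are all constructed inside the script and are not real Windows file hashes.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def md5_scan(root, pattern, known_good):
    """Emulate OTL's /md5start ... /md5stop block.

    Walk `root` recursively, hash every file whose name matches `pattern`
    (case-insensitive, e.g. "services.*") and classify it:
      OK       - hash is in the known-good set recorded for that file name
      MISMATCH - a known-good set exists for the name but this hash is not in it
                 (what a patched services.exe looks like)
      UNKNOWN  - no known-good hash recorded for this file name
    Returns a list of (path, md5, status) tuples.
    """
    results = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or not fnmatch.fnmatch(p.name.lower(), pattern.lower()):
            continue
        digest = md5_of(p)
        allowed = known_good.get(p.name.lower())
        if allowed is None:
            status = "UNKNOWN"
        elif digest in allowed:
            status = "OK"
        else:
            status = "MISMATCH"
        results.append((str(p), digest, status))
    return results


# Constructed placeholder contents; these are not real executables.
CLEAN_IMAGE = b"CONSTRUCTED clean services.exe image (not a real binary)"
PATCHED_IMAGE = b"CONSTRUCTED patched services.exe image (not a real binary)"


def build_demo_tree():
    """Constructed sample tree (hypothetical paths): a clean copy where the OS
    keeps it, a modified copy stashed elsewhere, and a log file with the same
    base name for which no reference hash exists."""
    root = Path(tempfile.mkdtemp())
    system32 = root / "Windows" / "System32"
    stash = root / "Windows" / "Temp" / "stash"
    system32.mkdir(parents=True)
    stash.mkdir(parents=True)
    (system32 / "services.exe").write_bytes(CLEAN_IMAGE)
    (stash / "services.exe").write_bytes(PATCHED_IMAGE)
    (stash / "services.log").write_bytes(b"constructed log, no reference hash")
    return root


def demo():
    """Run the check over the constructed tree; returns {relative path: status}."""
    root = build_demo_tree()
    # Known-good table: in real use this holds the vendor's hashes for the
    # exact OS build; here it is simply the hash of the constructed clean image.
    known_good = {"services.exe": {hashlib.md5(CLEAN_IMAGE).hexdigest()}}
    return {Path(path).relative_to(root).as_posix(): status
            for path, _, status in md5_scan(root, "services.*", known_good)}


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9} {rel}")
```

Only a file whose name has a reference hash can be judged OK or MISMATCH; anything else is reported as UNKNOWN rather than silently passed, which is the safer default when the point of the check is to prove a replaced system file.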

Everything seems fine. Computer’s running smoother than it did before and I have yet to see any popups/alerts.

I did get a bit startled when I accidentally clicked mozilla by an old habit. Nothing’s come up even after the little mishap though.

Here’s the OTL log

Hi Oikkelis,

Did Firefox open or did you close it before it completely opened?

This looks good. We’ll update your old vulnerable java and clean out some caches.

Click Start > Control Panel > Programs > Programs and Features and uninstall Java™ 6 Update 29 (64-bit) and Java™ 6 Update 31.

You can get the new versions, 32bit and 64bit HERE

Download both jre-7u5-windows-x64.exe and jre-7u5-windows-i586.exe (last 2 in the list) save them to your desktop.

Right click on them and click “Run as Administrator” to install them.

Next

Double click on OTL.exe
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :


:Services

:Commands
[emptytemp]
[createrestorepoint]

Then click the Run Fix button at the top

[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.
[*]Reboot your computer
Please post the OTL fix log.

Go ahead and try Firefox if you haven’t already. Let me know how you make out.

It did open completely but I closed it as soon as I could. Last time when I got the BSOD, it didn’t come until I tried changing the website.

So I shouldn’t reinstall mozilla? Just run it normally?

I reinstalled Mozilla just in case before testing it. It started up normally and I haven’t had any problems with it so far, so everything seems to be fine.

I noticed something odd in my C: & D: drives today. All the supposedly hidden folders are completely visible. I checked if the “Show hidden files and folders” was ticked, but it wasn’t. I looked through some other folders but I couldn’t find any other ones with the same oddity.

Hi Oikkelis,

Which files are you referring to? Is the box beside “Hide protected operating system files (Recommended)” checked? What happens if you click the Restore Defaults button at the bottom?