This is a nightmare: Win32:DNSChanger-VJ [Trj]

I tried all day yesterday to get rid of this nasty, and it just keeps coming back. Usually I can take care of this stuff myself, but I’ve met my match with this virus. Here are some logs I generated according to the ‘Log assist’ thread. Two things of note. When I run aswMBR, it finishes and says I have a ‘sirfef’ infection twice, but the ‘fix’ button stays dark. All I can do is hit MBR and generate logs. Also, I cannot install Combofix. It acts like it’s installing, then the installer just goes away, and nothing. Like I said, I rarely have to ask for help with stuff like this, but I’m totally baffled by this one, and I would greatly appreciate some assistance. Thanks in advance!

Essexboy and Jeffce are notified :wink:

it may take several hours before they arrive…

OBS: your Malwarebytes was not updated when you did the scan.
Always hit the update button before a scan, as they release 5 - 10 updates a day… already at no. 3 today.

Thanks Pondus, forgot to update. Here is the log with the most recent definitions.

Out of curiosity, can you do the following to ensure that you're infected?
Open CMD and type the following:
ipconfig /all
Then take a screenshot where I can see your DNS servers and upload it here.
Regards.

Here you go, Left123.

Visit this link and tell us the result, please: http://www.dns-ok.us/

DNS Changer Checkup = Green

As I thought, CMD told us the truth. However, according to your aswMBR log(s), you are infected by Sirefef, a nasty piece of bootkit. Wait for Essexboy or Jeffce.
Have a nice day :slight_smile:

Thx, Left123.

Just saw this at your OTL logs:
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D4 C2 15 8D 50 A9 CC 01 [binary data]
Probably the job of Sirefef; I am not an expert at such cases, so I can't really tell you ;D .

What I can’t figure out is why the ‘fix’ button is dark when I finish running aswMBR. It finds two instances of ‘Sirefef’ and won’t let me clean them.

Just wait for further advice. Do not try to fix anything with those tools without guidance from an expert.

+1…!!!

Hi, I see you have run Combofix; could you post the log, please? This looks like a new variant.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab.
Remove the tick from "Start with Windows".
Reboot and then run OTL.

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
@Alternate Data Stream - 1536 bytes -> C:\Users\Public\Documents\desktop.ini:gs5sys
@Alternate Data Stream - 1536 bytes -> C:\Users\Mark\Documents\desktop.ini:gs5sys
@Alternate Data Stream - 1536 bytes -> C:\Users\Mark\Desktop\desktop.ini:gs5sys
@Alternate Data Stream - 5120 bytes -> C:\ProgramData:gs5sys

:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; reboot the PC when it is done.
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Run Farbar Service Scanner:

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
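
To confirm the gs5sys streams are present before the fix and gone after it, here is an added PowerShell check; it is not part of this thread or of OTL, assumes PowerShell 3.0 or later, and substitutes the current user's profile folders for C:\Users\Mark.

```powershell
# Added example: enumerate NTFS alternate data streams on the paths the OTL
# script targets. Run from an elevated PowerShell prompt.
# Assumption: the logged-on user is the affected profile (C:\Users\Mark above).
$targets = @(
    "$env:PUBLIC\Documents\desktop.ini",
    "$env:USERPROFILE\Documents\desktop.ini",
    "$env:USERPROFILE\Desktop\desktop.ini",
    "$env:ProgramData"
)

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "MISSING  $path"
        continue
    }
    # Every file carries the unnamed ':$DATA' stream; anything else is an ADS.
    $ads = Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
           Where-Object { $_.Stream -ne ':$DATA' }
    if ($ads) {
        foreach ($s in $ads) {
            # Stream name and size, e.g. "...\desktop.ini:gs5sys  (1536 bytes)"
            Write-Output ("ADS      {0}:{1}  ({2} bytes)" -f $path, $s.Stream, $s.Length)
        }
    } else {
        Write-Output "CLEAN    $path"
    }
}
```

A stream named gs5sys with the sizes shown in the OTL log matches the entries the fix removes; running the check again after the reboot should report CLEAN for every path.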

OK, here's the log for the OTL program. Sorry, this log is immediately after the first scan. I'm running the 'quick' scan now.

OK, here are the results for the OTL quick scan.

Could you post the Combofix log, please?

Here is the FSS log.

This is what I was saying earlier: Combofix won't install. The installer runs like normal, but then it just disappears and… nothing.

There are several registry entries missing; I will need to craft them for you.