Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?

Download the following three programmes to your desktop:

Click the globe under my Avatar and download from my skydrive

1. WiNToBootic
2. Windows 7 64bit RC
3. Farbar Recovery Scan Tool x64

Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy FRST to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this, although yours will say Windows 7. Click Repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Will I lose any of my files? I also do not currently have a flash drive, is there any other way?

No, none of the files will be touched

We can burn the recovery console to a disc if it is easier

To do that, download the Win 7 64-bit ISO to the desktop
Download and install imgburn http://www.imgburn.com/

Once imgburn is installed double click the ISO file and imgburn will open to burn it to disc

Copy the FRST programme to your root C drive and then follow the previous instructions, except that FRST will now be run from the C drive as opposed to a USB

Okay, and this will keep my operating system completely genuine? Because the last time I got rid of one of those files (only one of the ones in assembly) through using a boot-time scan from Avast it brought me to a black screen with “This is not Genuine” at the bottom corner once I had logged in, but eventually brought me back to my desktop.

I could not rule out that possibility, but it is very easy to revalidate Windows via a free phone call (I have done it several times)

I am getting a flash drive later today. But first can you tell me how I would revalidate my Windows?

If this should occur, then on the popup select activate Windows by phone
This will then produce a series of letters/numbers and give you a freephone number to call
Call the freephone number
You will be asked for the letters/numbers
Follow the phone prompts and you will be reactivated

Okay, the scanning and everything worked fine. I have attached the log.

That is showing no sign of ZeroAccess - is Avast still reporting it?

If so, where?

I did a rescan and Avast is still showing them. They are C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini. Those are the two rootkits that have been troubling me this whole time. There were also some other files it found in C:\Windows\Installer.… And Avast chested those, but they do seem to be constantly reappearing, so my suspicion is that they are from those rootkits.

OK, they are remnants, so it is just a matter of taking them out. I will be away for about a week, but this should stop the alerts

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

:Files
ipconfig /flushdns /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
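As an added example (not from the thread, and not part of OTL or FRST), the following script performs an offline check for the two indicators this fix targets: the Desktop.ini files under GAC_32/GAC_64 and hosts-file redirects that the [resethosts] step wipes. It takes the root of a Windows volume (a mounted image or drive letter) and builds its own constructed sample tree for a stand-alone run; the sample address and hostname are made up.

```python
import tempfile
from pathlib import Path

# Indicator paths relative to the volume root, as named in the thread.
GAC_INI_PATHS = ("Windows/assembly/GAC_32/Desktop.ini",
                 "Windows/assembly/GAC_64/Desktop.ini")
HOSTS_PATH = "Windows/System32/drivers/etc/hosts"
LOOPBACK = {"127.0.0.1", "::1"}

def find_gac_desktop_ini(root):
    """Return which of the flagged Desktop.ini files exist under root."""
    return [p for p in GAC_INI_PATHS if (Path(root) / p).is_file()]

def suspicious_hosts_entries(root):
    """Return hosts-file entries that point a name at a non-loopback address.

    A stock hosts file holds only comments and loopback lines; anything
    else deserves a look, which is what the thread's [resethosts] step
    undoes by rewriting the file.
    """
    hosts = Path(root) / HOSTS_PATH
    if not hosts.is_file():
        return []
    hits = []
    for line in hosts.read_text(errors="replace").splitlines():
        entry = line.split("#", 1)[0].strip()      # strip comments
        if not entry:
            continue
        addr, *names = entry.split()
        if names and addr not in LOOPBACK:
            hits.append(entry)
    return hits

def triage(root):
    """Run both checks against a mounted Windows volume root."""
    return {"gac_desktop_ini": find_gac_desktop_ini(root),
            "hosts_redirects": suspicious_hosts_entries(root)}

def make_constructed_sample():
    """Build a throwaway volume tree mimicking an infected system (constructed data)."""
    root = Path(tempfile.mkdtemp())
    (root / "Windows/assembly/GAC_32").mkdir(parents=True)
    (root / "Windows/assembly/GAC_32/Desktop.ini").write_bytes(b"\x00" * 16)
    etc = root / "Windows/System32/drivers/etc"
    etc.mkdir(parents=True)
    (etc / "hosts").write_text("# constructed sample\n127.0.0.1 localhost\n"
                               "203.0.113.5 update.example.com\n")
    return str(root)

if __name__ == "__main__":
    print(triage(make_constructed_sample()))
```

On a real system, pass the mounted volume root (for example the drive letter seen from the recovery command prompt) instead of the constructed sample.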

Here is the log from the OTL quick scan.

That looks better - now let's reset the Winsock - go to this MS site and run the Fix it there http://support.microsoft.com/kb/299357

How is the computer behaving?

Everything seems fine, Avast has not captured any more DNSChanger-VJ [Trj] since the 28th of May. Should I run another boot-time scan just to be sure?

It would not come amiss to find any stragglers, but you should be clear. Did you run the Winsock fix?

Yes, I ran the fix. I did not see any difference after though, what was it supposed to do?

You will not see a difference but it will remove the corruption that the malware made ;D

Okay, I ran the boot-time scan again and it caught the same two rootkits in assembly. However, this time when I tried to move them to the chest it gave me an error like “unable to complete operation, disk is full” for both of the files.

Could you retry Combofix, but this time rename it to Gotcha when you download it

I still have combofix, can I just rename the one I have to Gotcha and run that one?