Author Topic: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS  (Read 11040 times)


BethK

  • Guest
Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« on: October 18, 2011, 02:38:09 AM »
My husband has been having a problem with Google search redirect of websites for a few weeks and recently AVAST has been blocking things like Win32:DNSChanger-VJ [Trj] Infection and a couple others and sending them to the chest. I have run full scan on boot and usually at least one infection, if not more, is sent to the chest. I have also downloaded and run several anti-malware programs which have removed some infections, but each time I reboot and go back online we are still redirected to strange sites upon doing a Google search and receive warnings from AVAST about blocking threats.

I am sending this from my own laptop now.  I see there are several topics on this subject and suggestions on fixes.....but it looks like each issue and/or computer fix may be different.

Please advise... thank you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89431
  • No support PMs thanks
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #1 on: October 18, 2011, 03:42:12 AM »
With it coming back, then it is likely to have a hidden element restoring/downloading them again...
What is your OS and firewall?

With this recurrence issue, it needs further analysis and probably specialist help.
- This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach (additional Options in the Reply window) the logs here in this topic, not in the LOGS topic.

It is almost 2:40am in the UK and I'm about to call it a night, also the malware removal specialist is in the UK too and it will be later this evening before he is on the forums. So if you can download the tools, run the scans, attach the logs and he will have something to work with when he is on-line.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.7.6124 (build 24.7.9311.855) UI 1.0.811/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

BethK

  • Guest
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #2 on: October 18, 2011, 12:18:43 PM »
I am using Windows 7 Home Premium 64-Bit operating system. I cannot access my firewall which is turned off, nor do I have any restore points to revert back to.

Last evening I ran a quick scan through aswMBR which showed nothing.  I started a scan of C:\ and after almost 2 hours (and after showing in red: File: C:\Windows\assembly\tmp\u\80000032.@ **INFECTED** win32:DNSChanger-v3 [Tr - I can't see the end of the file or expand the window) windows shut down unexpectedly.  When it restarted there was no evidence of aswMBR being started, so I went to bed.

This morning I have started a full scan again but may have to wait until I am home from work to send the logs.  Also, this morning I could not get into my network and sharing center and had to change settings to do so. 

In my task manager I noticed PING.EXE*32.  Is this normal?

Thank you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89431
  • No support PMs thanks
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #3 on: October 18, 2011, 03:14:30 PM »
Given the location this appears to be a zero access infection (or conserv, if I remember the name right).

Whenever you can attach the logs is fine, but there may be a game of time zone ping pong, but at least essexboy will have something to work with.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #4 on: October 18, 2011, 08:24:49 PM »
That's them, David


BethK

  • Guest
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #5 on: October 18, 2011, 08:41:43 PM »
Attached is OTL log

BethK

  • Guest
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #6 on: October 18, 2011, 08:42:33 PM »
Attached is extras log

BethK

  • Guest
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #7 on: October 18, 2011, 08:44:50 PM »
Attached are the very first Malwarebytes log run 3 days ago, as well as the most recent one run last night.

BethK

  • Guest
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #8 on: October 18, 2011, 08:47:46 PM »
Quickscan of aswMBR showed no infections.  When I tried to scan C:\ (twice) once an infected file was shown in red, the computer shut down.  Should I attach the quickscan log only, or try to do a scan of C:\  ?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #9 on: October 18, 2011, 08:58:00 PM »
Nope - I have found the culprit but it does need removing in a certain sequence.  First I will remove the non critical malware and then get a stronger and better tool for the main miscreant.  Please disable all Avast shields whilst these programmes are running as it could interfere

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Hmm, the fix is a bit too big for the forum. At the end of this post will be a fix.txt attachment, download that to your desktop

Run OTL
  • Press the Run Fix button
  • A dialogue will open asking for the fix.txt location
  • Browse to the text file you downloaded and select
  • Then click the Run Fix button again
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

BethK

  • Guest
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #10 on: October 18, 2011, 09:07:04 PM »
Wow...am a little nervous about disabling all my antivirus/anti-malware ...

Should I do this in safe mode?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #11 on: October 18, 2011, 09:11:20 PM »
Normal mode would be best - for peace of mind disconnect from the net whilst running

BethK

  • Guest
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #12 on: October 18, 2011, 09:18:22 PM »
OTL is still running the fix, but a window popped up that said "Windows has encountered a critical problem and will restart in 1 minute"

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #13 on: October 18, 2011, 09:23:23 PM »
OK it is getting uppity - on reboot then run combofix please

BethK

  • Guest
Re: Win32:DNSChanger-VJ [Trj] Infection and REDIRECT VIRUS
« Reply #14 on: October 18, 2011, 09:27:43 PM »
I started doing a quickscan of OTL on reboot.  Shall I let it go on or cancel it and go directly to ComboFix? (Am typing from another laptop)