Author Topic: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?  (Read 31132 times)


WoodiusJ

  • Guest
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #15 on: May 20, 2012, 07:34:27 PM »
And when I click through that it just takes me back to the computer screen, as shown.

essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #16 on: May 20, 2012, 10:48:50 PM »
OK, it appears that I may need to disable your CD emulator.

Please download DeFogger and save it to your desktop.
  • Once downloaded, double-click on the DeFogger icon to start the tool.
  • The application window will appear.
  • You should now click on the Disable button to disable your CD Emulation drivers.
  • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
THEN

Please retry Combofix

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #17 on: May 21, 2012, 01:12:46 AM »
I ran DeFogger and it disabled my CD Emulation program and I rebooted. I ran ComboFix again but I still got no ComboFix.txt in my C:/ drive and I got the same folder that brings me back to my computer window.

essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #18 on: May 21, 2012, 08:31:44 PM »
OK, I have two options now... One is to work outside of Windows and the other is to use AVP. Do you have a Windows CD for the recovery console?

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #19 on: May 21, 2012, 11:08:18 PM »
I don't think I have a Windows CD, my OS came with the computer.

essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #20 on: May 21, 2012, 11:29:46 PM »
Download the following three programmes to your desktop:

Click the globe under my Avatar and download from my skydrive

  1. WiNToBootic
  2. Windows 7 64bit RC
  3. Farbar Recovery Scan Tool x64

Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

It will let you know when it is done
Then copy FRST to the same USB

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB
Note: If you are not sure how to do that, follow the instructions Here

When you reboot you will see this, although yours will say Windows 7. Click Repair my computer

Select your operating system

Select Command prompt

At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #21 on: May 22, 2012, 12:00:40 AM »
Will I lose any of my files? I also do not currently have a flash drive, is there any other way?

essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #22 on: May 22, 2012, 08:54:26 PM »
No, none of the files will be touched.

We can burn the recovery console to a disc if it is easier.

To do that, download the Win 7 64 bit ISO to the desktop.
Download and install ImgBurn: http://www.imgburn.com/

Once ImgBurn is installed, double click the ISO file and ImgBurn will open to burn it to disc.

Copy the FRST programme to your root C drive and then follow the previous instructions, except that FRST will now be run from the C drive as opposed to a USB.

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #23 on: May 23, 2012, 02:06:33 AM »
Okay, and this will keep my operating system completely genuine? Because the last time I got rid of one of those files (only one of the ones in assembly) through using a boot-time scan from Avast, it brought me to a black screen with "This is not Genuine" at the bottom corner once I had logged in, but eventually brought me back to my desktop.

essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #24 on: May 23, 2012, 08:27:59 PM »
I could not rule out that possibility, but it is very easy to revalidate Windows via a free phone call (I have done it several times).

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #25 on: May 24, 2012, 01:50:02 AM »
I am getting a flash drive later today. But first, can you tell me how I would revalidate my Windows?

essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #26 on: May 24, 2012, 07:39:21 PM »
If this should occur, then on the popup select Activate Windows by phone.
This will then produce a series of letters/numbers and give you a freephone number to call.
Call the freephone number.
You will be asked for the letters/numbers.
Follow the phone prompts and you will be reactivated.

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #27 on: May 25, 2012, 12:50:14 AM »
Okay, the scanning and everything worked fine. I have attached the log.

essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #28 on: May 25, 2012, 07:19:38 PM »
That is showing no sign of ZeroAccess. Is Avast still reporting it?

If so, where?

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #29 on: May 26, 2012, 02:11:46 AM »
I did a rescan and Avast is still showing them. They are C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini. Those are the two rootkits that have been troubling me this whole time. There were also some other files it found in C:\Windows\Installer\... and Avast chested those, but they do seem to be constantly reappearing, so my suspicion is that they are from those rootkits.
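As an added example, not code from this thread, from Avast or from the helper: a read-only PowerShell triage check for the two Desktop.ini paths named in the reply above. It assumes an elevated PowerShell prompt on the affected machine, and the listing of C:\Windows\Installer at the end is a timestamp-comparison heuristic, not a verdict.

```powershell
# Added example (not from the thread): report on the ZeroAccess/Sirefef indicators
# named in Reply #29. It deletes nothing; removal stays with the prescribed tools.
# Assumption: run from an elevated PowerShell prompt on the affected machine.

$win = $env:SystemRoot
$indicators = @(
    (Join-Path $win 'assembly\GAC_32\Desktop.ini'),
    (Join-Path $win 'assembly\GAC_64\Desktop.ini')
)

function Get-Sha256Hex {
    param([string]$Path)
    # .NET is used directly so this also runs on the PowerShell 2.0 shipped with Windows 7.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

function Test-SirefefIndicator {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Present = $false; Bytes = 0; Attributes = ''; SHA256 = '' }
    }
    $item = Get-Item -LiteralPath $Path -Force
    # A real Desktop.ini is a few hundred bytes of INI text; the payload that borrows
    # this name is typically a hidden binary of tens of kilobytes. Size and attributes
    # are the first thing to look at; the hash is what you hand to the helper.
    New-Object PSObject -Property @{
        Path       = $Path
        Present    = $true
        Bytes      = $item.Length
        Attributes = $item.Attributes.ToString()
        SHA256     = Get-Sha256Hex -Path $Path
    }
}

$findings = $indicators | ForEach-Object { Test-SirefefIndicator -Path $_ }
$findings | Format-List Path, Present, Bytes, Attributes, SHA256

# The reply also mentions files under C:\Windows\Installer that keep reappearing.
# List that folder's subdirectories with attributes and timestamps (heuristic only), so any
# entry written at the same time as the Desktop.ini files stands out for the helper to review.
Get-ChildItem -LiteralPath (Join-Path $win 'Installer') -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 FullName, Attributes, LastWriteTime |
    Format-Table -AutoSize
```

Paste the Format-List output into the reply alongside the FRST log; the hashes let the helper confirm the files are the known payload rather than a benign Desktop.ini.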