Author Topic: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?  (Read 31133 times)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #30 on: May 26, 2012, 10:40:43 AM »
OK, they are remnants, so it is just a matter of taking them out. I will be away for about a week, but this should stop the alerts.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini

    :Files
    ipconfig /flushdns /c

    :Commands
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

WoodiusJ

  • Guest
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #31 on: May 26, 2012, 07:43:21 PM »
Here is the log from the OTL quick scan.

Offline essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #32 on: June 02, 2012, 07:00:46 PM »
That looks better - now let's reset the winsock - go to this MS site and run the fixit there: http://support.microsoft.com/kb/299357

How is the computer behaving ?

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #33 on: June 03, 2012, 06:41:48 PM »
Everything seems fine, Avast has not captured any more DNSChanger-VJ [Trj] since the 28th of May. Should I run another boot-time scan just to be sure?

Offline essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #34 on: June 03, 2012, 06:59:26 PM »
It would not come amiss to find any stragglers, but you should be clear. Did you run the winsock fix?

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #35 on: June 03, 2012, 07:06:12 PM »
Yes, I ran the fix. I did not see any difference after though, what was it supposed to do?

Offline essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #36 on: June 03, 2012, 08:46:09 PM »
You will not see a difference but it will remove the corruption that the malware made  ;D

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #37 on: June 03, 2012, 11:06:54 PM »
Okay, I ran the boot-time scan again and it caught the same two rootkits in assembly. However, this time when I tried to move them to the chest it gave me an error like "unable to complete operation, disk is full" for both of the files.

Offline essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #38 on: June 03, 2012, 11:12:21 PM »
Could you retry Combofix, but this time rename it to Gotcha when you download it?

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #39 on: June 03, 2012, 11:13:42 PM »
I still have combofix, can I just rename the one I have to Gotcha and run that one?

Offline essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #40 on: June 03, 2012, 11:15:44 PM »
No, delete that from the desktop as it is now well out of date.

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #41 on: June 03, 2012, 11:20:49 PM »
Okay, I renamed it Gotcha and reran it. It made a folder at C:\32788R22FWJFW with a lot of files inside of it. What should I do now?

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #42 on: June 03, 2012, 11:22:26 PM »
I just tried to go back to C:\32788R22FWJFW and it brought me to the My Computer screen again.

WoodiusJ
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #43 on: June 04, 2012, 12:14:00 AM »
Also, my computer's fan seems to be louder than it was before I got infected. This could be a dust thing, so I am going to clean it out soon. The only time I could hear the fan this much before was if I was running something that was hard on my computer, which would make sense. But now it is constant. It will get louder the more CPU is being used, and there are always two processes I can see in my task manager that are taking up to 40% collectively. They claim to be Windows Services, but I think they may just be part of the virus since that is inside my Windows folders. I don't remember if these were this way before, but my computer is definitely louder more of the time. I attached a picture of them; tell me what you think.

Offline essexboy
Re: Win32:Sirefef-PL [Rtk] and Win32:DNSChanger-VJ [Trj] Help?
« Reply #44 on: June 04, 2012, 01:59:46 PM »
  • Run OTL. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
Services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will produce one log; attach that.
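As an added example that is not part of the thread or of OTL: a read-only PowerShell triage script covering the locations essexboy's fix (Reply #30) and custom scan (Reply #44) target, using only the paths and file names given in those posts; it reports and deletes nothing, so its output can be compared with the OTL log. It assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added triage script (not from the thread): read-only check of the Sirefef
# remnants the OTL fix (Reply #30) and custom scan (Reply #44) target.
$assembly = Join-Path $env:SystemRoot 'assembly'

# 1. Desktop.ini dropped into the GAC folders (the two :OTL lines in Reply #30).
foreach ($sub in 'GAC_32', 'GAC_64') {
    $ini = Join-Path $assembly "$sub\Desktop.ini"
    if (Test-Path -LiteralPath $ini) {
        $f = Get-Item -LiteralPath $ini -Force
        "SUSPECT  $ini  $($f.Length) bytes  attrs=$($f.Attributes)"
    } else { "clean    $ini not present" }
}

# 2. The assembly\tmp\U folder that Reply #44 scans recursively (/s).
$tmpU = Join-Path $assembly 'tmp\U'
if (Test-Path -LiteralPath $tmpU) {
    "SUSPECT  $tmpU exists"
    Get-ChildItem -LiteralPath $tmpU -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "         $($_.FullName)  $($_.Length) bytes" }
} else { "clean    $tmpU not present" }

# 3. MD5 and location of the binaries listed between /md5start and /md5stop.
#    A copy in the drive root (the %SYSTEMDRIVE%\*.exe line) or outside the
#    expected Windows folders deserves a second look; the hash lets you match
#    the line OTL prints for the same file.
$md5  = [System.Security.Cryptography.MD5]::Create()
$dirs = @($env:SystemRoot,
          (Join-Path $env:SystemRoot 'System32'),
          (Join-Path $env:SystemRoot 'SysWOW64'),
          "$env:SystemDrive\")
foreach ($name in 'services.exe', 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe') {
    foreach ($d in $dirs) {
        $p = Join-Path $d $name
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $s = [System.IO.File]::OpenRead($p)
        try     { $h = [BitConverter]::ToString($md5.ComputeHash($s)).Replace('-', '') }
        finally { $s.Close() }
        '{0,-13} {1,-45} {2}' -f $name, $p, $h
    }
}

# 4. hosts entries the [resethosts] command would wipe: anything beyond comments.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') } |
    ForEach-Object { "hosts    $_" }
```

The script does not judge the hashes itself; compare each reported MD5 with the value OTL shows for the same path, and treat any of the listed names found in the drive root as a finding to raise in the thread.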