
DNSChanger removed - problem still there


This started as a DNSChanger infection. Initially Malwarebytes found and removed it. I also manually removed the task and program associated with it. All was well for a day.


Now the problem is back, but Malwarebytes comes up clean, as does AdwCleaner and Avast Browser Cleanup. Did a few reboots, etc.


Current FRST.txt and Addition.txt attached.


Interestingly, the problem occurs in Firefox (using version 43.0.4), but not IE. All add-ons have been removed from Firefox.










Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...



Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.

To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…




Upload Files to Virustotal

Go to http://www.virustotal.com/

  • Click the Choose file button
  • Navigate to the file C:\ProgramData\E6E0456AF3.sys
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.
  • Repeat the above steps for the following files



Let me see those results...




I recommend you totally remove Firefox and start over. Make sure you still have a working Browser available, eg Internet Explorer or similar...

Go here: https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer and follow those instructions...

Ensure when the uninstall completes to navigate to and delete the firefox installation folder (if present):

(32-bit Windows) C:\Program Files\Mozilla Firefox
(64-bit Windows) C:\Program Files (x86)\Mozilla Firefox

It is essential the installation folder is removed. Re-boot your system when that is completed....


To remove all remaining data and profile information...

    Press "Windows key + R" to open the Run box
    In the Run box, type in or copy and paste %APPDATA%
    Click OK.  A Windows Explorer window will appear.
    In this window, choose/open in succession Mozilla > Firefox > Profiles.
    Select Delete on each entry in reverse, eg  Profiles > Delete. Firefox > Delete. Mozilla > Delete.


Re-boot your system when complete!


Go here: http://www.mozilla.org/en-US/ download and install the latest version of Firefox...


When Firefox is installed and open select these keys together :- Ctrl - Shift - A that will access Addons manager, this gives access to find addons, use, start, stop or disable those features etc....

Ensure to use Addons manager to search for and install the following:


AdBlock plus


DrWeb Anti-Virus link checker

DrWeb Scan Link


plus any other addons you normally use.... Now try surfing, see what happens...




Download TFC to your desktop, from either of the following links






  • Save any open work. TFC will close all open application windows.



  • Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.



  • If prompted, click "Yes" to reboot.




TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not Re-boot it yourself to complete cleaning process <---- Very Important

Keep TFC it is an excellent, run weekly utility to keep your system optimized, it empties all user temp folders, Java cache etc etc. Always remember to re-boot after a run, even if not prompted




Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:


  • Remove disinfection tools.  (FRST and logs etc)

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…




Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...



  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.