DNSChanger and Trojan.Agent infections on an Avast!-protected PC

This morning I realized my computer had been infected by a trojan. I took the machine off the Internet immediately, copied MBAM and MBAM updates to it via a CD, and scanned the system. MBAM detected two trojans:

  • Trojan.DNSChanger
  • Trojan.Agent

Now that I know the symptoms I realize DNSChanger has been running for at least two days.

I cleaned the system using MBAM quick scan (a second quick scan turned up nothing) and am now doing a deep scan with MBAM.

I have some questions:

  1. Assuming MBAM’s full scan comes up clean, can I be sure that the system is now safe? This system has critical personal information on it. Should I reformat the hard drive and reinstall everything to be safe? Or is there anything else I can do to ensure that some villains have not installed some other malware (key loggers, file grabbers) through these infections?

  2. How did I get these trojans? I am certain I did not install the PlayMP3z plugin into Firefox (as suggested in another thread). I am running a fully updated Avast! Free (at least, it was fully updated until the trojan got into the system.)

  3. How can I make sure I don’t get these or other malware again?

Try scanning with SuperAntiSpyware (SAS) if you wish.

You could send the infected files to alwil.

Sorry, just now I’ve seen your topic… I’ve created a new one just before…
Maybe they’re linked.

http://forum.avast.com/index.php?topic=45997.msg385828#msg385828

Tech, I’m sorry for double-posting. I got some scary messages from Donovansrb10 that made me think I’d done a bad thing by posting followups to existing posts, so I created a new thread. If you can tell me how to cross-link to those (if that’s what you want me to do) then I’ll be glad to do it.

Unfortunately, I don’t think I can send you the infected files now because MBAM appears to have deleted them. However, I am quite sure that the computer was infected with a DNS redirect type of trojan, because when I attempted to do a Microsoft Update this morning, I kept getting shunted to a Google search page or a Google file not found page. (That’s what alerted me to the fact that I had a problem.)

When I investigated, I discovered that my connection in that computer was being redirected to DNS servers in the Ukraine (85.255.xxx.xxx) known to be associated with the DNSChanger trojan. (I found the following web page: http://www.bleepingcomputer.com/forums/lofiversion/index.php/t185655.html and worked from instructions there.)

The infected computer was running XP SP3 and Avast! 4.8 Home Edition. I have Firefox 3 installed on it, as well as IE7 and the Safari beta, but I use Firefox almost exclusively.

This computer is generally always on and connected to the Internet. According to the Avast! install on it, the current version of the virus database is 090608-0, 06/08, and the VRDB is dated 5/21/09. I’ve taken it off the Internet for now.

I’ve checked another computer on my LAN and it does not appear to have been infected (its DNS server entries are intact and a full boot-time system scan by Avast! didn’t turn up anything.) If necessary I can run MBAM on that machine to see if either of these trojans is on it.

Please let me know what you’d like me to do. I’d be glad to assist in any way I can to try to help ensure these trojans are detected by Avast! in the future. I’m sorry I didn’t come here first thing rather than using MBAM to destroy them!

If the other computer has the viruses, you can try sending it to alwil. :wink:

Maybe I do not have this infection because I use OpenDNS…

I should also mention that I could post the MBAM logs showing these two trojans. I’d have to jump through some hoops since I don’t want to put this machine back on the LAN unless I know it’s safe, but I can do it.

The MBAM log shows about a dozen registry entries for DNSChanger and two files infected with DNSChanger. It also shows one file infected with Trojan.Agent, and three infected Registry keys (one with Trojan.Agent and two with Trojan.DNSChanger).

The infected folders and files are as follows (I’m reading and typing, so please excuse typos!)

Folders Infected:
C:\Program Files\BlueRaTech (Trojan.DNSChanger)

Files Infected:
C:\program files\bluratech\Uninstall.exe (Trojan.DNSChanger)
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSChanger)
C:\WINDOWS\system32\gxvxccnmwmioxdxepjewwpkjekqfrkutdmxstm.dll (Trojan.Agent)

Unfortunately, as I said, I’ve already run MBAM and instructed it to clean these viruses. A subsequent run shows no infections.

BTW, I will follow Donovan’s suggestion and run SAS as soon as the full scan of MBAM is done.

That’s another thing that’s puzzling: I am using OpenDNS. But somehow the DNSChanger trojan got into the system and redirected Windows to use those Ukrainian DNS servers.
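A defender’s check for the symptom described in this thread (Windows silently pointed at 85.255.x.x resolvers instead of the configured OpenDNS ones, and the router’s own DNS settings needing a look): this is an added Python example, not code from the thread or from any product it mentions. It parses `ipconfig /all` output and flags any resolver outside an allowlist; the sample output and the 85.255.0.0/16 block are constructed from the post’s description, and the allowlist holds the public OpenDNS addresses.

```python
import re
import ipaddress

# Resolvers this LAN is supposed to use (the public OpenDNS addresses).
EXPECTED_DNS = {"208.67.222.222", "208.67.220.220"}
# The poster saw DNS pointed at 85.255.xxx.xxx; the whole /16 is flagged here (assumption).
SUSPECT_NETS = [ipaddress.ip_network("85.255.0.0/16")]
# Constructed sample of `ipconfig /all` output from an XP host with altered DNS (not real data).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 85.255.1.2
                                            85.255.3.4
"""
FIELD_RE = re.compile(r"\s+(.+?)[ .]+: ?(.*)$")   # "Field . . . : value" lines
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")        # only IPv4 resolvers are collected

def parse_dns_servers(text):
    """Map each adapter in `ipconfig /all` output to its list of DNS server addresses."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]              # adapter header, e.g. "Ethernet adapter ...:"
            adapters[current] = []
            in_dns = False
            continue
        m = FIELD_RE.match(line)
        if m:
            field, value = m.group(1), m.group(2).strip()
            in_dns = field.startswith("DNS Servers")  # following bare-IP lines belong to this field
            if in_dns and current is not None and IPV4_RE.fullmatch(value):
                adapters[current].append(value)
        elif in_dns and current is not None and IPV4_RE.fullmatch(line.strip()):
            adapters[current].append(line.strip())    # continuation line with another resolver
    return adapters

def audit_dns(adapters, expected=EXPECTED_DNS, suspect_nets=SUSPECT_NETS):
    """Return (adapter, ip, reason) for every resolver that is not on the allowlist."""
    findings = []
    for adapter, servers in adapters.items():
        for ip in (s for s in servers if s not in expected):
            addr = ipaddress.ip_address(ip)
            reason = ("in the 85.255.x.x range seen in the infection"
                      if any(addr in net for net in suspect_nets)
                      else "LAN resolver; check the router's upstream DNS entries"
                      if addr.is_private else "not an expected resolver")
            findings.append((adapter, ip, reason))
    return findings
```

An empty result from `audit_dns` means every adapter uses only the expected resolvers; a private-address finding means the host trusts the router, whose DNS settings then need the same inspection.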

Are you with Vista? You may have UAC disabled then…

No, I am using XP Pro SP3.

Donovan,

I ran Malwarebytes on the other computer, and it came up clean. So unfortunately it looks like I cannot send you copies of the infected files.

Wait. I was wrong! Malwarebytes did not delete the infected files; it quarantined them. So I could theoretically restore them and send them to you.

Is there a safe way to do this? Can you tell me how to go about it?

Not-safe way: you can put the files back in their original places, then send them to the Avast chest and then send them to alwil.

Safe way: send the quarantined item to alwil (possible chance of no action).

:slight_smile: Hi :

Several months ago on another forum, I recommended the following :

"IF you use a router, you MUST do the following :

In order to destroy the terrible Trojan.DNSChanger you must re-set your router.

  1. Disconnect your system from the internet

  2. Scan your system to expose the Trojan.DNSChanger

  3. Then have SuperAntiSpyware remove it. (re-boot your computer if necessary).

  4. Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled “reset” located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router’s default password, you can look it up here:

https://www.opendns.com/smb/start/router/

  5. Re-run SuperAntiSpyware to see if the Trojan.DNSChanger is gone from your computer. And then connect to the internet.

IF you do NOT use a router, let me know. IF you use Flash Drive(s), I recommend you use the FREE ‘Flash Disinfector’, with very good Info available at http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs ."

It was quarantined by MBAM, so he needs to restore them first before sending them.

Ok, sorry I disappeared for a few days. I’ve been busy working on this problem.

So far I’ve done these things:

  • Malwarebytes scan - found and quarantined trojan.DNSChanger and trojan.Agent
  • Microsoft Updates - successfully installed all recent patches.

Installed and ran these online scanners:

  • TrendMicro Housecall - found & deleted several instances of malware on first scan; clean on second scan
  • BitDefender - found one Rootkit, two Trojans, and one Backdoor, all heuristically. I manually deleted all files in which these were found. I can give you full names of these items if necessary.

Installed and ran these spyware scanners:

  • Ad Aware - quick scan - found & deleted 66 tracking cookies
  • SpybotS&D - full scan - found 1 tracking cookie.
  • SUPERAntiSpyware - found 32 registry threats, 463 file threats. Registry threats included entries for Rootkit.Agent/Gen-GXServ which blocked a number of antivirus programs. SAS deleted all these threats.
  • HijackThis - downloaded from Spywarewarrior.com and ran it. Log attached.

Note that I downloaded all of the above programs onto a Mac and then copied them to a CD (Malwarebytes) or across the LAN (all the others) to get them to the infected PC. I did this just to make sure that they were not corrupted by something lurking on the infected PC.

I also closely examined the contents of my router (a Dynex DX-E402) and could find no signs that it had been infected. It still had the correct DNS addresses (for OpenDNS) and I couldn’t find anything else that had been changed. Also, all of the other computers on the LAN still have the correct OpenDNS addresses.

My intention is to dismantle this computer, assemble a new one with new hard drive, mobo and CPU, put the old C:/D: hard drive into a USB dock and copy the data off of it to the new hard drive. However, I want to be sure I clean the existing hard drives up as much as possible before I dismantle the computer so that later when I copy the data off the old D: partition I will be reasonably sure the data is clean.

Edit: Also, the last thing I do before I dismantle it will be to take the two trojans, DNSChanger and Agent, out of quarantine and put them into the Avast! chest and email them to you, so you can try to determine why Avast! didn’t catch them.

I’m installing a new mobo and CPU so I can also install a full security suite and at least one realtime antispyware scanner and still get reasonable performance. The existing hardware is 2 1/2 years old so it’s due for an upgrade anyway.

Any suggestions as to my strategy are welcome. Also, if anyone spots any threats in the HijackThis log, please let me know and I’ll have HijackThis clobber them.

Update: I did a little more digging and found that Trend Micro has a later version of HijackThis. They also recommend a number of forums to which I can upload my HijackThis log. So there’s no need for anyone here to look at my log unless you want to. :slight_smile:

Thank you! Thanks so much for all the suggestions so far. I’m very grateful to this forum and the moderators for your assistance.

Alison

Current system configuration:
Asus M2N32-SLI Deluxe
2 GB Corsair DDR2 800
MSI NX8800GT
SoundBlaster X-Fi Extreme Audio PCIe
640 GB HDD containing C: (Windows) and D: (data) partitions
250 GB HDD for backups
CF/SD/SM/MS card reader (connected to internal USB header)
DVD drive
DVD burner

I also use an external drive for additional backups. The above scans included the internal backup drive but not the external, which is not attached.

Current LAN configuration:
DSL modem
Dynex DX-E402 router
D-Link DGS-2208 8-port gigabit switch
Linksys WRT54G Wifi router
four desktop PC’s running XP Pro
one Mac Mini G4 running Tiger
two laptops running XP Pro (not always connected)

All of the PC’s and the Mac are hard-wired; the laptops usually use WiFi connections.

OK, I’m no expert so don’t react to this immediately. I ran the HJT log through a scanner, which said the Cool Mouse entry was extremely nasty. Think about where it’s from; did you download some mouse icons? That could be it. I’d wait for expert advice, tbh.
I used this site http://www.hijackthis.de and pasted the log onto it.
It’s not 100% accurate but it’s helpful, so I would keep an eye on the Cool Mouse entries:
O4 - HKCU\..\Run: [Cool Mouse] C:\Program Files\Shelltoys\Cool Mouse\cmouse.exe - Extremely nasty
C:\Program Files\Shelltoys\Cool Mouse\cmouse.exe - Not sure