
Cleaning up after DNSChanger and Agent trojans found


  • This topic is locked
10 replies to this topic

#1 Alisonnic

Alisonnic

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 13 June 2009 - 08:15 AM

On Tuesday I realized my computer had been infected by a trojan. What tipped me off was that when I tried to run Microsoft updates, IE kept getting redirected to Google. I found that my DNS server addresses had been changed. I also found I was unable to get valid updates to my antivirus program, Avast!, and another security program.

I took the machine off the Internet immediately. Now that I know the symptoms I realize DNSChanger had been running for at least two days before I found it.

I use this computer for financial transactions. Obviously I am very concerned by this attack. I have called all my financial institutions and changed all my passwords.

To address the problem, so far I've done these things:
  • Malwarebytes scan - found and quarantined:
    • trojan.DNSChanger
    • trojan.Agent
  • Microsoft Updates - successfully installed all recent patches.
Installed and ran these online scanners:
  • TrendMicro Housecall - found & deleted several instances of malware on first scan; clean on second scan
  • BitDefender - found multiple instances of these threats:
    • Gen:Rootkit.Heur.7017E8B8B8
    • Gen:Trojan.Heur.VB.90C43B0B0B
    • Backdoor.Generic.148045
    • JS.Kak.Gen@mm
I manually deleted all files in which these were found. (Most of these files were several years old.)
Installed and ran these spyware scanners:
  • Ad Aware - quick scan - found & deleted 66 tracking cookies
  • SpybotS&D - full scan - found 1 tracking cookie.
  • SUPERAntiSpyware - found 32 registry threats, 463 file threats. Registry threats included entries for Rootkit.Agent/Gen-GXServ which blocked a number of antivirus programs. SAS deleted all these threats.
Note that I downloaded all of the above programs onto a Mac and then copied them to a CD (Malwarebytes) or across the LAN (all the others) to get them to the infected PC. I did this just to make sure that they were not corrupted by something lurking on the infected PC.

I also closely examined the contents of my router (a Dynex DX-E402) and could find no signs that it had been infected. It still had the correct DNS addresses (for OpenDNS) and I couldn't find anything else that had been changed. Also, all of the other computers on the LAN still have the correct OpenDNS addresses.

My intention is to dismantle this computer and copy the data from its hard drive to a new computer via a USB dock. I want to be sure this machine is as clean as possible before I do this.

I've run DDS.scr, pasted the contents of the DDS.txt file at the bottom of this message, and attached the log. I appreciate any advice or help you can give me to help ensure I've cleaned this machine as thoroughly as I can.

Thank you!

Alisonnic

=============================
Current system configuration:
Asus M2N32-SLI Deluxe
2 GB Corsair DDR2 800
MSI NX8800GT
SoundBlaster X-Fi Extreme Audio PCIe
640 GB HDD containing C: (Windows) and D: (data) partitions
250 GB HDD E: for backups
CF/SD/SM/MS card reader (connected to internal USB header)
DVD drive
DVD burner

XP Pro SP3
Avast! 4.8 Home Edition
Firefox 3.0.10
Windows Live Sync
Mozy Home Backup

I also use an external drive for additional backups. The above scans included the internal backup drive but not the external, which is not attached.

Current LAN configuration:
DSL modem
Dynex DX-E402 router
D-Link DGS-2208 8-port gigabit switch
Linksys WRT54G Wifi router
four desktop PCs running XP Pro
one Mac Mini G4 running Tiger
two laptops running XP Pro (not always connected)

All of the PCs and the Mac are hard-wired; the laptops usually use WiFi connections.

==============================================================
=============== Contents of DDS.txt follow =============================
==============================================================

DDS (Ver_09-05-14.01) - NTFSx86
Run by Alison at 8:31:24.59 on Sat 06/13/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.915 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090612-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
d:\Program Files\iRacing\iRacingService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Shelltoys\Cool Mouse\cmouse.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\KatMouse\KatMouse.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alison\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Cool Mouse] c:\program files\shelltoys\cool mouse\cmouse.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Windows Live Sync] "c:\program files\windows live\sync\WindowsLiveSync.exe" /background
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunOnce: [WDM_SFSYNTH0] rundll32.exe streamci.dll,StreamingDeviceSetup {FEF6DAE8-FDA7-43fc-8825-1101DEDE9255},CTUSFSYN,{2EB07EA0-7E70-11D0-A5D6-28DB04C10000},c:\docume~1\alison\locals~1\temp\cdm\{8e1de432-fb9a-492a-9085-447e0b85b0d7}\winxp\bin\ctusfsyn.inf,WDM_SFSYNTH.Interface.Install
mRunOnce: [WDM_SFSYNTH1] rundll32.exe streamci.dll,StreamingDeviceSetup {FEF6DAE8-FDA7-43fc-8825-1101DEDE9255},CTUSFSYN,{DFF220F3-F70F-11D0-B917-00A0C9223196},c:\docume~1\alison\locals~1\temp\cdm\{8e1de432-fb9a-492a-9085-447e0b85b0d7}\winxp\bin\ctusfsyn.inf,WDM_SFSYNTH.Interface.Install
mRunOnce: [WDM_SFSYNTH2] rundll32.exe streamci.dll,StreamingDeviceSetup {FEF6DAE8-FDA7-43fc-8825-1101DEDE9255},CTUSFSYN,{6994AD04-93EF-11D0-A3CC-00A0C9223196},c:\docume~1\alison\locals~1\temp\cdm\{8e1de432-fb9a-492a-9085-447e0b85b0d7}\winxp\bin\ctusfsyn.inf,WDM_SFSYNTH.Interface.Install
StartupFolder: c:\docume~1\alison\startm~1\programs\startup\katmouse.lnk - c:\program files\katmouse\KatMouse.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\alarmm~1.lnk - c:\program files\palm\AlarmApp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231617300453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-11 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-9 114768]
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2009-1-11 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-9 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-9 138680]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-2-25 13088]
R2 iRacingService;iRacing helper service;d:\program files\iracing\iRacingService.exe [2009-1-11 458328]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-9 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
R3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [2004-7-23 46536]
R3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [2008-10-17 735744]
R3 t3filt;t3filt;c:\windows\system32\drivers\t3filt.sys [2007-8-20 1656960]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-1-9 332928]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2009-1-9 13532]
S3 SunkFilt6;Alcor Micro Corp - 6360;\??\c:\windows\system32\drivers\sunkfilt6.sys --> c:\windows\system32\drivers\sunkfilt6.sys [?]

=============== Created Last 30 ================

2009-06-12 16:24 <DIR> --d----- c:\program files\Trend Micro
2009-06-11 19:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-11 19:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-11 19:23 <DIR> --d----- c:\docume~1\alison\applic~1\SUPERAntiSpyware.com
2009-06-11 18:33 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-11 18:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-11 18:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-11 18:22 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-11 18:17 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-11 18:17 <DIR> --d----- c:\program files\Lavasoft
2009-06-09 19:37 <DIR> --d----- c:\documents and settings\alison\.housecall6.6
2009-06-09 15:46 <DIR> --d----- c:\docume~1\alison\applic~1\Malwarebytes
2009-06-09 15:46 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 15:46 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-09 15:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 15:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-09 10:05 <DIR> --d----- c:\documents and settings\alison\Config
2009-06-02 00:57 <DIR> --d----- c:\program files\iPod
2009-06-02 00:57 <DIR> --d----- c:\program files\iTunes
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-07 10:00 1,984 a------- c:\windows\system32\d3d9caps.dat
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-26 21:28 36,224 a---h--- c:\windows\system32\mlfcache.dat
2009-03-17 12:09 6 a------- c:\windows\fonts\wfonts.key

============= FINISH: 8:31:52.28 ===============
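The poster's first clue was that the DNS server addresses on the PC had been changed, and the first thing checked on the router and the other LAN machines was whether they still pointed at OpenDNS. The script below is an added example (not part of the original thread, and not a BleepingComputer tool) that turns that manual check into a repeatable one: it parses the text of `ipconfig /all`, lists the resolvers configured on each adapter, and flags any address that is not on an allow-list. The allow-list uses the two well-known OpenDNS resolver addresses; the sample `ipconfig` output is constructed for the example, and the "rogue" resolvers in it are taken from documentation address ranges, not from any real incident.

```python
import re
from typing import Dict, List

# Resolvers the machine is expected to use. These are the well-known OpenDNS
# addresses (an assumption for this example; the thread only names "OpenDNS").
ALLOWED_DNS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample of `ipconfig /all` output in the Windows XP layout.
# The second adapter is made up to show what a changed resolver looks like;
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 208.67.222.222
                                            208.67.220.220

Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.11
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.0.2.53
                                            198.51.100.53
"""

# "Ethernet adapter Local Area Connection:" -> adapter name
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
# "        DNS Servers . . . : 208.67.222.222" -> first resolver (may be empty)
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)\s*$")
# Indented bare IPv4 address on the lines that follow -> further resolvers
CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Map each adapter name to the DNS servers ipconfig lists for it."""
    servers: Dict[str, List[str]] = {}
    adapter = None
    in_dns = False  # True while we are reading continuation lines of a DNS block
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers[adapter] = []
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            if m.group(1):
                servers[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line) if in_dns else None
        if m:
            servers[adapter].append(m.group(1))
        else:
            in_dns = False  # any other line ends the DNS block
    return servers


def find_rogue_dns(text: str, allowed=ALLOWED_DNS) -> Dict[str, List[str]]:
    """Return {adapter: [unexpected resolvers]} for every adapter that uses at
    least one resolver outside the allow-list. An empty dict means every
    adapter points where it should."""
    return {
        name: [s for s in srv if s not in allowed]
        for name, srv in parse_dns_servers(text).items()
        if any(s not in allowed for s in srv)
    }


if __name__ == "__main__":
    # On a live Windows host you would feed in the real output instead:
    #   subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    rogue = find_rogue_dns(SAMPLE_IPCONFIG)
    if not rogue:
        print("All adapters use allow-listed DNS servers.")
    for name, bad in rogue.items():
        print(f"{name}: unexpected DNS server(s) {', '.join(bad)}")
```

The same check belongs on every host behind the router, as the poster did by hand, because a DNS changer that has only touched one machine leaves the router's settings intact. A resolver outside the allow-list is a reason to take the machine offline and scan, not proof of infection on its own: a DHCP server or an ISP may legitimately hand out different addresses, so keep the allow-list in step with what your network is supposed to use.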



#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:12 PM

Posted 22 June 2009 - 01:33 AM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:12 PM

Posted 26 June 2009 - 06:37 PM

Topic reopened.

@ Alisonnic,

Please post back with the current DDS logs and an updated description of your computer issues.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Alisonnic

Alisonnic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 26 June 2009 - 06:57 PM

Thank you for reopening this topic. I am sorry I did not reply sooner.

Unfortunately, I am not able to produce new DDS logs. As I said in my original post, my plan was to dismantle this computer to ensure the infection was eliminated.

I waited for six days for a response to my original post, but I did not receive any response in that time. Eventually I decided that I had to go ahead with the dismantling so I could build a new computer. The machine in question is my main computer and I could not continue to do without it for an indefinite period of time.

Since the computer no longer exists, I cannot produce any more DDS logs or perform any additional diagnostic procedures.

If you can report anything of value by inspecting my original DDS log, I would very much appreciate it. If there are further measures which I can take to ensure that my data, which I copied off the infected machine after cleaning it as thoroughly as I knew how, I would be very glad to know about them.

I want to say that despite the fact that I did not receive a response before I was forced to dismantle the infected computer, I am very appreciative of the volunteer support provided here, and I am glad this is available as a resource.

Thank you!

Alisonnic

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:12 PM

Posted 28 June 2009 - 03:56 PM

Hi Alisonnic,

I will take a look at your DDS logs and see what I can find.

Be aware that not all infections will show in a log like that though. I'll do my best for you. :thumbup2:

m0le
m0le is a proud member of UNITE

#6 Alisonnic

Alisonnic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 29 June 2009 - 10:20 AM

Thank you, m0le!

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:12 PM

Posted 29 June 2009 - 12:06 PM

Hi alisonnic,

Nothing in the DDS log I'm afraid.

The error messages in the attach.txt seem to be non-malware related though.

Not much to go on there really. :thumbup2:
m0le is a proud member of UNITE

#8 Alisonnic

Alisonnic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 29 June 2009 - 01:34 PM

Thank you so much for checking, m0le. I think this is actually good news, because it helps confirm that my cleanup efforts were successful. I now have higher confidence that the data I retrieved from this machine after the cleanup is free of infections.

Thanks again!

Alisonnic

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:12 PM

Posted 29 June 2009 - 01:39 PM

You're welcome.

Just remember that some malware wouldn't show up on DDS logs. For example, DNSChanger trojan which was in your list would be one of those.
m0le is a proud member of UNITE

#10 Alisonnic

Alisonnic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 29 June 2009 - 01:45 PM

OK, thanks. As I mentioned in the OP, I did run two programs which do detect DNSChanger (MalwareBytes Anti-Malware and SUPERAntiSpyware) before producing these DDS logs. MBAM detected and quarantined DNSChanger, and after that, SAS couldn't find it. So I'm fairly confident it was eliminated.

Thanks again!

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:12 PM

Posted 04 July 2009 - 04:25 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
