[27068] in resnet


Re: Trojan DNS Changer Virus

daemon@ATHENA.MIT.EDU (Doughty, Marc)
Fri Dec 2 13:12:24 2011

Message-ID:  <CAEPWjzuY54g9eHYF+-YZR+jv+m0kn=WRaH0C1PbxYx3v+qe9Yg@mail.gmail.com>
Date:         Fri, 2 Dec 2011 12:59:32 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Doughty, Marc" <marc_doughty@brown.edu>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <67557041-1124-4925-a957-cd2ef696aacd@esslama.earlham.edu>

There's no good way to clean a machine of a modern infection if you're
booting up inside the infected OS. Just no way. If you want to clean a
machine for sure, you have to boot to a PE disk and clean from a
known-clean instance of Windows. Rootkits can run circles around any
antivirus out there.

Basically, you want to boot to WinPE and download
http://www.microsoft.com/security/scanner/en-us/default.aspx, then run it
in 'full' mode against all the attached drives on the machine.

I've personally seen two machines with 'undetectable' malware in the last
few weeks. Undetectable inside the booted system (even running Forefront
and Symantec), but clearly visible from a boot disk.

- Marc Doughty
"If you aren't sure who is the give-way vessel, you are the give-way
vessel."


On Fri, Dec 2, 2011 at 8:21 AM, Randall K. Kouns <kounsra@earlham.edu>wrote:

> We are seeing the same thing on ONE STUDENT MACHINE... the cleaning tool
> has REPORTED it works, only to have the darn thing come back... this has
> been on a MacBook Pro... thankfully this is the only one we have seen.
>
>
> ----- Original Message -----
> From: "Carla Rounds" <cjrounds@UCSC.EDU>
> To: RESNET-L@LISTSERV.ND.EDU
> Sent: Thursday, December 1, 2011 8:53:11 PM
> Subject: Trojan DNS Changer Virus
>
> Hi Guys,
>
> I need some guidance.  We have attempted to clean two of many systems
> infected with the Trojan DNSChanger virus, only to have them show up on
> the infected list again.  We are using our normal arsenal of tools
> (Malwarebytes, SUPERAntiSpyware, ComboFix), and I also found some
> instructions online on how to remove this virus (PC:
> http://www.myantispyware.com/2007/11/06/how-to-remove-trojan-dnschanger/
> , MAC: http://www.macworld.com/article/60823/2007/10/trojanhorse.html )
> as well as a tool
> (http://www.macupdate.com/app/mac/26652/dnschanger-removal-tool ).
> Unfortunately none of these methods are working.  Before we start
> resorting to a full system wipe and reinstall, I wanted to reach out to
> see if anyone has or knows of a good fix for this virus.
>
> --
> Carla Rounds
>
> University of California, Santa Cruz
> Santa Cruz, California 95064
>
> cjrounds@ucsc.edu
> (831) 459-5757
>
> ___________________________________________________
> You are subscribed to the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives,
> go to http://LISTSERV.ND.EDU/archives/resnet-l.html
> ___________________________________________________
>

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
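Marc's point is that a host booted into the infected OS cannot be trusted to report its own state, so the verdict that a machine is (still) infected has to come from somewhere outside it: a boot disk, or, for a campus "infected list" like the one Carla describes, the network. The script below is an added example and is not code from the original thread or from any of the posters. It audits constructed DNS flow records (client -> resolver, port 53) against the rogue resolver ranges that were published for the DNSChanger takedown, and against an assumed campus resolver allowlist (the 10.0.0.53 / 10.0.1.53 addresses and the log format are placeholders invented for the example). A host that talks to a rogue resolver is flagged; a host that talks to a resolver that is neither rogue nor on the allowlist is reported separately, which is what you want to see when a "cleaned" machine comes back with different settings. The rogue ranges should be checked against the current published list before use.

```python
"""Flag hosts whose DNS queries go to DNSChanger resolvers (added example)."""
import ipaddress
import re
from collections import defaultdict

# Rogue resolver ranges published for the DNSChanger (Rove Digital) takedown.
# Verify against the current published list before relying on them.
DNSCHANGER_ROGUE_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# Assumption: the campus's legitimate resolvers (placeholder addresses).
EXPECTED_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}

# Assumed flow-record layout: "<timestamp> <client> -> <server>:<port> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>udp|tcp)$"
)

# Constructed sample flows: one clean host, one DNSChanger victim that also
# still reaches the campus resolver, one host pointed at an unexpected but
# not rogue resolver, and one non-DNS flow that must be ignored.
SAMPLE_FLOWS = """\
2011-12-01T20:53:11 10.20.30.40 -> 10.0.0.53:53 udp
2011-12-01T20:53:12 10.20.30.41 -> 85.255.113.9:53 udp
2011-12-01T20:53:13 10.20.30.41 -> 10.0.0.53:53 udp
2011-12-01T20:53:14 10.20.30.42 -> 8.8.8.8:53 udp
2011-12-01T20:53:15 10.20.30.43 -> 10.0.0.53:443 tcp
"""


def classify_resolver(addr):
    """Return 'dnschanger', 'expected' or 'unexpected' for a resolver address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in DNSCHANGER_ROGUE_NETS):
        return "dnschanger"
    if ip in EXPECTED_RESOLVERS:
        return "expected"
    return "unexpected"


def audit_dns_flows(lines):
    """Map each client to {verdict: set(resolver addresses)} for port-53 flows."""
    report = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m or m.group("port") != "53":
            continue  # malformed line or not DNS
        verdict = classify_resolver(m.group("dst"))
        report[m.group("src")][verdict].add(m.group("dst"))
    return {client: dict(verdicts) for client, verdicts in report.items()}


def infected_hosts(report):
    """Clients that queried a DNSChanger resolver at all, regardless of other traffic."""
    return sorted(c for c, v in report.items() if "dnschanger" in v)


def still_flagged(previous_report, current_report):
    """Hosts flagged in two successive captures: 'cleaned' machines that came back."""
    return sorted(set(infected_hosts(previous_report)) & set(infected_hosts(current_report)))


if __name__ == "__main__":
    result = audit_dns_flows(SAMPLE_FLOWS.splitlines())
    for client, verdicts in sorted(result.items()):
        print(client, verdicts)
    print("infected:", infected_hosts(result))
```

Running this over two captures taken before and after a cleaning attempt and feeding both to still_flagged() gives exactly the "shows up on the infected list again" signal from the thread, without asking the suspect machine anything.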

