[27074] in resnet
Re: Trojan DNS Changer Virus
daemon@ATHENA.MIT.EDU (Nathan Heaps)
Fri Dec 2 15:06:44 2011
Message-ID: <CAPAb1EQYc=7u4=QnWhZpTYHM_gEKHab1x8fZjr8=v7F_TDCcxw@mail.gmail.com>
Date: Fri, 2 Dec 2011 13:51:54 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Nathan Heaps <nsheaps@gmail.com>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <67557041-1124-4925-a957-cd2ef696aacd@esslama.earlham.edu>
Usually, when I try to fix computers like these, last resorts are a system
restore, then a removal tool (what's the worst that can happen, it's already
infected), and manually checking the Windows shell and how Windows runs
exe's in regedit (fake AVs tend to use this approach to make sure they are
always running). Northeastern, I know, has a 'breakfix' program to help
train new technicians on common problems that they are likely to see. If
your school has such a program, I'd recommend grabbing an image of the
computer to properly train your future technicians on proper procedure
(whether it be a format, repair install, or a specific fix).

In short, I find new malware interesting and a challenge to remove. If I
weren't going on vacation, I'd love to help you figure out a fix for it. If
you can, find the offending exe and zip it up and send it to me so I can
put it into a VM and watch the changes it makes, which would hopefully aid
in fixing the malware.
Hope that helps,
Nathan Heaps
Northeastern University
Senior Student Technician and Systems Administrator
College of Computer and Information Science 2014
On Dec 2, 2011 8:27 AM, "Randall K. Kouns" <kounsra@earlham.edu> wrote:
> We are seeing the same thing on ONE STUDENT MACHINE... the cleaning tool
> has REPORTED it works, only to have the darn thing come back... this has
> been on a MacBook Pro... thankfully this is the only one we have seen.
>
>
> ----- Original Message -----
> From: "Carla Rounds" <cjrounds@UCSC.EDU>
> To: RESNET-L@LISTSERV.ND.EDU
> Sent: Thursday, December 1, 2011 8:53:11 PM
> Subject: Trojan DNS Changer Virus
>
> Hi Guys,
>
> I need some guidance. We have attempted to clean two of many systems
> infected with the Trojan DNSChanger Virus only to have them show up on
> the infected list again. We are using our normal arsenal of tools
> (Malwarebytes, SuperAntiSpyware, ComboFix), and I also found some
> instructions online on how to remove this virus (PC:
> http://www.myantispyware.com/2007/11/06/how-to-remove-trojan-dnschanger/
> , MAC: http://www.macworld.com/article/60823/2007/10/trojanhorse.html )
> as well as a tool
> (http://www.macupdate.com/app/mac/26652/dnschanger-removal-tool ).
> Unfortunately none of these methods are working. Before we start
> resorting to a full system wipe and reinstall, I wanted to reach out to
> see if anyone has or knows of a good fix for this virus.
>
> --
> Carla Rounds
>
> University of California, Santa Cruz
> Santa Cruz, California 95064
>
> cjrounds@ucsc.edu
> (831) 459-5757
>
> ___________________________________________________
> You are subscribed to the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives,
> go to http://LISTSERV.ND.EDU/archives/resnet-l.html
> ___________________________________________________
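Nathan's manual regedit check (the Winlogon Shell value and the command Windows uses to launch every .exe) and Carla's DNSChanger symptom (resolver settings that keep coming back) can both be turned into a repeatable audit a technician runs on a suspect PC before and after cleaning. The script below is an added example, not code from anyone on the list: it parses a `.reg` file produced by `reg export`, compares the two persistence points against their stock Windows defaults, and flags any adapter whose static `NameServer` value points at a resolver that is not on the campus allow-list. The registry paths and default values are real; the sample export, the `fakeav.exe` path, the adapter GUIDs and the resolver addresses in it are constructed, as is the `CAMPUS_DNS` allow-list.

```python
"""Audit a Windows .reg export for the shell/exe hijacks and DNS tampering
discussed in the thread. Added example: registry paths and stock defaults
are real; the sample export and the resolver allow-list are constructed."""
import re
import sys

# Stock defaults on an unmodified Windows install.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED = {
    (WINLOGON_KEY, "Shell"): "explorer.exe",  # fake AVs append themselves here
    (EXEFILE_KEY, "@"): '"%1" %*',            # or wrap every .exe launch here
}
# Per-adapter static DNS servers live under this prefix (value "NameServer").
INTERFACES_PREFIX = ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
                     "\\Tcpip\\Parameters\\Interfaces\\")

# Matches REG_SZ lines: "Name"="value" or @="value" (the key's default value).
_SZ_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg escaping: a backslash quotes the next character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: string}} for the REG_SZ values in a
    .reg export. hex:/dword: values and their continuation lines are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _SZ_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2))
    return keys


def audit(keys, allowed_dns):
    """Compare the export against stock defaults and a resolver allow-list."""
    findings = []
    for (key, name), good in EXPECTED.items():
        actual = keys.get(key, {}).get(name)
        if actual is not None and actual.strip().lower() != good.lower():
            findings.append(f"{key}\\{name}: expected {good!r}, found {actual!r}")
    for key, values in keys.items():
        if not key.startswith(INTERFACES_PREFIX):
            continue
        servers = [s for s in re.split(r"[,\s]+", values.get("NameServer", "")) if s]
        rogue = [s for s in servers if s not in allowed_dns]
        if rogue:
            findings.append(f"{key}: static DNS servers not on the allow-list: {rogue}")
    return findings


# Constructed sample shaped like `reg export` output from an infected PC: the
# shell and the .exe handler both point at a bogus fakeav.exe, and one adapter
# has hard-coded resolvers in the 203.0.113.0/24 documentation range.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\fakeav.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\Public\\fakeav.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"NameServer"="203.0.113.5,203.0.113.6"
"EnableDHCP"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"NameServer"="192.0.2.53"
'''
# Constructed: the campus resolver a clean machine should be using.
CAMPUS_DNS = {"192.0.2.53"}


def main(argv):
    # `reg export` writes UTF-16 with a BOM; with no file given, use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    findings = audit(parse_reg(text), CAMPUS_DNS)
    for finding in findings:
        print("FINDING:", finding)
    print(f"{len(findings)} finding(s)")
    return findings


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the built-in sample and it reports three findings (the hijacked shell, the wrapped .exe handler and the rogue resolvers on the first adapter); point it at a real export from a cleaned machine and a non-empty result is the signal that the "fix" did not take, which is exactly the recurrence Carla describes. On the Macs in the thread the same allow-list comparison applies to the resolver settings rather than the registry.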