OK, having just recently (with forum help - thanks to essexboy :)) cleaned up my main PC I thought I’d check out another of my machines. I haven’t used this machine (a Dell Dimension 5150, Windows XP SP2) for any serious work in a while, and its only current function is to act as the connection point for my router (Sky Netgear). I attempted to update the machine’s Avast license, which had just expired, but found that I could not connect (I also can’t get on the Avast website or forum from that machine). When I did a MBAM scan it found 40 items, but on quarantining them I found I could no longer connect to the internet at all (my other computers are unaffected).
Here is the MBAM Quick Scan log:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6705
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5346.5
21/06/2011 18:20:22
mbam-log-2011-06-21 (18-20-22).txt
Scan type: Quick scan
Objects scanned: 178748
Time elapsed: 51 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 0
Registry Data Items Infected: 10
Folders Infected: 2
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{A9AAE1AB-9688-42C5-86F5-C12F6B9015AD} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{DF901432-1B9F-4F5B-9E56-301C553F9095} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ACM.ACMFactory.1 (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ACM.ACMFactory (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{E856B973-45FD-4559-8F82-EAB539144667} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{DF058C45-CD18-453e-8745-5A77F60722AB} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{B5A33C35-7298-4D15-8753-A2E851E2EAB3} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\GTDOWNDE.GTAutoFixDLCtrl.1 (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\GTDOWNDE.GTAutoFixDLCtrl (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWaySearchAssistantDE.Auxiliary (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWaySearchAssistantDE.Auxiliary.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ACM.DLL (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow (Adware.WhenU) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2810EB22-763D-4D0C-9450-64BBD1758685}\DhcpNameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{28CADAA1-7656-44ED-8F2A-929890F916EE}\NameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{28CADAA1-7656-44ED-8F2A-929890F916EE}\DhcpNameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{483891FD-2711-460A-95A6-1CB900F62714}\NameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{483891FD-2711-460A-95A6-1CB900F62714}\DhcpNameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A0F30003-1275-436D-854A-20A0F03D3478}\NameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F84EAB08-51AD-4372-9ED3-688F2F999D50}\NameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F84EAB08-51AD-4372-9ED3-688F2F999D50}\DhcpNameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
Folders Infected:
c:\program files\Save (Adware.WhenU) -> Quarantined and deleted successfully.
c:\documents and settings\Eddie\start menu\Programs\WhenU (Adware.WhenU) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\gtdownde_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
c:\documents and settings\internet\local settings\Temp\D.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\program files\Save\ffext.mod (Adware.WhenU) -> Quarantined and deleted successfully.
c:\program files\Save\save.htm (Adware.WhenU) -> Quarantined and deleted successfully.
c:\documents and settings\Eddie\start menu\Programs\WhenU\customer support.lnk (Adware.WhenU) -> Quarantined and deleted successfully.
c:\documents and settings\Eddie\start menu\Programs\WhenU\learn more about whenu save.url (Adware.WhenU) -> Quarantined and deleted successfully.
c:\documents and settings\Eddie\start menu\Programs\WhenU\learn more about whenu savenow.url (Adware.WhenU) -> Quarantined and deleted successfully.
c:\documents and settings\Eddie\start menu\Programs\WhenU\uninstall instructions.lnk (Adware.WhenU) -> Quarantined and deleted successfully.
c:\documents and settings\Eddie\start menu\Programs\WhenU\whenu.com website.url (Adware.WhenU) -> Quarantined and deleted successfully.
The OTS log is also attached (I restored all quarantined items before running OTS).
I should add that I have also been unable to update MBAM via the net - I had to physically transfer the updated rules.ref file from my clean machine to the infected one. I keep getting an error with the following format:
PROGRAM_ERROR_UPDATING(11001, 0, Host not found)
No such host is known.
Googling this took me to the MBAM forum, which advises restoring the router to factory settings. I haven’t attempted this yet, as I thought it best to just post the logs before doing anything else. It seems, from what I’ve read, that the culprit is most likely the DNSChanger Trojan.
Best,
Christopher
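The Trojan.DNSChanger items in the log above, as an added example that is not part of the original post or of Malwarebytes' own tooling: a small parser that pulls those registry data items out of an MBAM log, lists the rogue resolvers that had been configured, and flags every scope (global Tcpip key or per-adapter GUID) where the cleanup writes an empty `Good: ()` value, which is why name resolution, and with it the `Host not found` update error, fails until the adapter is given a valid DNS server again (DHCP renew or a manual setting). The sample lines are copied from the log quoted in the post; the function names and the parsing approach are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the "Registry Data Items Infected"
# section of the MBAM log quoted in the post (global key plus two interfaces).
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{28CADAA1-7656-44ED-8F2A-929890F916EE}\NameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{28CADAA1-7656-44ED-8F2A-929890F916EE}\DhcpNameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A0F30003-1275-436D-854A-20A0F03D3478}\NameServer (Trojan.DNSChanger) -> Bad: (85.255.115.36,85.255.112.132) Good: () -> Quarantined and deleted successfully.
Folders Infected:
"""

# One MBAM "registry data item" line: key, detection name, bad value, good value.
ENTRY_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<threat>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)
# Per-adapter Tcpip keys carry the interface GUID; anything else is the global key.
IFACE_RE = re.compile(r"\\Interfaces\\\{(?P<guid>[0-9A-Fa-f-]+)\}\\(?P<value>\w+)$")

def _servers(field):
    """Split a comma-separated NameServer value into a list (empty value -> [])."""
    return [ip for ip in field.split(",") if ip]

def parse_dns_entries(log_text):
    """Return one dict per Trojan.DNSChanger item: scope, value name, bad/good resolvers."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("threat") != "Trojan.DNSChanger":
            continue  # other sections and other detections are skipped
        im = IFACE_RE.search(m.group("key"))
        scope = im.group("guid") if im else "global"
        value = im.group("value") if im else m.group("key").rsplit("\\", 1)[-1]
        entries.append({"scope": scope, "value": value,
                        "bad": _servers(m.group("bad")), "good": _servers(m.group("good"))})
    return entries

def assess(entries):
    """Rogue resolvers that were configured, and scopes the cleanup leaves with no DNS server."""
    rogue = sorted({ip for e in entries for ip in e["bad"]})
    remaining = defaultdict(set)  # scope -> resolvers still configured after cleanup
    for e in entries:
        remaining[e["scope"]].update(e["good"])
    no_dns = sorted(scope for scope, ips in remaining.items() if not ips)
    return {"rogue_servers": rogue, "scopes_without_dns": no_dns}
```

Running `assess(parse_dns_entries(SAMPLE_LOG))` on the sample shows both 85.255.x.x resolvers removed and every listed scope left without a DNS server, matching the loss of connectivity described after quarantine.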