Check TomTom Navigator for infection

Status
Not open for further replies.

rf6647

Used unsecured wifi connection to access TomTom home web site. Coincident with access to this web site was an unsolicited popup offering to download an application to check internet connection security. Naturally it was declined by closing the window. At this time I do not recall details of the popup.

Key symptom was erratic availability of the internet. ZoneAlarm pointed to blockage with the DNS server for the wifi local network.

AVG AV7.5, MBAM & SAS all ran clean. Out-of-date ComboFix deleted 'ss.sys'.

However, there was a gap before running ComboFix. During this gap, the TomTom Navigator device and a Maxtor backup drive were connected to the infected system, as well as 3 SD memory cards for a digital camera. The TomTom was updated via the internet after cleaning the infection, but the device would not function. Re-installing over the existing files failed to solve the problem.
The entire memory of the device was deleted (except for the 2 map files) and then reloaded from the internet. This corrected the problem.

What steps and which tools are needed to check all these memory devices for infections?

I cannot prove conclusively that the popup caused the infection. One of the SD memory cards did not properly register itself as a drive with a label. Windows Explorer was able to view contents.

Windows security fixes were current with October 2008 (Microsoft Security Bulletin MS08-067 – Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644)).

Submitted logs
07...HJT -- infected
09...HJT -- cleaned
Jan23 log -- deleted infected files
Jan25b log -- cleaned