November 18, 2008, 05:33:41 PM
Comodo Forum: Desktop Security Products / Comodo Internet Security - CIS / Virus/Malware Removal Assistance (thread page 3)
Topic: DNSChanger / 216.255.186.11 / kdhaq.exe? (Read 2988 times)

3xist (Global Moderator, Comodo's Hero, Posts: 3328)
« Reply #30 on: October 02, 2008, 04:24:17 AM »

This looks like a dangerous variant.

And a reformat is probably worth it; it's the only way to make sure you're 100% malware free.

Josh

Comodo Moderator: Maintains order at the forum and makes sure the policy is followed.
My System Details: Windows XP 32bit SP3, CIS 3.5.
Specialty: Malware Removal & Remote Helper.
brithelp (Newbie, Posts: 4)
« Reply #31 on: October 02, 2008, 05:51:39 AM »

OK, this is now moved into the memory, so time to wipe. Unless someone has a magic fix, I would suggest backing up everything you've got today, because this virus is not being picked up nor deleted by anything out there, and it's changing every time you delete or move it! Back up everything, then reinstall.
Well, GL, may the Force be on your side.
eXPerience (Malware Researcher, Virus Removal Helper, Advanced Tweak Freak, Crazy Little Devil; Global Moderator, Comodo's Hero, Posts: 2773)
Why not? The choice is yours!
« Reply #32 on: October 02, 2008, 11:34:21 AM »

Have you tried killing it using Defense+ (making it a blocked rule)?

Xan

OK, we'll see each other outside. But err... different countries?

Vista Ultimate 64bit SP1 | Comodo Internet Security | Comodo BoClean
UncleDoug (Comodo's Hero, Posts: 261)
« Reply #33 on: October 02, 2008, 12:19:43 PM »

This is a nasty one! I would have thought ComboFix and/or SmitFraud, VundoFix etc., at least one of them, would have found something in Safe Mode. Sometimes I have found a tool might need to be run 3 or more times in a row after reboots, and each time it found more.

I would have thought you would have been able to manually change your DNS in Safe Mode following the OpenDNS instructions.

I also found that a few times some installs do not take, even Microsoft's, and I found that running Reset_subinacl would change security settings to allow those installs. Some of the programs might install in Safe Mode.

As you posted, you have tried several programs, including anti-rootkit, you have Comodo Memory Firewall and BoClean, and System Restore is OFF (malware replicates from there). Have you been able to run HijackThis in either normal or Safe Mode?

Your problem is more critical than mine, but I still have not solved the problem I posted a few days ago, and I know searching and reading and trying all the different suggestions can get tiring and frustrating when the results stay the same with no changes.

Patience and Good Luck
UncleDoug
« Last Edit: October 02, 2008, 12:22:19 PM by UncleDoug »

eXPerience (Malware Researcher, Virus Removal Helper, Advanced Tweak Freak, Crazy Little Devil; Global Moderator, Comodo's Hero, Posts: 2773)
« Reply #34 on: October 02, 2008, 12:35:50 PM »

Damn, I want that malware!

UncleDoug, have you tried disabling it with Defense+? Also, have you searched in the Task Manager whether it uses some processes, and if so, which ones?

(He posted his HijackThis log; it's on page 1, I think.)


Xan

brithelp (Newbie, Posts: 4)
« Reply #35 on: October 03, 2008, 07:11:17 AM »

OK, this is what I've done.
I have Avast antivirus.
I downloaded the following and ran them, rebooting every time:
SuperAntiSpyware
reboot
run antivirus
a-squared
reboot
run antivirus
reboot
Malwarebytes Anti-Malware
reboot
Mmmm, and then the antivirus picked it up and killed it.
Make sure you have System Restore switched off. GL and TY to all who helped.
Now I must have about 6 anti-malware programs running.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.
« Last Edit: October 03, 2008, 07:13:17 AM by brithelp »
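The Malwarebytes log above mixes items already quarantined with items still marked "Delete on reboot", and shows the Winlogon\Userinit value being tampered with. As an added example (not from the thread or from Malwarebytes), the Python below parses such a log into records, lists the entries that are only gone after a reboot and rescan, and checks a Userinit value against the stock userinit.exe path, which is assumed here to be the expected default. The sample log is constructed from a few of the entries quoted in the post.

```python
import re

# Constructed sample modelled on the Malwarebytes log posted above (a subset of its entries).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tdssinit.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.
"""

# Entry shape: "<item> (<family>) -> <action>"; registry data items carry
# an extra "Data: <value> -> " prefix before the action.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<rest>.+)$")

def parse_mbam_log(text):
    """Turn the log into a list of dicts: section, item, family, data, action."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("("):      # blank or "(No malicious items detected)"
            continue
        if line.endswith(":"):                    # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        data, action = None, m.group("rest")
        if action.startswith("Data: "):
            data, action = action[len("Data: "):].rsplit(" -> ", 1)
        entries.append({"section": section, "item": m.group("item"),
                        "family": m.group("family"), "data": data,
                        "action": action.rstrip(".")})
    return entries

def pending_reboot(entries):
    """Items the scanner could not remove while running: verify them after a reboot and rescan."""
    return [e["item"] for e in entries if e["action"] == "Delete on reboot"]

def userinit_is_default(value, windir=r"C:\WINDOWS"):
    r"""Winlogon\Userinit should hold only the stock userinit.exe (assumed default);
    any extra comma-separated entry is a logon-time persistence hook."""
    expected = (windir + r"\system32\userinit.exe").lower()
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return parts == [expected]
```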
3xist (Global Moderator, Comodo's Hero, Posts: 3328)
« Reply #36 on: October 03, 2008, 07:27:57 AM »

Well done!!!

Anything else you need help with?

Josh

grue155 (Global Moderator, Comodo's Hero, Posts: 1016)
« Reply #37 on: October 03, 2008, 11:23:25 AM »

Quote:
C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.

From what I've observed in other malware cleanup forums, this is a very, very nasty rootkit. It may say "it's gone", but it may not be. Keep scanning, as this thing may regenerate itself.

eXPerience (Malware Researcher, Virus Removal Helper, Advanced Tweak Freak, Crazy Little Devil; Global Moderator, Comodo's Hero, Posts: 2773)
« Reply #38 on: October 08, 2008, 02:47:25 AM »

This should be a site which will help you delete it manually:

http://www.exterminate-it.com/malpedia/remove-TDSServ

Xan