DNSChanger / 216.255.186.11 / kdhaq.exe?

I am infected with a trojan generally known as DNSChanger.
What it does is change your DNS server to its own and then uses that to display popups to you.
You will get popups no matter what browser you are using and even no matter what OS you are using since apparently there are DNSChanger versions for all operating systems.
All popups are from IP address 216.255.186.11

I found this info about the trojan with Google but could not find direct advice on how to remove it.
Now it is apparent that whoever made DNSChanger is in it for big money.
I have never seen malware that supports multiple OSes before, and it seems to be constantly updated with new versions (100% organized crime)

I am using windows XP and have CFP and BOClean installed.
When inspecting startup programs with msconfig I found that c:\windows\system32\kdhaq.exe stays in the startup list no matter how many times I turn it off and reboot.
The actual kdhaq.exe file does not exist on disk? (yes I know how to view hidden and system files)
I am not sure if kdhaq.exe is connected with DNSChanger trojan or if it is something completely different.

How do I get rid of all this mess?

Please follow these steps: https://forums.comodo.com/virusmalware_removal_assistance/what_to_do_if_you_think_youre_infected-t27334.0.html

When you are done come back and tell us about it.

4) Allow each program to Scan. Scan one at a time, And remove threats found. Reboot after Each Scan and Removal has taken place.

Does this mean?

  • SUPERAntispyware
  • REBOOT
  • Malwarebytes’ Anti-Malware
  • REBOOT
  • Avira Antivir
  • REBOOT

Hey there Cohadar, welcome to the forums (:HUG),

??? I donno who added that, not me :). I think it would be best if you boot into safe mode, run SAS, then run MBAM, then AVIRA separately. Then REBOOT into safe mode again and let SAS run a quick scan, otherwise it could perhaps recover itself again…

I’ll contact the mod who changed it to ask why he did that :slight_smile:

Xan

Hi cohadar

Sorry. I added that - I fixed it up now though. Scan with each program, Remove threats then FINALLY Reboot. :wink:

Josh

Ok, thx for quick answers guys.
I have a different problem now, SAS does not want to Check for definition Updates.
It says the firewall is blocking it but it definitely is not because I defined it as a trusted application, I even went crazy and turned the firewall off for a sec and it still says “There was an error trying to retrieve definitions…”

Does MBAM update? If so, update it, then reboot into safe mode with networking. Let it scan, delete files, reboot into safe mode with networking and try updating SAS then :slight_smile:

Xan

mbam and antivira updated ok, scanning…

Great news! Xan & I will be with you :slight_smile:

Josh

Keep us tuned!! I’ll do my physics homework in the meantime ;D

Xan

Whoa that took some time.
11 viruses and 250+ malware…

The problem is I am still infected with DNSChanger (although it was detected by mbam)
I even did ipconfig /flushdns to make sure.

Anyways SAS update is still not working so I am suspecting their database site is down.
(or maybe it does not work for free version?)

Anyways gonna try the next 3 programs now.
VundoFix
SmitfraudFix
Comodo Fix XP ONLY

EDIT:
I was unable to download SmitfraudFix and Comodo Fix XP ONLY
It says sites are unavailable?
Can you people download them, maybe DNSChanger is blocking security sites?

EDIT2:

ComboFix 08-09-20.05 - Cohadar 2008-09-21 15:39:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.620 [GMT 2:00]
Running from: C:\Documents and Settings\Damir\Desktop\Downloads\Opera\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dalibor\My Documents\My Documents.url
C:\Documents and Settings\Dalibor\My Documents\My Music\My Music.url
C:\Documents and Settings\Dalibor\My Documents\My Pictures\My Pictures.url
C:\Documents and Settings\Dalibor\My Documents\My Videos\My Video.url
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\icroso~1.net?icrosoft.NET
C:\windows\racle~1
C:\windows\racle~1?racle
C:\windows\racle~1\ntvdm.exe
C:\Program Files\Common Files\sks~1\n?pdb.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-21 15:29 . 2008-09-21 15:29 d-------- C:\VundoFix Backups
2008-09-21 15:11 . 2008-09-21 15:11 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-21 13:44 . 2008-09-21 13:44 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-09-21 13:04 . 2008-09-21 13:04 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-21 11:39 . 2008-09-21 11:39 d-------- C:\Documents and Settings\Administrator
2008-09-21 11:22 . 2008-09-21 11:22 d-------- C:\Program Files\Avira
2008-09-21 11:22 . 2008-09-21 11:22 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-21 11:13 . 2008-09-21 11:20 d-------- C:\Program Files\Malwarebytes’ Anti-Malware
2008-09-21 11:13 . 2008-09-21 11:13 d-------- C:\Documents and Settings\Damir\Application Data\Malwarebytes
2008-09-21 11:13 . 2008-09-21 11:13 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 11:13 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-21 11:13 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-21 11:04 . 2008-09-21 15:11 d-------- C:\Program Files\SUPERAntiSpyware
2008-09-21 11:04 . 2008-09-21 15:11 d-------- C:\Documents and Settings\Damir\Application Data\SUPERAntiSpyware.com
2008-09-21 11:04 . 2008-09-21 11:04 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-21 01:19 . 2008-09-21 01:23 d-------- C:\Documents and Settings\All Users\Application Data\BOC427
2008-09-21 01:19 . 2008-07-14 05:09 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-09-21 01:19 . 2008-07-14 05:09 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-09-21 01:19 . 2004-08-04 14:00 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-09-21 01:19 . 2008-09-21 15:47 7,526 --a------ C:\WINDOWS\BOC427.INI
2008-09-20 13:07 . 2008-09-20 22:54 d-------- C:\Program Files\FreeNinjaSurfing
2008-09-14 21:33 . 2008-09-14 21:33 d-------- C:\Program Files\Real Alternative
2008-09-06 21:02 . 2008-09-06 21:02 d-------- C:\Documents and Settings\Damir\logs
2008-09-03 22:59 . 2008-09-03 22:59 d-------- C:\Program Files\uTorrent
2008-09-03 22:59 . 2008-09-20 01:55 d-------- C:\Documents and Settings\Damir\Application Data\uTorrent
2008-09-02 01:23 . 2008-09-02 01:23 d-------- C:\WINDOWS\Applian FLV Player
2008-09-02 01:23 . 2008-09-02 01:23 d-------- C:\Program Files\FLV Player
2008-08-30 17:41 . 2008-08-30 17:41 d-------- C:\WINDOWS\Eurobattle.net Installer
2008-08-30 17:25 . 2008-08-30 17:29 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-08-30 17:25 . 2008-08-30 17:39 76,941 --a------ C:\WINDOWS\War3Unin.dat
2008-08-30 17:25 . 2008-08-30 17:29 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-08-28 12:14 . 2008-08-28 12:14 d-------- C:\Program Files\Bouml
2008-08-28 11:12 . 2008-08-28 11:12 21,992 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-08-28 11:09 . 2008-08-28 11:10 d-------- C:\Program Files\Safari
2008-08-28 10:47 . 2008-08-28 10:48 d-------- C:\Program Files\QuickTime
2008-08-28 10:47 . 2008-08-28 10:47 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-28 10:18 . 2008-08-28 10:18 d-------- C:\Program Files\Apple Software Update
2008-08-28 10:18 . 2008-08-28 10:18 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-27 17:53 . 2008-09-06 22:10 d-------- C:\Program Files\eclipse

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 09:58 --------- d-----w C:\Documents and Settings\Damir\Application Data\SurfAccuracy
2008-09-21 08:34 --------- d-----w C:\Program Files\Opera
2008-09-21 00:33 --------- d-----w C:\Program Files\Google
2008-09-20 23:19 --------- d-----w C:\Program Files\Comodo
2008-09-20 21:07 87,056 ----a-w C:\windows\system32\drivers\cmdguard.sys
2008-09-20 21:07 24,208 ----a-w C:\windows\system32\drivers\cmdhlp.sys
2008-09-20 21:07 143,104 ----a-w C:\windows\system32\guard32.dll
2008-09-20 10:38 --------- d-----w C:\Program Files\Warcraft III
2008-09-14 06:54 --------- d–h–w C:\Program Files\InstallShield Installation Information
2008-08-28 09:10 --------- d-----w C:\Documents and Settings\Damir\Application Data\Apple Computer
2008-08-16 06:52 --------- d-----w C:\Documents and Settings\Damir\Application Data\THQ
2008-08-09 06:15 --------- d-----w C:\Documents and Settings\Dalibor\Application Data\THQ
2008-07-30 17:39 --------- d-----w C:\Documents and Settings\Damir\Application Data\gtk-2.0
2008-07-23 19:05 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-23 19:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-18 06:24 108,144 ----a-w C:\windows\system32\CmdLineExt.dll
2008-06-11 20:31 21,040 ----a-w C:\Documents and Settings\Caki\Application Data\GDIPFONTCACHEV1.DAT
2008-03-16 22:31 16,760 -c–a-w C:\Documents and Settings\Damir\Application Data\GDIPFONTCACHEV1.DAT
2008-03-09 07:55 16,760 ----a-w C:\Documents and Settings\Dalibor\Application Data\GDIPFONTCACHEV1.DAT
2008-01-19 15:32 10 -c–a-w C:\Program Files.autoreg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Nokia.PCSync”=“C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe” [2008-03-26 1232896]
“PC Suite Tray”=“C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe” [2008-04-16 1079808]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“COMODO Firewall Pro”=“C:\Program Files\Comodo\Firewall\cfp.exe” [2008-09-20 1655552]
“BOC-427”=“C:\PROGRA~1\Comodo\CBOClean\BOC427.exe” [2008-07-14 351480]
“avgnt”=“C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” [2008-06-12 266497]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 15360]

C:\Documents and Settings\Dalibor\Start Menu\Programs\Startup
PowerReg Scheduler V3.exe [2008-06-02 225280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= “C:\Program Files\SUPERAntiSpyware\SASSEH.DLL” [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
2008-01-19 18:55 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“AppInit_DLLs”= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“vidc.ffds”= ffdshow.ax
“msacm.ac3filter”= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=C:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM~\startupfolder\C:^Documents and Settings^Damir^Start Menu^Programs^Startup^H3 The Shadow of Death™.lnk]
path=C:\Documents and Settings\Damir\Start Menu\Programs\Startup\H3 The Shadow of Death™.lnk
backup=C:\windows\pss\H3 The Shadow of Death™.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqupdcqj]
C:\Program Files\Common Files??sks\n?pdb.exe [?]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\windows
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
–a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
–a–c— 2005-06-29 02:09 32768 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
–a–c— 2005-06-28 22:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\windows\system32\kdhaq.exe]
--------- 2004-08-04 14:00 52224 C:\WINDOWS\system32\kdhaq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cnfgCav]
–a------ 2008-01-19 18:55 110592 C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
–a------ 2004-08-04 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
–a----t- 2008-09-03 08:32 133104 C:\Documents and Settings\Damir\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 02:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
–a–c— 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
–a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
–a------ 2008-01-10 15:45 148888 C:\Program Files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w3dr.exe]
–a------ 2008-08-03 16:38 61440 C:\Program Files\Warcraft III\W3DR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
–a------ 2008-01-16 00:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
–a------ 2004-11-15 12:20 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“StarWindService”=2 (0x2)
“rpcapd”=3 (0x3)
“JavaQuickStarterService”=2 (0x2)
“ATI Smart”=2 (0x2)
“Ati HotKey Poller”=2 (0x2)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“EnableFirewall”= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe”=
“C:\Program Files\uTorrent\uTorrent.exe”=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\windows\system32\DRIVERS\cmdguard.sys [2008-09-20 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\windows\system32\DRIVERS\cmdhlp.sys [2008-09-20 24208]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;C:\windows\system32\DRIVERS\slnt.sys [2003-11-20 18004]
S3 Apache2.2;Apache2.2;C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-01-18 24635]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\windows\system32\drivers\mbamswissarmy.sys [2008-09-10 38528]
S3 NPF;NetGroup Packet Filter Driver;C:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S4 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-01-10 147456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{51433668-e3df-11dc-a402-0014854d5c28}]
\Shell\Auto\command - E:\UFO.exe
\Shell\AutoRun\command - C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{7081ca61-8718-11dc-83f6-0014854d5c28}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

Newly Created Service - SASDIFSV
Newly Created Service - SASENUM
Newly Created Service - SASKUTIL
.
Contents of the ‘Scheduled Tasks’ folder
.

        • ORPHANS REMOVED - - - -

BHO-{1B369AE2-0551-0DF5-0612-5800BEC1819F} - C:\WINDOWS\system32\tfa.dll
MSConfigStartUp-Acrobat Assistant 7 - C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
MSConfigStartUp-Etaa - C:\PROGRA~1\COMMON~1\ICROSO~1.NET\scanregw.exe
MSConfigStartUp-Ncuc - C:\WINDOWS\RACLE~1\ntvdm.exe
MSConfigStartUp-PCSuiteTrayApplication - C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
MSConfigStartUp-ReJf5vH - C:\Documents and Settings\Damir\Application Data\Microsoft\Windows\lcnlfj.exe
MSConfigStartUp-runner1 - C:\WINDOWS\mrofinu1002397.exe
MSConfigStartUp-SurfAccuracy - C:\Documents and Settings\Damir\Application Data\SurfAccuracy\SAcc.exe
MSConfigStartUp-TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://ldp-grocka.org/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 15:47:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\CBOClean\BOCore.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\Common\CAVASpy\cavasm.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wscntfy.exe
.


.
Completion time: 2008-09-21 15:53:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-21 13:52:51

Pre-Run: 3,977,572,352 bytes free
Post-Run: 5,371,207,680 bytes free

249

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:51 PM, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\windows\system32\svchost.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\windows\system32\wscntfy.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ldp-grocka.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\cfp.exe” -h
O4 - HKLM..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM..\Run: [avgnt] “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” /min
O4 - HKCU..\Run: [Nokia.PCSync] “C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe” /NoDialog
O4 - HKCU..\Run: [PC Suite Tray] “C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe” -onlytray
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip..{8A8FE85C-FE8C-47D6-9187-E83EDC23B700}: NameServer = 85.255.116.140 85.255.112.66
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: monln - C:\windows\SYSTEM32\monln.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


End of file - 5564 bytes

I got one I could not delete.
I still have DNS problems, what now?

DNSChanger is blocking them I think :frowning:

Try A-squared

http://download4.emsisoft.com/a2FreeSetup.exe

Xan

Try running a Hijackthis log

http://download.softpedia.ro/dl/85fdd716422b80516cfd9e6d7a1e3d67/48d6545d/100005034/software/ANTIVIRUS/hijackthis.zip
Just save it on your desktop and run it. Later post the result here

Xan

The log seems safe to me, however :

  • consider updating to the latest system pack
  • update your internet browser to the latest version
  • update CFP+CAVS2 to CIS

How do you know that you’re still infected? Here is a “quick” DNS testing guide

Xan

I posted 2 logs, first is ComboFix, second is Hijackthis.

How do you know that you're still infected ?
Sites that should work are not working == DNS not working. I checked with a couple of friends who use the same ISP; they all see them except me.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
What does this mean?
C:\Program Files\Common Files\sks~1\n?pdb.exe . . . . failed to delete
What now?

I know :), I posted it and later you edited it so… np

Have you looked into A-squared and my latest post ?

Xan

Sites that should work are not working == DNS not working. I checked with a couple of friends who use the same ISP; they all see them except me.
Have you tried the guide I gave you?
What does this mean?
No idea 88) (someone else?)
What now?
If it was still there, it should have been reported by Hijackthis, but it wasn't, so don't bother yourself about it :)

Xan

I’ve looked over the HJT log, and it looks clean, for the most part, so far as I can tell. About the DNS settings. This line:

O17 - HKLM\System\CCS\Services\Tcpip\..\{8A8FE85C-FE8C-47D6-9187-E83EDC23B700}: NameServer = 85.255.116.140 85.255.112.66
is pointing to the typical RBN nameserver redirection. It might be possible to remove this with a tool called "Fixwareout". This tool is available for download from http://downloads.subratam.org/Fixwareout.exe

Be aware that the tool may not work, as there may be something protecting the DNS settings. Won’t hurt to try.

Now about the Combofix log.

Disclaimer first: I’m not an expert with Combofix. I know enough to use Combofix with caution. It is not a general purpose tool, and undergoes constant revision by malware cleanup folks who see the problems daily. The Combofix you would get in a download today is different from the one of a week ago, and will be different from the one a week from now.

As you have run Combofix, and have a log, I’ve eyeballed it and found some unexpected things (unexpected to me, at least).

First, a few things to be clarified:

  • You have an Apache web server installed? (C:\program files\apache*)
  • You have a packet capture filter installed? (pcap, used with Wireshark and other utilities, also by malware)

What is your E:\ drive? You have a boot-time driver being installed from E:.

From your E:\ drive, I would like you to submit the files ufo.exe and sxs.exe to www.threatexpert.com for a malware analysis. These may be hidden files, but Combofix says there are boottime load registry settings for both of these files. A google search doesn’t look good (as in legit) for either of these files. Threatexpert might be able to identify what these are, and put a name to them. If these are a problem, then having a name will go a long way to having some idea of how to do a cleanup. And if these are legit files, we’ll know that, and can look elsewhere.

Yes I did. It does not help because none of the standard tools can detect DNS redirection, they just give you your default DNS.

I tried this and it cleaned one DNS redirection but not all.
At least now I know the IP of their bogus DNS server, it is 85.255.116.140
Someone report them to anonymous please >:-D

Anyway, a manual search of the registry found more 85.255… instances.
I deleted them (again manually) but they reappeared, so I guess DNSChanger is resident in memory.

- You have an Apache web server installed? (C:\program files\apache*)
I develop websites from time to time. It is not a security breach point, my younger brother is...
- You have a packet capture filter installed? (pcap, used with Wireshark and other utilities, also by malware)
Removed.
What is your E:\ drive? You have a boot-time driver being installed from E:\.
My flash stick - Formatted

Btw I installed CIS Beta.

===============================

I guess what I have here is an unknown version of DNSChanger.
I would so much like to send it for a virus signature (if I knew how)

Some progress. I wasn’t sure if Fixwareout would work properly. So it does seem there is something protecting the setup.

I tried this and it cleaned one DNS redirection but not all. At least now I know the IP of their bogus DNS server, it is 85.255.116.140. Someone report them to anonymous please Evil
The address block 85.255.112.0 thru 85.255.127.255 is assigned to a Ukrainian ISP that has been hosting these DNS redirectors for the last several years. Various people doing research have come to the unofficial conclusion that the ISP is a front company for the "Russian Business Network". On my dayjob, the pre-emptive action has been to firewall the address space in its entirety.
Anyway, a manual search of the registry found more 85.255... instances. I deleted them (again manually) but they reappeared, so I guess DNSChanger is resident in memory.
That is useful information. It means that CFP Defense+ can be used to monitor those registry entries, and so build up a list of what is doing the refresh. And then go after that malware.

When CFP triggers an alert for one of the registry updates, allow it, but make note of what is trying to make the change. Then track that also with CFP Defense+. Eventually, you will track back to the original malware. It’ll be very tedious to get there, but you will wind up with an interlinked map of the malware thru memory, disk, and running processes. Then use that map to rip it all out by the roots.

My flash stick - Formatted
I highly suspect there is a hidden autorun malware in the root directory of that flash stick. While it may look clean, I doubt that it is.
I would so much like to send it for a virus signature (if I knew how)
Submitting to threatexpert.com is the best known way to do that.
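The O17 NameServer line discussed a few posts up, the 85.255.112.0 thru 85.255.127.255 block named above, and the boot-time autorun entries ComboFix listed for the E: drive are all indicators that can be pulled out of a posted log mechanically rather than by eye. The Python below is an example added to this thread; it is not a tool from the forum, from Comodo, or from any of the posters. It treats the named block as 85.255.112.0/20, and its sample input is built from the thread's own log lines plus one constructed clean O17 line (192.168.1.1, made-up GUID) to show that a normal resolver is not flagged.

```python
"""Scan HijackThis / ComboFix style log text for two indicators from this
thread: per-interface NameServer values inside 85.255.112.0/20, and
Shell\\Auto(Run)\\command entries under a mountpoints2 key.
Added example for this thread; not a tool from the forum or from Comodo."""
import ipaddress
import re

# The post names the block 85.255.112.0 thru 85.255.127.255, i.e. a /20.
# Extend this list if you maintain your own resolver blocklist.
ROGUE_DNS_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# HijackThis O17 line: ...Tcpip\..\{interface GUID}: NameServer = a.b.c.d e.f.g.h
O17_RE = re.compile(
    r"^O17 - .*?\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>.+)$"
)
# ComboFix section header for a removable-drive mountpoints2 key; the
# backslash before "{" is optional because forum extraction sometimes drops it.
MOUNTPOINT_RE = re.compile(r"mountpoints2\\?\{(?P<guid>[0-9A-Fa-f-]{36})\}")
# Autorun command lines ComboFix lists under that key.
AUTORUN_RE = re.compile(r"^\\Shell\\(?:Auto|AutoRun)\\command - (?P<cmd>.+)$")


def rogue_nameservers(line):
    """Return [(interface_guid, ip)] for every NameServer on an O17 line that
    falls inside ROGUE_DNS_NETS; [] for non-O17 lines or clean resolvers."""
    m = O17_RE.match(line.strip())
    if not m:
        return []
    hits = []
    for token in m.group("servers").replace(",", " ").split():
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # stray text, not an address
        if any(ip in net for net in ROGUE_DNS_NETS):
            hits.append((m.group("guid"), str(ip)))
    return hits


def scan_log(text):
    """Walk log text line by line and return findings as tuples:
    ("rogue_dns", interface_guid, ip) or ("removable_autorun", key_guid, cmd)."""
    findings = []
    mountpoint = None  # GUID of the mountpoints2 key whose lines we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            mountpoint = None  # a blank line ends a ComboFix registry section
            continue
        if line.startswith("["):  # new registry section header
            mp = MOUNTPOINT_RE.search(line)
            mountpoint = mp.group("guid") if mp else None
            continue
        for guid, ip in rogue_nameservers(line):
            findings.append(("rogue_dns", guid, ip))
        am = AUTORUN_RE.match(line)
        if am and mountpoint:
            findings.append(("removable_autorun", mountpoint, am.group("cmd")))
    return findings


# Sample input: the first O17 line and the mountpoints2 entries are copied from
# the logs posted in this thread; the second O17 line is a constructed clean
# entry (private resolver, made-up GUID) that must not be flagged.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A8FE85C-FE8C-47D6-9187-E83EDC23B700}: NameServer = 85.255.116.140 85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-4000-8000-000000000001}: NameServer = 192.168.1.1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51433668-e3df-11dc-a402-0014854d5c28}]
\Shell\Auto\command - E:\UFO.exe
\Shell\AutoRun\command - C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
"""

if __name__ == "__main__":
    for kind, key, value in scan_log(SAMPLE_LOG):
        print(f"{kind:18} {key}  {value}")
```

Paste a whole HijackThis or ComboFix log into `scan_log` and it reports the interface GUID whose NameServer points into the block, which is the key Fixwareout or a manual edit has to clean, and any removable-drive autorun command that would re-launch something at the next insert, which is why a format of the stick is the right call. Reflagging after a reboot tells you the entry was restored by something still resident, the same signal Defense+ monitoring of those keys gives interactively.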