DNSChanger / 216.255.186.11 / kdhaq.exe?

The ■■■■ thing is now blocking forums.comodo.com
I cannot believe it, how can a trojan be updating itself like this?
(I am writing this from Ubuntu)

Will continue tomorrow…

That would imply either a background command&control channel, or some kind of defensive web monitoring trigger (for example, post a HJT or Combofix log (recognized format and headers), and get blocked - safe surfing in reverse).

Either of those means there is some extra stuff running around in the background that got missed in the earlier scan logs. Time to check some assumptions about what’s running, and eyeball those logs again.

Not necessarily, I just remembered it is their DNS the virus forces me to use, and since I already know their DNS blocks some computer security sites, I guess they just added this forum to their DNS block list.

Ok I found a way to get around the virus.

After you connect to the internet, search the registry for the 85.255.116.* address.
Then instead of their DNS enter something invalid (for example “SliceAndIce” )
System will now resort to your original DNS because redirection is invalid.

This method sux since you have to do it every time you connect to the internet,
you could however make a FixDNS.reg file to make it easier on yourself.
Just export the registry key with the bogus redirection after you scramble the 85.255.116.*

You should get something like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{80671695-AA85-4CA4-B1C7-AFF8A1009B0E}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
  34,00,00,00,00,00
"DhcpIPAddress"="91.148.114.186"
"DhcpSubnetMask"="255.255.255.255"
"Domain"=""
"NameServer"="SliceAndIce"
"RegistrationEnabled"=dword:00000000
"RegisterAdapterName"=dword:00000000
"DhcpClassIdBin"=hex:

It is a temporary solution but it’s better than nothing.

Anyways I tried to use CIS to lock down the
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces*
But it did not work, I don't even get any messages when the key is modified.
A bug in CIS?
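As an added example (not code from the thread or from any poster), here is a small Python script that automates the check described above: it parses a "Windows Registry Editor Version 5.00" export of the Tcpip\Parameters\Interfaces keys, decodes the REG_SZ, dword and hex(7) (REG_MULTI_SZ, UTF-16LE) values, flags any NameServer or DhcpNameServer entry that points into 85.255.116.0/24 (the range named in the thread), and renders a FixDNS.reg fragment that overwrites the flagged values with the non-address placeholder. The sample export embedded below is constructed for the example; the second interface GUID and the 192.0.2.x addresses are made up, and the 85.255.116.0/24 network is an assumption taken from the 85.255.116.* wildcard in the post.

```python
"""Audit an exported .reg file for resolver entries in the DNSChanger range.

Constructed example: decodes a regedit 5.00 export, flags NameServer and
DhcpNameServer values inside 85.255.116.0/24, and emits a FixDNS.reg
fragment that replaces them with a non-address placeholder.
"""
import ipaddress
import re

BAD_RANGE = ipaddress.ip_network("85.255.116.0/24")  # assumed from 85.255.116.* in the thread
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def decode_value(raw):
    """Decode one .reg value literal into a str, int, list of str, or bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "7":
            # REG_MULTI_SZ: UTF-16LE strings, NUL separated, double-NUL terminated
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        # hex data wraps onto following lines with a trailing backslash
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def load_reg(path):
    """Read a regedit export from disk; 5.00 exports are UTF-16LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def find_hijacked_nameservers(keys, bad_range=BAD_RANGE):
    """Return (key, value_name, address) for resolver entries inside bad_range."""
    findings = []
    for key, values in keys.items():
        if "\\Tcpip\\Parameters" not in key:
            continue
        for name in ("NameServer", "DhcpNameServer"):
            raw = values.get(name)
            if not raw:
                continue
            if isinstance(raw, list):
                raw = " ".join(raw)
            for token in re.split(r"[ ,]+", raw):
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue  # a non-address such as "SliceAndIce" is not a hijack
                if addr in bad_range:
                    findings.append((key, name, str(addr)))
    return findings


def render_fix_reg(findings, placeholder="SliceAndIce"):
    """Build a .reg fragment that overwrites each flagged value with placeholder."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in findings}):
        out.append("[%s]" % key)
        for name in sorted({n for k, n, _ in findings if k == key}):
            out.append('"%s"="%s"' % (name, placeholder))
        out.append("")
    return "\n".join(out)


# Constructed sample modelled on the export posted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{80671695-AA85-4CA4-B1C7-AFF8A1009B0E}]
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"NTEContextList"=hex(7):30,00,78,00,30,00,30,00,30,00,30,00,30,00,30,00,30,00,\
  34,00,00,00,00,00
"DhcpIPAddress"="91.148.114.186"
"NameServer"="85.255.116.10,192.0.2.1"
"DhcpClassIdBin"=hex:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000001
"NameServer"="SliceAndIce"
"DhcpNameServer"="192.0.2.53"
'''

if __name__ == "__main__":
    found = find_hijacked_nameservers(parse_reg(SAMPLE_REG))
    for key, name, addr in found:
        print("hijacked resolver %s in %s: %s" % (name, key, addr))
    print(render_fix_reg(found))
```

Export the whole Interfaces branch with regedit, run the script on the file with load_reg, and only the interfaces whose resolver actually sits in the bad range are rewritten; an interface that already carries the placeholder is left alone. As the post itself says, the .reg trick only neutralises the redirection until the malware writes it back, so it is a stop-gap while the actual infection is removed, not a fix.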

There are several “versions” of controlset. Try a more generalized pattern, like this:

*\Services\Tcpip\Parameters\Interfaces\*

It could be that the change is coming through a Windows service, which if blocked, would pretty much freeze your machine. CFP/CIS are set up by default to avoid that kind of situation. But another, non-system app changing the value of the registry is another question.

At an extreme, you might be able to go into Defense+, and for “All Applications” use a Custom Policy, then edit the Access Rights, and for Protected Registry Keys click Modify, and choose the Blocked tab, and enter a more selective pattern of “*\Services\Tcpip\Parameters\Interfaces*\Nameserver”. I’m thinking that a single reg entry is more likely to have a recovery than blocking an entire branch. This might still freeze your machine. And check the D+ log also.

Can you download and install ProcessExplorer from sysinternals.com (which will redirect into microsoft.com, since they bought out sysinternals a couple of years ago)? This can give a more detailed view of what is running on your machine.

I’d suggest keeping your PC off the Internet for the time being. If there is some kind of back-channel in place, the present malware could download and install something even less desirable.

Just to confirm something, this item:

"DhcpIPAddress"="91.148.114.186"
"DhcpSubnetMask"="255.255.255.255"

tells me that you are not using a NAT/router, but are connecting directly to the Internet. Is that right?

In looking back over this topic, I think that you have run MBAM, but I’m not sure. In any event, I would like you to run MBAM. Download a new version from here

Run MBAM in normal mode, not safe mode. When it finishes its scan, reboot your machine. Some things can only be cleaned properly by a reboot after a scan.

If you haven’t yet, download SUPERAntispyware and ATF-Cleaner

Then reboot into safe mode (use the F8 key to get to safe mode).

Run ATF-Cleaner to get rid of the excess junk on the machine.

Then run SUPERAntispyware.

Reboot back into normal mode. Let things do cleanup during the reboot as needed. Run SAS again to retrieve the log information.

Then post the logs for MBAM and SAS here. If either of those has found anything, the logs will give pointers to what kind of cleanup methods need to be used. And if they didn’t find anything, that is also information that I need to see.

OK I have the same thing, it's hijacking IE or Mozilla and not allowing me to connect to security or antivirus sites. I did a full scan using avast, found that I had DNS CHANGER, but then I cleaned it and found it's now win32 bravix. I then deleted antivirus, reloaded the latest off of the laptop, ran a scan and it's still there; deleted, turned off restore point and ran again, still there, and cleaned again!! and it's still there!!! You can't run defrag, and it seems to hijack any IE or websites that it thinks will kill it. Now it's back to the drawing board, I disabled the connection for the time being, and am trying other forms of removal tools. I have seen many viruses and worms, some easy to kill, some hard; this one is very very naughty. (:AGY) Help if you have any suggestion. No point in putting logs up, it's the same as the other guy :frowning:

Hi brithelp.

Did you try SUPERAntispyware & Malwarebytes’ Anti-Malware?

Cheers,
Josh

Just a thought, give OpenDNS a try http://www.opendns.com/ you manually set it up and it will block many redirects. They have several features, I only setup the basic setup.

If DNSChanger blocks it, you can always copy the info from another PC, and manually change it on your PC.

There was a question about Recovery Console. This is from XP and allows you to recover back to a time when the system was working. When you boot up it will be one of your options similar if you have more than one drive to boot to. In XP there is the InPlace Upgrade /Repair and the Recovery console. The Recovery Console can be done from the boot if it is installed or from the CD when booting. There is a lot of copying and deleting.
Also be advised that System Restore information is also used. I was lucky had restore off and what I was able to do got me back in operation.

Not sure why some programs give a Warning like that? It is not an error but just a help notification that IF something should go wrong it is easier repairing from your HD instead of copying the instructions and then proceeding like I did.

If you boot from the XP CD the first R Repair is for the Recovery Console; after you accept and hit enter, the next R is to repair the particular drive you choose. It will highlight the drive C or D etc, and you highlight that drive and select R for the InPlace Upgrade /Repair. Almost always "R" leaves your files and settings as is.

Be Very Careful, on this second screen, if you hit Enter instead you will install a new copy of XP and wipe out all your files and settings.

Good Luck,
UncleDoug

OK I spent all day doing various downloads, let me explain the symptoms. Firstly, when you open IE or Mozilla, any website you try to get through that contains ways of killing the virus will not let you get there, i.e. page cannot be displayed. OK I have avast antivirus running and when I scanned, firstly it picked up DNS changer, then picked up bravix. I moved both to chest and then got superantispyware running too, + S&D spybot. Anyway after I have run scans on various items it looks like it's gone, but then you do another scan and it's still there.
OK the other thing is there's no system restore available nor can you get to defrag. Need a magic fix, this seems to be a new generation as it seems to replicate itself, apart from wiping the system and restarting :frowning: can't think of anything else, I even tried SDFix, a-squared + superantispyware. Now trying 1 more thing, then it's wipe.

This looks like a dangerous variant.

And probably a reformat is worth it. It's the only way to make sure you're 100% malware free.

Josh

OK this has now moved into the memory, so time to wipe… unless someone has a magic fix. I would suggest backing up everything you've got today, because this virus is not being picked up nor deleted by anything that's out there, and it's changing every time you delete or move!!! Back up everything then reinstall.
Well gl, may the force be on your side

Have you tried killing it using defence + (making it a blocked rule ?)

Xan

This is a nasty one! I would have thought combofix and/or smitfraud, VundoFix etc. at least one would have found something in Safe Mode. Sometimes I have found a tool might need to be run 3 or more times in a row after reboots, and each time it found more.

I would have thought you would have been able to manually change your DNS in Safe Mode following the OpenDNS instructions.

I also found that a few times some installs do not take even Microsoft, and I found that running Reset_subinacl would change security settings to allow those installs. Some of the programs might install in safe mode.

As you posted you have tried several programs, including anti rootkit, and you have Comodo Memory Firewall and BoClean, and System Restore is OFF (malware replicates from there). Have you been able to run HiJack This in either normal or safe mode?

Your problem is more critical than mine, but I still have not solved the problem I posted a few days ago, and I know searching and reading and trying all the different suggestions can get tiring and frustrating when the results stay the same with no changes.

Patience and Good Luck
UncleDoug

■■■■ I want that malware :slight_smile:

Uncledoug, have you tried disabling it with defense+, also, have you searched in the task manager if it uses some processes, if so,which ones ?

(he posted his Hijackthis log, it’s at page 1 I think)

Xan

Ok :THNK (J)
ok this is what i done
i have avast antivirus
i downloaded the following and run rebooting every time
superantispyware
reboot
run anti virus
a squared
reboot
run anti virus
reboot
mam malwarebytes anti malware
reboot
mmmm and then antivirus picked up and killed
make sure you have system restore switched off and gl and ty to all who helped
now I must have about 6 anti malware programs :slight_smile: running :BNC (:CLP)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.

Well done!!!

Anything else you need help with?

Josh

C:\WINDOWS\system32\drivers\tdssserv.sys (Rootkit.Agent) -> Delete on reboot.

From what I've observed in other malware cleanup forums, this is a very very nasty rootkit. It may say "it's gone", but it may not be. Keep scanning, as this thing may regenerate itself.

This should be a site which will help you delete it manually

http://www.exterminate-it.com/malpedia/remove-TDSServ

Xan