Trojan.Win32.DNSChanger.ik - hard to believe
BrainWarp
March 28th, 2007, 11:18 AM
Well guys
This is what happened this morning and it is hard for me to believe. On my computer I run Dr Web because of how well it works while in games. While cruising the net I run AVG Anti-Spyware and RegDefend with Dr Web.
Last night I uninstalled Dr Web and installed Kaspersky 6.0 Internet on my computer again to give it a try in games. Had learned what to exclude in Kaspersky so hopefully my games would run better.
Updated kaspersky last night and no problems.
This morning I turn the computer on and I have an alert from Kaspersky: wzcsapi.dll is wanting to run. I really don't know why I hit skip (OK) for the program (this was before coffee). I was updating Kaspersky at that same time and all of a sudden another Kaspersky window pops up (with that loud sound Kaspersky makes, scaring the crap out of me):
Trojan.Win32.DNSChanger.ik found; delete and reboot to clean the infection.
WHAT THE HELL------
So I cleaned the infection and rebooted to a calm computer. I looked it up on the net and it was a bad one it seems. No FP.
I just can't understand why Dr Web or AVG Anti-Spyware did not pick this up.
Well, this is the worst trojan I have encountered.
From now on I will have my coffee before turning the computer on.
--------------------------------------------------------------------------------------------------------------------------------------------
win-xp-wzcs-information-disclosure (22524) Medium Risk
Description:
Microsoft Windows XP SP2 Professional and Home Edition could allow a local attacker to obtain sensitive information caused by a vulnerability in the Wireless Zero Configuration service. A local attacker could exploit this vulnerability to obtain sensitive information including SSID's and WEP keys.
--------------------------------------------------------------------------------------------------------------------------------------------
Trojan.Win32.DNSChanger.ik
Type: Malware
Type Description: Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
Category: Trojan
Category Description: Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.
Level: High
Level Description: High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice Type: Remove
File Traces
EDIT: A very unusual day for me it seems. I was running Reg Supreme Pro and Kaspersky came up with this:
Trojan.Win32.KillAV.jr C:\...\inshelp.exe cannot delete --- geez
So I reboot anyway, not going into safe mode yet. After rebooting I ran AVG Anti-Rootkit 1.1.0.29 Beta and while it was running Kaspersky came up with this: Trojan.Win32.KillAV.jr C:\WINDOWS\installer\1fe9c1:msi, but this time Kaspersky deleted it. AVG found no roots.
All this time I have not yet run a full scan using Kaspersky. But it is running one now.
While running the full scan it found Trojan.Win32.KillAV.jr again:
C:\Kav\Kis6.0\english\Kis6.en msi//inshelp.exe --- and claimed to delete it. Looks like it was in the Kaspersky 6.0 I d/l from Kaspersky -- FP?
It seems I need a cyber condom over my computer.
AMRX
March 28th, 2007, 11:27 AM
Is it the Mad Hatter in your avatar? Well, I think it's one of those rare cases where a reputable AV fails to pick out one baddie. Maybe this baddie came after you uninstalled Dr.Web/AVG.
BrainWarp
March 28th, 2007, 11:32 AM
{QUOTE-> Is it the Mad Hatter in your avatar? Well, I think it's one of those rare cases where a reputable AV fails to pick out one baddie. Maybe this baddie came after you uninstalled Dr.Web/AVG. <-QUOTE}
I did not do anything last night after I installed Kaspersky but go to bed. And yes, that is the Mad Hatter as my avatar.
AMRX
March 28th, 2007, 11:56 AM
Thank you for the information about the trojan. Well, now it's clear that it's a vulnerability which existed in your system for a long time and was exploited after you installed Kaspersky. It might have been exploited before also, but then Dr.Web/AVG simply missed it. All I want to say is that one shouldn't base his/her entire product usage decision on such incidents. But in the end Kaspersky is better in terms of detection, which is proved numerous times.
BrainWarp
March 28th, 2007, 12:03 PM
In the process of changing all my passwords to accounts.
sasa843
March 28th, 2007, 12:58 PM
Do you really think that every antivirus on the market will detect every virus?
This is considered as a statement, nothing more.
C.S.J
March 28th, 2007, 01:14 PM
I know people are gonna expect this reply from me, but...
Curious that AVG AS, Dr.Web and RegDefend did not block a DLL file which was infected. I suspect the threat came after; I really can't see them all missing it, I mean... what are the chances???
JerryM
March 28th, 2007, 01:20 PM
If I am using one of the AVs with the best detection rates, and would get infected, I would put it down to "none will...100%." However, if I were using a lesser AV, considering detection rates, I would change it to a better one.
Somehow I cannot justify using one of the poorer AVs, and then saying that none can.. It may very well be that no AV would have prevented infection, but all I can do is use the best protection.
That is a reason that I would not use AVG free or Dr Web.
But that is just my line of thinking.
Best,
Jerry
BrainWarp
March 28th, 2007, 01:21 PM
{QUOTE-> I know people are gonna expect this reply from me, but...
Curious that AVG AS, Dr.Web and RegDefend did not block a DLL file which was infected. I suspect the threat came after; I really can't see them all missing it, I mean... what are the chances??? <-QUOTE}
I agree, but I do turn off AVG and RegDefend in games, so who knows. But as much as I like Dr Web I am just disappointed in it. I did run a full scan early yesterday with AVG 7.5 Anti-Spyware and nothing was found. The day before I ran a full scan with SUPERAntiSpyware and nothing was found. But I did not install Kaspersky until late last night. There is a possibility it could have snuck in, but I think it is slim in that timeframe, because after I installed Kaspersky I hit the hay, but was still on the net.
C.S.J
March 28th, 2007, 01:25 PM
How? You don't even know Dr.Web missed the threat.
But even if it did, I could send you a threat not detected by Kaspersky that Dr.Web and others do, one that can be easily caught from surfing the net. This is not hard to do, so you can't judge an AV on one threat anyway.
"This morning I turn the computer on and I have an alert from Kaspersky: wzcsapi.dll is wanting to run. I really don't know why I hit skip (OK) for the program (this was before coffee). I was updating Kaspersky at that same time and all of a sudden another Kaspersky window pops up (with that loud sound Kaspersky makes, scaring the crap out of me)"
To me, this makes it sound like you got the threat while Kaspersky was installed and Kaspersky asked you if you wanted to allow it; you clicked skip... your mistake, as this caused the virus threat to show. Once again this shows Kaspersky's lack of useful information for its allow/deny procedure. That's my 2 cents.
BrainWarp
March 28th, 2007, 01:51 PM
I only clicked skip this morning when it detected the trojan at that instant. I am usually very careful and read before accepting something. But human nature is full of mistakes. I guess I will add this to my list of cyber experiences. After I installed Kaspersky last night I put my games in exclude and entered the games to see if they worked fine without the hesitation I had previously experienced. That's why this morning when I turned my comp on the speakers were loud enough to scare the crap out of me when Kaspersky detected the trojan.
EDIT: So far I have learned Trojan.Win32.KillAV.jr is an FP.
lodore
March 28th, 2007, 02:05 PM
{QUOTE-> How? You don't even know Dr.Web missed the threat.
But even if it did, I could send you a threat not detected by Kaspersky that Dr.Web and others do, one that can be easily caught from surfing the net. This is not hard to do, so you can't judge an AV on one threat anyway.
"This morning I turn the computer on and I have an alert from Kaspersky: wzcsapi.dll is wanting to run. I really don't know why I hit skip (OK) for the program (this was before coffee). I was updating Kaspersky at that same time and all of a sudden another Kaspersky window pops up (with that loud sound Kaspersky makes, scaring the crap out of me)"
To me, this makes it sound like you got the threat while Kaspersky was installed and Kaspersky asked you if you wanted to allow it; you clicked skip... your mistake, as this caused the virus threat to show. Once again this shows Kaspersky's lack of useful information for its allow/deny procedure. That's my 2 cents. <-QUOTE}
But did BrainWarp press the information button and read about it before pressing skip?
Also, I know no AV can detect 100 percent of malware.
I don't think there is any need to diss PDM and Kaspersky because of one user error.
@BrainWarp
Is the screenshot a mock or real?
lodore
C.S.J
March 28th, 2007, 02:07 PM
Edited his post to say it was a false positive, why all the panic? lol
Bob D
March 28th, 2007, 02:24 PM
{QUOTE-> ......it was a false positive... <-QUOTE}
I thought Dr.Web was supposed to be high in FPs? Go figure.
OK, C.S.J, you can now gloat (but just a little).
BrainWarp
March 28th, 2007, 02:35 PM
{QUOTE-> Edited his post to say it was a false positive, why all the panic? lol <-QUOTE}
I learned from Kaspersky that only the Trojan.Win32.KillAV.jr was an FP; win-xp-wzcs and Trojan.Win32.DNSChanger.ik were not.
C.S.J
March 28th, 2007, 02:38 PM
Submit them to Dr.Web, they will tell you ;) Zip it up with the password 'virus'; the link to submit is in my signature.
I still think it was user error allowing the DLL, while Dr.Web was not on your machine.
aigle
March 28th, 2007, 02:55 PM
{QUOTE-> I agree, but I do turn off AVG and RegDefend in games, so who knows. But as much as I like Dr Web I am just disappointed in it. I did run a full scan early yesterday with AVG 7.5 Anti-Spyware and nothing was found. The day before I ran a full scan with SUPERAntiSpyware and nothing was found. But I did not install Kaspersky until late last night. There is a possibility it could have snuck in, but I think it is slim in that timeframe, because after I installed Kaspersky I hit the hay, but was still on the net. <-QUOTE}
You can upload it to VirusTotal to see if Dr.Web and Ewido are detecting it or not.
BrainWarp
March 28th, 2007, 03:03 PM
{QUOTE-> Submit them to Dr.Web, they will tell you ;) Zip it up with the password 'virus'; the link to submit is in my signature.
I still think it was user error allowing the DLL, while Dr.Web was not on your machine. <-QUOTE}
You don't seem to understand what happened when I allowed the DLL. When I allowed the DLL, 1 sec after that Kaspersky alerted me of the trojan. It has been deleted by Kaspersky.
C.S.J
March 28th, 2007, 03:29 PM
No no, I did understand that from post #1.
aigle
March 28th, 2007, 03:43 PM
VirusTotal, VirusTotal, ......
BrainWarp
March 28th, 2007, 03:52 PM
715,112 sigs on AVG 7.5.
Dunno on Dr Web, because you cannot install Kaspersky with Dr Web on the computer.
I have been using Dr Web for years and am still very fond of it. You will sing a different tune, C.S.J, if you go through something like this. But if Dr Web is all you're running, how would you ever know?
C.S.J
March 28th, 2007, 04:32 PM
Trust me, I know.
I have gone through things like this; I've tried many AVs and had licences for a few as well, but I know... to ALWAYS deny a file if I don't know what it is.
This alone was your problem which kicked it all off on your machine.
I can always do an online scan, once every 6 months or so with Panda, to make sure everything is top-top.
I'm not a safe user all the time; Dr.Web has kept me safe and clean, always detecting nothing on online scans etc, and yes I do get malware through the week and spam, I also get TONS of phishing emails too, all of which Dr.Web detects. Next online scan, I suspect nothing to be found.
BrainWarp
March 28th, 2007, 04:46 PM
You are right. But Dr Web never detected it at all to kick anything off. Kaspersky did. And I'm not saying Dr Web is bad, just that it seems to have missed this. And it was a bad trojan to miss.
I can only speak for myself, but I am through using Dr Web regardless of how good or bad it is. I will be under the Kaspersky flag from now on.
C.S.J
March 28th, 2007, 04:56 PM
You don't even know that it was on your machine while Dr.Web was...... how can you know this?
If it was, the DLL alone was not a threat; you allowed it to 'do its business' by allowing it.
Does not bother me one bit if you ditch Dr.Web, but you don't even know the DLL was on your machine while Dr.Web was. If it was... Dr.Web would NOT have detected it as it wasn't executable on its own; you have probably done something which has executed, and Dr.Web would have most likely detected it THEN.
Just another theory, but like I said.. doesn't bother me one bit if you leave Dr.Web, I'll welcome you back when you have and will have a problem or when Dr.Web brings out something new ;)
BrainWarp
March 28th, 2007, 05:07 PM
When I uninstalled Dr Web I had installed Kaspersky right afterwards.
Rebooted, updated and put games into exclude. Went to check how the games ran.
I d/l nothing but the Kaspersky updates, and went only to this site and dslreports before going to bed.
Woke up, turned comp on, updated Kaspersky again and the KIS proactive part warned me of the win-xp-wzcs DLL and it mentioned it was used for wireless, so I OK'ed it thinking it was part of the wireless -- still before coffee. That was my mistake. Just installing a program like this you get a lot of alerts in the beginning anyway, so I did not think much of it.
Then that's when the KIS antivirus warned me of the trojan and stopped it before it did any damage. But who knows -- the damage could have already been in action before Kaspersky, I'm afraid, but it seems like the NF4 ActiveArmor firewall would have picked it up --- then again, who knows.
PS I respect your belief in the good doctor, C.S.J, but for now I will have to let it go.
steve1955
March 28th, 2007, 05:29 PM
{QUOTE-> You don't even know that it was on your machine while Dr.Web was...... how can you know this?
If it was, the DLL alone was not a threat; you allowed it to 'do its business' by allowing it.
Does not bother me one bit if you ditch Dr.Web, but you don't even know the DLL was on your machine while Dr.Web was. If it was... Dr.Web would NOT have detected it as it wasn't executable on its own; you have probably done something which has executed, and Dr.Web would have most likely detected it THEN.
Just another theory, but like I said.. doesn't bother me one bit if you leave Dr.Web, I'll welcome you back when you have and will have a problem or when Dr.Web brings out something new ;) <-QUOTE}
Why do you seem to have a problem that on this occasion your favourite AV didn't do its job? It happens, accept it!
C.S.J
March 28th, 2007, 05:31 PM
RUBBISH....
The DLL was harmless till he unleashed it; he never would have had this problem with Dr.Web still installed. Kaspersky and its mumbo jumbo on the pop-ups: he allowed it and unleashed it on his system.
I don't need to justify myself to you; don't care what AV you use or whatever he uses.
The DLL alone was not a threat, or his registry problem would have notified of any changes or problems.
Firecat
March 28th, 2007, 06:11 PM
Sometimes I know KAV detects certain DLLs that are not detected by other programs. Did you notice any EXE file alert from KAV?
Because frankly speaking, nowadays I find very few trojans which are detected by KAV but not by Ewido/AVG AntiSpyware. That's why I'm curious about this, as AVG should have picked it up (unless you were not having the real-time guard enabled).
Also, it seems KAV is having some FPs with the KillAV.jr detection. I suggest you send the files for analysis to the Kaspersky viruslab.
As for Dr.Web, I've seen it miss quite a lot of malware, but still, I've never been infected with Dr.Web on.
Metal425
March 28th, 2007, 06:15 PM
What firewall are you using? Maybe someone got through? Maybe a false alarm?
BrainWarp
March 28th, 2007, 06:35 PM
{QUOTE-> Sometimes I know KAV detects certain DLLs that are not detected by other programs. Did you notice any EXE file alert from KAV?
Because frankly speaking, nowadays I find very few trojans which are detected by KAV but not by Ewido/AVG AntiSpyware. That's why I'm curious about this, as AVG should have picked it up (unless you were not having the real-time guard enabled).
Also, it seems KAV is having some FPs with the KillAV.jr detection. I suggest you send the files for analysis to the Kaspersky viruslab.
As for Dr.Web, I've seen it miss quite a lot of malware, but still, I've never been infected with Dr.Web on. <-QUOTE}
Keep in mind I turn AVG realtime off while in games and many times forget to turn it back on while on the net. Dr Web is always running though.
The whole thing was really strange. I find the same thing with AVG 7.5 and was surprised, but the realtime was not on.
Metal425
My firewall is NF4 ActiveArmor built into my chipset. But the program never had a chance to reach my firewall, is my guess and hope. This will cause me not to be so relaxed about security in the future. I may even add Prevx1. How are your resources running Prevx1?
C.S.J
March 28th, 2007, 06:39 PM
Has anything actually happened to your machine?
It could easily just be an FP.
BrainWarp
March 28th, 2007, 06:43 PM
{QUOTE-> Has anything actually happened to your machine?
It could easily just be an FP. <-QUOTE}
It could have been -- I guess I will never know.
Nothing has happened. Been running very smooth and fast. This is what I built:
xp pro
939-- 3700+
1 g 2.2.2.5 ram
raptors in raid
pc power & cooling 510 sli
I will be upgrading to an AMD X2 processor soon.
C.S.J
March 28th, 2007, 06:46 PM
Ok, well no problems.... don't worry too much ;)
AMD X2 runs well, I assure you. :D
BrainWarp
March 28th, 2007, 06:47 PM
My wife's laptop is a Pentium dual-core and it runs very well.
C.S.J
March 28th, 2007, 06:50 PM
My laptop is an AMD Turion X2 dual core, Dell.... and it runs any AV software swiftly, even the ones that are known to be slow; they are now fast ;)
btman
March 28th, 2007, 08:07 PM
{QUOTE-> Just another theory, but like I said.. doesn't bother me one bit if you leave Dr.Web, I'll welcome you back when you have and will have a problem or when Dr.Web brings out something new ;) <-QUOTE}
I'm a Kaspersky user, with no problems and Dr. Web/NOD32/Anything has not leaned me away from Kaspersky yet.
Metal425
March 28th, 2007, 08:16 PM
{QUOTE-> I'm a Kaspersky user, with no problems and Dr. Web/NOD32/Anything has not leaned me away from Kaspersky yet. <-QUOTE}
Agreed, I'm a Kaspersky user also.
likuidkewl
March 28th, 2007, 09:25 PM
Ok, I waited for the bickering over "my AV is bigger than your AV" to stop, but alas this may not happen. :)
DNS changers of this type tend to be infections from the good old Zlob family.
BrainWarp - since you seem to be fairly educated in computer usage security I am assuming it wasn't you who was looking at porn and ended up installing a media codec file.
You can narrow your search down to on or around the 12-15th of March for infection; I am fairly certain it is the 13th though.
Since it was a DLL, this indicates some level of infection did occur when you were protected by AVG and Dr.Web, BUT it wasn't solely the fault of the AV software, since user interaction is required to install something of that nature.
They advertise free access to porn, ripped DVDs, MP3s etc.
BrainWarp
March 28th, 2007, 10:08 PM
That's about the time my son had his friend over for several days. It would not do any good for me to ask my son about this, but I will have to keep tighter security with him on the computer. His computer has parental restriction software installed, so probably he and his friend got on my computer to see whatever they were looking for after I hit the hay.
He mainly stays in the local chat rooms and on MySpace.
I'm also trying out Prevx1 right now. Nice program.
lucas1985
March 28th, 2007, 11:51 PM
{QUOTE-> He mainly stays in the local chat rooms and on MySpace. <-QUOTE}
This says a lot.
risl
March 29th, 2007, 07:33 AM
It is possible that the .dll was inactive and therefore Dr.Web did not detect it. In smart scanning mode it only detects malware if you run them/access them or if it's active. A Dr.Web full system scan might have detected it. ;)
likuidkewl
March 29th, 2007, 08:05 AM
{QUOTE-> It is possible that the .dll was inactive and therefore Dr.Web did not detect it. In smart scanning mode it only detects malware if you run them/access them or if it's active. A Dr.Web full system scan might have detected it. ;) <-QUOTE}
That is not correct; a Zlob infection initiates the DLL every time the computer is started, usually by HKLM Run keys.
I know this is in some versions only.
BrainWarp - you may want to have a look at this reg key:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ "Value = NameServer"
Just make sure it is clean. ;)
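The check likuidkewl describes, written out as an added PowerShell example (not part of the thread or of any product mentioned in it): it lists every NameServer value under the Tcpip\Parameters key and its per-interface subkeys, marks any resolver that is not in a known-good list, and lists Run-key entries that start a DLL at logon. The known-good resolver list is a placeholder assumption, and the DhcpNameServer value and the per-interface subkeys are included beyond the single value the post names, because a DNS changer can rewrite any of them. It assumes a Windows host with PowerShell 3 or later, run from an elevated prompt.

```powershell
# Added example, not from the original thread: audit the DNS-server registry values a
# DNS-changer trojan typically rewrites, plus the Run keys that would start a DLL at boot.
# $ExpectedResolvers is an assumption for this example; fill in your own router/ISP/corporate resolvers.
$ExpectedResolvers = @('192.168.1.1')   # placeholder value

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-NameServerEntries {
    # The global NameServer value plus the per-interface copies under Interfaces\{GUID}
    $paths = @($TcpipParams) + @(Get-ChildItem "$TcpipParams\Interfaces" -ErrorAction SilentlyContinue |
                                  ForEach-Object { $_.PSPath })
    foreach ($p in $paths) {
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in @('NameServer', 'DhcpNameServer')) {
            $value = $props.$name
            if (-not $value) { continue }
            # The value is a space- or comma-separated list of IP addresses
            foreach ($ip in ($value -split '[ ,]+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    Key      = $p
                    Value    = $name
                    Server   = $ip
                    Expected = ($ExpectedResolvers -contains $ip)   # False = not in your known-good list
                }
            }
        }
    }
}

function Get-RunKeyDllLoaders {
    # Autostart entries that invoke rundll32 or name a .dll: the way a DLL-based infection gets started at logon
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
            if ("$($prop.Value)" -match 'rundll32|\.dll') {
                [pscustomobject]@{ Key = $k; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

Write-Host '== DNS server values (Expected = False means the address is not in your known-good list) =='
Get-NameServerEntries | Format-Table -AutoSize

Write-Host '== Run-key entries that load a DLL =='
Get-RunKeyDllLoaders | Format-Table -AutoSize
```

A resolver you do not recognise in the first table, or an unfamiliar rundll32 entry in the second, is what to compare against the DNS servers your router or ISP actually hands out before deciding anything is infected; a legitimate DHCP-assigned server will show up as Expected = False until you add it to the list.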
Firecat
March 29th, 2007, 08:08 AM
{QUOTE-> It is possible that the .dll was inactive and therefore Dr.Web did not detect it. In smart scanning mode it only detects malware if you run them/access them or if it's active. A Dr.Web full system scan might have detected it. ;) <-QUOTE}
If the DLL was not active, KAV's PDM wouldn't have caught it trying to run. In this case, obviously Dr.Web has missed something. I'm not particularly surprised either, as I have known Dr.Web to miss quite a bit of malware.
It is possible AVG may have been turned off at that point, allowing the PC to get infected...
steve1955
March 29th, 2007, 02:29 PM
{QUOTE-> Ok, I waited for the bickering over "my AV is bigger than your AV" to stop, but alas this may not happen. :) <-QUOTE}
That's the best line in this whole thread! (lol)
risl
March 30th, 2007, 10:52 AM
Don't know if this is the same, but Trojan.DnsChange is added in http://live.drweb.com by Alexey Olendar
flinchlock
April 23rd, 2007, 03:20 PM
{QUOTE-> It is possible that the .dll was inactive and therefore Dr.Web did not detect it. In smart scanning mode it only detects malware if you run them/access them or if it's active. A Dr.Web full system scan might have detected it. ;) <-QUOTE}
Just remember there is no such thing as a stupid question. ;)
What do you mean by "inactive"?
If that .dll was just copied from a floppy/CD/USB drive into, say, the system32 folder, would ANY product detect it as bad?
Mike ???
flinchlock
April 30th, 2007, 07:59 AM
{QUOTE-> Just remember there is no such thing as a stupid question.
What do you mean by "inactive"?
If that .dll was just copied from a floppy/CD/USB drive into, say, the system32 folder, would ANY product detect it as bad? <-QUOTE}
Sorry, Mike