Trojan Win32 Dns Changer .ik -hard to believe

Discussion in 'other anti-virus software' started by BrainWarp, Mar 28, 2007.

Thread Status:
Not open for further replies.
  1. BrainWarp
    Offline

    BrainWarp Registered Member

    Well guys

    This is what happened this morning and it is hard for me to believe.On my computer i run dr web because of how well it works while in games.While cruising the net i run avg anti-spyware and redgdefend with dr web.

    Last night i Uninstalled dr web and installed kaspersky 6.0 internet on my computer again to give it a try in games.Had learned what to exclude in kaspersky so hopefully my games would run better.

    Updated kaspersky last night and no problems.

    This morning i turn the computer on and i have a alert from kaspersky wzcs api .dll is wanting to run.I really don't know why i hit skip(ok) for the program(this was before coffee) .I was updating kaspersky at that same time and all of a sudden another kaspersky window pops up (with that loud sound kaspersky makes scaring the crap out of me)

    Trojan Win32 Dns Changer .ik found delete and reboot to clean the infection.

    WHAT THE HELL------

    So i cleaned the infection and rebooted to a calm computer.I looked it up on the net and it was a bad one it seems.No FP.

    I just can't understand why dr web or avg anti-spyware did not pick this up.


    Well this is the worst trojan i have encountered.

    From now own i will have my coffee before turning the computer on .
    --------------------------------------------------------------------------------------------------------------------------------------------

    win-xp-wzcs-information-disclosure (22524) Medium Risk


    Description:

    Microsoft Windows XP SP2 Professional and Home Edition could allow a local attacker to obtain sensitive information caused by a vulnerability in the Wireless Zero Configuration service. A local attacker could exploit this vulnerability to obtain sensitive information including SSID's and WEP keys.
    --------------------------------------------------------------------------------------------------------------------------------------------

    Trojan.Win32.DNSChanger.ikType Malware


    Type Description Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
    Category Trojan
    Category Description Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.
    Level High
    Level Description High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
    Advice Type Remove
    File Traces

    EDIT:A very unusual day for me it seems. I was running reg supreme pro and kaspersky came up with this
    Trojan .Win 32.KillAv.jr C:\...\inshelp.exe cannot delete---geez

    So i reboot anyway not going into safe mode yet.After rebooting I ran AVG Anti-Rootkit 1.1.0.29 Beta and while it was running kaspersky came up with this Trojan .Win 32.KillAv.jr C:\WINDOWS\installer\1fe9c1:msi but this time kaspersky deleted it. AVG found no roots.

    All this time i have not yet run a full scan using kaspersky yet.But it is running one now


    While running the full scan it found Trojan Win32 KillAv .jr again
    C:\Kav\Kis6.0\english\Kis6.en msi//inshelp.exe --- and claimed to delete it.Looks like it was in the kaspersky 6.0 i d/l from kaspersky--FP?

    It seems i need a cyber condom over my computer
    Last edited: Mar 28, 2007
  2. Arin
    Offline

    Arin Registered Member

    Is it mad hatter in your avatar? Well I think its one of those rare cases where a reputable AV fails to pick out one baddie. Maybe this baddie came after you uninstalled Dr.Web/AVG.
  3. BrainWarp
    Offline

    BrainWarp Registered Member

    I did not do anything last night after i installed kaspersky but go to bed.And yes--that is the mad hatter as my avatar
  4. Arin
    Offline

    Arin Registered Member

    Thank you for the information about the trojan. Well now its clear that its a vulnerability which existed in your system from a longtime and was exploited after you installed Kaspersky. It might have been exploited before also but then Dr.Web/AVG simply missed it. All i want to say is that one shouldn't base his/her entire product usage decision on such incidents. But in the end Kaspersky is better in terms of detection which is proved numerous times.
  5. BrainWarp
    Offline

    BrainWarp Registered Member

    In the process of changing all my passwords to accounts
  6. sasa843
    Offline

    sasa843 Registered Member

    Do You really think that every antivirus on the market will detect every virus?
    This is considered as a statement nothing more.
  7. C.S.J
    Offline

    C.S.J Massive Poster

    i know people are gonna expect this reply from me, but...

    curious that avg AS, drweb and regdefend did not block a dll file which was infected, i suspect the threat came after, i really cant see them all missing , i mean... what are the chances. o_O
  8. JerryM
    Offline

    JerryM Registered Member

    If I am using one of the AVs with the best detection rates, and would get infected, I would put it down to "none will...100%." However, if I were using a lesser AV, considering detection rates, I would change it to a better one.

    Somehow I cannot justify using one of the poorer AVs, and then saying that none can.. It may very well be that no AV would have prevented infection, but all I can do is use the best protection.
    That is a reason that I would not use AVG free or Dr Web.
    But that is just my line of thinking.

    Best,
    Jerry
  9. BrainWarp
    Offline

    BrainWarp Registered Member

    I agree--but i do turn off avg and regdefend in games so who knows.But as much as i like dr web im am just disappointed in it.I did run a full scan early yesterday with avg 7.5 anti-spyware and nothing was found.The day before i ran a full scan with SUPERantispyware and nothing was found.But i did not install kaspersky untill late last night.There is a possibilty it could have snuck in ,but i think it is slim in that timeframe ,because after i installed kaspersky i hit the hay,but was still on the net
    Last edited: Mar 28, 2007
  10. C.S.J
    Offline

    C.S.J Massive Poster

    how, you dont even know drweb missed the threat.

    but even if it did, i could send you a threat not detected by kaspersky that drweb and others do,one that can be easily caught from surfing the net. this is not hard to do, so you cant judge an av on one threat anyway.

    "This morning i turn the computer on and i have a alert from kaspersky wzcs api .dll is wanting to run.I really don't know why i hit skip(ok) for the program(this was before coffee) .I was updating kaspersky at that same time and all of a sudden another kaspersky window pops up (with that loud sound kaspersky makes scaring the crap out of me)"

    to me, this makes it sound that you got the threat while kaspersky was installed and kaspersky asked you if you wanted to allow it, you clicked skip... your mistake, as this caused the virus threat to show, once again this shows kasperskys lack of usefull information for its allow/deny procedure, thats my 2cents.
  11. BrainWarp
    Offline

    BrainWarp Registered Member

    I only clicked skip this morning when it detected the trojan at that instant.I am usually very careful and read before accepting something.But human nature is full of mistakes.I quess i will this add this too my list of cyber experiences .After i installed kaspersky last night i put my games in exclude and entered the games to see if they worked fine without the hesitation i had previously experienced .Thats why this morning when i turned my comp on the speakers were loud enough to scare the crap out of me when kaspersky detected the trojan

    EDIT:So far i have learned Trojan Win32 KillAv .jr is a FP
    Last edited: Mar 28, 2007
  12. lodore
    Offline

    lodore Registered Member

    but did brain warp press the infomation button and read about it before
    pressing skip?
    also i know no av can detect 100percent of malware.
    i dont think there is any need to diss PDM and kaspersky because of one user error.

    @brainwarp
    isthe screenshot a mock or real?
    lodore
    Last edited: Mar 28, 2007
  13. C.S.J
    Offline

    C.S.J Massive Poster

    edited his post to say it was a false positive, why all the panic? lol
  14. Bob D
    Offline

    Bob D Registered Member

    I though DrWeb was supposed to be high in FPs? Go Figure.
    OK, C.S.J, you can now gloat (but just a little).
  15. BrainWarp
    Offline

    BrainWarp Registered Member

    I learned from kaspersky only the Trojan Win32 KillAv .jr was a FP ----win-xp-wzcs and Trojan.Win32.DNSChanger.ik were not
  16. C.S.J
    Offline

    C.S.J Massive Poster

    submit them to drweb, they will tell you ;) zip it up with the password 'virus', link is in my signature to submit.

    i still think it was user error allowing the dll, while drweb was not in your machine.
  17. aigle
    Offline

    aigle Registered Member

    U can upload it to virus total to see if Dr.Web and Ewido are detecting it or not?
  18. BrainWarp
    Offline

    BrainWarp Registered Member

    You don't seem to understand about what happened when i allowed the dll.When i allowed the dll 1 sec after that kaspersky alerted me of the trojan.It has been deleted by kaspersky
  19. C.S.J
    Offline

    C.S.J Massive Poster

    no no, i did understand that from post #1
  20. aigle
    Offline

    aigle Registered Member

    Virus total, virus total, ......
  21. BrainWarp
    Offline

    BrainWarp Registered Member

    715,112 sigs on avg 7.5

    dunno on dr web because you cannot install kaspersky with dr web on the computer.

    I have been using dr web for years and am still very fond of it.You will sing a different tune C.S.J if you go through something like this.But if dr web is all your running,how would you ever know?
  22. C.S.J
    Offline

    C.S.J Massive Poster

    trust me i know,

    i have gone through things like this, ive tried many AVs and had licences for a few aswell, but i know... to ALWAYS deny a file if i dont know what it is.

    this alone, was your problem which kicked it all off on your machine.

    i can always do an online scan, once every 6 months or so with panda to make sure everything is top-top

    im not a safe user all the time, drweb has kept me safe and clean, always detecting nothing on online scans etc, and yes i do get malware through the week and spam, i also get TONS of phising emails too, all which dr.web detect, next online scan, i suspect nothing to be found.
  23. BrainWarp
    Offline

    BrainWarp Registered Member

    You are right.But dr web never detected it at all to kick anything off.Kaspersky did.And i'm not saying dr web is bad ,just that it seems to have missed this.And it was a bad trojan to miss

    I can only speak for myself,but i am through using dr web regardless of how good or bad it is.I will be under the kaspersky flag from now on.
  24. C.S.J
    Offline

    C.S.J Massive Poster

    you dont even know that it was on your machine while dr.web was ...... how can you know this.

    if it was, the dll alone was not a threat, you allowed it to 'do its buisiness' by allowing it

    does not bother me one bit if you ditch drweb, but you dont even know the dll was in your machine while dr.web was, if it was... drweb would NOT have detected it as it wasnt executable on its own, you have probably done something which has executed, drweb would have most likely detected THEN.

    just another theory, but like i said.. doesnt bother me one bit if you leave drweb, i'll welcome you back when you have and will have a problem or when drweb brings out something new ;)
  25. BrainWarp
    Offline

    BrainWarp Registered Member

    When i uninstalled dr web i had installed kaspersky right afterwards.
    Rebooted updated and put games into exclude.Went to check how the games ran.

    I d/l nothing but the kaspersky updates and going to this site and dslreports only before going to bed.

    Woke up turned comp on updated kaspersky again and kis proactive part warned me of the win-xp-wzcs dll and it menchined used for wireless so i ok'ed it thinking it was part of the wireless--still before coffee.That was my mistake.Just installing a program like this you get alot of alerts in the beginning anyway so i did not think much of it

    Then thats when kis anitvirus warned me of the trojan and stopped it before it did any damage .But who knows--the damage could have already been in action before kaspersky i'm afraid,but it seems like the NF4 active armor firewall would have picked it up---then again who knows

    PS I respect your belief in the good doctor C.S.J ,but for now i will have to let it go
    Last edited: Mar 28, 2007
Thread Status:
Not open for further replies.