Solved

Need Help removing DNSchanger virus.

Posted on 2008-10-20
Last Modified: 2013-11-22
I have somehow gotten a virus on a server machine. I am fairly certain this is a DNS changer "rootkit" virus. It automatically changes my DNS servers to invalid values. I found the references in the registry to a kmgql.exe (Not the exact file spelling) file which is associated with the virus, as well as references to change the DNS servers to invalid ones. If I removed the keys they just came back.


I tried to start the machine in safe mode, and now it just restarts over and over with the error:
"When trying to update a password the return status indicates that the value provided as the current password is not correct."

Please help!!
Question by:tkingstl
15 Comments
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22760813
Hi,
Certainly sounds like a Wareout infection. Not sure if FixWareout will run on a server, but worth a try.

Download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If that won't work you can use Blacklight Beta to find and rename the rootkit file, which is likely the kmgql.exe file.

Let us know.
0
 

Author Comment

by:tkingstl
ID: 22760974
I tried Fixwareout.exe but it just times out. I think it requires an active internet connection, which I don't have because of the DNS issue. I will try and look into Blacklight Beta, never heard of it.
0
 

Author Comment

by:tkingstl
ID: 22761030
Blacklight Beta does not support the Windows SBS 2003 OS.
0
 

Author Comment

by:tkingstl
ID: 22761184
Update: I still can't even get into Windows, I get an lsass.exe - System Error, with the message in my first post.

Hellllpppp!
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22762051
Hmm....this may be trouble. Sounds like some OS damage may have been done either by the Malware or the process of trying to remove it.

Do you know the exact name and location of the "kmgql.exe (Not the exact file spelling) file"?

If so you can try renaming it and then make the DNS changes. Also, let's get a HijackThis log.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22762057
Oh forgot to mention. Will it boot to Safe Mode?
0
 

Author Comment

by:tkingstl
ID: 22762095
I can't get it to boot into any safe mode at all, it produces the lsass.exe error about an invalid password and restarts. I can't remember the exact name of the file, but HijackThis said it resided in the windows system32 folder.


0
 

Author Comment

by:tkingstl
ID: 22762183
I tried to run the restore disk, and try a system repair. When it asked me for the admin password, it is no longer valid. I am guessing that's what the worm virus destroyed last?

At this point I don't know what to do. This server holds 2 very important databases which are backed up, but information will be lost if we have to do a fresh install on the computer.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22762189
So you can't get into Windows at all? Well...at this point you may need to consider a re-install.

What is the exact message you get at startup?

You could try taking out the hard drive and scanning it on another computer with an AV and AS, but not sure how successful that will be. Or use a PE disk and do some scans from there. But if you cannot get into Windows you'll have to work outside the OS somehow.
0
 
LVL 20

Accepted Solution

by:IndiGenus (earned 250 total points)
ID: 22762197
Can you slave that drive to another PC and get those databases?
0
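Once the drive is slaved to a clean machine, as IndiGenus suggests, the offline SYSTEM and SOFTWARE hives can be examined without the malware running. The script below is an added example written for this thread, not a tool from the thread or from any of the products mentioned: it parses a `reg export`-style text dump and flags the two indicators the question describes, NameServer values that are not on the network's own DNS allow-list and Run entries pointing at executables that are not known to belong on the server. The registry export, the DNS allow-list, the known-good Run entry and the `kmgql.exe` path are all constructed sample values (the thread itself says that file name is not the exact spelling).

```python
"""Offline check of a registry export for DNS-changer indicators (added example)."""
import re

# Constructed sample: the shape of a .reg export of the Tcpip interface keys and
# the Run key after a DNS changer has tampered with them. Every GUID, address and
# path here is made up for the example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="203.0.113.5,203.0.113.6"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"NameServer"="192.168.1.10"
"DhcpNameServer"="192.168.1.10"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"NameServer"="203.0.113.5,203.0.113.6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="C:\\WINDOWS\\system32\\kmgql.exe"
"KnownGoodApp"="C:\\Program Files\\ExampleVendor\\agent.exe"
"""

# Assumed: the only resolver this network should hand out is the internal DC.
ALLOWED_DNS = {"192.168.1.10"}
# Assumed: Run entries an admin has previously verified on this server.
KNOWN_GOOD_RUN = {r"C:\Program Files\ExampleVendor\agent.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse the string-value subset of .reg syntax: [key] headers and "name"="value" lines.

    Returns {key_path: {value_name: value}}. Backslashes are escaped as \\ in .reg
    data, so they are folded back to single backslashes here.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            entries.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, value = value_match.group(1), value_match.group(2)
            entries[current][name] = value.replace("\\\\", "\\")
    return entries


def find_dns_deviations(entries, allowed=ALLOWED_DNS):
    """Return (key, [servers]) for every Tcpip NameServer value naming a server off the allow-list."""
    hits = []
    for key, values in entries.items():
        if "\\Services\\Tcpip\\Parameters" not in key:
            continue
        # NameServer is a space- or comma-separated list of addresses.
        servers = [s for s in re.split(r"[ ,]+", values.get("NameServer", "")) if s]
        bad = [s for s in servers if s not in allowed]
        if bad:
            hits.append((key, bad))
    return hits


def find_unexpected_run_entries(entries, known_good=KNOWN_GOOD_RUN):
    """Return (value_name, command) for Run/RunOnce entries whose command is not on the known-good list."""
    hits = []
    for key, values in entries.items():
        if not re.search(r"\\CurrentVersion\\Run(Once)?$", key):
            continue
        for name, command in values.items():
            if command not in known_good:
                hits.append((name, command))
    return hits


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, bad in find_dns_deviations(parsed):
        print(f"DNS off allow-list under {key}: {', '.join(bad)}")
    for name, command in find_unexpected_run_entries(parsed):
        print(f"Unexpected Run entry {name!r} -> {command}")
```

Because the question reports that deleted keys reappear, the useful workflow is to export the hives, run the check, clean up, export again and re-run: if the same NameServer or Run hits come back on the second pass, a persistence mechanism is still in place and the rebuild IndiGenus recommends is the safer option.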
 

Author Comment

by:tkingstl
ID: 22762527
I think that is what I will have to do (slave the drive to remove any data we need), and do a re-install of windows.

The exact error message is a dialogue box alert saying:
"When trying to update a password the return status indicates that the value provided as the current password is not correct."
 
The title of the alert says it's an lsass.exe error. This pops up at the point the windows login box should appear.
0
 
LVL 12

Expert Comment

by:ibu1
ID: 22773687
To resolve your DNS problem, try this:
www.bleepingcomputer.com/files/smitfraudfix.php
0
 

Author Comment

by:tkingstl
ID: 23105090
None of the fixes were helpful at all, most were directed at different Operating Systems that wouldn't work on SBS 2003.
0
