Solved

Need Help removing DNSchanger virus.

Posted on 2008-10-20
1,066 Views
Last Modified: 2013-11-22
I have somehow gotten a virus on a server machine. I am fairly certain this is a DNS changer "rootkit" virus. It automatically changes my DNS servers to invalid values. I found the references in the registry to a kmgql.exe (Not the exact file spelling) file which is associated with the virus, as well as references to change the DNS servers to invalid ones. If I removed the keys they just came back.


I tried to start the machine in safe mode, and now it just restarts over and over with the error:
"When trying to update a password the return status indicates that the value provided as the current password is not correct."

Please help!!
Question by:tkingstl
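One defender-side check that follows from the symptom described in the question (DNS servers silently rewritten in the registry and reappearing after the keys are deleted), added here as an example that is not from the original thread: it parses a `reg export` of the `Tcpip\Parameters` key (taken from the suspect drive, or from a known-good boot) and flags any interface whose `NameServer` or `DhcpNameServer` value is not on an allowlist. The registry path is the standard Windows one; the interface GUIDs, addresses and allowlist are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`
# dump. GUIDs and addresses are made up; 203.0.113.0/24 is a documentation range.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000000
"NameServer"="203.0.113.5,203.0.113.6"
"DhcpNameServer"="192.168.1.10"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"EnableDHCP"=dword:00000001
"NameServer"=""
"DhcpNameServer"="192.168.1.10"
"""

# Resolvers this network is expected to use (constructed; replace with your own).
ALLOWED_DNS = {"192.168.1.10", "192.168.1.11"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # only REG_SZ values are of interest here


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_value}} for the string values of a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_rogue_dns(text: str, allowed) -> List[Tuple[str, str, List[str]]]:
    """List (key leaf, value name, unexpected servers) for every DNS setting not on the allowlist."""
    findings = []
    for key, values in parse_reg_export(text).items():
        for name in ("NameServer", "DhcpNameServer"):
            servers = [s for s in re.split(r"[ ,]+", values.get(name, "")) if s]
            bad = [s for s in servers if s not in allowed]
            if bad:
                findings.append((key.rsplit("\\", 1)[-1], name, bad))
    return findings
```

Because the thread reports the values being rewritten after manual deletion, the same check is worth re-running after cleanup and after each reboot, not just once.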
15 Comments
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22760813
Hi,
Certainly sounds like a Wareout infection. Not sure if FixWareout will run on a server, but worth a try.

Download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If that won't work you can use Blacklight Beta to find and rename the rootkit file, which is likely the kmgql.exe file.

Let us know.
 

Author Comment

by:tkingstl
ID: 22760974
I tried Fixwareout.exe but it just times out. I think it requires an active internet connection, which I don't have because of the DNS issue. I will try and look into Blacklight Beta; never heard of it.
 

Author Comment

by:tkingstl
ID: 22761030
Blacklight Beta does not support the Windows SBS 2003 OS.

 

Author Comment

by:tkingstl
ID: 22761184
Update: I still can't even get into Windows. I get an lsass.exe - System Error, with the message in my first post.

Hellllpppp!
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22762051
Hmm....this may be trouble. Sounds like some OS damage may have been done either by the Malware or the process of trying to remove it.

Do you know the exact name and location of the "kmgql.exe (Not the exact file spelling) file"?

If so you can try renaming it and then make the DNS changes. Also, let's get a HijackThis log.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

 
LVL 20

Expert Comment

by:IndiGenus
ID: 22762057
Oh forgot to mention. Will it boot to Safe Mode?
 

Author Comment

by:tkingstl
ID: 22762095
I can't get it to boot into any safe mode at all; it produces the lsass.exe error about an invalid password and restarts. I can't remember the exact name of the file, but HijackThis said it resided in the Windows system32 folder.
 

Author Comment

by:tkingstl
ID: 22762183
I tried to run the restore disk and do a system repair. When it asked me for the admin password, it was no longer valid. I am guessing that's what the worm virus destroyed last?

At this point I don't know what to do. This server holds 2 very important databases which are backed up, but information will be lost if we have to do a fresh install on the computer.
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22762189
So you can't get into Windows at all? Well...at this point you may need to consider a re-install.

What is the exact message you get at startup?

You could try taking out the hard drive and scanning it on another computer with an AV and AS, but not sure how successful that will be. Or use a PE disk and do some scans from there. But if you cannot get into Windows you'll have to work outside the OS somehow.
 
LVL 20

Accepted Solution

by:IndiGenus (earned 250 total points)
ID: 22762197
Can you slave that drive to another PC and get those databases?
 

Author Comment

by:tkingstl
ID: 22762527
I think that is what I will have to do (slave the drive to remove any data we need), and do a re-install of windows.

The exact error message is a dialogue box alert saying:
"When trying to update a password the return status indicates that the value provided as the current password is not correct."
 
The title of the alert says it's a lsass.exe error. This pops up at the point the windows login box should appear.
 
LVL 12

Expert Comment

by:ibu1
ID: 22773687
To resolve your DNS problem, try this:
www.bleepingcomputer.com/files/smitfraudfix.php
 

Author Comment

by:tkingstl
ID: 23105090
None of the fixes were helpful at all, most were directed at different Operating Systems that wouldn't work on SBS 2003.