Is 2kadiras.exe a virus?

My avast Home detected 2kadiras.exe as Win32:Dialer-gen. However, after doing research on the internet, I found a website that says 2kadiras.exe is a valid program:
http://www.bleepingcomputer.com/startups/2kadiras.exe-10303.html

Scanning result from virustotal:
File 2kadiras.exe received on 11.20.2007 08:22:46 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.20.0 2007.11.20 -
AntiVir 7.6.0.34 2007.11.19 -
Authentium 4.93.8 2007.11.20 -
Avast 4.7.1074.0 2007.11.19 Win32:Dialer-gen
AVG 7.5.0.503 2007.11.19 Potentially harmful program Dialer.DVI
BitDefender 7.2 2007.11.20 Dialer.Porn.EE
CAT-QuickHeal 9.00 2007.11.19 PornDialer.Agent.bb (Not a Virus)
ClamAV 0.91.2 2007.11.20 -
DrWeb 4.44.0.09170 2007.11.19 -
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.3.5311 2007.11.20 -
Ewido 4.0 2007.11.19 Dialer.Agent.bb
FileAdvisor 1 2007.11.20 -
Fortinet 3.11.0.0 2007.11.20 Dial/Agent
F-Prot 4.4.2.54 2007.11.19 W32/Dialer.EDX
F-Secure 6.70.13030.0 2007.11.20 W32/Dialer.BHHP
Ikarus T3.1.1.12 2007.11.20 not-a-virus:Porn-Dialer.Win32.Agent.bb
Kaspersky 7.0.0.125 2007.11.20 not-a-virus:Porn-Dialer.Win32.Agent.bb
McAfee 5166 2007.11.19 -
Microsoft 1.3007 2007.11.20 -
NOD32v2 2671 2007.11.20 -
Norman 5.80.02 2007.11.19 W32/Dialer.BHHP
Panda 9.0.0.4 2007.11.20 Trj/Downloader.MDW
Prevx1 V2 2007.11.20 -
Rising 20.19.02.00 2007.11.20 Trojan.Win32.Dialer.bb
Sophos 4.23.0 2007.11.20 -
Sunbelt 2.2.907.0 2007.11.20 -
Symantec 10 2007.11.20 Dialer.Generic
TheHacker 6.2.9.134 2007.11.19 Trojan/Dialer.Agent.bb
VBA32 3.12.2.5 2007.11.19 Porn-Dialer.Win32.Agent.bb
VirusBuster 4.3.26:9 2007.11.19 -
Webwasher-Gateway 6.0.1 2007.11.20 -
Additional information
File size: 32768 bytes
MD5: a10235274acf16a13758e873a9bb85cf
SHA1: c9e4a89ac2e3c56186c73936808e71e21599633a

2kadiras.exe is a startup item in my computer.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:19 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\magnify.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\DEProWotd.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\ADSL\ADSL USB MODEM\dslmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\dllhost.exe
D:\My Collections\Download\HiJackThis\Hijackzfc.exe

O2 - BHO: {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - {0B1B0D47-95F7-4bad-9309-A945B655AE61} - C:\WINDOWS\SYSTEM32\regsvr32.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: NVRIEbar.IEbar - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Program Files\NaturalSoft\FreeVersion65\NVRIEbar.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Protect] SHVRTF.EXE
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Dewan Eja Pro Config] C:\PROGRA~1\THENAM~1\DEWANE~1\deconfig.exe
O4 - HKLM..\Run: [DEProWotd] C:\Program Files\The Name Technology\Dewan Eja Pro\DEProWotd.exe
O4 - HKLM..\Run: [Dewan Eja Pro] C:\Program Files\The Name Technology\Dewan Eja Pro\DewanEjaPro.exe autostart
O4 - HKLM..\Run: [Google IME Autoupdater] C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
O4 - HKLM..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKCU..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: 蓝牙控制盘.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll (file missing)
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/0.8.0794.38/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3FA213D6-E85F-11D3-84DA-00600836C654} (Project1.SeahMedia) - file://F:\TLM\Primary\BM\Year2\BM02U2\element\ActiveX\media\SeahMedia.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126858001537
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O17 - HKLM\System\CCS\Services\Tcpip..{2BBCF0FE-7F2E-4049-B091-26C94E72D879}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS3\Services\Tcpip..{2BBCF0FE-7F2E-4049-B091-26C94E72D879}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


End of file - 8231 bytes
Every time I start my computer, avast Standard Shield always detects it, but no warning message appears. The warning message only appears when avast is testing operating memory when I start avast.

http://i6.photobucket.com/albums/y248/zfc/2kadiras_2.jpg

So, should I delete this file?
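One check worth running on a log like the one above, as an added example that is not part of the original post: the Run values for 2kadiras.exe, 9xadiras.exe and SHVRTF.EXE are bare filenames with no path, so Windows resolves them by searching the process's directory, the system directories and PATH at logon, and 2kadiras.exe is absent from the "Running processes" section even though it is set to autostart. The script below parses the O4 Run entries and the process list (a constructed excerpt of the posted log, with the standard "HKLM\..\Run:" spelling HijackThis writes; forum software often eats the first backslash, so the parser accepts both) and lists entries that are started by bare name and are not currently running.

```python
import ntpath
import re

# Constructed excerpt of the HijackThis log posted above ("Running processes"
# and O4 autostart lines); paths and value names are copied from the post.
HJT_LOG = r"""
Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = ?
"""

# HijackThis writes "HKLM\..\Run:"; the leading backslash is optional so that
# copies mangled by forum software ("HKLM..\Run:") still parse.
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROC = re.compile(r"^[A-Za-z]:\\")


def split_exe(cmd: str) -> str:
    """Return the executable part of a Run value (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def running_images(log: str) -> set:
    """Lower-cased image basenames from the 'Running processes' section."""
    return {ntpath.basename(l.strip()).lower()
            for l in log.splitlines() if PROC.match(l.strip())}


def audit_o4(log: str) -> list:
    """Parse every O4 Run entry; record whether the value is a bare filename
    (resolved through the search path at logon, not a fixed location) and
    whether its image appears in the running-process list."""
    running = running_images(log)
    entries = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        exe = split_exe(m.group("cmd"))
        entries.append({
            "hive": m.group("hive"),
            "name": m.group("name"),
            "exe": exe,
            "bare": "\\" not in exe and ":" not in exe,
            "running": ntpath.basename(exe).lower() in running,
        })
    return entries


def suspicious(log: str) -> list:
    """Entries worth a closer look: autostarted by bare name and not running."""
    return [e for e in audit_o4(log) if e["bare"] and not e["running"]]


if __name__ == "__main__":
    for e in suspicious(HJT_LOG):
        print(f"{e['hive']} [{e['name']}] -> {e['exe']}: bare name, not in process list")
```

On the excerpt this flags Protect (SHVRTF.EXE), 9xadiras and 2kadiras; SoundMan is also a bare name but SOUNDMAN.EXE is in the process list, so it is not reported. A bare name is not proof of anything by itself, but it is the first thing to pin down, since the same value name would load a different file if one with that name sat earlier on the search path.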

It is all right saying that the ‘file name’ is valid as that is all you have to work on. But avast isn’t alone in seeing something wrong with this file.

You need to look deeper, and the link you gave mentions some hardware that uses the legit file name, so do you have that hardware installed?

Here is also where some of the malware names that have been given in VT (a Dialer) would seem related to the hardware mentioned above.

Description: Allied_Telesyn AT series router/modem related - apparently required

So there is a possibility that it might be an FP (if you have that hardware installed), in which case you should submit it as a possible FP giving links to this topic.

I would try to see if there is a later version of this file that doesn’t get detected. Otherwise you are left with the decision to exclude it from scans with any associated risk, since you can’t be 100% sure it isn’t infected.

Hi

Those files were present before. They were in your first HJT log. I checked on Google when we were cleaning out the Vundo and MSN. The names just looked suspicious, but came back as required.

This is from your first DSS log

"2kadiras"="2kadiras.exe" [07/18/2003 05:53 PM C:\WINDOWS\2kadiras.exe]

From another link

Required for Allied Telesyn DSL Modem AT-AR215. This will not run without it

The other file was 9xadiras.exe

Same info as above for the other file. Both are also referenced to a router by the same manufacturer.

I’m inclined to believe it to be a FP as avast didn’t pick it up before. You can check in device manager and make sure that you do have that hardware.

By set to autorun, do you mean at startup? If you meant as a start up item, that’s where they should be.

Yes, I mean it is a startup item.

http://i6.photobucket.com/albums/y248/zfc/device_manager.jpg

It seems that I don't have that modem installed. So, what should I do?

Hi
I'm still looking for something definite on this file. Does it seem to be causing problems, trying to gain internet access, etc.?

It does not seem to be causing problems. I think it is not trying to gain internet access.

http://i6.photobucket.com/albums/y248/zfc/pctfw.jpg

I don't see anything in the list that looks out of the ordinary.

I've come across a lot of HJT logs on other forums. Those two files were always left.

What about your ADSL(hi speed) modem, do you know the manufacturer?

It’s Aztech, not Allied Telesyn.

This isn't the first time concern about a possible FP has been raised on this file, although it's been with different scanners.

Can you move it to the User Files section of the chest and send it to avast? Send a message saying it may be a false positive and a link to this thread. Maybe Alwil can analyze it and give better advice as to what to do.

The file will still remain in its original location, as it's just a copy that goes to the chest.

Try resubmitting it to www.virustotal.com and see if the detections by others have changed.

In the mean time I’ll keep looking.

Hi zfc,

This seems a legit file, according to this info:
http://www.bleepingcomputer.com/startups/2kadiras-10303.html

pol

The result is still the same:

File 2kadiras.exe received on 11.22.2007 07:52:57 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.22.1 2007.11.22 -
AntiVir 7.6.0.34 2007.11.21 -
Authentium 4.93.8 2007.11.21 -
Avast 4.7.1074.0 2007.11.21 Win32:Dialer-gen
AVG 7.5.0.503 2007.11.21 Potentially harmful program Dialer.DVI
BitDefender 7.2 2007.11.22 Dialer.Porn.EE
CAT-QuickHeal 9.00 2007.11.21 PornDialer.Agent.bb (Not a Virus)
ClamAV 0.91.2 2007.11.22 -
DrWeb 4.44.0.09170 2007.11.21 -
eSafe 7.0.15.0 2007.11.21 -
eTrust-Vet 31.3.5315 2007.11.21 -
Ewido 4.0 2007.11.21 Dialer.Agent.bb
FileAdvisor 1 2007.11.22 -
Fortinet 3.14.0.0 2007.11.22 Dial/Agent
F-Prot 4.4.2.54 2007.11.22 W32/Dialer.EDX
F-Secure 6.70.13030.0 2007.11.22 W32/Dialer.BHHP
Ikarus T3.1.1.12 2007.11.22 not-a-virus:Porn-Dialer.Win32.Agent.bb
Kaspersky 7.0.0.125 2007.11.21 not-a-virus:Porn-Dialer.Win32.Agent.bb
McAfee 5168 2007.11.21 -
Microsoft 1.3007 2007.11.22 -
NOD32v2 2677 2007.11.22 -
Norman 5.80.02 2007.11.21 W32/Dialer.BHHP
Panda 9.0.0.4 2007.11.22 Trj/Downloader.MDW
Prevx1 V2 2007.11.22 -
Rising 20.19.30.00 2007.11.22 Trojan.Win32.Dialer.bb
Sophos 4.23.0 2007.11.22 -
Sunbelt 2.2.907.0 2007.11.21 -
Symantec 10 2007.11.22 Dialer.Generic
TheHacker 6.2.9.136 2007.11.21 Trojan/Dialer.Agent.bb
VBA32 3.12.2.5 2007.11.20 Porn-Dialer.Win32.Agent.bb
VirusBuster 4.3.26:9 2007.11.21 -
Webwasher-Gateway 6.0.1 2007.11.22 -
Additional information
File size: 32768 bytes
MD5: a10235274acf16a13758e873a9bb85cf
SHA1: c9e4a89ac2e3c56186c73936808e71e21599633a

I have submitted the file to avast.
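Comparing the two VirusTotal reports by eye is error-prone, so here is an added example (my code, not from the thread or from VirusTotal) that parses the plain-text report format pasted above, confirms both submissions are the same sample by size, MD5 and SHA1, computes the detection ratio, counts how many of the hits agree on the "Dialer" family, and diffs the two verdict sets engine by engine. The two listings embedded below are excerpts of the 11.20 and 11.22 reports from this thread, shortened to eleven engines each; the column layout (engine, version, last update, result, with "-" meaning no detection) is assumed from those pastes.

```python
import re

# Excerpts of the two VirusTotal text reports pasted in this thread
# (11.20 and 11.22 submissions), copied verbatim but cut to eleven engines each.
VT_1120 = """\
File 2kadiras.exe received on 11.20.2007 08:22:46 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.20.0 2007.11.20 -
Avast 4.7.1074.0 2007.11.19 Win32:Dialer-gen
AVG 7.5.0.503 2007.11.19 Potentially harmful program Dialer.DVI
BitDefender 7.2 2007.11.20 Dialer.Porn.EE
CAT-QuickHeal 9.00 2007.11.19 PornDialer.Agent.bb (Not a Virus)
ClamAV 0.91.2 2007.11.20 -
Kaspersky 7.0.0.125 2007.11.20 not-a-virus:Porn-Dialer.Win32.Agent.bb
McAfee 5166 2007.11.19 -
Microsoft 1.3007 2007.11.20 -
Panda 9.0.0.4 2007.11.20 Trj/Downloader.MDW
Symantec 10 2007.11.20 Dialer.Generic
Additional information
File size: 32768 bytes
MD5: a10235274acf16a13758e873a9bb85cf
SHA1: c9e4a89ac2e3c56186c73936808e71e21599633a
"""

VT_1122 = """\
File 2kadiras.exe received on 11.22.2007 07:52:57 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.22.1 2007.11.22 -
Avast 4.7.1074.0 2007.11.21 Win32:Dialer-gen
AVG 7.5.0.503 2007.11.21 Potentially harmful program Dialer.DVI
BitDefender 7.2 2007.11.22 Dialer.Porn.EE
CAT-QuickHeal 9.00 2007.11.21 PornDialer.Agent.bb (Not a Virus)
ClamAV 0.91.2 2007.11.22 -
Kaspersky 7.0.0.125 2007.11.21 not-a-virus:Porn-Dialer.Win32.Agent.bb
McAfee 5168 2007.11.21 -
Microsoft 1.3007 2007.11.22 -
Panda 9.0.0.4 2007.11.22 Trj/Downloader.MDW
Symantec 10 2007.11.22 Dialer.Generic
Additional information
File size: 32768 bytes
MD5: a10235274acf16a13758e873a9bb85cf
SHA1: c9e4a89ac2e3c56186c73936808e71e21599633a
"""

# A result row is "engine version yyyy.mm.dd result..."; the date column is
# what distinguishes it from the header and the metadata lines.
ROW = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<updated>\d{4}\.\d{2}\.\d{2}) (?P<result>.+)$")
HEAD = re.compile(r"^File (?P<name>\S+) received on (?P<received>.+)$")
META = re.compile(r"^(?P<key>File size|MD5|SHA1): (?P<value>\S+)")


def parse_vt(text: str) -> dict:
    """Parse one pasted VirusTotal text report into a dict; a result of '-'
    is stored as None (no detection)."""
    report = {"name": None, "received": None, "size": None,
              "md5": None, "sha1": None, "results": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEAD.match(line)
        if m:
            report["name"], report["received"] = m.group("name"), m.group("received")
            continue
        m = META.match(line)
        if m:
            key = {"File size": "size", "MD5": "md5", "SHA1": "sha1"}[m.group("key")]
            report[key] = int(m.group("value")) if key == "size" else m.group("value").lower()
            continue
        m = ROW.match(line)
        if m:
            result = m.group("result").strip()
            report["results"][m.group("engine")] = None if result == "-" else result
    return report


def detections(report: dict) -> dict:
    return {e: r for e, r in report["results"].items() if r}


def detection_ratio(report: dict) -> tuple:
    return len(detections(report)), len(report["results"])


def family_consensus(report: dict, keyword: str = "dialer") -> tuple:
    """(hits naming the family, total hits); a split of names is a hint that
    engines are matching on generic traits rather than a known sample."""
    hits = detections(report)
    return sum(1 for r in hits.values() if keyword in r.lower()), len(hits)


def same_sample(a: dict, b: dict) -> bool:
    return (a["size"], a["md5"], a["sha1"]) == (b["size"], b["md5"], b["sha1"])


def diff_reports(old: dict, new: dict) -> dict:
    """Engines whose verdict changed between two submissions of one hash."""
    if not same_sample(old, new):
        raise ValueError("reports describe different files; verdicts are not comparable")
    engines = sorted(set(old["results"]) | set(new["results"]))
    return {e: (old["results"].get(e), new["results"].get(e))
            for e in engines if old["results"].get(e) != new["results"].get(e)}


if __name__ == "__main__":
    a, b = parse_vt(VT_1120), parse_vt(VT_1122)
    print("ratio:", detection_ratio(a), "->", detection_ratio(b))
    print("dialer consensus:", family_consensus(b))
    print("changed verdicts:", diff_reports(a, b) or "none")
```

On these excerpts the ratio is 7/11 both times, six of the seven hits name a dialer family (Panda alone says Downloader), and no engine changed its verdict between the two submissions, which is exactly what "the result is still the same" means once the hashes are confirmed identical. The `same_sample` guard matters: if the second upload had been a different build of the file, a verdict diff would say nothing about the first one.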

Ok, I’ll keep looking. Just keep an eye out for any suspicious behavior. Hopefully alwil will be able to shed some light on this quickly. If I find anything, I’ll post it in this thread.

Hi Polonus

We're just checking. Most references to the file come back as a required file for a modem or router. It's possible other manufacturers use the same software. We're just trying to cover all the bases, as we should.

If you get some trouble related to this detection, please add the file to exclusions... I'll tell someone that he should test the file under VMware with some diag tools (filemon, regmon, tcpmon) and judge what to do...