net-worm.win32.kido-ir


net-worm.win32.kido-ir

Post by pandy34 on 1st April 2010, 5:23 am

This virus is affecting all 3 computers in my network. I can't get on antivirus sites and DNS sites. Other websites are fine but very slow. A 4th computer at home can't get on the net at all. Here's an example of the HijackThis log for one of the computers. Should I unplug it from the network before attempting any of your fixes? Please let me know the instructions. Thanks.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:19:20 PM, on 4/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\History Sweeper\Sweeper.exe
C:\Program Files\UniKey\UniKeyNT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [Sweeper.exe] C:\Program Files\History Sweeper\Sweeper.exe
O4 - HKCU\..\Run: [UniKey] C:\Program Files\UniKey\UniKeyNT.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Shortcut to Yawcam.exe.lnk = C:\Program Files\Yawcam\Yawcam.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{463B1CE5-1A86-481D-9FC8-0443A51468EF}: NameServer = 216.146.35.35,216.146.36.36
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 7406 bytes

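The log above is easier to read with a small triage pass over the entry classes a helper looks at first. The following is an added example for this thread, not code from the post or from the HijackThis project. It parses the HijackThis 2.0.x line format ("O4 - ...") and flags four things: DNS servers pinned in the registry (O17), autoruns whose binary sits in a user-writable or unusual location (O4), orphaned entries that point at "(no file)", and AppInit_DLLs (O20). The rules are heuristics chosen for this example, so a hit is a prompt to verify the entry, not a verdict; the sample input is excerpted from the log posted above.

```python
"""Triage a HijackThis log for the entries a malware helper reads first.

Added example for this thread, not code from the original post or from the
HijackThis project. The review rules are heuristics chosen for the example.
"""
import re
from typing import List, NamedTuple, Optional

# Sample input: lines excerpted from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O17 - HKLM\System\CCS\Services\Tcpip\..\{463B1CE5-1A86-481D-9FC8-0443A51468EF}: NameServer = 216.146.35.35,216.146.36.36
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
"""


class Entry(NamedTuple):
    section: str   # e.g. "O4"
    body: str      # everything after "O4 - "


class Finding(NamedTuple):
    rule: str
    section: str
    text: str


ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter or %var% path that ends in an executable extension.
PATH_RE = re.compile(r'(?i)(?:[a-z]:\\|%[a-z]+%\\)[^"]*?\.(?:exe|dll|com|scr|bat|pif)')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Heuristic (assumption of this example): folders an unprivileged XP user can
# write to, plus an .exe sitting directly in the Windows root.
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:local settings|application data|appdata|temp)\\")
WINDOWS_ROOT_EXE_RE = re.compile(r"(?i)^[a-z]:\\windows\\[^\\]+\.exe$")


def parse_hjt(text: str) -> List[Entry]:
    """Split a log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def autorun_path(body: str) -> Optional[str]:
    """Pull the launched binary out of an O4 body, or None if none is found."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def nameservers(text: str) -> List[str]:
    """DNS servers pinned per interface in the registry (O17 NameServer lines)."""
    ips = []
    for e in parse_hjt(text):
        if e.section == "O17" and "NameServer" in e.body:
            ips.extend(IPV4_RE.findall(e.body))
    return ips


def triage(text: str) -> List[Finding]:
    """Apply the review rules and return every hit, in log order."""
    findings = []
    for e in parse_hjt(text):
        if e.section == "O17" and "NameServer" in e.body:
            findings.append(Finding("dns-override", e.section, e.body))
        elif e.body.endswith("(no file)"):
            findings.append(Finding("orphan-entry", e.section, e.body))
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            findings.append(Finding("appinit-dll", e.section, e.body))
        elif e.section == "O4":
            path = autorun_path(e.body)
            if path and (USER_WRITABLE_RE.search(path) or WINDOWS_ROOT_EXE_RE.match(path)):
                findings.append(Finding("user-writable-autorun", e.section, e.body))
    return findings


if __name__ == "__main__":
    print("NameServer entries:", ", ".join(nameservers(SAMPLE_LOG)) or "none")
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.section} - {f.text}")
```

On the posted log the script surfaces the two NameServer addresses, the orphaned BHO, the Kaspersky AppInit_DLLs entry, and the two autoruns that run from the Windows root and from the user profile. None of that is a detection by itself; the NameServer pair is the item to compare against what the ISP or router actually hands out, which is the check the helper asks for later in the thread.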

Re: net-worm.win32.kido-ir

Post by Net_Surfer on 1st April 2010, 7:15 am

Hello pandy34 and Welcome to GeekPolice Malware removal forum.

My nick is Net_Surfer and I will be helping you with your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.

I would also like to inform you that most of us here at GeekPolice offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!


Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. Gmer, DDS, ComboFix, RSIT and HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.


  1. Please Read All Instructions Carefully and perform the steps fully and in the order they are written.

  2. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.

  3. Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

  4. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

  5. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  6. Please continue to review my answers until I tell you that your machine is clean and free of malware. (Absence of symptoms does not mean that everything is clear. Just because you can't see a problem doesn't mean it isn't there.)

If you can do these things, everything should go smoothly. Right On!

OK, pandy34. If you have a Vista computer, ensure that you right-click on the tools and run them as an Admin. If XP, double-click on the program to run them.

Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Please carefully follow the next set of steps:


If you cannot download and run the following tools, then I would like for you to try another approach:

If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
Be sure you put them on the desktop of the infected computer.


*Download exeHelper, Rkill and Malwarebytes to the desktop of the infected computer, disconnect all of your computers from the internet, then physically pull the router's electrical cord from the wall. Do NOT use the router or connect to the internet until you have followed these steps:

exeHelper by Raktor.

step1. Please download: [You must be registered and logged in to see this link.] to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

step2.* After running exeHelper (without rebooting), run Rkill and Malwarebytes using these instructions:

We need to use the RKill Tool by Grinler

[You must be registered and logged in to see this link.]

  • Please Download Rkill.com. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this [You must be registered and logged in to see this link.] if you are not sure how.

  • NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.

  • Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.
  • Please be patient while the program looks for various malware programs and ends them.
  • When it has finished, the black window will automatically close and you can continue with the next step.

NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Suite when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
[You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]
which are renamed copies of rkill.com, and try them instead.

*If the tool does not run from any of the links, Please tell me about it.

Malwarebytes' Anti-Malware

step3.* Please download:[You must be registered and logged in to see this link.]
Note: If you already have Malwarebytes' Anti-Malware, just update first then run it.

  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform a Full system Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

step4.* We need to see some additional information about what is happening in your machine.
Please perform the following scan:



  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    o [You must be registered and logged in to see this link.]
    o [You must be registered and logged in to see this link.]
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.

  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all anti-virus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control [You must be registered and logged in to see this link.]

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up [You must be registered and logged in to see this link.]

However, if there are other infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site [You must be registered and logged in to see this link.] for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected systems and reset the router to its default configuration, you can reconnect to the internet and router. Then return to this site to post your logs.

Summary of the logs I will need in your next reply:

  • ExeHelper log.
  • Rkill log.
  • MBAM log.
  • The two logs of DDS.

How are things at your end, pandy34?


The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Kind regards
Net_Surfer

(Gunsmoke)


Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program You too could train to help others!

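Before trusting any download made on the affected machine, it is worth confirming the exact symptom pandy34 described: antivirus and DNS-provider sites fail while other sites load. The script below is an added example for this thread, not part of the original post or of any tool the helper names. It resolves a set of security-vendor hostnames next to a set of unrelated control hostnames, so that "DNS is down altogether" is kept apart from "only the security set fails". The hostname lists are assumptions of this example, and the resolver is a parameter so the classification can be exercised offline with a fake.

```python
"""Differential DNS check for the symptom reported in this thread.

Added example, not part of the original post or of any tool named in it.
The hostname lists are assumptions of this example; the resolver is
injectable so the logic can be tested without network access.
"""
import socket
from typing import Callable, Dict, Iterable, Optional

# Assumed lists: well-known vendor/update hosts on one side, unrelated
# control hosts that should resolve regardless on the other.
SECURITY_HOSTS = [
    "www.kaspersky.com",
    "www.malwarebytes.org",
    "www.microsoft.com",
    "update.microsoft.com",
    "www.symantec.com",
    "www.trendmicro.com",
]
CONTROL_HOSTS = ["www.google.com", "www.wikipedia.org", "www.bbc.co.uk"]

Resolver = Callable[[str], Optional[str]]


def system_resolver(host: str) -> Optional[str]:
    """Resolve with the OS resolver; None on any failure (NXDOMAIN, timeout)."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def probe(hosts: Iterable[str], resolver: Resolver) -> Dict[str, Optional[str]]:
    """Map each host to its resolved address, or None when resolution failed."""
    return {host: resolver(host) for host in hosts}


def classify(security: Dict[str, Optional[str]],
             control: Dict[str, Optional[str]]) -> str:
    """Reduce the two probe sets to one verdict.

    no-dns            nothing resolves, controls included (connectivity or DNS outage)
    security-blocked  controls resolve, every security host fails
    partial-block     controls resolve, some but not all security hosts fail
    clean             everything resolves
    """
    control_ok = sum(1 for addr in control.values() if addr)
    security_ok = sum(1 for addr in security.values() if addr)
    if control_ok == 0:
        return "no-dns"
    if security_ok == 0:
        return "security-blocked"
    if security_ok < len(security):
        return "partial-block"
    return "clean"


def run_check(resolver: Resolver = system_resolver) -> Dict[str, object]:
    """Probe both sets and return the verdict plus the hosts that failed."""
    security = probe(SECURITY_HOSTS, resolver)
    control = probe(CONTROL_HOSTS, resolver)
    return {
        "verdict": classify(security, control),
        "failed_security": sorted(h for h, a in security.items() if not a),
        "failed_control": sorted(h for h, a in control.items() if not a),
    }


if __name__ == "__main__":
    result = run_check()
    print("verdict:", result["verdict"])
    for key in ("failed_security", "failed_control"):
        if result[key]:
            print(f"{key}: {', '.join(result[key])}")
```

A "security-blocked" or "partial-block" verdict on a box whose controls resolve fine is the reason the helper tells the poster to fetch the tools on a clean machine and carry them over on a flash drive or CD; a "no-dns" verdict points at the router or the connection rather than at name-based blocking on the host.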

Re: net-worm.win32.kido-ir

Post by pandy34 on 2nd April 2010, 12:06 am

Hi Net Surfer,

First off, thank-you for your help.
I have 3 computers on the network. Should I send you the other 2 computers Hijackthis output? Should I follow the instructions for all 3 computers?
I'm worried that if I just fix one of the computer then the other 2 will re-infect it again.
Please let me know and I'll start on it asap.

thanks


Re: net-worm.win32.kido-ir

Post by Net_Surfer on 2nd April 2010, 12:26 am

Hello again Pandy34, Honored

I suggest that you install Malwarebytes on all three computers and update the program on each one. Then disconnect all three computers from the router and internet and unplug the router cord from the wall.

Then........

Run a complete system scan with MBAM on all three computers; let it quarantine and delete anything that it finds.

Then reset your router by following my instructions from my prior post.

After that, connect your router to the wall and run MBAM again on all three, this time a quick scan. Then connect to the internet and update your Windows XP computer:

We also require you to install all the critical updates issued by Microsoft by visiting this site; if not, we will be wasting our time:
[You must be registered and logged in to see this link.]

You can read about your infection here:

[You must be registered and logged in to see this link.]

Post the log of this computer, but let me know if the scans on the other computers found infections also. Do not post the logs of those computers. After we clean this one we can clean the others one by one.

Kind regards
Net_Surfer
(Gunsmoke)



Re: net-worm.win32.kido-ir

Post by pandy34 on 3rd April 2010, 5:50 am

OK, I'll do that. But it's the weekend and I can't access those computers until Monday, so I won't be able to start on it until Monday.
Thanks for the help.


Re: net-worm.win32.kido-ir

Post by pandy34 on 3rd April 2010, 6:07 am

I cannot access the computers at work on the weekend, but I also have the same virus at home.
You said not to use these instructions on another computer, so should I post another HijackThis log for you here, or should I make a new topic?

thanks


Re: net-worm.win32.kido-ir

Post by Net_Surfer on 3rd April 2010, 6:33 am

Hi Pandy34,

I would like to keep this thread open to resolve the infected computer that you have the original problem with. You can apply the same steps to each one, save the logs and open a thread for each one; just ensure that you put a note that those new topics are for me to answer.

If you want to start cleaning the one at home and have the time to do it before Monday, let's start it then. Follow the steps, open a thread with the logs and send me a personal message so I can reply to it.

Regards
Net_Surfer



Re: net-worm.win32.kido-ir

Post by pandy34 on 5th April 2010, 12:13 pm

OK, I finished all the reports that you wanted.

Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 3954

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/5/2010 11:13:35 AM
mbam-log-2010-04-05 (11-13-35).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 267540
Time elapsed: 36 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

exeHelper by Raktor
Build 20100329
Run at 10:35:51 on 04/05/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as user on 04/05/2010 at 10:36:26.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\user\Desktop\virus removal\rkill.com


Rkill completed on 04/05/2010 at 10:36:30.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/17/2007 11:34:09 AM
System Uptime: 4/5/2010 11:17:20 AM (0 hours ago)

Motherboard: Intel Corporation | | D945GNT
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | J3E1 | 2999/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | J3E1 | 2999/200mhz

==== Disk Partitions =========================

C: is FIXED (FAT32) - 15 GiB total, 0.322 GiB free.
D: is FIXED (FAT32) - 28 GiB total, 13.147 GiB free.
E: is FIXED (FAT32) - 28 GiB total, 16.496 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_30868086&REV_01\4&1E46F438&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_30868086&REV_01\4&1E46F438&0&40F0
Service: E100B

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
ACDSee 6.0 PowerPack
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 7.0.7
Adobe Setup
Adobe Shockwave Player 11.5
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AGEIA PhysX v2.3.3
AHV content for Acrobat and Flash
Apple Mobile Device Support
Apple Software Update
ASUS nVIDIA Driver
Bonjour
Cave Management System
Creative Live! Cam Video Chat or Video IM Driver (1.02.01.00)
Creative Software AutoUpdate
Doom 3
Download Manager 2.3.6
EPSON Printer Software
Genius Scanner
Ghost Recon
Google Chrome
Heroes of Might and Magic V
High Definition Audio Driver Package - KB888111
HiJackThis
hp deskjet 5550 series
InfoWorks History Sweeper (remove only)
Intel(R) PRO Network Connections Drivers
iTunes
J2SE Runtime Environment 5.0 Update 10
Java(TM) 6 Update 6
K-Lite Codec Pack 2.87 Full
Kaspersky Anti-Virus 2009
Lexmark Software Uninstall
LimeWire 4.18.2
LQ-300+II User's Guide
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Mega Manager
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Text-to-Speech Engine 4.0 (English)
MSVCRT
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
OneCare Advisor (Windows Live Toolbar)
PDF Settings
Rome - Total War(TM)
Security Update for Windows XP (KB958644)
Segoe UI
SigmaTel Audio
Smart Menus (Windows Live Toolbar)
UniKey 3.63 NT
Uninstall LAC VIET mtd2002-EVA
WebFldrs XP
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
XP Codec Pack
Yawcam v0.3.0

==== Event Viewer Messages From Past Week ========

3/31/2010 7:12:47 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
3/31/2010 7:12:26 PM, error: Print [19] - Sharing printer failed + 1722, Printer hp deskjet 5550 series share name Printer2.

==== End Of File ===========================


DDS (Ver_10-03-17.01) - FAT32x86
Run by user at 11:18:21.00 on Mon 04/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.589 [GMT 7:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\History Sweeper\Sweeper.exe
C:\Program Files\UniKey\UniKeyNT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\user\Desktop\virus removal\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: Web traffic protection statistics: {85e0b171-04fa-11d1-b7da-00a0c90348d6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [Sweeper.exe] c:\program files\history sweeper\Sweeper.exe
uRun: [UniKey] c:\program files\unikey\UniKeyNT.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [AGEIA PhysX SysTray] c:\program files\ageia technologies\TrayIcon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [V0350Mon.exe] c:\windows\V0350Mon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\shortc~1.lnk - c:\program files\yawcam\Yawcam.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
TCP: {463B1CE5-1A86-481D-9FC8-0443A51468EF} = 216.146.35.35,216.146.36.36
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-8-11 226832]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 208616]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [2008-8-12 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [2008-8-12 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [2008-8-12 170368]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys --> c:\windows\system32\drivers\cdaudio.sys [?]

=============== Created Last 30 ================

2010-04-05 04:15:39 0 d--h--w- c:\windows\$hf_mig$
2010-04-01 05:17:33 0 d-----w- c:\program files\TrendMicro

==================== Find3M ====================

2010-04-05 04:17:04 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-05 04:17:04 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-05 04:17:04 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-05 04:17:04 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-29 17:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 17:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 11:18:54.28 ===============

Anything else I need to do?
The DNS website is working again.
Has the net-worm been killed?

pandy34
Novice

Posts: 32
Joined: 2009-12-16
OS: vista
Points: 25910
Likes: 0


Re: net-worm.win32.kido-ir

Post by Net_Surfer on 5th April 2010, 1:42 pm

Anything else I need to do?
The DNS website is working again.
Has the net-worm been killed?
Hello again Pandy34, Honored
Code:
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
Yes... there are still some issues on this computer that you have not dealt with just yet...... I asked you to go to Windows Update and install all the Microsoft patches for your computer, as the infection that you had uses the holes in your Windows software, so you need to patch those holes with the updates that are available for your computer.

Please do the updates after you have done the steps one to four.


Malware Removal Forum Rules

- Our help is free, but we ask that you do not use us to make a profit for yourself or we will refuse to help you in the future.
- We ask that all P2P programs be uninstalled before getting help, otherwise it's just a big circle and you will get infected again. If not, our help is withdrawn.
- Only approved staff are allowed to help members with malware removal.
- Do not post in another member's topic, create your own. If you do so, your posts will be deleted without notice.
- Questions asked via Private Messages will be Ignored. Ask in the forums instead.
- Do not post your log at multiple websites/forums. A helper's time is precious, if you do this your topic will be closed.
OK... Pandy34,

It seems that you did not read the sticky post, where we ask that you uninstall any P2P program before you get the free help!


[You must be registered and logged in to see this link.]

Please read and take a note:

P2P (File Sharing) Warning!

P2P file sharing: [You must be registered and logged in to see this link.]

Going over your logs I noticed that you have LimeWire 4.18.2 AND µTorrent installed.

Please note that as long as you're using any form of Peer-to-Peer networking (Morpheus, Ares, Limewire, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true.
P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

There are some very good reasons for this, and they are for your protection:


From a security standpoint, P2P forms a direct connection into your computer and circumvents or bypasses most security, anti-malware and firewall software or hardware.

Any type of security on these programs is poor at best and nonexistent on some; this could lead to malware being downloaded onto your computer without your knowledge.

Additionally, in cases where the program has not been configured correctly, a lot more than your music files have finished up being shared with others.

Passwords, PIN numbers, bank accounts, and other personal details have been harvested by the unscrupulous for their own gain at your expense.

Have a read of the below article to see where that happened:

[You must be registered and logged in to see this link.]

I would recommend that you uninstall LimeWire and µTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Programs and Features if Vista or within Add or remove programs in XP.

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation. If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.


Please carefully follow my next set of steps:

Step 1. Update Software

Going over your logs I noticed that you are using an old unsupported program: OneCare Advisor (Windows Live Toolbar)

Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).

Search in the list and uninstall OneCare Advisor

Please download the newest version of Adobe Acrobat Reader from:

[You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Step 2. JavaRa and Java update.

Your Java program is out of date.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:

Download and Run JavaRA

Please download [You must be registered and logged in to see this link.] and unzip it to your desktop.

  • Double-click on JavaRa.exe to start.
  • Use the drop down box to choose your language and click Select.
  • Select "Remove Older Versions".
  • Click Yes when asked "This will remove all older versions of the Java JRE...Are you sure you want to proceed?"
  • Click Ok when search and removal of old versions has completed.
  • A notice will appear indicating "Finished searching for all old versions...A logfile has been created...called JavaRa.log... JavaRa will now open its logfile."
  • Click Ok and notepad will open with the log results of what was found and removed.
  • View the logfile and close notepad.
  • A copy of JavaRa.log will automatically be saved to your primary hard drive (usually C:\JavaRa.log).
  • Return to JavaRa and click the button for Additional Tasks.
  • Select these Tasks:

    • Remove Useless JRE Files
    • Remove Startup Entry
    • Remove JavaRa Logfile (optional)

  • Click Go and then Ok when prompted "Finished searching for useless JRE files."
  • Click Ok again when prompted "Finished searching for JRE startup entries."
  • Close the Additional Tasks window, exit JavaRa and reboot your computer.

Step 3. Then download the latest version of [You must be registered and logged in to see this link.] and save it to your desktop.


  • Look for "JDK 6 Update 19 (JDK or JRE)"
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • From your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
-- The [You must be registered and logged in to see this link.] adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:

  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.
Step 4. **Note: In the event you already have old versions of Combofix, I need you to delete them, right click on the combofix icon on your desktop and delete it. This is a new version that I need you to download. It is important that it is saved directly to your desktop**


  • If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

  • For Internet Explorer:
    o Choose to save, not open the file
    o When prompted - save the file to your desktop, and rename it to commy with .exe extension on the end.


* Please download ComboFix from: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Please insert your flash drive and all usb-drives before running Combofix
    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read [You must be registered and logged in to see this link.] for an article written by dvk01 on why we disable autoruns.
  • Close any open browsers.
    WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
  • Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
    -----------------------------------------------------------
  • Click: Start>Run
    then copy paste the following command into the Run box & click: OK

    "%userprofile%\desktop\commy.exe" /stepdel

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

A word of advice if you are a lurker: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read the: [You must be registered and logged in to see this link.]

Step 5. We also require you to install all the critical updates issued by Microsoft by visiting this site; if not, we will be wasting our time:

[You must be registered and logged in to see this link.]

You can read about your infection here:

[You must be registered and logged in to see this link.]

Step 6. Re-scan with DDS so we can verify nothing new is back.

Summary of the logs I will need in your next reply:


  • The report log of ComboFix
  • The report log of DDS
And a description of any remaining problems in your next post.

How are things at your end, Pandy34?


Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks.
Kind regards
Net_Surfer



Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program You too could train to help others!

Net_Surfer
Intermediate

Posts: 57
Joined: 2010-03-28
Gender: Male
OS: xp sp3, Vista, Win7
Points: 25225
Likes: 0

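Step 6 above asks for a second DDS run so the before and after logs can be compared. The helper below is an added example written for this thread, not code from the forum, from DDS or from ComboFix: it parses the "Pseudo HJT Report" section of two DDS logs into keyed entries, reports what was removed, added or changed between runs, lists entries that point at "No File" (orphaned loading points), and pulls the DNS resolvers out of the TCP: line so a change there is obvious at a glance. The two sample logs are constructed from lines that appear in this thread (the first DDS log and the later ComboFix supplementary scan) and are embedded inline so the script runs offline; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed "Pseudo HJT Report" section in DDS format,
# modelled on the first DDS log posted in this thread.
BEFORE_LOG = r"""
============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
TCP: {463B1CE5-1A86-481D-9FC8-0443A51468EF} = 216.146.35.35,216.146.36.36

============= SERVICES / DRIVERS ===============
"""

# Constructed sample: the same section as it might look after the cleanup,
# modelled on the later ComboFix supplementary scan in this thread.
AFTER_LOG = r"""
============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
TCP: {463B1CE5-1A86-481D-9FC8-0443A51468EF} = 221.133.1.2,221.133.0.2

============= SERVICES / DRIVERS ===============
"""

# A {CLSID} or [RunName] token identifies an entry; the rest may legitimately change.
ID_RE = re.compile(r"(\{[0-9A-Fa-f-]{36}\}|\[[^\]]+\])")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _entry_key_value(line: str) -> Optional[Tuple[str, str]]:
    """Turn one report line into (stable key, value). Returns None if unparseable."""
    kind, sep, rest = line.partition(": ")
    if not sep:
        # Lines such as "uInternet Settings,ProxyOverride = *.local"
        name, sep, value = line.partition(" = ")
        return (name, value) if sep else None
    match = ID_RE.search(rest)
    ident = match.group(1) if match else rest
    return (f"{kind} {ident}", rest)


def parse_hjt_section(log_text: str) -> Dict[str, str]:
    """Collect the entries between the 'Pseudo HJT Report' header and the next header."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("="):
            if "Pseudo HJT Report" in line:
                in_section = True
                continue
            if in_section:
                break  # next section header ends the report
        if not in_section or not line:
            continue
        parsed = _entry_key_value(line)
        if parsed:
            key, value = parsed
            entries[key] = value
    return entries


def diff_runs(before_text: str, after_text: str) -> Dict[str, list]:
    """Compare two DDS runs: keys removed, keys added, and keys whose value changed."""
    before = parse_hjt_section(before_text)
    after = parse_hjt_section(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": [(k, before[k], after[k]) for k in sorted(before) if k in after and before[k] != after[k]],
    }


def orphaned_entries(entries: Dict[str, str]) -> List[str]:
    """Loading points whose target file no longer exists (DDS prints 'No File')."""
    return sorted(k for k, v in entries.items() if v.rstrip().endswith("No File"))


def dns_servers(entries: Dict[str, str]) -> List[str]:
    """DNS resolvers configured on the adapter(s) listed on the TCP: line(s)."""
    ips: List[str] = []
    for key, value in entries.items():
        if key.startswith("TCP "):
            ips.extend(IP_RE.findall(value))
    return ips


if __name__ == "__main__":
    report = diff_runs(BEFORE_LOG, AFTER_LOG)
    for label in ("removed", "added"):
        for key in report[label]:
            print(f"{label}: {key}")
    for key, old, new in report["changed"]:
        print(f"changed: {key}\n    was: {old}\n    now: {new}")
    after_entries = parse_hjt_section(AFTER_LOG)
    print("orphaned:", orphaned_entries(after_entries))
    print("DNS servers after cleanup:", dns_servers(after_entries))
```

The DNS line deserves a second look whenever it changes between runs, because the original complaint in this thread was that antivirus and DNS sites could not be reached while other sites could: compare the resolvers the log shows against the ones your ISP or router is supposed to hand out, and treat anything unexpected as a reason to ask the helper rather than to keep browsing. Orphaned "No File" entries are usually harmless leftovers from uninstalled software, but they are worth listing so the helper can tell them apart from anything new.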

Re: net-worm.win32.kido-ir

Post by pandy34 on 6th April 2010, 6:51 am

Hi

I've erased LimeWire and uTorrent and updated Java and Windows Service Pack 3, and I am now in the process of running ComboFix. However, your instructions say "Please insert your flash drive and all usb-drives before running Combofix".... I think my USB flash drive is infected; should I still insert it? Or does it not matter? Thought I'd ask to make sure before I started ComboFix.
Thanks

pandy34
Novice

Posts: 32
Joined: 2009-12-16
OS: vista
Points: 25910
Likes: 0


Re: net-worm.win32.kido-ir

Post by Net_Surfer on 6th April 2010, 6:55 am

Go ahead and insert it, and leave it there until ComboFix finishes scanning and gives you a report log.

Net_Surfer


Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program You too could train to help others!

Net_Surfer
Intermediate

Posts: 57
Joined: 2010-03-28
Gender: Male
OS: xp sp3, Vista, Win7
Points: 25225
Likes: 0


Re: net-worm.win32.kido-ir

Post by pandy34 on 7th April 2010, 4:13 am

I could not find "OneCare Advisor (Windows Live Toolbar)". Installed the new Adobe Reader. Here are the ComboFix and DDS logs that you requested. Also, is my USB still infected? How will I know? Also, should I use ComboFix on the other computers in my local network? Thanks.

ComboFix 10-04-05.03 - user 04/07/2010 10:53:28.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.476 [GMT 7:00]
Running from: c:\documents and settings\user\desktop\commy.exe
Command switches used :: /stepdel
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\kdcoms.dll
c:\windows\system32\syspilog.pil
D:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVPsys


((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 03:24 . 2010-04-07 03:24 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-04-07 03:22 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-04-07 03:22 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-07 03:21 . 2010-04-07 03:21 -------- d-----w- c:\program files\Google
2010-04-07 03:21 . 2010-04-07 03:21 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-07 03:20 . 2010-04-07 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-06 06:22 . 2010-04-06 06:22 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6700b7e9-n\msvcp71.dll
2010-04-06 06:22 . 2010-04-06 06:22 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6700b7e9-n\jmc.dll
2010-04-06 06:22 . 2010-04-06 06:22 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6700b7e9-n\msvcr71.dll
2010-04-06 06:22 . 2010-04-06 06:22 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-11533d0c-n\decora-sse.dll
2010-04-06 06:22 . 2010-04-06 06:22 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-11533d0c-n\decora-d3d.dll
2010-04-06 06:22 . 2010-04-06 06:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-06 03:10 . 2010-04-06 03:10 -------- d-----w- c:\documents and settings\user\.yawcam
2010-04-05 04:15 . 2010-04-05 04:15 -------- d--h--w- c:\windows\$hf_mig$
2010-04-01 05:17 . 2010-04-01 05:17 388096 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-01 05:17 . 2010-04-01 05:17 -------- d-----w- c:\program files\TrendMicro
2010-03-31 12:14 . 2010-03-31 12:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 03:59 . 2009-08-11 05:51 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-07 03:59 . 2009-08-11 05:51 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-07 03:59 . 2009-08-11 05:51 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-07 03:59 . 2009-08-11 05:51 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-29 17:46 . 2010-01-20 02:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 17:45 . 2010-01-20 02:30 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
.

------- Sigcheck -------

[-] 2004-08-03 . 6A603809F598332DBEDD535BDBCE313E . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sweeper.exe"="c:\program files\History Sweeper\Sweeper.exe" [2007-10-17 172032]
"UniKey"="c:\program files\UniKey\UniKeyNT.exe" [2005-08-16 188416]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-10 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"V0350Mon.exe"="c:\windows\V0350Mon.exe" [2007-06-04 32768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-08-11 208616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\user\Start Menu\Programs\Startup\
Shortcut to Yawcam.exe.lnk - c:\program files\Yawcam\Yawcam.exe [2008-8-12 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2009-3-9 131584]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
2003-09-17 10:39 212992 ----a-w- c:\program files\Common Files\ACD Systems\EN\DevDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-03 15:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-10-01 11:57 289576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-03 15:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mtd2002Svr]
2002-10-05 06:05 544768 ----a-w- c:\program files\mtd2002\mtdserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-02-13 13:05 7557120 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-02-13 13:05 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-02-13 13:05 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-03 15:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-03 15:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-06 10:10 405504 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mtd2002\\mtdserver.exe"=
"c:\\kav\\kav7.0\\english\\setup.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Program Files\\DOOM3Ded.exe"=
"d:\\Program Files\\GhostRecon.exe"=
"c:\\WINDOWS\\System32\\JAVAW.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\System32\\pdbox28.exe"=
"c:\\WINDOWS\\System32\\fscagent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [8/12/2008 2:57 PM 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [8/12/2008 2:57 PM 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [8/12/2008 2:57 PM 170368]
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 05:34]

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-602609370-682003330-1003Core1cac66920a6eb1a.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-10 03:35]
.
.
------- Supplementary Scan -------
.
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: {463B1CE5-1A86-481D-9FC8-0443A51468EF} = 221.133.1.2,221.133.0.2
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-igndlm.exe - c:\program files\Download Manager\DLM.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Flashget - c:\program files\FlashGet\FlashGet.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_10\bin\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
AddRemove-Download Manager - c:\program files\Download Manager\uninst.exe
AddRemove-Winamp - c:\program files\Winamp\UninstWA.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(180)
c:\program files\UniKey\UKHook35.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\SigmaTel\C-Major Audio\WDM\STacSV.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-07 11:02:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 04:02

Pre-Run: 453,156,864 bytes free
Post-Run: 1,051,959,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\ = "Recovery Windows"

- - End Of File - - 395F77D10FECBB4498D0DB7FCF2AFA2D


DDS (Ver_10-03-17.01) - FAT32x86
Run by user at 11:07:06.00 on Wed 04/07/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.524 [GMT 7:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\History Sweeper\Sweeper.exe
C:\Program Files\UniKey\UniKeyNT.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\ctfmon.exe
D:\virus removal\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: Web traffic protection statistics: {85e0b171-04fa-11d1-b7da-00a0c90348d6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [Sweeper.exe] c:\program files\history sweeper\Sweeper.exe
uRun: [UniKey] c:\program files\unikey\UniKeyNT.exe
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [AGEIA PhysX SysTray] c:\program files\ageia technologies\TrayIcon.exe
mRun: [V0350Mon.exe] c:\windows\V0350Mon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\shortc~1.lnk - c:\program files\yawcam\Yawcam.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
TCP: {463B1CE5-1A86-481D-9FC8-0443A51468EF} = 221.133.1.2,221.133.0.2
Notify: klogon - c:\windows\system32\klogon.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-8-11 226832]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 208616]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [2008-8-12 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [2008-8-12 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [2008-8-12 170368]
UnknownUnknown vkquwexg;vkquwexg; [x]

=============== Created Last 30 ================

2010-04-07 03:51:49 0 d-sha-r- C:\cmdcons
2010-04-07 03:47:40 98816 ----a-w- c:\windows\sed.exe
2010-04-07 03:47:40 77312 ----a-w- c:\windows\MBR.exe
2010-04-07 03:47:40 261632 ----a-w- c:\windows\PEV.exe
2010-04-07 03:47:40 161792 ----a-w- c:\windows\SWREG.exe
2010-04-07 03:37:17 0 d-----w- C:\commy
2010-04-06 06:22:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-06 03:10:12 0 d-----w- c:\documents and settings\user\.yawcam
2010-04-05 04:15:39 0 d--h--w- c:\windows\$hf_mig$
2010-04-01 05:17:33 0 d-----w- c:\program files\TrendMicro

==================== Find3M ====================

2010-04-07 03:59:22 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-07 03:59:22 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-07 03:59:22 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-07 03:59:22 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-29 17:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 17:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 11:07:47.25 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/17/2007 11:34:09 AM
System Uptime: 4/7/2010 10:59:37 AM (1 hours ago)

Motherboard: Intel Corporation | | D945GNT
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | J3E1 | 2999/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | J3E1 | 2999/200mhz

==== Disk Partitions =========================

C: is FIXED (FAT32) - 15 GiB total, 0.957 GiB free.
D: is FIXED (FAT32) - 28 GiB total, 18.195 GiB free.
E: is FIXED (FAT32) - 28 GiB total, 16.333 GiB free.
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_30868086&REV_01\4&1E46F438&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_30868086&REV_01\4&1E46F438&0&40F0
Service: E100B

==== System Restore Points ===================

RP1: 4/7/2010 10:47:40 AM - System Checkpoint

==== Installed Programs ======================

ACDSee 6.0 PowerPack
Acrobat.com
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3 Presets
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 9.3
Adobe Setup
Adobe Shockwave Player 11.5
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AGEIA PhysX v2.3.3
AHV content for Acrobat and Flash
Apple Mobile Device Support
Apple Software Update
ASUS nVIDIA Driver
Bonjour
Cave Management System
Creative Live! Cam Video Chat or Video IM Driver (1.02.01.00)
Creative Software AutoUpdate
EPSON Printer Software
Genius Scanner
Ghost Recon
Google Chrome
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HiJackThis
hp deskjet 5550 series
InfoWorks History Sweeper (remove only)
Intel(R) PRO Network Connections Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 19
K-Lite Codec Pack 2.87 Full
Kaspersky Anti-Virus 2009
Lexmark Software Uninstall
LQ-300+II User's Guide
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Mega Manager
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Text-to-Speech Engine 4.0 (English)
MSVCRT
MSXML 4.0 SP2 Parser and SDK
No-IP.com DUC (remove only)
NVIDIA Drivers
OneCare Advisor (Windows Live Toolbar)
PDF Settings
Security Update for Windows XP (KB958644)
Segoe UI
SigmaTel Audio
Smart Menus (Windows Live Toolbar)
UniKey 3.63 NT
Uninstall LAC VIET mtd2002-EVA
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
XP Codec Pack
Yawcam 0.3.3

==== Event Viewer Messages From Past Week ========

4/5/2010 12:06:08 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/5/2010 11:36:08 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/5/2010 11:21:08 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/5/2010 1:06:08 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/31/2010 7:12:47 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
3/31/2010 7:12:26 PM, error: Print [19] - Sharing printer failed + 1722, Printer hp deskjet 5550 series share name Printer2.

==== End Of File ===========================


Re: net-worm.win32.kido-ir

Post by Net_Surfer on 9th April 2010, 9:22 am

Hello again Pandy34, Honored

Sorry for the delay!

Please follow my next set of steps:


Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost. Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.
----------------*----------------
Step 1. Rerun ComboFix with some additional directives.

Complex malware removal is to be performed by trained personnel, as they’re capable of doing a surgical cleanup without affecting other components of the Operating System.

  1. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on [You must be registered and logged in to see this link.] link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

  2. Make sure that combofix.exe that you downloaded is on your Desktop but do NOT run it!
    o If it is not on your Desktop, the below will not work.
  3. Go to Start -> Run... and in the "Open:" box that opens type Notepad and press Enter (alternatively, navigate to Start -> Accessories -> Notepad).
  4. Copy the entire contents inside the CODE box below into Notepad (do NOT copy the word "CODE"!) - don't use any other text editor than Notepad or the script will fail.
    Code:
    Fcopy::
    c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "d:\\utorrent.exe"=-
    DDS::
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    Driver::
    UnknownUnknown vkquwexg
  5. Go to File -> Save and save as CFScript.txt in the same location as ComboFix.exe.

  6. Close all applications and windows so that you have nothing open and are at your Desktop.
  7. Drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again. Please follow the prompts.

    NOTE: Do NOT mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
    CAUTION!
    Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!
  8. When finished, ComboFix shall produce a log for you at C:\ComboFix.txt. Please post the entire contents of that report in your next reply for further review.

Step 2. Malwarebytes' Anti-Malware (MBAM)

Because some malware can be easily removed, we recommend Malwarebytes Anti-Malware be run. It's an advanced piece of software which should get a lot of what's on this machine. These guys are so on top of the latest infections it's amazing.

You already have Malwarebytes' Anti-Malware installed.

  • Open MBAM
  • Go to the updates tab, and click Update to update to the latest version
  • Once the program has updated, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: if you can not run a full system scan then retry with a quick scan.
    * Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Summary of the logs I will need in your next reply:


  • The report log of ComboFix
  • The report log of MBAM
And a description of any remaining problems in your next post.

How are things at your end, Pandy34?


Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks.
Kind regards
Net_Surfer



Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!

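An added example, not part of the thread and not code from ComboFix or DDS: a small Python triage script that scans a DDS/ComboFix text log for the same indicator classes the CFScript in the post above targets (BHO/TB/EB entries that resolve to "No File", a driver with an Unknown status and no backing file, the firewall state, authorized-application and open-port exceptions, and the DNS servers bound to the adapter) and renders the DDS:: and Driver:: stanzas in the form the helper used. The sample log is constructed from lines excerpted from the logs in this thread plus the `d:\utorrent.exe` entry named in the script; the function names, the trusted-directory heuristic and the regular expressions are this example's own assumptions, and the firewall findings are deliberately listed for review rather than turned into a Registry:: stanza, because that stanza deletes whatever path you name.

```python
"""
Triage helper for DDS / ComboFix text logs (added example, not part of the thread).

Flags the indicator classes the CFScript in the post above targets:
  * BHO/TB/EB entries whose CLSID resolves to "No File"          -> DDS:: stanza
  * driver/service lines with Unknown status or no backing file  -> Driver:: stanza
  * firewall disabled, inbound port exceptions still enabled, and
    authorized applications outside Program Files / Windows      -> listed for review
  * DNS servers bound to the adapter, to compare with the ISP's  -> listed for review
"""
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the DDS/ComboFix logs in this thread, plus
# the d:\utorrent.exe firewall entry the CFScript deletes.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TCP: {463B1CE5-1A86-481D-9FC8-0443A51468EF} = 221.133.1.2,221.133.0.2
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
UnknownUnknown vkquwexg;vkquwexg; [x]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\utorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

ORPHAN_RE = re.compile(r"^(BHO|TB|EB):.*?(\{[0-9A-Fa-f-]{36}\})\s*-\s*No File\s*$")
SERVICE_RE = re.compile(r"^(R\d|S\d|Unknown\w*)\s+([^;]+);([^;]*);(.*)$")
DNS_RE = re.compile(r"^TCP:\s*\{[0-9A-Fa-f-]{36}\}\s*=\s*([\d.,\s]+)$")
SECTION_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def _trusted_path(path: str) -> bool:
    """Heuristic (an assumption of this example): installed software lives under Program
    Files or the Windows directory; drive roots, profiles and temp dirs need a human look."""
    p = path.replace("\\\\", "\\").lower()
    return p.startswith("%windir%") or "\\program files" in p or "\\windows\\" in p


def triage(log_text: str) -> dict:
    """Return {finding_class: [items]} for the indicator classes in the module docstring."""
    findings = defaultdict(list)
    section = ""  # current [HKLM\...] registry section, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif m := ORPHAN_RE.match(line):           # e.g. "TB: {clsid} - No File"
            findings["orphans"].append((m.group(1), m.group(2)))
        elif m := SERVICE_RE.match(line):          # "R0 name;desc;path [date size]"
            status, name, _desc, rest = m.groups()
            if status.startswith("Unknown") or rest.strip() in ("", "[x]"):
                findings["unknown_drivers"].append((status, name.strip()))
        elif m := DNS_RE.match(line):              # "TCP: {adapter guid} = ip,ip"
            findings["dns_servers"] += [ip.strip() for ip in m.group(1).split(",") if ip.strip()]
        elif m := REG_VALUE_RE.match(line):        # '"name"= value' inside a section
            key, value = m.groups()
            if section.endswith("firewallpolicy\\standardprofile") and key == "EnableFirewall" and value.startswith("0"):
                findings["firewall_disabled"].append(section)
            elif section.endswith("authorizedapplications\\list") and not _trusted_path(key):
                findings["untrusted_fw_apps"].append(key.replace("\\\\", "\\"))
            elif section.endswith("globallyopenports\\list") and ":Disabled:" not in value:
                findings["open_ports"].append(key)
    return dict(findings)


def cfscript(findings: dict) -> str:
    """Render only the stanzas that are safe to derive mechanically (DDS:: and Driver::)."""
    out = []
    if findings.get("orphans"):
        out.append("DDS::")
        out += [f"{kind}: {clsid} - No File" for kind, clsid in findings["orphans"]]
    if findings.get("unknown_drivers"):
        out.append("Driver::")
        # same "<status> <name>" form the helper used in the post above
        out += [f"{status} {name}" for status, name in findings["unknown_drivers"]]
    return "\n".join(out)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for cls, items in result.items():
        print(f"{cls}: {items}")
    print(cfscript(result))
```

Run against a full log, the review-only classes are where the judgement goes: a firewall that is off, an RDP exception left enabled, and an executable at a drive root all showed up in this thread's logs, but none of them is malware by itself, which is why the script prints them and stops short of writing a Registry:: stanza for them.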

Re: net-worm.win32.kido-ir

Post by pandy34 on 12th April 2010, 2:31 pm

I am currently in Hong Kong and won't be back until this weekend. Please keep the thread open as I need some time. Thank you.


Re: net-worm.win32.kido-ir

Post by pandy34 on 16th April 2010, 10:15 am

Here's the report you requested.
ComboFix 10-04-05.03 - user 04/09/2010 20:07:04.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.694 [GMT 7:00]
Running from: c:\documents and settings\user\Desktop\commy.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-09 12:53 . 2010-04-09 12:53 -------- d-----w- C:\FOUND.000
2010-04-07 03:37 . 2010-04-07 03:37 -------- d-----w- C:\commy
2010-04-07 03:24 . 2010-04-07 03:24 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-04-07 03:22 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-04-07 03:22 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-04-07 03:22 . 2010-04-07 03:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-07 03:21 . 2010-04-07 03:21 -------- d-----w- c:\program files\Google
2010-04-07 03:21 . 2010-04-07 03:21 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-07 03:20 . 2010-04-07 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-06 06:22 . 2010-04-06 06:22 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6700b7e9-n\msvcp71.dll
2010-04-06 06:22 . 2010-04-06 06:22 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6700b7e9-n\jmc.dll
2010-04-06 06:22 . 2010-04-06 06:22 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6700b7e9-n\msvcr71.dll
2010-04-06 06:22 . 2010-04-06 06:22 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-11533d0c-n\decora-sse.dll
2010-04-06 06:22 . 2010-04-06 06:22 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-11533d0c-n\decora-d3d.dll
2010-04-06 06:22 . 2010-04-06 06:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-06 03:10 . 2010-04-06 03:10 -------- d-----w- c:\documents and settings\user\.yawcam
2010-04-05 04:15 . 2010-04-05 04:15 -------- d--h--w- c:\windows\$hf_mig$
2010-04-01 05:17 . 2010-04-01 05:17 388096 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-01 05:17 . 2010-04-01 05:17 -------- d-----w- c:\program files\TrendMicro
2010-03-31 12:14 . 2010-03-31 12:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 16:59 . 2009-08-11 05:51 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-07 16:59 . 2009-08-11 05:51 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-07 16:59 . 2009-08-11 05:51 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-07 16:59 . 2009-08-11 05:51 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-29 17:46 . 2010-01-20 02:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 17:45 . 2010-01-20 02:30 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sweeper.exe"="c:\program files\History Sweeper\Sweeper.exe" [2007-10-17 172032]
"UniKey"="c:\program files\UniKey\UniKeyNT.exe" [2005-08-16 188416]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-03-20 331776]
"V0350Mon.exe"="c:\windows\V0350Mon.exe" [2007-06-04 32768]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-08-11 208616]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\user\Start Menu\Programs\Startup\
Shortcut to Yawcam.exe.lnk - c:\program files\Yawcam\Yawcam.exe [2008-8-12 57344]
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2010-4-5 1172992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2009-3-9 131584]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]
2003-09-17 10:39 212992 ----a-w- c:\program files\Common Files\ACD Systems\EN\DevDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-03 15:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-03 15:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mtd2002Svr]
2002-10-05 06:05 544768 ----a-w- c:\program files\mtd2002\mtdserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-02-13 13:05 7557120 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-02-13 13:05 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-02-13 13:05 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-03 15:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-03 15:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-06 10:10 405504 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mtd2002\\mtdserver.exe"=
"c:\\kav\\kav7.0\\english\\setup.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Program Files\\DOOM3Ded.exe"=
"d:\\Program Files\\GhostRecon.exe"=
"c:\\WINDOWS\\System32\\JAVAW.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\System32\\pdbox28.exe"=
"c:\\WINDOWS\\System32\\fscagent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [8/12/2008 2:57 PM 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350Vfx.sys [8/12/2008 2:57 PM 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [8/12/2008 2:57 PM 170368]
.
Contents of the 'Scheduled Tasks' folder

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-07 16:59]
.
.
------- Supplementary Scan -------
.
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {463B1CE5-1A86-481D-9FC8-0443A51468EF} = 221.133.1.2,221.133.0.2
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(620)
c:\windows\system32\msi.dll
.
Completion time: 2010-04-09 20:13:52
ComboFix-quarantined-files.txt 2010-04-09 13:13
ComboFix2.txt 2010-04-07 04:03

Pre-Run: 573,947,904 bytes free
Post-Run: 558,841,856 bytes free

- - End Of File - - 424D6ABCBDA5B7B91731B6A6B5383BC5

Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 3972

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/9/2010 8:42:43 PM
mbam-log-2010-04-09 (20-42-43).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 260276
Time elapsed: 21 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

pandy34
Novice
Posts : 32
Joined : 2009-12-16
OS : vista
Points : 25910
# Likes : 0

Re: net-worm.win32.kido-ir

Post by Net_Surfer on 16th April 2010, 5:17 pm

Hello again Pandy34,

Glad that you are back!

I need you to update me, when you reply back, on how your computer is reacting at each step of the way; I need the information so I can think of what tool to use to fix your problem.

Your MBAM report log shows that you have not updated your system to XP SP3 and that your browser is still IE6.
You need to update your system before you do my next set of steps!

Also, hackers are exploiting some new holes in Adobe and Java, and there are new versions for you to download again. So please update Java and Adobe; you can read more about this here:


[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Carefully follow my next set of steps:

Step 1.

  • Download: [You must be registered and logged in to see this link.] to your desktop.
    If you have problems, try this download link:
    [You must be registered and logged in to see this link.]
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Now copy the lines below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT

  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button.
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.


We need to scan for rootkits.

Credit to Quietman for this canned speech.
The speed and ability to complete a scan depends on a variety of factors:

  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning for suspicious behavior or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted or unsafe programs (PUPs).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
Before performing an anti-rootkit (ARK) scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • [You must be registered and logged in to see this link.].
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • [You must be registered and logged in to see this link.] your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

If you are using a CD Emulator ([You must be registered and logged in to see this link.], [You must be registered and logged in to see this link.], [You must be registered and logged in to see this link.], [You must be registered and logged in to see this link.], etc) be aware that they use rootkit-like techniques to hide from other applications. When dealing with a malware infection, CD Emulators can interfere with investigative or anti-rootkit (ARK) tools. This interference can produce misleading or inaccurate scan results, [You must be registered and logged in to see this link.] of legitimate files, cause unexpected crashes, [You must be registered and logged in to see this link.], and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD Emulators. In some cases, the drivers related to such tools can cause crashes or system hanging when attempting to boot into safe mode.

Since CD Emulators use a hidden driver which can be seen as a rootkit and interfere with providing accurate results or cause other problems, it is recommended that they be removed or disabled until disinfection is completed.

Step 2. * Disable CD-ROM Emulation Software.

DeFogger - Disable


  1. Please download [You must be registered and logged in to see this link.] to your desktop.

    Double click DeFogger to run the tool.

    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Step 3. * Rootkit Scan with Gmer.

Please download GMER from one of the following locations and save it to your desktop:

  • [You must be registered and logged in to see this link.]
    This version will download a randomly named file (Recommended)
  • [You must be registered and logged in to see this link.]
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily [You must be registered and logged in to see this link.] so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • Ensure that the SECTIONS option is checked!
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in [You must be registered and logged in to see this link.].


Some ARK scanners have settings which you can adjust if the scan hangs or freezes while others do not. If that's the case and you still cannot complete a scan, then try another ARK.

Summary of the logs I will need in your next reply:

  • The report logs of OTL: OTL.Txt and Extras.Txt
  • Gmer rootkit report log.
How are things at your end, Pandy34???

Once you have completed the above steps, I will review your logs again and take the necessary steps with you to get your machine back in working order, clean and free of malware.

Again, Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer

Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!

Net_Surfer
Intermediate
Posts : 57
Joined : 2010-03-28
Gender : Male
OS : xp sp3, Vista, Win7
Points : 25225
# Likes : 0
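The /md5start ... /md5stop block in Step 1 of Net_Surfer's post tells OTL which system DLLs and storage drivers to hash, so the helper can compare the digests against known-good values for the installed service pack. The script below is an added illustration of that check and is not OTL's code or part of this thread's original content: it parses the posted custom-scan text, hashes any of the named files it can find, and buckets them against a baseline. OTL is closed source, so treating the lines between the two markers as file names and every other line as an opaque directive is an assumption; the fake %SystemRoot% tree, the file contents and the baseline digests inside demo() are constructed for the example.

```python
# Added example for this thread, not OTL's own code. OTL is closed source, so the
# directive handling below is an assumption modelled on the posted script text:
# names between /md5start and /md5stop are files to hash, every other line is an
# opaque directive. MD5 is reported because that is what OTL prints; SHA-256 is
# computed alongside for comparison with current vendor file catalogues.
import hashlib
import os
import tempfile

OTL_SCRIPT = r"""netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT"""  # the custom scan text exactly as posted in Step 1


def parse_otl_script(text):
    """Return (md5_targets, directives); the /md5 marker lines themselves are dropped."""
    targets, directives, in_md5 = [], [], False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.lower() in ("/md5start", "/md5stop"):
            in_md5 = line.lower() == "/md5start"
        else:
            (targets if in_md5 else directives).append(line)
    return targets, directives


def hash_targets(names, search_dirs):
    """Map each name to (path, md5, sha256), or None if absent; matching is case-insensitive like NTFS."""
    found = {}
    for name in names:
        found[name] = None
        for d in filter(os.path.isdir, search_dirs):
            hit = next((e for e in os.listdir(d) if e.lower() == name.lower()), None)
            if hit is None:
                continue
            path = os.path.join(d, hit)
            with open(path, "rb") as fh:
                data = fh.read()  # system DLLs and drivers are small; a whole-file read is fine
            found[name] = (path, hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest())
            break
    return found


def compare_to_baseline(hashes, baseline):
    """Bucket results against known-good MD5s (file name -> hex digest)."""
    verdict = {"match": [], "mismatch": [], "missing": [], "unknown": []}
    for name, info in hashes.items():
        if info is None:
            verdict["missing"].append(name)
        elif name not in baseline:
            verdict["unknown"].append(name)  # present, but no reference digest yet
        elif info[1] == baseline[name].lower():
            verdict["match"].append(name)
        else:
            verdict["mismatch"].append(name)  # the lead worth following up
    return verdict


def demo():
    """Run the flow against a constructed fake %SystemRoot%; nothing here is a real driver."""
    targets, _ = parse_otl_script(OTL_SCRIPT)
    sys32 = os.path.join(tempfile.mkdtemp(), "system32")
    drivers = os.path.join(sys32, "drivers")
    os.makedirs(drivers)
    with open(os.path.join(drivers, "atapi.sys"), "wb") as fh:
        fh.write(b"abc")  # constructed content; md5 900150983cd24fb0d6963f7d28e17f72
    with open(os.path.join(sys32, "EVENTLOG.DLL"), "wb") as fh:
        fh.write(b"")  # constructed empty file; md5 d41d8cd98f00b204e9800998ecf8427e
    hashes = hash_targets(targets, [sys32, drivers])
    baseline = {"atapi.sys": "900150983cd24fb0d6963f7d28e17f72",  # constructed "known good"
                "eventlog.dll": "00000000000000000000000000000000"}  # constructed, deliberately wrong
    return hashes, compare_to_baseline(hashes, baseline)
```

On a live XP machine the search directories would be %SystemRoot%\system32 and %SystemRoot%\system32\drivers, and the baseline MD5s would come from a trusted copy of the same service-pack files. The compare step is the point of the exercise: a "mismatch" on a core driver or DLL is what the helper follows up on, "missing" is expected for drivers that were never installed on that hardware, and "unknown" only means the baseline has no entry for that file yet.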

Re: net-worm.win32.kido-ir

Post by Dr Jay on 21st April 2010, 5:14 am

Hello.

Net_Surfer will not be here, so I have agreed to help you now.

Please understand the following:
  • Nothing has changed. Our expertise is similar.
  • Feel free to ask any questions.
  • Tell me how your computer is running now, and post the logs that Net_Surfer asked for in the post above mine.


Thanks!


Dr. Jay (DJ)


Dr Jay
Head Administrator
Posts : 14309
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302960
# Likes : 10

Re: net-worm.win32.kido-ir

Post by pandy34 on 1st June 2010, 4:14 pm

Sorry for leaving this open, I was sent away for a while. And I noticed now that the computers have been used while I was away, and reading the steps Net_Surfer posted, "Again, Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!", we might not be able to continue with the fixes. Or should I continue?

pandy34
Novice
Posts : 32
Joined : 2009-12-16
OS : vista
Points : 25910
# Likes : 0

Re: net-worm.win32.kido-ir

Post by Dr Jay on 1st June 2010, 5:46 pm

Let's start over.

Just do step 1 of Net Surfer's post 16.


Dr. Jay (DJ)


Dr Jay
Head Administrator
Posts : 14309
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302960
# Likes : 10
