Geeks to Go
Net-worm.Win32.Kido.ih [Solved]


  • This topic is locked

#16
Flegias
  • Topic Starter
  • Member
  • 32 posts
Hello fenzodahl512,

I ran Kaspersky Online Scanner 3 times, but I had an error about the connection to its server.
However, it seems to me that Kaspersky Online Scanner conflicts with the Kaspersky Anti-Virus that is installed on my PC, even though I disabled it!
Should I run an alternative online scanner?

At the moment there are no issues on my PC :)
Thank you!
  • 0


#17
fenzodahl512
  • Malware Removal
  • 9,863 posts
Ah.. sorry about that.. Let's do this instead.. :)


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

  • 0

#18
Flegias
  • Topic Starter
  • Member
  • 32 posts
I'm sorry, but IE crashes every time I launch the ESET Online Scanner.

Should I try another one?
  • 0

#19
fenzodahl512
  • Malware Removal
  • 9,863 posts
Uh.. Let's try this one :)


Please download Dr.Web CureIt to the Desktop:
  • Please reboot into Safe Mode
  • Once you are in Safe Mode, double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (open it with Notepad)

  • 0

#20
Flegias
  • Topic Starter
  • Member
  • 32 posts
PSEXESVC.EXE;C:\WINNT;Program.PsExec.170;Incurabile.Spostato.;
dwfvqwxb.dll;C:\WINNT\system32;Win32.HLLW.Shadow.based;Cancellato.;
pskill.exe;D:\Software_Gaz-de-France\Missione_ottobre2001\Gate_PITGAM\sseserver;Tool.Prockill;Incurabile.Spostato.;
  • 0

#21
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please show hidden files and folders

Please find and delete this file manually... C:\WINNT\system32\dwfvqwxb.dll


How's the computer now? :)

Edited by fenzodahl512, 19 February 2009 - 09:21 AM.

  • 0

#22
Flegias
  • Topic Starter
  • Member
  • 32 posts
Darn!

On the Tools menu, clicking on Folder Options, some entries are missing, like:

"Hide file extensions for known file types"
"Hide protected operating system files (Recommended)"

Can I restore them?
  • 0

#23
fenzodahl512
  • Malware Removal
  • 9,863 posts
Do this first..

Please download Flash_Disinfector by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



Then, can you enable the "show hidden files/folders" option? :)
  • 0

#24
Flegias
  • Topic Starter
  • Member
  • 32 posts
Please see the picture.
At the moment the folder option is this:
Posted Image

Previously the Folder option was different, like this:

Posted Image


I'd like to restore the previous appearance of the Folder Options tool.

However, by unchecking "Superhidden" I can see hidden protected operating system files, but there isn't any dwfvqwxb.dll in C:\WINNT\system32\
I'm not sure about what I'm going to tell you, but after the CureIt scan I forgot to disable Kaspersky Anti-Virus and it deleted dwfvqwxb.aop in C:\WINNT\system32\, and now it detects and removes C:\WINNT\system32\x randomly and often.

Should I disable the antivirus? I'm worried about it...
  • 0

#25
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please go to Start >> Run >> Copy/Paste command below >> Press Enter

REGEDIT /E "%USERPROFILE%\Desktop\result.txt" "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

A new text file result.txt will be created on your Desktop. Please post its contents in your next reply..
  • 0


#26
Flegias
  • Topic Starter
  • Member
  • 32 posts
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowCompColor"=dword:00000000
"HideFileExt"=dword:00000000
"DontPrettyPath"=dword:00000000
"ShowInfoTip"=dword:00000001
"HideIcons"=dword:00000000
"MapNetDrvBtn"=dword:00000000
"WebView"=dword:00000001
"Filter"=dword:00000000
"SuperHidden"=dword:00000001
"SeparateProcess"=dword:00000000
"StartButtonBalloonTip"=dword:00000001
"StartMenuInit"=dword:00000003
"ClassicViewState"=dword:00000000
"ShowSuperHidden"=dword:00000000
"StartMenuChevron"=dword:00000000
"IntelliMenus"="No"
"CascadeControlPanel"="NO"
"CascadeMyDocuments"="NO"
"CascadeNetworkConnections"="NO"
"CascadePrinters"="NO"
"StartMenuScrollPrograms"="NO"
"StartMenuLogoff"=dword:00000000
"StartMenuFavorites"=dword:00000000
"StartMenuAdminTools"="NO"
"DisableThumbnailCache"=dword:00000000
"FolderContentsInfoTip"=dword:00000001
"FriendlyTree"=dword:00000001
"NoNetCrawling"=dword:00000000
"PersistBrowsers"=dword:00000000
"WebViewBarricade"=dword:00000000
  • 0

#27
fenzodahl512
  • Malware Removal
  • 9,863 posts
Let's do this...


The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

For detailed instructions on how to back up the registry via ERUNT, please visit HERE




NEXT


Please copy and paste the following into Notepad

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ServerAdminUI"=dword:00000000
"Hidden"=dword:00000001
"ShowCompColor"=dword:00000001
"DontPrettyPath"=dword:00000000
"ShowInfoTip"=dword:00000001
"HideIcons"=dword:00000000
"MapNetDrvBtn"=dword:00000000
"WebView"=dword:00000001
"Filter"=dword:00000000
"SeparateProcess"=dword:00000000
"ListviewAlphaSelect"=dword:00000001
"ListviewShadow"=dword:00000001
"ListviewWatermark"=dword:00000001
"TaskbarAnimations"=dword:00000001
"StartMenuInit"=dword:00000002
"StartButtonBalloonTip"=dword:00000002
"NoNetCrawling"=dword:00000000
"FolderContentsInfoTip"=dword:00000001
"FriendlyTree"=dword:00000001
"WebViewBarricade"=dword:00000001
"DisableThumbnailCache"=dword:00000000
"ClassicViewState"=dword:00000000
"PersistBrowsers"=dword:00000000
"TaskbarGlomming"=dword:00000001
"LoosenRudeAppCheck"=dword:00000001
"HideFileExt"=dword:00000001
"SuperHidden"=dword:00000000
"CascadeNetworkConnections"="YES"
"TaskbarSizeMove"=dword:00000001
"ShowSuperHidden"=dword:00000000
"Start_ShowNetConn_ShouldShow"=dword:00000042

Save it to the desktop as Fix.reg and, in Save as type, choose All Files

A new registry file will then be created on your desktop. It should look like this: Posted Image

Just double-click the file and choose Yes at prompt.



Reboot your computer and then look at your "Hidden Files/Folders" option :)
  • 0
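Added example (not part of this thread, and not code from either poster or from any of the tools named here): a small Python script that parses the REGEDIT /E export posted in #26 and the Fix.reg from #27, reports which Explorer\Advanced values the fix changes, and decodes the three values that control whether Explorer shows hidden files, protected operating system files and file extensions. The two embedded texts are abbreviated excerpts of the files above; the cp1252 fallback in load_reg_file is an assumption for BOM-less REGEDIT4 exports.

```python
import re

# Constructed excerpts (a few values each) of the two files in the thread: the
# REGEDIT /E export of Explorer\Advanced (#26) and the Fix.reg posted as the correction (#27).
EXPORT_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowCompColor"=dword:00000000
"HideFileExt"=dword:00000000
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
"IntelliMenus"="No"
"CascadeNetworkConnections"="NO"
"""

FIX_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ServerAdminUI"=dword:00000000
"Hidden"=dword:00000001
"ShowCompColor"=dword:00000001
"HideFileExt"=dword:00000001
"SuperHidden"=dword:00000000
"CascadeNetworkConnections"="YES"
"ShowSuperHidden"=dword:00000000
"""

ADVANCED_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')


def load_reg_file(path):
    """Read a .reg file from disk. REGEDIT /E writes version 5.00 files as UTF-16LE with a
    byte-order mark; the cp1252 fallback for BOM-less (REGEDIT4) files is an assumption
    that fits Western-language Windows installs."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252")


def parse_reg(text):
    """Parse .reg text into {key (lower-cased): {value_name: (type, value)}}.
    Handles dword: and quoted string data; anything else (hex:, multi-line) is kept raw."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()  # registry key names are case-insensitive
            result.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = vm.groups()
            if data.startswith("dword:"):
                result[current][name] = ("dword", int(data[len("dword:"):], 16))
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data
                unescaped = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                result[current][name] = ("string", unescaped)
            else:
                result[current][name] = ("raw", data)
    return result


def diff_values(current, expected, key):
    """Return {value_name: (current, expected)} for every value in the fix file that is
    missing from the export or differs from it. Value names are compared as written."""
    cur = current.get(key.lower(), {})
    exp = expected.get(key.lower(), {})
    return {name: (cur.get(name), val) for name, val in exp.items() if cur.get(name) != val}


def explorer_visibility(parsed):
    """Decode the three values under the Advanced key that govern what Explorer shows
    (Windows 2000/XP semantics): Hidden=1 shows hidden files, ShowSuperHidden=1 shows
    protected operating system files, HideFileExt=1 hides known file extensions."""
    values = parsed.get(ADVANCED_KEY, {})

    def dword(name):
        kind, val = values.get(name, ("dword", None))
        return val if kind == "dword" else None

    return {
        "shows_hidden_files": dword("Hidden") == 1,
        "shows_protected_os_files": dword("ShowSuperHidden") == 1,
        "hides_known_extensions": dword("HideFileExt") == 1,
    }


if __name__ == "__main__":
    export, fix = parse_reg(EXPORT_TEXT), parse_reg(FIX_TEXT)
    for name, (have, want) in diff_values(export, fix, ADVANCED_KEY).items():
        print(f"{name}: export={have} fix={want}")
    print("export:", explorer_visibility(export))
    print("fix:   ", explorer_visibility(fix))
```

To run it against the real files, feed parse_reg(load_reg_file(path_to_result_txt)) as the first argument of diff_values. In the excerpts above the export already has Hidden=1 (hidden files shown), so the diff reports only the five values the fix sets differently, and explorer_visibility shows that the fix turns HideFileExt back on while leaving ShowSuperHidden at 0.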

#28
Flegias
  • Topic Starter
  • Member
  • 32 posts
I wanted the Folder Options menu to come back like this:
Posted Image

Even after following your instructions, the Folder Options menu is still this:
Posted Image

But don't worry about that! I can view hidden and protected files by unchecking the "superhidden" option.

We can go on with the cleaning process! :)
  • 0

#29
fenzodahl512
  • Malware Removal
  • 9,863 posts
Run ComboFix once again for my review.. If ComboFix asks for an update, just update it :)
  • 0

#30
Flegias
  • Topic Starter
  • Member
  • 32 posts
ComboFix 09-02-19.01 - Administrator 20/02/2009 16.52.18.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1040.18.511.345 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 15:48 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2009-02-20 13:07 --------- d-----w c:\programmi\ERUNT
2009-02-16 16:59 410,984 ----a-w c:\winnt\system32\deploytk.dll
2009-02-16 11:08 --------- d-----w c:\programmi\Google
2009-02-16 10:09 --------- d-----w c:\programmi\Microsoft.NET
2009-02-16 09:45 --------- d-----w c:\programmi\Hewlett-Packard
2009-02-11 08:18 --------- d-----w c:\programmi\Trend Micro
2009-02-04 14:44 33,808 ----a-w c:\winnt\system32\drivers\klbg.sys
2009-02-04 07:58 89,601 ----a-w c:\winnt\system32\drivers\klick.dat
2009-02-04 07:58 101,287 ----a-w c:\winnt\system32\drivers\klin.dat
2009-01-23 16:05 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-01-23 16:05 --------- d-----w c:\programmi\File comuni\InstallShield
2009-01-12 16:30 --------- d-----w c:\programmi\OpenVPN
2009-01-09 14:11 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-01-09 13:49 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-01-09 13:49 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2009-01-09 10:19 --------- d-----w c:\programmi\Kaspersky Lab
2008-12-23 13:52 --------- d-----w c:\programmi\File comuni\Adobe
2007-04-18 15:22 271 ---h--w c:\programmi\desktop.ini
2007-04-18 15:22 22,075 -c-h--w c:\programmi\folder.htt
1999-12-23 00:00 32,528 -c--a-w c:\winnt\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( SnapShot_lun 2009-02-16_12.13.56.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 11:02:28 163,328 ----a-w c:\winnt\ERDNT\20-02-2009\ERDNT.EXE
+ 2009-02-20 13:08:35 4,075,520 ----a-w c:\winnt\ERDNT\20-02-2009\Users\00000001\NTUSER.DAT
+ 2009-02-20 13:08:37 221,184 ----a-w c:\winnt\ERDNT\20-02-2009\Users\00000002\UsrClass.dat
+ 2009-02-16 16:59:18 144,792 ----a-w c:\winnt\system32\java.exe
+ 2009-02-16 16:59:18 144,792 ----a-w c:\winnt\system32\javaw.exe
+ 2009-02-16 16:59:18 148,888 ----a-w c:\winnt\system32\javaws.exe
+ 2009-02-20 15:41:54 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_238.dat
+ 2009-02-20 13:13:24 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_23c.dat
+ 2009-02-20 07:40:12 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_240.dat
+ 2009-02-19 14:58:04 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_244.dat
+ 2009-02-20 15:51:04 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_2d0.dat
+ 2004-12-07 09:11:34 258,352 ----a-w c:\winnt\system32\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [04/02/09 15.44 206088]
"SunJavaUpdateSched"="f:\programmi\Java\jre6\bin\jusched.exe" [16/02/09 17.59 148888]
"Synchronization Manager"="mobsync.exe" [19/06/03 11.05 111376 c:\winnt\system32\mobsync.exe]
"AtiPTA"="atiptaxx.exe" [27/09/01 00.39 245760 c:\winnt\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\programmi\Internet Explorer\Connection Wizard\icwconn1.exe" [19/06/03 11.05 188176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R?2 geedozb;Shell Boot;c:\winnt\system32\svchost.exe -k netsvcs [1999-12-23 7952]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2008-01-29 33808]
R2 eugss;EUTRON SmartKey GSS2 Driver;c:\winnt\system32\drivers\eugss2k.sys [2008-01-21 63336]
R2 eusk2par;EUTRON SmartKey Parallel Driver;c:\winnt\system32\drivers\eusk2par.sys [2008-01-21 30656]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [2008-04-30 24592]
S2 XipConnect;Xway TCP/IP;c:\xwaydrv\XIPCONNECT.EXE --> c:\xwaydrv\XIPCONNECT.EXE [?]
S3 Duntlw;UNTLW device;c:\winnt\system32\Drivers\DuntlwNT.sys --> c:\winnt\system32\Drivers\DuntlwNT.sys [?]
S3 gpibclsb;GPIB Board Class Driver;c:\winnt\system32\Drivers\gpibclsb.sys --> c:\winnt\system32\Drivers\gpibclsb.sys [?]
S3 gpibclsd;GPIB Device Class Driver;c:\winnt\system32\Drivers\gpibclsd.sys --> c:\winnt\system32\Drivers\gpibclsd.sys [?]
S3 HPFLASH0;HPFLASH0;\??\c:\swsetup\SP30221\HPFlash.sys --> c:\swsetup\SP30221\HPFlash.sys [?]
S3 skeyusb;SmartKey USB;c:\winnt\system32\drivers\skeyusb.sys [2008-01-21 43968]
S3 tap0801;TAP-Win32 Adapter V8;c:\winnt\system32\drivers\tap0801.sys [2004-06-24 23552]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
geedozb
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = <local>
IE: Converti destinazione link in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti nel file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti selezione in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {C34AF2CE-F228-47F9-8D01-5AEDBF139AFA} = 151.99.125.1
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 16:56:41
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geedozb]
"ServiceDll"="c:\winnt\system32\dwfvqwxb.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(264)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1376)
c:\winnt\AppPatch\AcLayers.DLL
c:\progra~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\programmi\File comuni\Microsoft Shared\Web Components\10\1040\OWCI10.DLL
c:\progra~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\programmi\File comuni\Microsoft Shared\Web Components\11\1040\OWCI11.DLL
c:\winnt\system32\SETUPAPI.DLL
.
Completion time: 20/02/2009 17.01.04
ComboFix-quarantined-files.txt 2009-02-20 16:00:34
ComboFix2.txt 2009-02-16 13:37:09
ComboFix3.txt 2009-02-16 11:17:29
ComboFix4.txt 2009-02-16 09:49:43

Pre-Run: 81.526.784 byte disponibili
Post-Run: 73,261,056 byte disponibili

133 --- E O F --- 2008-07-14 08:19:41
  • 0
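Added example, not from the thread or from either poster: a Python triage helper that reads the Dr.Web CureIt report posted in #20 and the "Reg Loading Points" section of the ComboFix log in #30, pairs each svchost-hosted service with the ServiceDll line ComboFix printed for it, and marks the DLL when the scanner report shows it was already deleted or quarantined. Both embedded texts are constructed excerpts of the logs above, and the parsing relies only on the line formats visible in this thread.

```python
import re
import ntpath  # Windows path handling that works on any host

# Constructed excerpt of the Dr.Web CureIt report posted in #20 (Italian report:
# "Cancellato" = deleted, "Incurabile.Spostato" = incurable, moved to quarantine).
DRWEB_CSV = r"""PSEXESVC.EXE;C:\WINNT;Program.PsExec.170;Incurabile.Spostato.;
dwfvqwxb.dll;C:\WINNT\system32;Win32.HLLW.Shadow.based;Cancellato.;
pskill.exe;D:\Software_Gaz-de-France\Missione_ottobre2001\Gate_PITGAM\sseserver;Tool.Prockill;Incurabile.Spostato.;
"""

# Constructed excerpt of the ComboFix log posted in #30: service lines from the
# "Reg Loading Points" section plus the ServiceDll block ComboFix printed for geedozb.
COMBOFIX_LOG = r"""R?2 geedozb;Shell Boot;c:\winnt\system32\svchost.exe -k netsvcs [1999-12-23 7952]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2008-01-29 33808]
S2 XipConnect;Xway TCP/IP;c:\xwaydrv\XIPCONNECT.EXE --> c:\xwaydrv\XIPCONNECT.EXE [?]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geedozb]
"ServiceDll"="c:\winnt\system32\dwfvqwxb.dll"
"""

# "R"/"S" state, an optional "?" marker, start type, then name;display;image
SERVICE_RE = re.compile(r"^([RS])(\??)(\d)\s+([^;]+);([^;]*);(.*)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.IGNORECASE)


def parse_drweb_removed(csv_text):
    """Return {lower-cased file name: action} for report entries Dr.Web deleted or moved."""
    removed = {}
    for line in csv_text.splitlines():
        fields = line.split(";")
        if len(fields) < 4:
            continue
        name, _directory, _detection, action = fields[:4]
        if action.startswith(("Cancellato", "Incurabile.Spostato")):
            removed[name.lower()] = action.rstrip(".")
    return removed


def parse_combofix_services(log_text):
    """Collect ComboFix service entries (state, start type, image path, svchost group) and
    attach the ServiceDll that ComboFix prints in a [..\\Services\\<name>] block."""
    services = {}
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            state, marker, start, name, display, image = m.groups()
            entry = services.setdefault(name.lower(), {"name": name, "service_dll": None})
            group = None
            lowered = image.lower()
            if "svchost.exe -k " in lowered:
                group = lowered.split("svchost.exe -k ", 1)[1].split()[0]
            entry.update(display=display, image=image, state=state, start_type=int(start),
                         marker=marker, svchost_group=group)
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            continue
        dm = SERVICEDLL_RE.match(line)
        if dm and current_key:
            parts = current_key.split("\\")
            if len(parts) >= 2 and parts[-2].lower() == "services":
                entry = services.setdefault(parts[-1].lower(), {"name": parts[-1], "service_dll": None})
                entry["service_dll"] = dm.group(1).replace("\\\\", "\\")
    return services


def triage_svchost_services(log_text, drweb_csv):
    """List svchost-hosted services that have a ServiceDll, noting whether the scanner
    report says that DLL was already deleted or quarantined (a stale registration)."""
    removed = parse_drweb_removed(drweb_csv)
    findings = []
    for entry in parse_combofix_services(log_text).values():
        dll = entry.get("service_dll")
        if not entry.get("svchost_group") or not dll:
            continue
        findings.append({
            "service": entry["name"],
            "group": entry["svchost_group"],
            "marker": entry.get("marker", ""),
            "service_dll": dll,
            "dll_removed_by_scanner": removed.get(ntpath.basename(dll).lower()),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_svchost_services(COMBOFIX_LOG, DRWEB_CSV):
        print(finding)
```

On this data the only svchost-hosted service with a ServiceDll line is geedozb (group netsvcs), whose DLL dwfvqwxb.dll Dr.Web reported as Cancellato, so the service registration is left pointing at a file that no longer exists; that stale entry is the one a reviewer would expect to be picked out of the #30 log.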
