kidkemfaaaa and Win32.Delf.ajw, Can't clear infection processes
Barum_mike
post 31.12.2007 04:31
Post #1

Newbie
Group: Members
Posts: 5
Joined: 31.12.2007

My wife's PC has just stopped firing up about one week after an infection with Win32/Delf.ajw. The computer is a Pentium 4 running Win XP Prof SP2.
About a week ago we picked up suspicious pop-ups. The resident anti-virus program, ESET NOD32, did not identify a virus, but Task Manager showed an application "Kidkemfaaaa" was running at start-up. A Google search revealed mentions of Kidkemfaaaa on forums in Chinese and Spanish. One post mentioned Kaspersky. An on-line scan by KAV picked up Trojan.Win32.Delf.ajw.
I uninstalled NOD32, installed the 30-day trial version of KAV, and deleted the Trojan. It reappeared the next day, but by switching off System Restore, clearing all temp files, etc., and then re-running KAV I thought I had got rid of the Trojan. However, Kidkemfaaaa kept reappearing as a running application on restarting the computer, and I found files "mscol.exe" and "wordict.exe" had appeared in the folder Program Files/Windows NT. Each is about 150 KB. If deleted, they reappeared. These files are linked in the forum postings to Kidkemfaaaa. If I End Tasked Kidkemfaaaa it did not reappear until the next start of Windows, that is, until today. A few hours ago I could not stop Kidkemfaaaa, the PC behaved oddly, I closed it down and now it will not start properly, calling up a series of script debugging pop-ups. I closed it down, fearing further damage to the files on my wife's PC.
Nothing on Kidkemfaaaa, wordict.exe or mscol.exe on several antivirus supplier sites, nor on any English-language sites. Nothing specific on Win32.Delf.ajw other than that it exists.
I have Win32.delf.ajw on a USB stick. I have the HTML log of the first KAV on-line scanner report, which I attach. I believe Worm.Win32.Huhk.c is a false alarm. Did the Trojan drop a payload which I have not got rid of? What is the payload and how do I clear the PC?
I am typing this e-mail using my PC, which is networked to my wife's. No sign of infection on mine.

Help please.

Attached File(s)
Kaspersky_virus_report_20.12.doc (112K)

dawgg
post 31.12.2007 12:41
Post #2

Forum Elite
Group: Moderators
Posts: 9300
Joined: 6.04.2006
From: London

Yes, unfortunately, worm.win32.huhk.c was a false alarm.
Read here about recovering the explorer.exe files if you removed it: http://support.kaspersky.com/viruses/computers?qid=208279581

This post has been edited by dawgg: 31.12.2007 12:42
aroon7651
post 31.12.2007 20:55
Post #3

Advanced Member III
Group: Members
Posts: 526
Joined: 28.08.2006
From: usa

About Kidkemfaaaa: this process is malicious. Can some moderator request a HijackThis log? Because I don't think I'm allowed to do this...

This post has been edited by aroon7651: 31.12.2007 20:56
Lucian Bara
post 31.12.2007 22:02
Post #4

Are You Kidding?
Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania

Sure.
HijackThis: http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe
Download, execute, choose "do a scan and save logfile" and save the log.
I would also request a ComboFix log: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Download, execute, follow the instructions; when it's done it creates c:\combofix.txt

And the detected log from the Kaspersky full scan. Some Delf variants are hard to remove and have files which don't appear in HJT.
Attach all files here (rather than just copying and pasting); it will make the topic easier to follow.

This post has been edited by Lucian Bara: 31.12.2007 22:02
dawgg
post 31.12.2007 22:08
Post #5

Forum Elite
Group: Moderators
Posts: 9300
Joined: 6.04.2006
From: London

Sorry about my incomplete reply before, I was in a rush.
Can you please submit "mscol.exe" and "wordict.exe" to Kaspersky's VirusLab if they're not detected. Instructions shown here: http://forum.kaspersky.com/index.php?showtopic=13881

Edit: Lucian beat me to it about ComboFix.

This post has been edited by dawgg: 31.12.2007 22:09
Barum_mike
post 1.01.2008 17:41
Post #6

Newbie
Group: Members
Posts: 5
Joined: 31.12.2007

Thanks for the prompt replies. The problem has been resolved by a friend who came round. He found processes in the registry which he has disabled. There was an executable file ravsvrs.exe which was part of the malicious behaviour. I have sent mscol.exe and wordict.exe to Kaspersky's VirusLab. I will follow the link about recovering the Internet Explorer files related to clearing the false alarm worm.win32.huhk.c. Thanks again.
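An added triage script, not from the thread or from Kaspersky's tools, covering what the first post describes (files reappearing under Program Files\Windows NT, an application running at start-up) and what post #6 describes (registry autostart entries, sending samples to VirusLab): it lists the Run-key autostart values and flags any that reference the names given in this thread, hashes the two files under %ProgramFiles%\Windows NT so they can be quoted when submitting samples, and lists running processes whose name or window title matches. It assumes a Windows host with PowerShell 2.0 or later run from an elevated prompt; the only names it knows are the ones the posts mention, and it reports rather than deletes, since anything that recreates the files must be disabled before deletion sticks.

```powershell
# Triage only: report autostart values, dropper files and processes matching
# the names from the thread. Assumes Windows, PowerShell 2.0+, elevated prompt.
$suspectNames = @('mscol.exe', 'wordict.exe', 'ravsvrs.exe', 'Kidkemfaaaa')  # names taken from the thread

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $cmd = [string]$p.Value
            # flag the value if any suspect name occurs in its command line (case-insensitive)
            $hit = [bool]($suspectNames | Where-Object { $cmd -match [regex]::Escape($_) })
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $cmd; Suspect = $hit }
        }
    }
}

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET so it also works on PowerShell versions without Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

'== Autostart values referencing the suspect names =='
Get-AutostartEntries | Where-Object { $_.Suspect } | Format-Table Key, Name, Command -AutoSize

'== Dropped files (quote size and hash when submitting samples) =='
$dropDir = Join-Path $env:ProgramFiles 'Windows NT'
foreach ($n in 'mscol.exe', 'wordict.exe') {
    $f = Join-Path $dropDir $n
    if (Test-Path $f) { '{0}  {1} bytes  SHA256={2}' -f $f, (Get-Item $f).Length, (Get-Sha256Hex $f) }
}

'== Running processes whose name or window title matches =='
Get-Process | Where-Object {
    $proc = $_
    $suspectNames | Where-Object { $proc.Name -eq ($_ -replace '\.exe$', '') -or $proc.MainWindowTitle -match [regex]::Escape($_) }
} | Select-Object Id, Name, Path, MainWindowTitle
```

Task Manager's Applications tab shows window titles rather than image names, which is why the process check also matches on MainWindowTitle.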

Lucian Bara
post 1.01.2008 18:00
Post #7

Are You Kidding?
Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania

Could you post those logs anyway, just to make sure your friend got everything?
Barum_mike
post 1.01.2008 18:08
Post #8

Newbie
Group: Members
Posts: 5
Joined: 31.12.2007

QUOTE(dawgg @ 31.12.2007 08:41)
Yes, unfortunately, worm.win32.huhk.c was a false alarm.
Read here about recovering the explorer.exe files if you removed it: http://support.kaspersky.com/viruses/computers?qid=208279581

Tried this, following instructions. One glitch. In the Backup tab the file infected with worm.win32.huhk.c which I should restore is listed as explorer.exe\Explorer.EXE . This, I am told when I restore it, is an invalid path. Should I restore it to C:\Windows\explorer.exe ?

Thanks
Lucian Bara
post 1.01.2008 19:04
Post #9

Are You Kidding?
Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania

Hello.
Yes, but also... are you missing the taskbar and icons on your desktop?
Barum_mike
post 1.01.2008 19:11
Post #10

Newbie
Group: Members
Posts: 5
Joined: 31.12.2007

QUOTE(Lucian Bara @ 1.01.2008 14:00)
Could you post those logs anyway, just to make sure your friend got everything?

Attached the Threatfix and Combofix logs. Not sure how to find and attach the KAV detection log.

Cheers

Mike
Attached File(s)
Combofix_log_2008.01.01.txt (8,46K)
hijackthis_logfile_2008.01.01.txt (11,11K)

Barum_mike
post 2.01.2008 04:10
Post #11

Newbie
Group: Members
Posts: 5
Joined: 31.12.2007

QUOTE(Lucian Bara @ 1.01.2008 15:04)
Hello.
Yes, but also... are you missing the taskbar and icons on your desktop?

No, taskbar and icons ok.
dawgg
post 2.01.2008 15:33
Post #12

Forum Elite
Group: Moderators
Posts: 9300
Joined: 6.04.2006
From: London

Don't worry about restoring explorer.exe then.