Mikeo

kidkemfaaaa and Win32.Delf.ajw

12 posts in this topic

My wife's PC has just stopped firing up about one week after an infection with Win32/Delf.ajw. The computer is a Pentium 4 running Win XP Prof SP2.

About a week ago we picked up suspicious pop-ups. The resident anti-virus program, ESET NOD32, did not identify a virus, but Task Manager showed an application "Kidkemfaaaa" was running at start up. A Google search revealed mentions of Kidkemfaaaa on forums in Chinese and Spanish. One post mentioned Kaspersky. An on-line scan by KAV picked up Trojan.Win32.Delf.ajw.

I uninstalled NOD32, installed the 30-day trial version of KAV, and deleted the Trojan. It reappeared the next day, but by switching off System Restore, clearing all temp files etc., and then re-running KAV I thought I had got rid of the Trojan. However, Kidkemfaaaa kept reappearing as a running application on restarting the computer, and I found files "mscol.exe" and "wordict.exe" had appeared in the folder Program Files/Windows NT. Each is about 150kb. If deleted, they reappeared. These files are linked in the forum postings to Kidkemfaaaa. If I end-tasked Kidkemfaaaa it did not reappear until the next start of Windows, that is until today. A few hours ago I could not stop Kidkemfaaaa, the PC behaved oddly, I closed it down and now it will not start properly, calling up a series of script debugging pop-ups. I closed it down, fearing further damage to the files on my wife's PC.

Nothing on Kidkemfaaaa, wordict.exe, mscol.exe on several antivirus supplier sites, nor any English language sites. Nothing specific on Win32.Delf.ajw other than it exists.

I have Win32.Delf.ajw on a USB stick. I have the HTML log of the first KAV on-line scanner report, which I attach. I believe Worm.Win32.Huhk.c is a false alarm. Did the Trojan drop a payload which I have not got rid of? What is the payload and how do I clear the PC?

I am typing this e-mail using my PC, which is networked to my wife's. No sign of infection on mine.

Help please.

Kaspersky_virus_report_20.12.doc

About Kidkemfaaaa: this process is malicious. Can some moderator request a HijackThis log? Because I don't think I'm allowed to do this... :unsure:

Edited by aroon7651

Sure.

hijackthis: http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe

Download, execute, choose "do a scan and save logfile", and save the log.

I would also request a ComboFix log: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Download, execute, follow the instructions; when it's done it creates c:\combofix.txt

And the detected log from the Kaspersky full scan. Some Delf variants are hard to remove and have files which don't appear in HJT.

Attach all files here (rather than just copy and paste); it will make the topic easier to follow.

Edited by Lucian Bara

Sorry about my incomplete reply before, I was in a rush.

Can you please submit "mscol.exe" and "wordict.exe" to Kaspersky's VirusLab if they're not detected. Instructions shown here: http://forum.kaspersky.com/index.php?showtopic=13881

Edit: Lucian beat me to it about combofix :)

Edited by dawgg

Thanks for the prompt replies. The problem has been resolved by a friend who came round. He found processes in the registry which he has disabled. There was an executable file ravsvrs.exe which was part of the malicious behaviour. I have sent mscol.exe and wordict.exe to Kaspersky's VirusLab. I will follow the link about recovering the Internet Explorer files related to clearing the false alarm Worm.Win32.Huhk.c. Thanks again.

Could you post those logs anyway, just to make sure your friend got everything?

Yes, unfortunately, Worm.Win32.Huhk.c was a false alarm.

Read here about recovering the explore.exe files if you removed it: http://support.kaspersky.com/viruses/computers?qid=208279581

Tried this, following the instructions. One glitch: in the Backup tab, the file infected with Worm.Win32.Huhk.c which I should restore is listed as explorer.exe\Explorer.EXE. This, I am told when I restore it, is an invalid path. Should I restore it to C:\Windows\explorer.exe?

Thanks

Hello,

Yes, but also... are you missing the task bar and icons on your desktop?

Hello,

Yes, but also... are you missing the task bar and icons on your desktop?

No, taskbar and icons are OK.