Net-Worm.Win32.Kido.ih

Hi to all, I am new here. I am not very good at English, so I hope you will understand.
Yesterday I formatted my computer and installed drivers from CD, then I plugged the cable from the modem into the computer and got an alert from Kaspersky Internet Security 2009 about that threat:
Operating system is Windows XP Service Pack 3
I only had Kaspersky Internet Security 2009, fully updated, because I had just formatted my computer.
I have 2 computers connected by cable, no router. I formatted both computers after that, but I think it had already done what it had to do, because the internet is not working correctly: when we are both on the internet we lose the connection and need to restart the modem every time. I tested the modem; I thought maybe the problem was with the modem, but there is nothing wrong with the modem. I read about Kido on the net, but I don't know how to remove it completely from the computer, and I am afraid it has infected my driver CDs. I formatted the USB too
and formatted my other partition too. My question: does it stay on the computer even after formatting it, and how do I correct the mess it has made?
Thanks to all.

Kaspersky supply a tool to remove this: KidoKiller.
The link for the zip file and instructions are about half way down the page.
Dennis

Thanks Dennis, yes, I downloaded that tool but it can't find anything, and I have formatted my computer already, but I think that it is coming back somehow and its services are running. Does Comodo Internet Security protect against it?

Here is another link from Kaspersky viruslist.
Quote:- Net-Worm.Win32.Kido exploits a critical vulnerability (MS08-067) in Microsoft Windows to spread via local networks and removable storage media.
Dennis

Thanks for the help, Dennis.

If you have further problems please follow the instructions posted here
Dennis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:37, on 16.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\Quick Heal\Quick Heal Total Security\opssvc.exe
C:\PROGRA~1\Quick Heal\Quick Heal Total Security\EMLPROXY.EXE
C:\PROGRA~1\Quick Heal\Quick Heal Total Security\quhlpsvc.exe
C:\PROGRA~1\Quick Heal\Quick Heal Total Security\scanwscs.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\PROGRA~1\Quick Heal\Quick Heal Total Security\EMLPROUI.EXE
C:\PROGRA~1\Quick Heal\Quick Heal Total Security\UPSCHD.EXE
C:\PROGRA~1\Quick Heal\Quick Heal Total Security\SCANMSG.EXE
C:\PROGRA~1\Quick Heal\Quick Heal Total Security\OnlineNT.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\Quick Heal\Quick Heal Total Security\EMLPROUI.EXE
O4 - HKLM\..\Run: [Scanner Reminder] C:\PROGRA~1\Quick Heal\Quick Heal Total Security\remind.exe
O4 - HKLM\..\Run: [Update Scheduler] C:\PROGRA~1\Quick Heal\Quick Heal Total Security\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\Quick Heal\Quick Heal Total Security\CATEYE.EXE
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\Quick Heal\Quick Heal Total Security\SCANMSG.EXE
O4 - HKLM\..\Run: [Startup Scan] C:\PROGRA~1\Quick Heal\Quick Heal Total Security\sensor.exe /loadrun
O4 - HKLM\..\Run: [ResumeQuickupDownload] C:\PROGRA~1\Quick Heal\Quick Heal Total Security\acappaa.exe
O4 - HKLM\..\Run: [Quick Heal Monitor] C:\PROGRA~1\Quick Heal\Quick Heal Firewall Pro\op_mon.exe /tray /noservice
O4 - HKLM\..\RunOnce: [Startup Scan] C:\PROGRA~1\Quick Heal\Quick Heal Total Security\sensor.exe /check
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs: c:\progra~1\quick heal\quick heal firewall pro\wl_hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Quick Heal Client Security Service (acssrv) - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\Quick Heal\Quick Heal Firewall Pro\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Protection System - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\Quick Heal\Quick Heal Total Security\opssvc.exe
O23 - Service: Quick Heal Total Security Mail Protection - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\Quick Heal\Quick Heal Total Security\EMLPROXY.EXE
O23 - Service: Quick Update Service - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\Quick Heal\Quick Heal Total Security\quhlpsvc.exe
O23 - Service: Total Security Helper Service WSC (ScanWscS) - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\Quick Heal\Quick Heal Total Security\scanwscs.exe
O23 - Service: Quick Heal Total Security Startup Handler (Startup Handler) - Quick Heal Technologies (P) Ltd. - C:\PROGRA~1\Quick Heal\Quick Heal Total Security\strtsvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe


End of file - 5531 bytes

No sign of Kaspersky on your computer, only Quick Heal which I never heard of. If that is a reliable antivirus and firewall there are no signs of problems in the HJT log.

Quick Heal is a known Indian (if I remember right) antivirus. It lacks western detections, so I suggest you move on to another antivirus if you live in Europe / America.

Formatting: nothing can, as far as I know, survive it. So you should be safe.

Xan