
Thursday, August 27, 2009

removal instructions for kido virus

To prevent workstations and file servers from being infected with the worm, you are recommended to do the following.
  • Install the patches from Microsoft that cover the vulnerabilities addressed by MS08-067, MS08-068 and MS09-001 (on those pages you have to select the operating system installed on the infected PC, then download and install the corresponding patch)
  • Make sure the password of the local administrator account is not obvious and cannot be guessed easily: it should be at least 6 characters long and mix uppercase and lowercase letters, numbers and non-alphanumeric characters such as punctuation marks
  • Disable autorun of executable files from removable drives
  • Block access to TCP ports 445 and 139 with a firewall (you only need to block these ports while you perform the disinfection; as soon as the entire network is disinfected, feel free to unblock them)
remove kido virus with kk.exe tool (provided by kaspersky)
  • First download kk.exe (click here to download)
  • Extract the contents into a folder on the infected PC
  • Temporarily disable your antivirus
  • Run the file KK.exe
  • Wait until the scan is complete
  • Re-enable your antivirus, update it as necessary and perform a full scan of your computer.
additional information about removing the kido virus, and removing it via the admin kit - click here

security patches from microsoft - click here to visit the site and select the appropriate package for your pc.

impact of kido virus

Kido is a worm. A worm is a type of virus that replicates by resending itself as an e-mail attachment or as part of a network message. Unlike a regular computer virus, a worm is self-contained and does not need to be part of another program to duplicate itself. A worm hides in active memory and performs malicious acts, such as consuming part of the computer's system resources. Worms are usually invisible to the user and are designed to affect the computer's performance. A worm takes control of remote systems without any help from the user and can delete files, send documents via e-mail, or encrypt files.

Once you are infected with Kido, the following things can happen:
  • It compromises your privacy by transmitting your personal information and downloading pop-up advertisements.
  • It can track which websites you visit and what terms you type. Spyware uses this information to deliver targeted ads to you, and data about your surfing activity may be sold to third parties.
  • Slow computer performance. A sluggish computer is one of the easiest signs that you have been infected with Kido. Kido and other unwanted software use your computer's resources for their tasks, such as displaying pop-ups or tracking your surfing activity. If your computer slows down dramatically or crashes a lot, you may be infected with unwanted software.
Signs of network infection
  • Network traffic volume increases if there are infected PCs in the network, because the network attack starts from those PCs.
  • An anti-virus product with its Intrusion Detection System enabled reports the attack Intrusion.Win.NETAPI.buffer-overflow.exploit
  • It is impossible to access the websites of most anti-virus companies, e.g. Avira, Avast, eSafe, DrWeb, ESET, NOD32, F-Secure, Panda, Kaspersky, etc. (and the list goes on)
Termination of services
  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)
Short description of the Net-Worm.Win32.Kido family
  • It creates the files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx on removable drives (sometimes on public network shares)
  • It stores itself in the system as a DLL file with a random name, for example c:\windows\system32\zorizr.dll
  • It registers itself as a system service with a random name, for example knqdgsm.
  • It tries to attack network computers via TCP port 445 or 139, using an MS Windows vulnerability
  • It tries to connect to the sites http://www.getmyip.org, http://getmyip.co.uk, http://www.whatsmyipaddress.com, http://www.whatismyip.org and http://checkip.dyndns.org in order to learn the external IP address of the infected computer (the recommended action is to configure a rule in the network firewall to monitor connection attempts to these sites)
Note - if you cannot access websites due to a Kido infection, there is a small thing to try; follow these steps
  • open the Microsoft Services window (Start > Run > type services.msc > press Enter)
  • in the list of services, find the DNS Client service
  • stop the service (right-click on the service > click Stop)
  • now try to open the website (hope this helps; it really worked for me in a Kido infection case)
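A PowerShell triage script added here (not from the original post and not Kaspersky's tool) that checks a machine against the indicators listed above: the state of the six services the worm stops, and autorun.inf or RECYCLED\...\*.vmx files on removable drives. It assumes Windows PowerShell 3 or later and an administrator prompt, and it only reports; nothing is changed.

```powershell
# Added triage script, not part of the original post. Report-only.

# The services the post says the worm terminates
$services = @('wscsvc', 'wuauserv', 'BITS', 'WinDefend', 'ersvc', 'wersvc')

Write-Host "== Service state =="
foreach ($name in $services) {
    # Win32_Service exposes both State and StartMode
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Not every service exists on every Windows version (ersvc is XP, wersvc is Vista and later)
        Write-Host ("{0,-10} not present on this system" -f $name)
        continue
    }
    $flag = if ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') { 'CHECK' } else { 'ok' }
    Write-Host ("{0,-10} State={1,-8} StartMode={2,-9} {3}" -f $name, $svc.State, $svc.StartMode, $flag)
}

Write-Host "`n== Removable drives =="
# DriveType 2 = removable disk
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2'
foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        # -Force is needed because the file is normally hidden
        $attrs = (Get-Item -LiteralPath $autorun -Force).Attributes
        Write-Host "$root autorun.inf present (attributes: $attrs)"
    }
    # The dropper path the post describes: RECYCLED\{SID...}\RANDOM_NAME.vmx
    $recycled = Join-Path $root 'RECYCLED'
    if (Test-Path -LiteralPath $recycled) {
        Get-ChildItem -LiteralPath $recycled -Recurse -Force -Filter '*.vmx' -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Host "$($_.FullName) ($($_.Length) bytes)" }
    }
}
```

A service reported as CHECK is not proof of infection on its own (Windows Defender is legitimately absent or disabled on many builds), so read the output together with the network signs above.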

Friday, June 26, 2009

remove autorun.inf viruses using command prompt

use "attrib" to check for viruses or malware

"attrib" is a very useful tool to check whether your hard drives, and even your USB disks, have been infected by a virus.

You can tell that malware is on your hard drive just by looking at the attributes of each file: a file that carries the attributes +s +h +r is the suspect.

The function of attrib is to set and remove file attributes (read-only, archive, system and hidden).


start attrib

To start attrib

  1. Go to Start Menu > Run

  2. Type cmd (cmd stands for command prompt)

  3. Press Enter key

The Command Prompt will appear, showing our current location in the directory tree.


using attrib

To use attrib

Go to the command prompt

1. First go to the root of the drive by typing cd\ and pressing Enter (because this is always the target of malware / viruses)

2. Type attrib and press Enter key

+s - meaning it is a system file (which also means that you cannot delete it just by using the delete command)

+h - means it is hidden (so you cannot delete it)

+r - means it is a read only file ( which also means that you cannot delete it just by using the delete command)

Now we need to set the attributes of autorun.inf to -s -h -r (so that we can delete it manually)

  1. Type attrib -s -h -r autorun.inf in the command prompt and press Enter (be sure to include all of -s -h -r, because you cannot change the attributes using only -s, -h or -r alone)

  2. Type attrib again to check that your changes have been committed

  3. If the autorun.inf file has no more attributes, you can now delete it by typing del autorun.inf

Repeat these steps to remove viruses from the other partitions, external hard disks or USB drives.

NOTE : when autorun.inf keeps coming back even after you have deleted it, check your Task Manager by pressing CTRL + ALT + DELETE: a virus is still running as a process, which is why you cannot delete the file. KILL the process first by selecting it and clicking End Process. Use process-listing software such as RunScanner or Autoruns to view suspect processes; you can find these programs here.
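The same check, scripted: a PowerShell example added here (not from the original post) that lists files in the root of every fixed and removable drive whose attributes combine Hidden, System and ReadOnly (the +s +h +r pattern described above), shows which program an autorun.inf would launch, and prints the attrib command that would clear the attributes. It assumes Windows PowerShell 3 or later and does not delete or modify anything.

```powershell
# Added example, not part of the original post. Report-only; nothing is deleted.

# The three attributes that together form the post's +s +h +r signature
$suspicious = [System.IO.FileAttributes]::Hidden -bor
              [System.IO.FileAttributes]::System -bor
              [System.IO.FileAttributes]::ReadOnly

# DriveType 2 = removable disk, 3 = local fixed disk
$roots = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3' |
         ForEach-Object { $_.DeviceID + '\' }

foreach ($root in $roots) {
    # -Force is required, otherwise hidden and system files are skipped entirely
    $files = Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $hasAll = (($f.Attributes -band $suspicious) -eq $suspicious)
        if (-not $hasAll) { continue }
        # autorun.inf is the file the post targets; some boot files (e.g. bootmgr) legitimately carry +s +h +r
        $note = if ($f.Name -ieq 'autorun.inf') { 'AUTORUN' } else { 'review' }
        Write-Host ("{0,-8} {1}  attributes={2}" -f $note, $f.FullName, $f.Attributes)
        Write-Host ("         to clear: attrib -s -h -r ""{0}""" -f $f.FullName)
        if ($f.Name -ieq 'autorun.inf') {
            # The open= / shellexecute= / shell\...\command= lines name the executable autorun would start,
            # which is the .exe the post says must be deleted along with autorun.inf
            Get-Content -LiteralPath $f.FullName -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' } |
                ForEach-Object { Write-Host "         launches: $_" }
        }
    }
}
```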

Thursday, June 11, 2009

Remove heap41a virus

How to Remove heap41a virus

  1. Press CTRL+ALT+DEL to open task manager

  2. Go to the Processes tab and look for svchost.exe under "Image Name". There will be many, but look for the ones that have your username under "User Name".

  3. Press DEL to kill these processes. It will give you a warning; simply press Yes

  4. Repeat for other svchost.exe files with your username. Note: Do not kill svchost.exe under system, local service or network service.

  5. Type C:\heap41a in Start Menu > Run and press Enter. You need to do this because it is a hidden folder.

  6. Delete all files inside this folder.

  7. Again go to Start Menu > Run and type in Regedit

  8. Go to the menu Edit > Find

  9. Type "heap41a" here and press enter. You will get something like this "[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt"

  10. Select that and press DEL. It will ask "Are you sure you want to delete this value"; click Yes

  11. Now close the registry editor and you are done.

Make sure to delete the autorun.inf file and any unrecognized file ending in .exe on your pen drives and other external hard drives, otherwise it will replicate itself again.
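A PowerShell check added here (not from the original post) that covers the three places the steps above visit: the hidden C:\heap41a folder, the Winlogon registry key (every value is searched for the string "heap41a"), and svchost.exe processes running under your own account, with their executable path so the C:\heap41a copy stands out from the real one in System32. It assumes Windows PowerShell 3 or later and only reports.

```powershell
# Added example, not part of the original post. Report-only; nothing is killed or deleted.

$folder = 'C:\heap41a'
if (Test-Path -LiteralPath $folder) {
    Write-Host "$folder exists (attributes: $((Get-Item -LiteralPath $folder -Force).Attributes))"
    # -Force is required: the post notes the folder and its contents are hidden
    Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "  $($_.Name)  $($_.Length) bytes" }
} else {
    Write-Host "$folder not found"
}

# Winlogon is where the post's registry hit lives; check the machine and user hives
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own PS* metadata properties; every real value is examined
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match 'heap41a') {
            Write-Host "$key : $($p.Name) = $($p.Value)"
        }
    }
}

# The processes the post tells you to end: svchost.exe owned by your own account.
# Legitimate svchost.exe instances run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE from System32.
Get-CimInstance -ClassName Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($owner.User -and $owner.User -eq $env:USERNAME) {
        Write-Host ("svchost.exe PID {0} owner {1}\{2} path {3}" -f $_.ProcessId, $owner.Domain, $owner.User, $_.ExecutablePath)
    }
}
```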