How to remove this "worm"?

• silvercap

  23 Mar 07, 00:30

  My Kaspersky Antivirus sometimes will detect this fellow, but I have no ideal how did I get this worm?
  
  How can I remove it?
  
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  3/22/2007 11:40:38 AM Intrusion.Win.MSSQL.worm.Helkern! Attacker's IP address: 202.100.109.213. Protocol/service: UDP on local port 1434. Time: 3/22/2007 11:40:38 AM
  
• Master -_-

  23 Mar 07, 00:31

  erm wake up early? so the early bird can...erm nvm
• gigabyte14

  23 Mar 07, 00:33

  see the location, did u try to manually delete it?
• ndmmxiaomayi

  23 Mar 07, 00:38

  Looks more than hacker attack than a virus attack.
  
  I don't know since when antivirus report port number, protocol used and IP address.
  
  That's the job of a firewall, not antivirus.
• alvin-ncs

  23 Mar 07, 00:50

  firewall...
  
  stop all internet connection den scan computer...
• silvercap

  23 Mar 07, 00:55

  I just checked the IP address, it's the fucking chinaman try to hack my computer!
  
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  OrgName: Asia Pacific Network Information Centre
  OrgID: APNIC
  Address: PO Box 2131
  City: Milton
  StateProv: QLD
  PostalCode: 4064
  Country: AU
  
  ReferralServer: whois://whois.apnic.net
  
  NetRange: 202.0.0.0 - 203.255.255.255
  CIDR: 202.0.0.0/7
  NetName: APNIC-CIDR-BLK
  NetHandle: NET-202-0-0-0-1
  Parent:
  NetType: Allocated to APNIC
  NameServer: NS1.APNIC.NET
  NameServer: NS3.APNIC.NET
  NameServer: NS4.APNIC.NET
  NameServer: TINNIE.ARIN.NET
  NameServer: NS-SEC.RIPE.NET
  NameServer: DNS1.TELSTRA.NET
  Comment: This IP address range is not registered in the ARIN database.
  Comment: For details, refer to the APNIC Whois Database via
  Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
  Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
  Comment: for the Asia Pacific region. APNIC does not operate networks
  Comment: using this IP address range and is not able to investigate
  Comment: spam or abuse reports relating to these addresses. For more
  Comment: help, refer to http://www.apnic.net/info/faq/abuse
  Comment:
  RegDate: 1994-04-05
  Updated: 2005-05-20
  
  OrgTechHandle: AWC12-ARIN
  OrgTechName: APNIC Whois Contact
  OrgTechPhone: 7 3858 3100
  OrgTechEmail: [email protected]
  
  # ARIN WHOIS database, last updated 2007-03-21 19:10
  # Enter ? for additional hints on searching ARIN's WHOIS database.
  % [whois.apnic.net node-2]
  % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
  
  inetnum: 202.100.96.0 - 202.100.127.255
  netname: CHINANET-NX
  descr: CHINANET ningxia province network
  descr: China Telecom
  descr: A12,Xin-Jie-Kou-Wai Street
  descr: Beijing 100088
  country: CN
  admin-c: CH93-AP
  tech-c: ZL127-AP
  mnt-by: APNIC-HM
  mnt-lower: MAINT-CHINANET-NINGXIA
  changed: [email protected] 20020115
  changed: [email protected] 20020225
  status: ALLOCATED PORTABLE
  changed: [email protected] 20041210
  source: APNIC
  
  person: Chinanet Hostmaster
  nic-hdl: CH93-AP
  e-mail: [email protected]
  address: No.31 ,jingrong street,beijing
  address: 100032
  phone: 10-58501724
  fax-no: 10-58501724
  country: CN
  changed: [email protected] 20051212
  mnt-by: MAINT-CHINANET
  source: APNIC
  
  person: zhaolong li
  address: 44 jiefangdong street,ningxia,750001,
  address: china
  country: CN
  phone: 951-6018000
  fax-no: 951-6019000
  e-mail: [email protected]
  nic-hdl: ZL127-AP
  mnt-by: MAINT-NEW
  changed: [email protected] 20010220
  source: APNIC
  
• ndmmxiaomayi

  23 Mar 07, 01:00

  Looks like a Chinese hacker.
  
  

  inetnum: 202.100.96.0 - 202.100.127.255
  netname: CHINANET-NX
  descr: CHINANET ningxia province network
  descr: China Telecom
  descr: A12,Xin-Jie-Kou-Wai Street
  descr: Beijing 100088
  country: CN
  admin-c: CH93-AP
  tech-c: ZL127-AP
  mnt-by: APNIC-HM
  mnt-lower: MAINT-CHINANET-NINGXIA
  changed: [email protected] 20020115
  changed: [email protected] 20020225
  status: ALLOCATED PORTABLE
  changed: [email protected] 20041210
  source: APNIC
  
  person: Chinanet Hostmaster
  nic-hdl: CH93-AP
  e-mail: [email protected]
  address: No.31 ,jingrong street,beijing
  address: 100032
  phone: +86-10-58501724
  fax-no: +86-10-58501724
  country: CN
  changed: [email protected] 20051212
  mnt-by: MAINT-CHINANET
  source: APNIC
  
  person: zhaolong li
  address: 44 jiefangdong street,ningxia,750001,
  address: china
  country: CN
  phone: +86-951-6018000
  fax-no: +86-951-6019000
  e-mail: [email protected]
  nic-hdl: ZL127-AP
  mnt-by: MAINT-NEW
  changed: [email protected] 20010220
  source: APNIC

  Kaspersky reports port number 1434 as well. Are you using Microsoft SQL on your PC? More info at Link Logger
  
  Kaspersky info about the Helkern worm - http://www.kaspersky.com/news?id=970183
  
  If you are indeed using Microsoft SQL, please shut it down.
  
  If unsure, download Get Services and HijackThis.
  
  Generate a log and I will be able to tell which processes and services are related to Microsoft SQL.
• silvercap

  23 Mar 07, 01:06

  removed!
• silvercap

  23 Mar 07, 01:08

  removed!
• ndmmxiaomayi

  23 Mar 07, 01:13

  Go to Start > Run and type in services.msc
  
  Locate this service - ASP.NET State Service and double click on it.
  
  Select Manual from the drop-down menu for Startup Type. Then click on Stop.
  
  Click OK to apply the settings. Restart the PC and check that it's not being started.
• hiphop2009

  23 Mar 07, 01:21

  Originally posted by silvercap:

  I just checked the IP address, it's the fucking chinaman try to hack my computer!
  
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  OrgName: Asia Pacific Network Information Centre
  OrgID: APNIC
  Address: PO Box 2131
  City: Milton
  StateProv: QLD
  PostalCode: 4064
  Country: AU
  
  ReferralServer: whois://whois.apnic.net
  
  NetRange: 202.0.0.0 - 203.255.255.255
  CIDR: 202.0.0.0/7
  NetName: APNIC-CIDR-BLK
  NetHandle: NET-202-0-0-0-1
  Parent:
  NetType: Allocated to APNIC
  NameServer: NS1.APNIC.NET
  NameServer: NS3.APNIC.NET
  NameServer: NS4.APNIC.NET
  NameServer: TINNIE.ARIN.NET
  NameServer: NS-SEC.RIPE.NET
  NameServer: DNS1.TELSTRA.NET
  Comment: This IP address range is not registered in the ARIN database.
  Comment: For details, refer to the APNIC Whois Database via
  Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
  Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
  Comment: for the Asia Pacific region. APNIC does not operate networks
  Comment: using this IP address range and is not able to investigate
  Comment: spam or abuse reports relating to these addresses. For more
  Comment: help, refer to http://www.apnic.net/info/faq/abuse
  Comment:
  RegDate: 1994-04-05
  Updated: 2005-05-20
  
  OrgTechHandle: AWC12-ARIN
  OrgTechName: APNIC Whois Contact
  OrgTechPhone: 7 3858 3100
  OrgTechEmail: [email protected]
  
  # ARIN WHOIS database, last updated 2007-03-21 19:10
  # Enter ? for additional hints on searching ARIN's WHOIS database.
  % [whois.apnic.net node-2]
  % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
  
  inetnum: 202.100.96.0 - 202.100.127.255
  netname: CHINANET-NX
  descr: CHINANET ningxia province network
  descr: China Telecom
  descr: A12,Xin-Jie-Kou-Wai Street
  descr: Beijing 100088
  country: CN
  admin-c: CH93-AP
  tech-c: ZL127-AP
  mnt-by: APNIC-HM
  mnt-lower: MAINT-CHINANET-NINGXIA
  changed: [email protected] 20020115
  changed: [email protected] 20020225
  status: ALLOCATED PORTABLE
  changed: [email protected] 20041210
  source: APNIC
  
  person: Chinanet Hostmaster
  nic-hdl: CH93-AP
  e-mail: [email protected]
  address: No.31 ,jingrong street,beijing
  address: 100032
  phone: 10-58501724
  fax-no: 10-58501724
  country: CN
  changed: [email protected] 20051212
  mnt-by: MAINT-CHINANET
  source: APNIC
  
  person: zhaolong li
  address: 44 jiefangdong street,ningxia,750001,
  address: china
  country: CN
  phone: 951-6018000
  fax-no: 951-6019000
  e-mail: [email protected]
  nic-hdl: ZL127-AP
  mnt-by: MAINT-NEW
  changed: [email protected] 20010220
  source: APNIC
  

  how to check? using wad program?....hmm...
• silvercap

  23 Mar 07, 01:22

  Originally posted by ndmmxiaomayi:

  Go to Start > Run and type in services.msc
  
  Locate this service - ASP.NET State Service and double click on it.
  
  Select Manual from the drop-down menu for Startup Type. Then click on Stop.
  
  Click OK to apply the settings. Restart the PC and check that it's not being started.

  Thanks, but my default setting is "Stop".
• silvercap

  23 Mar 07, 01:24

  Originally posted by hiphop2009:

  how to check? using wad program?....hmm...

  This one
  
  http://checkip.narak.com/
• ndmmxiaomayi

  23 Mar 07, 01:25

  HijackThis log shows one infection.
  
  http://www.sophos.com/security/analyses/trojdowdecg.html
  
  Line that shows this infection is O2 - BHO: (no name) - {7ACB5731-5839-13AB-EABC-124791194525} - C:\WINDOWS\system32\msindeo.dll
  
  You are also using FlashGet, a spyware-infected download manager. For more info, read this article.
  
  There are non-infected alternatives being suggested, with Download Express being my favourite.
  
  Fix
  
  Locate this O2 line, put a tick against this entry and click Fix Checked.
  
  Then you will need to show hidden files.
  
  Go to My Computer. Click on Tools > Folder Options.
  
  Select the View tab. Scroll all the way down to Hidden files and folders.
  
  Select Show hidden files and folders radio button.
  
  Untick this box: Hide extensions for known file types.
  
  Click OK.
  
  Now go to C:\Windows\system32 and delete this file: msindeo.dll
  
  Download ATF Cleaner or CCleaner to clear your temporary files (this trojan creates temporary files).
• hiphop2009

  23 Mar 07, 01:26

  Originally posted by silvercap:

  This one
  
  http://checkip.narak.com/

  thanx! i increased my computer knowledge by +1 =D
• ndmmxiaomayi

  23 Mar 07, 01:26

  Originally posted by silvercap:

  Thanks, but my default setting is "Stop".

  Then you better use stealth... you can be "seen".
• silvercap

  23 Mar 07, 01:30

  Originally posted by ndmmxiaomayi:

  Then you better use stealth... you can be "seen".

  How to stealth?
• ndmmxiaomayi

  23 Mar 07, 01:34

  Originally posted by silvercap:

  How to stealth?

  Your firewall... there should one option about hiding you... Drag that slider up to high.
• ndmmxiaomayi

  23 Mar 07, 01:36

  See this article by Kaspersky:
  
  http://www.kaspersky.com/faq?chapter=170708527&qid=172510910
• silvercap

  23 Mar 07, 03:14

  Thanks for ur help!
  
  Good night.
• silvercap

  23 Mar 07, 10:44

  Deleted "msindeo.dll" already, but still receiving attack
  
  3/23/2007 9:32:19 AM
  Intrusion.Generic.TCP.Flags.Bad.Combine.attack! Attacker's IP address: 58.24.17.44. Protocol/service: TCP on local port 8014. Time: 3/23/2007 9:32:19 AM
  
• ndmmxiaomayi

  23 Mar 07, 15:04

  Attacker is from China.
  
  

  inetnum: 58.24.0.0 - 58.25.255.255
  netname: COLNET
  descr: Oriental Cable Network Co., Ltd.
  descr: 9/F, Broadcasting&TV Building, No.651 Nanjing Rd.(W)
  descr: Shanghai, P.R.China 200041
  country: CN
  admin-c: GP192-AP
  tech-c: YY135-AP
  mnt-by: MAINT-CNNIC-AP
  mnt-lower: MAINT-CNNIC-AP
  changed: [email protected] 20060725
  status: ALLOCATED PORTABLE
  source: APNIC
  
  person: Guifei Pang
  nic-hdl: GP192-AP
  e-mail: [email protected]
  address: NO 2860,jinke RD, pudong new area
  address: Shanghai, P.R.China, 201203
  phone: +86-021-51196000-61368
  fax-no: +86-021-51196000-61339
  country: CN
  changed: [email protected] 20060725
  mnt-by: MAINT-CNNIC-AP
  source: APNIC
  
  person: Yuening Yin
  nic-hdl: YY135-AP
  e-mail: [email protected]
  address: NO 2860,jinke RD, pudong new area
  address: Shanghai, P.R.China, 201203
  phone: +86-021-51196000-61323
  fax-no: +86-021-51196000-61339
  country: CN
  changed: [email protected] 20060725
  mnt-by: MAINT-CNNIC-AP
  source: APNIC
  
  inetnum: 58.24.0.0 - 58.25.255.255
  netname: COLNET
  descr: Oriental Cable Network Co., Ltd.
  descr: No. 2860, Jinke Road, Zhangjiang Hi-tech Area
  descr: Shanghai, P.R.China
  country: CN
  admin-c: GP2-CN
  tech-c: YY135-CN
  mnt-by: MAINT-CNNIC-AP
  mnt-lower: MAINT-CN-COLNET
  changed: [email protected] 20060725
  status: ALLOCATED PORTABLE
  source: CNNIC
  
  person: Guifei Pang
  nic-hdl: GP2-CN
  e-mail: [email protected]
  address: NO 2860,jinke RD, pudong new area
  address: Shanghai, P.R.China, 201203
  phone: +86-021-51196000-61368
  fax-no: +86-021-51196000-61339
  country: CN
  changed: [email protected] 20060725
  mnt-by: MAINT-CNNIC-AP
  source: CNNIC
  
  person: Yuening Yin
  nic-hdl: YY135-CN
  e-mail: [email protected]
  address: NO 2860,jinke RD, pudong new area
  address: Shanghai, P.R.China, 201203
  phone: +86-021-51196000-61323
  fax-no: +86-021-51196000-61339
  country: CN
  changed: [email protected] 20060725
  mnt-by: MAINT-CNNIC-AP
  source: CNNIC

  TCP port 8000 onwards ports are for Internet. Are you running some server? Like IIS or Apache? What about P2P programs?
• silvercap

  23 Mar 07, 15:20

  Originally posted by ndmmxiaomayi:

  Attacker is from China.
  
  TCP port 8000 onwards ports are for Internet. Are you running some server? Like IIS or Apache? What about P2P programs?

  Dun know what is IIS or Apache? I think "no".
  
  Sometime I use Bitcomet, but not always open, the problem is eventhough I only run Photoshop, the attack still occur.
  
  My question is, if some one want to hack my PC, he must install a spyware into my PC first, but I did a full scanning already, no virus or spyware found.
• ndmmxiaomayi

  23 Mar 07, 15:24

  Originally posted by silvercap:

  Dun know what is IIS or Apache? I think "no".
  
  Sometime I use Bitcomet, but not always open, the problem is eventhough I only run Photoshop, the attack still occur.
  
  My question is, if some one want to hack my PC, he must install a spyware into my PC first, but I did a full scanning already, no virus or spyware found.

  IIS and Apache are servers.
  
  I don't think they managed to hack you, because Kaspersky already blocked it.