Got infected but can't remove it

[LunarWolf]

Hi,

I need your help again. I am running KIS 09 8.0.0.506.If I were not mistaken, this morning my PC got infected with this worm which KIS could not do anything. It told me to skip (Do not perform any actions) which was recommend. I think was from my father's pendrive. He didn't opened the pendrive. Just copied some file containing his photos he had taken and transfered it to the pendrive. I personally set my KIS proactive defences (Files and memory) to scan :
a) all removeable drive
b) all hard drives
c) system memory
d) disk boot sectors
e) startup objects.

My scan for it is a) Heuristic Analysis
b) Deep scan

I have runned a full scan and it found another virus of the same type in the C:\Documents and Settings\Network Service\Local Settings\Temporary Internet Files\Content.IE5\0YWUMNO7\nwlco[1].jpg and KIS successfully deleted it away.
But the same virus cannot be deleted in another place. The details are as follow :
Name of virus :Net-Worm.Win32.Kido.ed
Location : C:\windows\system32\rkrnab.dll
Reasons cannot Disinfect or Delete : write access is denied

What does this Net-Worm.Win32.Kido.ed virus does?

What should I do? I know if I manually remove it, I will be touching my system32 files which I know is the core of the computer. When that happens, the running process of my computer will be affected. If I do delete it, it will be like leaving a gaping hole in my system which I don't want.

This are the actions I am thinking of taking.
a) Uninstall KIS and go for NIS. Hopefully Nis will be able to remove it.
b) Stick to KIS and and don't do anything as my computer is running smoothly. No clues a virus is present.
c) Stick to KIS and deleting it manually. My last resort as I know somehow the running of my computer will be affected.

Please advice me as I do not like this kind of things. Powerless to do anything.

P.S Happy Chinese New Year to those who celebrates Chinese New Year. Do enjoy the abundance gorgeous food. Hehe...


Thank you in advance for helping me out.

[brayden]

Download FileAssasin and delete the file with it. Virus creators use the WINDOWS folder to drop in viruses because they know most users would think "Oh it must be important" and freak out.
The file doesn't sound legitimate to me too.

[Odie]

It seems as if you are infected with the conficer worm. Ceyfer covered it in detail here.

[Ceyfer √]

U might probably infected by the Worm:Win32/Conficker.B

------

Analysis

http://www.threatexpert.com/report.a...369e232704fa4d
http://www.microsoft.com/security/po...32/Conficker.B

------

DOWNLOAD THESE REMOVERS

• Malicious Software Removal Tool
• K7Downadup
• W32.Downadup
• W32.Downadup.B

Goodluck!

[laylow21]

will it/theworm let you download them A/Ss onto infected machine ceyfer.

[Ceyfer √]

will it/theworm let you download them A/Ss onto infected machine ceyfer.

On ur own infected Pc the worm might blocked those AV/AS sites - It depends how the worm penetrated ur system?

So the best thing is download the said remover on the other Pc

[softcrack]

If u have windows fully updated then type mrt in run command box and follow the instructions and remember Kis is best but u have to update it daily.

[Rekhyt]

I got infected about 3 weeks ago with a virus or worm or something, ( i forgot the name, will post the print Screen of Malwarebyte when detected it, if i still have it :d) the symptom was that my computer show Windows Error Reporting Services very frequently, the Windows automatic updates is disable,unable to browse any AV or anti spyware website, unable to update my KIS. every time i update my windows my IE show Google main page eventhouhg the link in the address bar is windowsupdate.

KIS 2009 Detect Nothing, Spybot S&D detect one trojan called IPChanger.W32. but still the same symptom after reboot, my computer cleaned after i scanned with Malwarebyte's, but you need to turn off system restore.

Do not uninstall KIS 2009,stay with it, but you can download Malwarebyte's and install it together withs KIS, my KIS 2009 just fine with Malwarebyte's.

i don't know if my computer was infected with Conficker, i hope it was not. :d.

Ps: i just uploaded the screen show the detected file by Malwarebyte's.

[ahmadmaher]

i googled the worm name and found this for you :

Step 1: Use Windows File Search Tool to Find kvnab.dll Path

1. Go to Start > Search > All Files or Folders.
2. In the "All or part of the the file name" section, type in "kvnab.dll" file name(s).
3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
4. When Windows finishes your search, hover over the "In Folder" of "kvnab.dll", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete kvnab.dll in the following manual removal steps.


Step 2: Use Windows Command Prompt to Unregister kvnab.dll Files

1. Open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
2. Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the kvnab.dll DLL file is located and press the "Enter" button on your keyboard. If don't know where kvnab.dll DLL file is located, use the "dir" command to display the directory's contents.
3. To unregister "kvnab.dll" DLL file, type in the exact directory path + "regsvr32 /u" + [DLL_NAME] (for example, :C\folder\> regsvr32 /u kvnab.dll.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file.
4. Type in "dir /A name_of_the_folder" (for example, C:\folder), which will display the folder's content even the hidden files.
5. To change directory, type in "cd name_of_the_folder".
6. Once you have the file you're looking for type in del "name_of_the_file".
7. To delete a file in folder, type in "del name_of_the_file".
8. To delete the entire folder, type in "rmdir /S name_of_the_folder".

Step 3: Detect and Delete Other kvnab.dll Files

1. Select the "kvnab.dll" process and click on the "End Process" button to kill it.


- Restart and that should do it ... but i recommend you check also by safe mode

[Rekhyt]

Just Google type name of worm you mentioned above and Google find this link, i hope this will give you more information to help you more :

http://www.threatexpert.com/report.aspx?md5=7bb455ea4a77b24478fba4de145115eb

good luck man

Uuppss.... , I just realized that Ceyfer already posted the link i provided above, sorry everyone,specialy ceyfer.