Helkern worm need help!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Big T, Feb 26, 2006.

  1. Big T

    Big T Private E-2

    I have recently found out that I have this worm (I had to reformat recently due to a stupid error on my part). I loaded the Kaspersky virus scan trial version and started to get this notification that Kaspersky had stopped an attack from the internet, that Helkern was blocked from accessing the internet, and it gave an IP that it was trying to connect to. Kaspersky stopped it.

    Report:
    Helkern;Attack via protocol UDP from address 61.185.98.176 to local port 1434 was successfully repelled.;24/02/2006 3:53:42 AM

    Now, I downloaded the fix from Microsoft (Q317748) that was supposed to fix the problem; when I tried to install it, it asks me where I want to extract the files to, but I haven't a freaking clue as to where I'm supposed to put it. So I try a different route: I go to the Microsoft site again and find out that if I download the Microsoft SQL Server 2000 SP3a it already has the fix in it and it should correct my problem. I install 3 different files, sql2kasp3, sql2kdesk3 and sql2kasp3... rebooted, the files installed, and hoped everything was good.

    15 mins later Kaspersky pops up saying it has stopped Helkern again; the fix didn't work. I have read also that if I can get to the Microsoft SQL Server 2000 and disable it this will also stop this problem, but I can't find it!!! Also, if I can get to and shut down UDP port 1434 then Helkern won't be able to access the internet, but again I can't find it. I tried going into the firewall and it only has settings to add a port, not shut one off.

    Now also, from what I understand Helkern isn't destroying or wrecking my comp, but it is just KILLING my internet connection... making it slow as hell and tying up my RAM (I'm a big gamer and I need a clean internet connection to run the games I play, BF2 and BF2 SF). I have a 1mb connection and normally I test to my provider at the max I can get (bandwidth test)... normally I get 1.05 or 1.15 Mbps speeds and lately all I can get is about 300-500 kbps... my bandwidth is just getting robbed!!

    Pls... ooo... Pls, I hope someone can help me :confused:

    My computer info is as follows:

    Computer:
    Operating System Microsoft Windows XP Home Edition
    OS Service Pack Service Pack 2
    Internet Explorer 6.0.2900.2180
    Computer Name CPQ11490317379 (Ironman)
    User Name Sean
    Logon Domain CPQ11490317379

    Motherboard:
    CPU Type Intel Pentium 4A, 2000 MHz (5 x 400)
    Motherboard Name Compaq Presario 6030CA
    Motherboard Chipset Intel Brookdale i845D
    System Memory 1024 MB (DDR SDRAM)
    BIOS Type Compaq (02/27/02)
    Communication Port Communications Port (COM1)
    Communication Port Communications Port (COM2)
    Communication Port ECP Printer Port (LPT1)

    Display:
    Video Adapter NVIDIA GeForce FX 5500 (256 MB)
    Monitor Compaq 7550 (12092908489814)

    Multimedia:
    Audio Adapter Intel 82801BA(M) ICH2 - AC'97 Audio Controller [B-5]

    Storage:
    Floppy Drive Floppy disk drive
    Disk Drive ST380021A (80 GB, 7200 RPM, Ultra-ATA/100)
    Optical Drive COMPAQ DVD-ROM GDR8160B (16x/48x DVD-ROM)
    Optical Drive HL-DT-ST CD-RW GCE-8320B (32x/10x/40x CD-RW)

    Partitions:
    C: (NTFS) 76316 MB (58064 MB free)

    Input:
    Keyboard Compaq Easy Access PS2 Internet Keyboard
    Keyboard HID Keyboard Device
    Mouse Logitech-compatible Mouse PS/2
    Game Controller Microsoft PC-joystick driver

    Network:
    Primary IP Address xxxxxxx personal info removed
    Primary MAC Addressxxxxxxx personal info removed
    Network Adapter Intel(R) PRO/100 VM Network Connection xxxxxxx personal info removed
    Network Adapter WAN (PPP/SLIP) Interface xxxxxxx personal info removed
    Modem Conexant HSFi V90 V92 56K PCI Modem

    Peripherals:
    Printer hp deskjet 920c
    USB Device Microsoft SideWinder Force Feedback 2
    USB Device USB Printing Support
     
    Last edited by a moderator: Feb 26, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    You should not post personal info like your IP address etc. in public forums. I deleted them for you.

    What firewall are you referring to? If you mean the WinXP SP2 one, it is not useful as a real firewall and does not block any outgoing traffic. You need a real firewall like the ones mentioned in the below:

    How to Protect yourself from malware!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky).
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. Big T

    Big T Private E-2

    Ran all the tests and everything is clean but 4 tracking cookies Panda found.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean but you can fix the below minor items with HijackThis:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)sinst.cab
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Why are you using the below?
    O4 - HKCU\..\Run: [AntiWindowsMessenger] C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe

    You can just permanently uninstall or disable Windows Messenger and not have to waste resources on another application that is running unnecessarily. See the below:

    Disable/Remove Windows Messenger

    If you are still having malware problems, you may have to dig deeper using some other scanning tools like the ones mentioned in the below link, which is mentioned in step 8 of the READ & RUN ME:

    Alternative Scans
     
  5. Big T

    Big T Private E-2

    I have cleaned up the 4 items you suggested and I have removed Windows Messenger and Anti-Windows Messenger. With everything clean now, is there a way you can tell me how to get rid of this Helkern (Slammer) worm? I have tried and searched and I can't find a way to get to the Microsoft SQL Server 2000 to disable it, and I can't find a way to close UDP ports 1434 and possibly 1433. This worm is killing my bandwidth, I'm only running at 40% of what it was and I fear soon it will eat it down more.. lol.. I'm getting back to the speeds I had when I had dial-up :eek:
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the Alternative Scans? I did not see any infections in your other logs.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start/Run and type netstat -p udp -a 100 then click OK. Copy the output from this back here. You can copy that window by using the Edit menu that is seen when right-clicking on the top bar of the window. First you Mark, then you Copy. Then you paste it into a message here.

    Also, here is some info and something to run from F-Secure
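As an added example (not code from this thread, from Kaspersky, or from any tool mentioned above), the following Python script parses the firewall report format quoted in the first post and the per-socket lines of Windows `netstat -a -n` output of the kind chaslang asks for, then reports two separate things: how many inbound UDP 1434 probes the firewall repelled and from where, and whether the machine itself has the SQL Server 2000 / MSDE ports (UDP 1434, TCP 1433) open locally. The report and netstat samples are constructed (the first report line is the one from the thread); the host is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ports used by SQL Server 2000 / MSDE: UDP 1434 is the SQL Server Resolution
# Service that Slammer/Helkern targets, TCP 1433 is the default instance port.
SQL_RESOLUTION_UDP_PORT = 1434
SQL_DEFAULT_TCP_PORT = 1433

# Constructed sample in the "name;description;timestamp" layout of the report
# line quoted in the first post (the first line is that report line verbatim).
KASPERSKY_REPORT = """\
Helkern;Attack via protocol UDP from address 61.185.98.176 to local port 1434 was successfully repelled.;24/02/2006 3:53:42 AM
Helkern;Attack via protocol UDP from address 61.185.98.176 to local port 1434 was successfully repelled.;24/02/2006 4:01:10 AM
"""

# Constructed sample of Windows XP "netstat -a -n" output for a hypothetical
# host that still has MSDE/SQL Server listening.
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1434           *:*
  UDP    127.0.0.1:1900         *:*
"""


@dataclass
class RepelledAttack:
    name: str
    proto: str
    src_ip: str
    local_port: int
    timestamp: str


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: Optional[str]  # None for UDP, which has no connection state


REPORT_RE = re.compile(
    r"^(?P<name>[^;]+);Attack via protocol (?P<proto>\w+) from address "
    r"(?P<src>[\d.]+) to local port (?P<port>\d+) was successfully repelled\.;"
    r"(?P<ts>.+)$"
)

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def parse_kaspersky_report(text: str) -> List[RepelledAttack]:
    """Parse repelled-attack report lines; lines in any other layout are skipped."""
    attacks = []
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if m:
            attacks.append(RepelledAttack(m["name"], m["proto"], m["src"],
                                          int(m["port"]), m["ts"].strip()))
    return attacks


def parse_netstat(text: str) -> List[Socket]:
    """Parse the per-socket lines of Windows netstat -a -n output."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # blank line, "Active Connections" banner or column header
        ip, port = m["local"].rsplit(":", 1)
        sockets.append(Socket(m["proto"], ip, int(port), m["state"]))
    return sockets


def sql_listeners(sockets: List[Socket]) -> List[Socket]:
    """Sockets on which SQL Server / MSDE would be reachable from the network."""
    return [s for s in sockets
            if (s.proto == "UDP" and s.local_port == SQL_RESOLUTION_UDP_PORT)
            or (s.proto == "TCP" and s.local_port == SQL_DEFAULT_TCP_PORT
                and s.state == "LISTENING")]


def assess(report_text: str, netstat_text: str) -> Dict[str, object]:
    """Separate the inbound probes the firewall stopped from what the host itself exposes."""
    attacks = parse_kaspersky_report(report_text)
    listeners = sql_listeners(parse_netstat(netstat_text))
    return {
        "repelled_probes": len(attacks),
        "probe_sources": sorted({a.src_ip for a in attacks}),
        "local_sql_sockets": [f"{s.proto}/{s.local_port}" for s in listeners],
        "sql_service_exposed": bool(listeners),
    }


if __name__ == "__main__":
    for key, value in assess(KASPERSKY_REPORT, NETSTAT_OUTPUT).items():
        print(f"{key}: {value}")
```

Run it against a real `netstat -a -n` capture saved to a file in place of the constructed sample: if `local_sql_sockets` comes back empty, the SQL Server Resolution Service is not listening on the machine and the repelled entries are inbound scanning from other hosts that the firewall is already stopping; if it lists `UDP/1434`, the SQL Server 2000 / MSDE service the original poster was trying to locate is still running and is what the SP3a update or disabling the service is meant to address.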
     
