only "possible" malware infection; not sure

Discussion in 'Malware Help (A Specialist Will Reply)' started by cake, Oct 25, 2009.

  1. cake

    cake Corporal

    mentioned this in my other thread: http://forums.majorgeeks.com/showthread.php?t=201685

    Win.MSSQL.worm.Helkern notification is coming from Kaspersky Internet Security 2010 as a popup "UDP intrusion blocked at port #### (port & attacking IP are different each time); may be a spoofed address." when i go to look at the details, they all show different "geocities" urls which i know don't exist anymore since Yahoo got rid of that service.

    nothing came up in a deep scan, except for a couple trojans in System Volume Information (let KIS delete them) and no related files are sitting where other info says they would be. my hosts file is locked up tight (original is zipped/passworded & other is read only & hidden).

    i haven't tried any other things (have read the Sticky) but do have all the installers (with detailed instructions on what to do) ready to go. my hesitation has been the date of the info; anywhere between 2000 and 2005 on all the places i looked at in a Google of the worm.

    i'm really having no other issues (no popups, ads, no funky processes showing in task manager - i actually know what each and every one of them are - no weird software showing up anywhere, nothing different when i play any particular game or load any particular software) other than a little slowness on my browser loading...i think that may have to do with how i have Kaspersky Internet Security 2010 set up...and VERY occasional, momentary disconnect of my cable connection.

    it's just the one thing, but it's happened 3 times while i've been on site and haven't really been anywhere else today. has been happening for the last week or so, but not continually, just every couple hours or so...haven't really paid that much attention. obviously it's happening often enough to have me post.

    so, i guess i need to know if using those older programs (SDFix, ComboFix, HijackThis, etc.) is definitely the way i need to go before doing anything else. just need a yes, if so. have all the other info i need (programs, how-to, etc.).

    thanks
     
  2. cake

    cake Corporal

    still having issues with Win.MSSQL.worm.Helkern

    i have NOT gone through all the steps suggested here, yet, because i Googled for mine, "Win.MSSQL.worm.Helkern," found the instructions to fix at bleepingcomputer.com, followed them & wasn't happy with the results. i did follow the instructions, to the letter.

    nothing was found by Kaspersky Internet Security 2010, Spyware Blaster, Spybot, Malwarebytes, SuperAntiSpyware, etc. (no worms, trojans, keyloggers, adware, viruses).

    ComboFix quarantined a perfectly legitimate Western Digital autorun.inf belonging to my external hard drive software, 3 items in add/remove that hung when i uninstalled them (AutoFX plugins for Adobe Photoshop - this has happened before & is no biggie), a perfectly good icon library file i'm using with legitimate software (TuneUp Utilities 2009 Styler; icons are from their website) & a link in my favorites for those same icons. it also quarantined a completely blank lmhosts file. what's up with that?

    ComboFix also "fixed" (= disabled) some startup items which i had to manually re-configure (ClockX, Iconoid, NetStat Live, FreePOPs) and screwed with my printer (HP Photosmart 5500) software so much that i had to uninstall completely (haven't re-installed yet).

    i think SDFix found something in my system restore for some ad website, but no clue if it may have found it in my Firefox AdBlock Plus subscriptions.

    had a problem for the last 24 hours with my cable internet connection (their issue; took them a day to fix whatEVER), but still couldn't get access until i did a system restore i had saved from the 19th (a manual checkpoint of mine since the system checkpoint tends to be spotty - only get one every 3 or 4 days - and i do them whenever i install something new). forget which, but either SDFix or ComboFix "said" they were creating a system restore point, but it didn't happen.

    i completely reset my system restore (turned off on my external drive) & they're empty. i'm still getting popups from KIS 2010, maybe 3 or 4 times a day (paraphrasing):
    my system is now back to normal except for those popups from KIS on the flippin' worm. i have a bunch of garbage left over from SDFix & ComboFix that i just archived to my D: root (external drive) & deleted from my C: root.

    i'm attaching them here to see if less-stressed heads than mine can make any sense of them. i'm not willing to try anything more until i feel reasonably certain none of the suggested programs will screw with my system like SDFix & ComboFix did.

    i just registered at bleepingcomputer forums to see if there's a how-to to undo what got done, but may be a moot point since i already did a system restore & fixed my missing startups.

    grrrrrrrrrrrrrrrrrr!!!!!!! just went to right-click extract/unrar the folders with the logs and "someone's" screwed with my context menu items.

    i'll shut up now & just attach the logs. let me know if you need anything else. i have several things i can turn into .txt files if needed; no clue what they are/did/for. and i WILL redo any recommended fixes suggested in the sticky, if the info i have isn't enough.

    oh, i'm on WinXP SP3, hotfixes are current as of 4 days ago & will go check now for any updates.
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your firewall is just doing what it is supposed to do which is to block malicious attacks.

    Please do not start multiple threads for the same issue. Your other thread was merged back with this first thread.
     
  4. cake

    cake Corporal

    belay everything i've posted, except for my continuing issue with not being able to access SVI. have that question posted at Kaspersky forums & it may well be a KIS 2010 function (waiting on a response).

    i re-did deep scans with KIS 2010, Malwarebytes, SuperAntiSpyware, SpybotS&D & whatever the heck else i could think of. even (sigh) went through all the "fixes" suggested here & at bleepingcomputers (undoing those since they only "fixed" some things that weren't broken in the first place).

    i am not now, nor have i ever been, infected with that worm. i just finished at Kaspersky forums & disabled notifications of the worm so i'm no longer annoyed by the popups. it's a worm that is randomly looking for vulnerable PCs (mine isn't one of them), most likely coming from PCs that are infected.

    so, i don't have ANY malware issues. i'll wait to hear from Kaspersky forums about my "access denied" issue on SVI (which are empty after i did the Microsoft thing, toggled System Restore with a reboot before re-enabling & i still can't access unless KIS finds something & lets me in so i can choose to ignore or have KIS kill it).

    caveat: this is not to say no one else does/did have this worm problem, i'm just saying it doesn't/didn't apply to me. my pc is spotless.

    thanks
     
  5. cake

    cake Corporal

    final resolution:

    KIS 2010 Helkern worm popups:
    solution: disable the specific popup if too annoying

    fixing access denied on SVI for WinXP Home:
    Code:
    http://support.microsoft.com/kb/308421
    implemented & i'm all fixed.

    thanks for all the other suggestions, here.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. We always tell everyone the same thing as what you did. That is, it is your firewall properly working and to disable the popup msg if it bothers you.
     
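As an added illustration of chaslang's point (not code from the thread, from MajorGeeks or from Kaspersky), a small Python triage over constructed alert lines in an assumed KIS-2010-like layout: inbound blocked hits from varying remote hosts are other machines' infections scanning the internet, while an outbound hit for the same signature would be the one thing worth investigating.

```python
import re

# Constructed alert lines in a simplified, KIS-2010-like layout (an assumption,
# not Kaspersky's real log format). Remote IP and remote port vary per hit, as
# the thread describes; the local target is UDP 1434, the MS SQL resolution
# service that Helkern (SQL Slammer) probes.
INBOUND_ONLY = """\
2009-10-25 10:12:03 blocked Win.MSSQL.worm.Helkern inbound udp 203.0.113.45:1337 -> 192.168.1.10:1434
2009-10-25 12:40:11 blocked Win.MSSQL.worm.Helkern inbound udp 198.51.100.7:40211 -> 192.168.1.10:1434
2009-10-25 15:02:57 blocked Win.MSSQL.worm.Helkern inbound udp 203.0.113.88:2049 -> 192.168.1.10:1434
"""

# Same layout, plus one constructed alert where the local host is the sender.
WITH_OUTBOUND = INBOUND_ONLY + (
    "2009-10-25 15:03:01 blocked Win.MSSQL.worm.Helkern outbound udp "
    "192.168.1.10:3456 -> 198.51.100.200:1434\n"
)

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) blocked (?P<sig>\S+) (?P<dir>inbound|outbound) "
    r"(?P<proto>udp|tcp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def triage(text, signature="Win.MSSQL.worm.Helkern"):
    """Classify alerts for one signature: inbound blocked hits are the
    firewall doing its job; any outbound hit means this host sent the
    worm's traffic itself and needs a real investigation."""
    hits = [a for a in parse_alerts(text) if a["sig"] == signature]
    inbound = [a for a in hits if a["dir"] == "inbound"]
    outbound = [a for a in hits if a["dir"] == "outbound"]
    if outbound:
        verdict = "investigate: local host emitted worm traffic"
    elif inbound:
        verdict = "background scanning noise; firewall working as intended"
    else:
        verdict = "no alerts for this signature"
    return {
        "inbound_blocked": len(inbound),
        "distinct_sources": len({a["src"] for a in inbound}),
        "outbound_hits": len(outbound),
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(triage(INBOUND_ONLY))
    print(triage(WITH_OUTBOUND))
```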
