puter resets each boot

  eric_bloodaxe 21:38 29 May 2009
Locked

Hi;
Using an XP PRO 120-day evaluation OS, which may be coming to the end of its life but hasn't said anything, I am having a strange happening! After a night of downloads I shut the puter down, and when I rebooted it had lost the Kaspersky intrusion detection service and had corrupt database files. It also seems to have reset my user settings to some sort of default ones and continues to do so each boot. I have repaired Kas' and scans reveal no viruses, nor does Malwarebytes software, but I have just noticed in the security tab of My Documents/Nigel, my user account personal documents folder, a user who appears to only exist for this one folder. It has a question mark icon and is an alphanumeric string name which may well tie in to the RECYCLERS folder on the D: drive. This is a USB Seagate drive and has a copy of Kido.ih hiding in it, apparently. This has so far resisted all efforts to remove it, even from the command line. The strange user profile cannot be denied full control permissions without removing its inheritance from parent folders. I can take control of the folder as either myself or as the administrator, but I get all sorts of warnings about denying everyone access to the folder if I do. Can anyone tell me what is going on here, and can I safely give control to the Administrators group without locking myself out of the folder completely, and remove the alien user profile? Or at least deny it all permissions to be going on with.

  MAT ALAN 23:39 29 May 2009

click here

might help...

  lotvic 23:46 29 May 2009

Information from viruslist.com click here

Net-Worm.Win32.Kido.ih Removal instructions
If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found click here) or follow the instructions below:

1. Delete the following system registry key:

[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

2. Delete “%System%\<rnd>.dll” from the system registry key value shown below:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"

3. Reboot the computer.
4. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
5. Delete copies of the worm:

%System%\<rnd>dir.dll
%Program Files%\Internet Explorer\<rnd>.dll
%Program Files%\Movie Maker\<rnd>.dll
%All Users Application Data%\<rnd>.dll
%Temp%\<rnd>.dll
%System%\<rnd>tmp
%Temp%\<rnd>.tmp

<rnd> is a random string of symbols.
6. Delete the files shown below from all removable storage media:

<X>:\autorun.inf
<X>:\RECYCLER\S-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>\<rnd>.vmx

7. Download and install updates for the operating system: Patch, choose your OS from this page

click here
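A read-only check for the two removable-media patterns in step 6 above, added here as an example and not part of the thread or of the quoted viruslist.com instructions. The function names and the sample tree are hypothetical; hits are candidates for review only, since `RECYCLER\S-...` is also the normal Recycle Bin layout and `.vmx` files can be legitimate.

```python
import os
import re
import tempfile

# Step 6 patterns; matching is case-insensitive as on Windows. The folder may
# show up in 8.3 short form (the thread reports "S-5-3-~1").
SID_DIR = re.compile(r"^S-[\d-]+(~\d+)?$", re.IGNORECASE)

def _listdir(path, errors):
    """List a directory, recording access failures instead of aborting."""
    try:
        return sorted(os.listdir(path))
    except OSError as exc:          # e.g. "Access denied" on a locked folder
        errors.append((path, exc.strerror or str(exc)))
        return []

def scan_removable(root):
    """Return (findings, errors) for one drive root; nothing is deleted."""
    findings, errors = [], []
    for name in _listdir(root, errors):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            findings.append(("autorun.inf", path))
        elif name.lower() == "recycler" and os.path.isdir(path):
            for sid in _listdir(path, errors):
                sid_path = os.path.join(path, sid)
                if not (SID_DIR.match(sid) and os.path.isdir(sid_path)):
                    continue
                for fname in _listdir(sid_path, errors):
                    if fname.lower().endswith(".vmx"):
                        findings.append(("recycler-vmx", os.path.join(sid_path, fname)))
    return findings, errors

def make_sample_tree(root):
    """Constructed sample layout (empty files), not data from a real drive."""
    sid_dir = os.path.join(root, "RECYCLER", "S-5-3-~1")
    os.makedirs(sid_dir)
    for rel in ("autorun.inf", "notes.txt"):
        open(os.path.join(root, rel), "w").close()
    for rel in ("jwgkvsq.vmx", "holiday.jpg"):
        open(os.path.join(sid_dir, rel), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        hits, errs = scan_removable(tmp)
        for kind, path in hits:
            print(kind, path)
        for path, why in errs:
            print("could not read:", path, why)
```

Folders that cannot be read are returned in the second list rather than skipped silently, so a locked `RECYCLER` subfolder still shows up in the result.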

  eric_bloodaxe 22:31 01 Jun 2009

Hi
Thanks, but... nothing is working. I've tried running KK... and it doesn't find anything. I have been into the registry using regedit from the cmd prompt; was that the right reg edit tool to use? And neither of the keys you list is there at all. I have tried running del and erase on both all files and the RECYCLER folder with /S but I get the following: D:\RECYCLERS\S-5-3-~1\jwgkvsq.vmx, Access denied. Cannot delete the file because it is in use by another process. The spoof user in the security list of the My Docs subfolder has the name starting S-5-3-~1, which suggests it is a creation of the Kido.ih worm, but it is not being found by any scan, and once again I can't apparently delete it because it keeps saying it is inheriting permissions from the parent object, but if I untick the inherit permissions box on the advanced tab it reticks it as soon as I return to the security tab. Is there any way out of this except by a complete reformat of both drives? Bearing in mind the spoof user does not appear in the Users folder in Computer Management, so I can't manage it from anywhere except the folder security tab.

  phono 00:45 02 Jun 2009

Try downloading Unlocker from http://ccollomb.free.fr/unlocker/, install it and follow the instructions on the web page, and see if you can now delete those files.

Alternatively, download, install and run the conficker removal tool from click here

  eric_bloodaxe 21:25 09 Jun 2009

Hi,
Well, I finally appear to have killed Kido.ih. Yippee! It took some serious shit from Kaspersky to finally nobble it; they are very helpful and have some very big guns when need arises. However, I still appear to have the reset problem, which is that every time I boot up, the puter starts as if for the first time, asking me if I want to do the XP tour and losing all my settings in Folder Options and Internet Explorer. It keeps going back to the default MSN homepage. When I launch AOL I get the silly window saying make AOL my default player of CDs et al. It also unloads, or fails to load at startup, Skype. When I go to Hotmail it doesn't remember my e-mail address. It may sound daft, but can a user profile change to or be changed to Mandatory by anything? How would I check?

This thread is now locked and can not be replied to.
