virus regenerating

Guest

I am having a problem with a virus regenerating every time I start or restart
my HP laptop. In the Task Manager window, under Processes,
activexdebugger32.exe keeps showing up and using processing power. And, I
believe related to that one, I also get a warning from my antivirus every
time I start or restart for a file called ktkbdhk3.dll, which I was able to
figure somehow links to the site http//smartsite.cjb.net. How can I find out
where the file is that keeps regenerating these files and delete them for
good? These files have also shown up on other computers in our office, and I
don't know if they have been infected individually, or if it could be from
the use of a commonly used flash drive in our office. Thanks for any help!
 
G

Guest

Whrdg said:
I am having a problem with a virus regenerating every time I start or restart
my HP laptop. In the Task Manager window, under Processes,
activexdebugger32.exe keeps showing up and using processing power. And, I
believe related to that one, I also get a warning from my antivirus every
time I start or restart for a file called ktkbdhk3.dll, which I was able to
figure somehow links to the site http//smartsite.cjb.net. How can I find out
where the file is that keeps regenerating these files and delete them for
good? These files have also shown up on other computers in our office, and I
don't know if they have been infected individually, or if it could be from
the use of a commonly used flash drive in our office. Thanks for any help!


http://www.fbmsoftware.com/spyware-net/Process/KTKbdHk3_DLL/741/

http://www.symantec.com/security_response/writeup.jsp?docid=2007-062905-2723-99&tabid=2
http://www.sophos.com/security/analyses/w32amcaa.html
activexdebugger32.exe
http://www.sophos.com/security/blog/2007/06/295.html

Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE Properties window you will see these tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on the Programs tab, click Manage Add-Ons and disable all non-verified
add-ons (you should re-enable them later one-by-one to find the
culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

2. You need to be sure your system is clean of malware and viruses by
scanning for them.
Scan for malware from here:
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm
Run a scan from here on-line:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine:
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/
http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Then download these tools to see the running processes in real time; you
can search them to make sure they are legit.
"Process Explorer for Windows v10.21"
http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

"AutoRuns for Windows v8.61 By Mark Russinovich and Bryce Cogswell"
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx

HTH.
Let us know.
Regards,
nass
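As an added example (not from nass's post and not part of the Sysinternals tools): a small Python triage script that reads an Autoruns-style CSV export and flags autostart entries that match the two filenames the OP named, run from a temp or profile directory, or carry no verified signer. The CSV sample and its column names are constructed for this example and are an assumption, not the tool's guaranteed layout.

```python
import csv
import io
import os

# Filenames named in the original post, lower-cased for matching.
THREAD_INDICATORS = {"activexdebugger32.exe", "ktkbdhk3.dll"}

# Constructed sample resembling an Autoruns CSV export. The column names
# are an assumption for this example, not the tool's guaranteed layout.
SAMPLE_CSV = """Entry Location,Entry,Image Path,Signer,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon,C:\\WINDOWS\\system32\\ctfmon.exe,(Verified) Microsoft Windows,C:\\WINDOWS\\system32\\ctfmon.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,adbg,C:\\WINDOWS\\system32\\activexdebugger32.exe,(Not verified),C:\\WINDOWS\\system32\\activexdebugger32.exe
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows,AppInit_DLLs,C:\\WINDOWS\\system32\\ktkbdhk3.dll,(Not verified),ktkbdhk3.dll
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,updater,C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svc.exe,(Not verified),C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svc.exe
"""

# Path fragments (lower-cased) that legitimate autostart entries rarely use.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\locals~1\\")


def triage(csv_text, indicators=THREAD_INDICATORS):
    """Return (entry_location, entry, image_path, reasons) for every flagged row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row.get("Image Path", "")
        # Normalise to forward slashes so basename() works on any host OS.
        name = os.path.basename(path.replace("\\", "/")).lower()
        reasons = []
        if name in indicators:
            reasons.append("matches filename from thread")
        if any(d in path.lower() for d in SUSPECT_DIRS):
            reasons.append("runs from temp/profile dir")
        if not row.get("Signer", "").startswith("(Verified)"):
            reasons.append("unverified signer")
        if reasons:
            findings.append((row["Entry Location"], row["Entry"], path, reasons))
    return findings


if __name__ == "__main__":
    for loc, entry, path, why in triage(SAMPLE_CSV):
        print(f"{entry:12} {path}\n    {loc}\n    {'; '.join(why)}")
```

Each flagged row tells you which autostart location (Run key, AppInit_DLLs, etc.) is re-launching the file, which is the entry to disable in Autoruns before deleting the file itself.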
 
C

Carey Frisch [MVP]

Cleaning a Compromised System
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

"The only way to clean a compromised system is to flatten and rebuild.
That’s right. If you have a system that has been completely compromised,
the only thing you can do is to flatten the system (reformat the system disk)
and rebuild it from scratch (reinstall Windows and your applications)."


--
Carey Frisch
Microsoft MVP
Windows - Shell/User

--------------------------------------------------------------------------------


I am having a problem with a virus regenerating every time I start or restart
my HP laptop. In the Task Manager window, under Processes,
activexdebugger32.exe keeps showing up and using processing power. And, I
believe related to that one, I also get a warning from my antivirus every
time I start or restart for a file called ktkbdhk3.dll, which I was able to
figure somehow links to the site http//smartsite.cjb.net. How can I find out
where the file is that keeps regenerating these files and delete them for
good? These files have also shown up on other computers in our office, and I
don't know if they have been infected individually, or if it could be from
the use of a commonly used flash drive in our office. Thanks for any help!
 
R

Ron Martell

Carey Frisch said:
Cleaning a Compromised System
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

"The only way to clean a compromised system is to flatten and rebuild.
That’s right. If you have a system that has been completely compromised,
the only thing you can do is to flatten the system (reformat the system disk)
and rebuild it from scratch (reinstall Windows and your applications)."

Balderdash.

Cleaning can sometimes be difficult but usually is not impossible.
Sometimes a reformat and reinstall is the quickest solution, but in
other cases it can be gross overkill, the equivalent of "capital
punishment for jaywalking".

Ron Martell Duncan B.C. Canada
--
Microsoft MVP (1997 - 2008)
On-Line Help Computer Service
http://onlinehelp.bc.ca
Syberfix Remote Computer Repair

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."
 
R

Ron Martell

Whrdg said:
I am having a problem with a virus regenerating every time I start or restart
my HP laptop. In the Task Manager window, under Processes,
activexdebugger32.exe keeps showing up and using processing power. And, I
believe related to that one, I also get a warning from my antivirus every
time I start or restart for a file called ktkbdhk3.dll, which I was able to
figure somehow links to the site http//smartsite.cjb.net. How can I find out
where the file is that keeps regenerating these files and delete them for
good? These files have also shown up on other computers in our office, and I
don't know if they have been infected individually, or if it could be from
the use of a commonly used flash drive in our office. Thanks for any help!

What antivirus software do you have installed? Is it fully up to
date and have you done a full system scan with it recently?

What antispyware software do you have installed? Is it fully up to
date and have you done a full system scan with it recently?

Go to at least two of the following free scanning sites and do their
free online scans. Some of them will actually remove the malware
they find, others will just identify it and report what they find:

Bit Defender http://www.bitdefender.com/scan8/ie.html
Trend Micro http://housecall.trendmicro.com
Kaspersky Online Scanner http://www.kaspersky.com/virusscanner
Panda ActiveScan http://www.pandasoftware.com/activescan
WindowSecurity.com TrojanScan http://windowssecurity.com/trojanscan
Webroot http://www.webroot.com/

Good luck

Ron Martell Duncan B.C. Canada
--
Microsoft MVP (1997 - 2008)
On-Line Help Computer Service
http://onlinehelp.bc.ca
Syberfix Remote Computer Repair

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."
 
B

Bruce Chambers

Ron said:
Balderdash.

Cleaning can sometimes be difficult but usually is not impossible.
Sometimes a reformat and reinstall is the quickest solution, but in
other cases it can be gross overkill, the equivalent of "capital
punishment for jaywalking".

Ron Martell Duncan B.C. Canada


Agreed. Formatting the hard drive to solve a virus or spyware problem
is rather like using an axe to trim one's fingernails. Sure, it'll
probably get the job done, but it's rather messy... and almost always
unnecessary.

I will concede that there are times when data integrity is absolutely
mission- and/or business-critical, and that under such circumstances,
formatting the hard drive is by far the surest way to ensure that
system's integrity. But such situations are the exception, rather than
the norm, even on a great many business or government systems. And, of
course, such an agency will have been making frequent and thorough
back-ups of its critical data. There's also the "Time is Money" factor
involved; it's often quicker to rebuild a machine, particularly if
partition imaging tools are used, than it might be to clean the hard drive.

However, such data criticality and the need for system integrity
only very rarely apply to the home computer user, although his personal
data is no doubt important to him. Furthermore, the home consumer is
much less likely to have backed up his data frequently or recently, or
to have any rapid recovery tools available. There's no real, immediate
need to certify his hard drive as 100% clean; further measures can be
always taken, as needed, should initial attempts to clean the hard drive
fail. Therefore, formatting the hard drive is, relatively speaking, a
much more catastrophic event. It should only be recommended as a last
resort, once other, less draconian measures have failed.


--

Bruce Chambers


They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
 
C

Carey Frisch [MVP]

The OP stated:

"These files have also shown up on other computers in our office, and I
don't know if they have been infected individually, or if it could be from
the use of a commonly used flash drive in our office."

It appears the virus has infested other computers in his office already.
Any astute IT administrator would have prevented this catastrophe by
following prudent security measures which include reformatting the
hard drive of an infected, and now compromised, computer.

--
Carey Frisch
Microsoft MVP
Windows - Shell/User

--------------------------------------------------------------------------------


Bruce Chambers said:
Balderdash.

Cleaning can sometimes be difficult but usually is not impossible.
Sometimes a reformat and reinstall is the quickest solution, but in
other cases it can be gross overkill, the equivalent of "capital
punishment for jaywalking".

Ron Martell Duncan B.C. Canada


Agreed. Formatting the hard drive to solve a virus or spyware problem
is rather like using an axe to trim one's fingernails. Sure, it'll
probably get the job done, but it's rather messy... and almost always
unnecessary.

I will concede that there are times when data integrity is absolutely
mission- and/or business-critical, and that under such circumstances,
formatting the hard drive is by far the surest way to ensure that
system's integrity. But such situations are the exception, rather than
the norm, even on a great many business or government systems. And, of
course, such an agency will have been making frequent and thorough
back-ups of its critical data. There's also the "Time is Money" factor
involved; it's often quicker to rebuild a machine, particularly if
partition imaging tools are used, than it might be to clean the hard drive.

However, such data criticality and the need for system integrity
only very rarely apply to the home computer user, although his personal
data is no doubt important to him. Furthermore, the home consumer is
much less likely to have backed up his data frequently or recently, or
to have any rapid recovery tools available. There's no real, immediate
need to certify his hard drive as 100% clean; further measures can be
always taken, as needed, should initial attempts to clean the hard drive
fail. Therefore, formatting the hard drive is, relatively speaking, a
much more catastrophic event. It should only be recommended as a last
resort, once other, less draconian measures have failed.


--

Bruce Chambers


They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
 
L

Leythos

Balderdash.

Cleaning can sometimes be difficult but usually is not impossible.
Sometimes a reformat and reinstall is the quickest solution, but in
other cases it can be gross overkill, the equivalent of "capital
punishment for jaywalking".

LOL - If you clearly understood "Security" then you would know that
Carey is 100% correct. The only proven way to "Clean" a compromised
machine is to flatten it and rebuild it in a clean environment.

To just "Clean" it with tools and such means that you removed all the
things that you could find and that the tools could find. As any good
security person knows, the tools are "Reactionary" and that they only
find what they know about - typically lagging the new infections by
days.

So, learn a little about security and understand that to "Certify" a
machine as clean, you must wipe/flatten it to be sure.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
C

cquirke (MVP Windows shell/user)

On Tue, 10 Jul 2007 13:04:26 -0500, "Carey Frisch [MVP]" wrote:
"The only way to clean a compromised system is to flatten and rebuild.
That’s right. If you have a system that has been completely compromised,
the only thing you can do is to flatten the system (reformat the system disk)
and rebuild it from scratch (reinstall Windows and your applications)."

You don't mention formal scanning, i.e. without running the infected
code base at all. That will allow scanners to catch everything they
can recognise... which still leaves you with what they miss.

But the bigger picture is this - your wonderfully clean new build has
lost all patches and protections, and is even more likely to be
infected than the infected installation was.

So while you can argue that cleaning a system may fail to clean it
completely, one can just as easily argue that a system environment
that got infected is just as likely to do so again if all one does is
"just" wipe and rebuild (and patch, and install av, and etc.).

Then there's the question of restoring data backups and apps...

http://cquirke.mvps.org/reinst.htm refers.


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 
C

cquirke (MVP Windows shell/user)

On Tue, 10 Jul 2007 18:48:28 -0500, "Carey Frisch [MVP]" wrote:
The OP stated:
"These files have also shown up on other computers in our office, and I
don't know if they have been infected individually, or if it could be from
the use of a commonly used flash drive in our office."
It appears the virus has infested other computers in his office already.
Any astute IT administrator would have prevented this catastrophe by
following prudent security measures which include reformatting the
hard drive of an infected, and now compromised, computer.

You're not just dealing with one infected PC anymore.

I'd want to know about:
- networking, hidden admin shares, password "band-aids"
- WiFi exposure
- sneakernet, i.e. USB sticks, CDRs, off-site server storage

You can't begin to talk about "cleaning a PC" unless you can isolate
it from others, and you can't begin to talk about "cleaning the
network" unless you isolate PCs from each other, ensure that cleaned
and uncleaned PCs never co-exist on the LAN, and know that your LAN is
bounded from the outside world.

In that broader context, "just" wiping and rebuilding one particular
PC just isn't relevant anymore.
 
L

Leythos

But the bigger picture is this - your wonderfully clean new build has
lost all patches and protections, and is even more likely to be
infected than the infected installation was.

Utter BS, sorry, but that's not true. The new clean machine, since it's
not been used for anything at this point, only needs to sit behind a
NAT, which every user should have already learned to install, and can be
patched, updated, AV updated, etc... All without being compromised
again. Now, if you're going to download porn while you do your updates,
well, that's another story.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)