Spyware, Viruses, & Security forum

General discussion

malware on my system..detected: intrusion.Win.MSSQL.worm.Hel

by MOHAMMED UMAR10 / April 26, 2010 7:46 AM PDT

My system is suffering from frequent network attacks (detected by Kaspersky firewall 2010, legally bought)....
Also, I use the Firefox 3.6 browser. Any file I download does not appear in the folder it is supposed to (for instance, if we set it in Firefox as "X:\ASD" it should appear there, but in my case it does not!!!), whereas if I access it through Firefox using File>>Open>>(browse to the file), then it's there safe & sound!!!! Similarly, I can access the downloaded file using Tools>>Downloads>>(right click>>Open file).

How do I get my system back to normal... I have Kaspersky installed (only after realizing the presence of the virus).
A monobot and a backdoor trojan are on my system. Previously they were only on a particular drive; I formatted the drive but BOTH got transferred to all the other drives on my system, affecting the system and Firefox. Now my download speed is around 10kbps (previously 200kps).
Please help me ...

I am using...
Microsoft Windows SP3
Intel Pentium 4 2.66 GHz
1 GB RAM
Gigabyte motherboard

The following viruses were detected..

Trojan program: trojan.win32.sasfis.aehm

Kaspersky detected the virus but could not remove them and recommended the skip action (not to do anything to them, but I formatted the drive).

Kaspersky firewall warning; action taken by Kaspersky is NIL
detected: intrusion.Win.MSSQL.worm.Helkern
UDP from to local port 1434

Have previously tried AVG, Avira antivirus

They both detected but did not delete... pls help !!! :(

Then Please Try This...
by Grif Thomas Forum moderator / April 26, 2010 8:49 AM PDT

Download ALL of the tools below on a friend or family member's, CLEAN computer and copy them to a CD or flash drive, then transfer them to the problem machine.

First, after transferring it to the problem machine, run the following tool to help allow the removal programs below to run. (courtesy of Grinler at BleepingComputer.com)
There are 4 different versions. If one of them won't run then try to run the other one. Be patient.... as a black window should open, then close after finding all the background programs.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

Rkill.exe http://download.bleepingcomputer.com/grinler/rkill.exe
Rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
Rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
Rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif

IMMEDIATELY after running the "Rkill" tool above, run/install the Malwarebytes and SuperAntispyware installer and update files from the links below which you've also copied to a CD or flash drive, and transferred to the problem machine. Do NOT restart the computer after running Rkill.

Once downloaded and before transferring Malwarebytes and SuperAntispyware to the problem machine, rename the program installer "mbam-setup.exe" file to something else like "Gogetum.exe", then copy the installer file and the update file to a CD or flash drive.. Transfer the file to the problem machine, then install the "Gogetum.exe" file, then run the update to get the program current.. After that, run a full system scan and delete anything it finds.

Malwarebytes Installer Download Link (Clicking on the links below will immediately start the download dialogue window.)

Malwarebytes Manual Updater link

Next, install and run a full system scan with the SuperAntispyware program and the manual updater from the links below. As before, you may need to rename the installer file to get the program to install:


SuperAntispyware Manual Updater

In a few situations, in order for the program to run, it was also necessary to rename the main "mbam.exe" file after installing it.. It resides in the C:\Program Files\Malwarebytes Antimalware folder....

Hope this helps.......


malware anti malware
by MOHAMMED UMAR10 / April 30, 2010 11:24 AM PDT

I already have malware anti malware and I restarted my system after installing, a dialog box appeared asking me to restart. Now do I have to reinstall malware or continue with the other instructions given? Also I read that malware anti malware cannot be removed :(

If Malwarebytes Will Update and Run Correctly After Rkill...
by Grif Thomas Forum moderator / May 1, 2010 3:04 AM PDT
In reply to: malware anti malware

..then there's no need to reinstall it. If it doesn't run correctly, then an uninstall/reinstall may be necessary. In addition, please install SuperAntispyware as well. You'll want the "second opinion" that it gives during its scan. It frequently finds things that Malwarebytes doesn't.

Hope this helps.


SuperAntispyware did the job but I don't know why ....

Thanks, yes it helped, but a problem :( After rebooting, the files go invisible again, and old files which I downloaded previously are still invisible (I did not delete them).

the name of virus detected


You'll Want To Temporarily Disable System Restore
by Grif Thomas Forum moderator / May 2, 2010 5:23 AM PDT

It's a little strange that the files are found in the D: drive, (usually a recovery partition and it explains why they're hidden because such are usually hidden partitions), but either way, the System Volume folders contain files for your System Restore tool.. Those particular folders are "locked" by System Restore and as such, removal tools have difficulty getting rid of them.. So, to be sure they're gone, try temporarily disabling System Restore, restart the computer, then re-enable SR again.. Use the instructions in the link below to accomplish the task.

How To Disable System Restore

Hope this helps.


by MOHAMMED UMAR10 / May 2, 2010 7:50 PM PDT

Uninstalled both security software and disabled System Restore.

Restarted system, ran rkill.exe.
Installed and updated both programs, scanned PC, no virus detected :)
Did a test download of 700 MB using mtorrent; went fine till 690 MB, after which the browser (Firefox) and utorrent restarted, the download list disappeared and the file being downloaded vanished into ????????

Previously downloaded files (after the spyware's presence was felt) are still missing and torrent files are not accessible via Firefox :(

Well, Torrents Are Problems In General
by Grif Thomas Forum moderator / May 3, 2010 5:54 AM PDT
In reply to: :).....:(

First, such downloads have a high rate of infection..

Second, if Firefox doesn't work right, try uninstalling it, then reinstalling it.. Or try a different browser.. Does Internet Explorer work fine? If no infection is being found, the computer may be clean but damage may have been done to a variety of programs. Some have found it necessary to perform a full reformat and reinstall of everything. Others are able to narrow down the specific issues and fix them one by one.. Only time will tell which path you will need to take.

Hope this helps.


thank you
by MOHAMMED UMAR10 / May 3, 2010 8:05 PM PDT

Thank you, will reinstall them :)

log in page of yahoo is different
by MOHAMMED UMAR10 / May 3, 2010 8:15 PM PDT

I have 3 browsers: Google Chrome, Firefox, IE8, and Firefox shows

This Connection is Untrusted

You have asked Firefox to connect
securely to login.yahoo.com, but we can't confirm that your connection is secure.

Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.
What Should I Do?

If you usually connect to
this site without problems, this error could mean that someone is
trying to impersonate the site, and you shouldn't continue.
Technical Details
login.yahoo.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
(Error code: sec_error_untrusted_issuer)

Till yesterday Yahoo had the wrong appearance, then I sent a report to Mozilla about the appearance of Yahoo. Now Chrome shows Yahoo properly but Firefox shows the above. WHAT do I do??

Wait It Out... Or A Few Things To Try..
by Grif Thomas Forum moderator / May 4, 2010 2:02 AM PDT

There may be a couple of reasons you're experiencing the certificate error. (Yahoo's login works fine in the latest Firefox 3.6.3 version here.) Try the suggestions below:

First, try emptying all Cookies, History, and Cache from the Firefox, "Tools-Options-Privacy tab".


Try using the link below to log into Yahoo:


Does it work correctly?

Or troubleshoot the issue using the Mozilla link below:


Hope this helps.


ONLY in Regard to Win.MSSQL.worm.Helkern
by Carol~ Moderator / April 26, 2010 10:40 AM PDT


It is noted here at the Kaspersky Lab Forum: 'This kind of intrusion is dangerous only for those using "Microsoft SQL Server 2000". However KIS automatically blocks the attack'. Are YOU using "Microsoft SQL Server 2000"?

From Frequently encountered messages at the Kaspersky Lab Forum:


1) What is Helkern?
Helkern is an internet worm, that exploits a vulnerability in Microsoft SQL server 2000.
You can find more about it here or here

2) Who is attacking me and why?
These attacks are made by the malware which tries to infect other vulnerable PCs. They are automated and target random PCs. The so called attacking PCs are mostly victims of the malware themselves.

3) How can I protect myself?
First of all the Intrusion Detection System (IDS) in KIS blocks it, so you are safe. When the IDS blocks such an attack you will get a notification like this one:


Even without the IDS to block the attack only some PCs are vulnerable to it, PCs running SQL Server 2000 that aren't patched against this vulnerability.

This is why you should keep your PC updated. Not only against this form of malware but also others.

4) How can I get rid of this notification?
If you find this notification annoying then you can easily disable it, by clicking on the arrow pointing downwards in the notification and selecting "Disable this notification".
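
The FAQ's reasoning above (blocked UDP probes to port 1434 only matter if an SQL Server service is actually listening on the machine) can be turned into a quick triage check. This is an added example, not part of the original thread or of any Kaspersky tool; the log format, the sample lines and all function names are constructed for illustration.

```python
import re
import socket
from collections import Counter

SQL_RESOLUTION_PORT = 1434  # UDP port named in the firewall alert in this thread

# Constructed log lines in a made-up format (not Kaspersky's real log layout).
SAMPLE_LOG = """\
2010-04-26 07:40:11 BLOCK UDP 203.0.113.7:3321 -> 192.168.1.10:1434
2010-04-26 07:40:59 BLOCK UDP 198.51.100.23:1066 -> 192.168.1.10:1434
2010-04-26 07:41:30 ALLOW TCP 192.168.1.10:49152 -> 192.0.2.80:80
2010-04-26 07:42:02 BLOCK UDP 203.0.113.7:3321 -> 192.168.1.10:1434
2010-04-26 07:43:15 ALLOW UDP 192.168.1.10:53011 -> 192.0.2.53:53
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>BLOCK|ALLOW) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def probes_by_source(log_text, port=SQL_RESOLUTION_PORT):
    """Count UDP packets aimed at `port`, grouped by (source IP, action)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["proto"] == "UDP" and int(m["dport"]) == port:
            hits[(m["src"], m["action"])] += 1
    return hits

def udp_port_in_use(port, addr="0.0.0.0"):
    """True if the UDP port cannot be bound, i.e. something already holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((addr, port))
        except OSError:
            return True
    return False

def verdict(hits, listener_present):
    """Probes are only a concern when a service on this host could answer them."""
    if not hits:
        return "no-probes"
    allowed = sum(n for (_, action), n in hits.items() if action == "ALLOW")
    if listener_present:
        return "investigate" if allowed else "patch-and-verify"
    return "background-noise"

if __name__ == "__main__":
    hits = probes_by_source(SAMPLE_LOG)
    print(hits, verdict(hits, udp_port_in_use(SQL_RESOLUTION_PORT)))
```

On a home PC with no SQL Server installed, `udp_port_in_use(1434)` is expected to return `False`, which puts the alerts in the "background-noise" category the FAQ describes.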



thank you
by MOHAMMED UMAR10 / April 30, 2010 11:21 AM PDT

Thanks a million for the response :)
