Help! I think I have the conficker worm!..........


This topic is locked
11 replies to this topic

#1 jmccracky
  • Members
  • 20 posts

Posted 05 April 2009 - 11:01 PM

I'm pretty sure it's the Conficker worm. I got up this morning, and there was some sort of "fake" antivirus program running. So I tried to run all of my anti-spyware programs, and all of them have been disabled. I cannot run any of them. I tried to reboot in normal mode, but before the computer would fully boot, right as I sign in, that fake scanner came up and wouldn't let me get past it. I could not close it out.

So, I reboot again into safe mode, and there are 3 different sign ins. One is "Kenny and Amber" for me and my girlfriend, "Arianna" for her daughter, and "Administrator". There was NEVER "Administrator" there before. It had always been "Brennan and Roxanne" for her son and my daughter. Now that is gone.

So I go under Administrator, and I remove two programs that were not installed by me. It got rid of the scanner, but I still cannot run my antivirus programs.

I also cannot restore my computer to an earlier date.

I tried "hijack this" and it said I had 4 hijackers (the beginning code was O17). I "fixed them" and rebooted my computer. Well I couldn't get past my sign in. So, I had to reboot again, and did it by "the last normal settings". It let me sign in then.

So, I run Hijack this, and the 4 hijackers that I deleted, showed up again, PLUS TWO MORE!!!!!!!

I tried hijack this one more time. Hijack this deleted the 6 "hijackers" this time, and when I rebooted, it said that it got rid of all 6. However, I still have the worm. I tried going onto the malwarebytes website, and I keep getting redirected to other pages. I was directed to Amazon.com the first time, then Yahoo!Jobs.com the second time. But if I put the address site in, I can get to the website.

I also tried the help page with conficker on this website. http://www.bleepingcomputer.com/malware-re...nadup-conficker I could not run the windows update. I tried it with Internet Explorer, but I usually browse with Mozilla. I basically could not do the instructions on the help page.

I have malwarebytes, Norton, Hijack This, Ad-Aware, Spybot, SuperAntiSpyware, and SpywareBlaster. I had all of them updated before this happened. I ran scans with everything I had. Everything looked great! Then I get up this morning, and find out that there is something wrong with my computer. The only thing that lets me scan is Norton. But it will only scan a few thousand files. Then it says that my system is fine.

I also tried doing everything in safe mode. I can't run any of the programs still. When I reboot, at the sign in, there should be 3 different sign ins. They are "Brennan and Roxanne", "Ariana", and "Kenny and Amber". Sometimes "Brennan and Roxanne" is replaced with "Administrator", and I cannot log in under "Kenny and Amber".

I hope someone can help. Thanks!


#2 jmccracky
  • Topic Starter
  • Members
  • 20 posts

Posted 05 April 2009 - 11:02 PM

Also, I'm not sure what make the computer is. It is a home built model. I have Windows XP. That's about all I know about it, because I just got it from my brother a few months ago.

#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 April 2009 - 12:49 PM

Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not run, try renaming it and changing the file extension.
  • Open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on the mbam.exe file, rename it to myscan and change the .exe extension to .scr, .com, .pif, or .bat.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Be sure to update MBAM through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 jmccracky
  • Topic Starter
  • Members
  • 20 posts

Posted 06 April 2009 - 02:53 PM

I opened the program file for malwarebytes. I cannot find anything with mbam.exe. I only have the "mbam" icon, and some other icons. Any help with this? I'm computer illiterate. I even tried the steps to the link.



Again, thanks for your patience and help.

#5 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 06 April 2009 - 02:56 PM

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.

Chewy

No. Try not. Do... or do not. There is no try.

#6 jmccracky
  • Topic Starter
  • Members
  • 20 posts

Posted 06 April 2009 - 03:03 PM

Show Hidden Folders/Files

  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.


Ok, now I'm scanning! That worked. You guys/gals are phenomenal. I'll post what happens.

#7 jmccracky
  • Topic Starter
  • Members
  • 20 posts

Posted 06 April 2009 - 04:03 PM

Here is my log-

Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/6/2009 4:54:52 PM
mbam-log-2009-04-06 (16-54-52).txt

Scan type: Quick Scan
Objects scanned: 91203
Time elapsed: 6 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.




I actually scanned and rebooted 3 times. I had a lot of infections. The last file infected in the log, the gaopdxcounter, showed up on my second scan, and it showed up in the log I presented in this post. Also, when I do a search in yahoo or google, I still get redirected to other sites.

#8 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 April 2009 - 08:45 AM

MBAM has been updated to v1.36. Please download and install the most current version from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

Update the database through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

IMPORTANT NOTE: One or more of the identified infections (gaopdxcounter) was related to a rootkit component which includes gaopdxserv.sys, gaopdx[random characters].dll and other malicious files. This is a nasty variant of the TDSSSERV rootkit. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

#9 jmccracky
  • Topic Starter
  • Members
  • 20 posts

Posted 07 April 2009 - 12:30 PM

Ok, I updated to the newest version of malwarebytes. Did the scan, rebooted, scanned again, and got the same results. I am still redirected to other sites when I do a search in yahoo or google. The sites are always something that might be useful, like Yahoo!Jobs, or automobile repair sites. Argh! Here are my scan results-

Malwarebytes' Anti-Malware 1.36
Database version: 1948
Windows 5.1.2600 Service Pack 3

4/7/2009 1:25:54 PM
mbam-log-2009-04-07 (13-25-54).txt

Scan type: Quick Scan
Objects scanned: 91386
Time elapsed: 6 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.



Is there anything else I can do without reformatting? I need a recovery disc, and my recovery disk is with a friend of mine 2 states over. I guess he can mail it back to me? I appreciate the help, even if there is nothing else I can do.

#10 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 April 2009 - 12:42 PM

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is a hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#11 rbhambha
  • Members
  • 20 posts
  • Gender:Male
  • Location:Southwest

Posted 07 April 2009 - 05:44 PM

Hey all,

I stumbled across this thread after I figured out I had a ton of malware on my computer. I wasn't sure how I got it, but I'm sure I caught it immediately. I ran a MBAM scan yesterday, and it came out clean. Today, after suspecting my computer had picked up some malware, I tried to open MBAM, and it wouldn't open. Spybot wouldn't open either, and every time I tried to google solutions to the problem, I would be redirected to some yahoo!jobs site or something similar. I followed your instructions here and I was able to update and run MBAM! Thank you so much for your help.

Here are the logs from the scans I ran. I ran it twice just to make sure everything was cleaned out, and apparently it wasn't. Any clue why this is? I restarted my computer the first time, so I figured there would be nothing left over. Should I run a full scan tonight?

Number 1:

Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/7/2009 5:21:53 PM
mbam-log-2009-04-07 (17-21-53).txt

Scan type: Quick Scan
Objects scanned: 86202
Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{298c8a09-b906-4eb9-aacd-9efe31b73f15} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csiqpayh (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{298c8a09-b906-4eb9-aacd-9efe31b73f15} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nsvkkbqo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\nsvkkbqo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsvkkbqo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{298c8a09-b906-4eb9-aacd-9efe31b73f15} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvatoyuy (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\bfspfuu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\UACeeynkncc.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACvaearrja.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\UACdhalxwxd.dll (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\Family\Local Settings\Temp\UACa40a.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\uhanekulemuna.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\UAChngyruuf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACmhuecsat.log (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACumcbesmk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACuxyqgvxk.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACtrjkwhph.sys (Trojan.Agent) -> Delete on reboot.


Number 2:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/7/2009 5:31:44 PM
mbam-log-2009-04-07 (17-31-44).txt

Scan type: Quick Scan
Objects scanned: 85658
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvatoyuy (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: kbjaelol.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\kbjaelol.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\ivovolovolovo.dll (Trojan.Agent) -> Delete on reboot.


Any recommendations? Thank you in advance for your help!

Edited by rbhambha, 07 April 2009 - 05:45 PM.
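Both members' MBAM logs in this thread use the same line layout, and rbhambha's question (why a second scan still listed items after the first scan and a restart) turns on the difference between "Quarantined and deleted successfully" and "Delete on reboot", which quietman7's advice about rebooting normally also depends on. The script below is an added example, not MBAM's code and not from anyone in this thread: it parses that log format, lists the items that are still on disk until the next normal reboot, picks out the registry entries under autostart locations (Userinit, Winlogon Notify, Run, services, Browser Helper Objects, LSA Notification Packages) that explain how the infection survives each logon, and pulls the extra executable out of a Hijack.UserInit "Bad:" value. The embedded sample log is constructed from entries copied out of the posted logs; the regexes and the marker list are my assumptions about the format, based only on the lines shown here.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the MBAM 1.3x quick-scan logs posted in this
# thread. Each path and threat name is copied from those logs; the selection is mine.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 86202
Time elapsed: 6 minute(s), 57 second(s)

Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsvkkbqo (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qvatoyuy (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\drivers\UACtrjkwhph.sys (Trojan.Agent) -> Delete on reboot.
"""

# A section header is "<Name> Infected:" with nothing after the colon; the summary
# block near the top uses the same names but carries a count ("... Infected: 2").
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# One finding: "<item> (<threat>) -> [<detail> -> ]<action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")

# Autostart locations that appear in the posted logs (assumption: a substring match
# on the registry path is enough to tag an entry as a persistence mechanism).
PERSISTENCE_MARKERS = (
    r"\Winlogon\Userinit", r"\Winlogon\Notify", r"\CurrentVersion\Run",
    r"\Services", r"\Browser Helper Objects", r"\LSA\Notification Packages",
)


@dataclass
class Finding:
    section: str
    item: str     # registry path or file path
    threat: str   # e.g. Trojan.Vundo.H
    detail: str   # "Data: ..." or "Bad: (...) Good: (...)", empty when absent
    action: str   # "Delete on reboot." or "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return every flagged item in the log, tagged with the section it came from."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        # Skip header/summary lines (before any section) and "(No malicious items detected)".
        if not line or section is None or line.startswith("("):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # The detail part is optional, so split off the action from the right.
        detail, _, action = m.group("rest").rpartition(" -> ")
        findings.append(Finding(section, m.group("item"), m.group("threat"), detail, action))
    return findings


def needs_reboot(findings):
    """Items MBAM could not remove while Windows was running: they are still present
    until a normal (not safe-mode) reboot, so a scan before that reboot lists them again."""
    return [f for f in findings if f.action.startswith("Delete on reboot")]


def persistence_findings(findings):
    """Registry entries under autostart locations: how the malware returns at every logon."""
    markers = [m.lower() for m in PERSISTENCE_MARKERS]
    return [f for f in findings
            if f.section.startswith("Registry") and any(m in f.item.lower() for m in markers)]


def userinit_extras(findings):
    """Executables appended to the Winlogon Userinit value besides userinit.exe itself."""
    for f in findings:
        if f.threat == "Hijack.UserInit":
            m = re.search(r"Bad: \((?P<bad>[^)]*)\)", f.detail)
            if m:
                return [p for p in m.group("bad").split(",")
                        if p and not p.lower().endswith("userinit.exe")]
    return []


def summarize(findings):
    """Count of findings per section, i.e. the numbers the log's summary block reports."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("per section:", summarize(found))
    for f in needs_reboot(found):
        print("still present until reboot:", f.item)
    for f in persistence_findings(found):
        print("autostart entry:", f.threat, f.item)
    print("extra Userinit entries:", userinit_extras(found))
```

Run against either poster's pasted log instead of the sample and the "still present until reboot" list is exactly the set of items a second scan before restarting would report again; the Userinit check is the one to repeat by hand after cleaning, since that value runs at every logon.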


#12 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 April 2009 - 10:09 AM

Welcome to BC rbhambha

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff


jmccracky, your DDS/Hijackthis log is posted here and you are already getting assistance.

After posting a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

The HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic.