
Had a Conficker Worm


1 reply to this topic

#1 LindyB


Posted 02 December 2009 - 06:14 AM

On 8.11.09 my sister wanted me to transfer some photographs from her camera's SD card to my computer. She asked if I was 100% certain that my computer had no viruses. Apparently, the SD card had previously been infected and had been cleaned by the computer technician at her place of work. The only computers the card had previously been used with were mine, hers, and the one at her place of work. As hers and the one at work were clean, she suspected that the virus had come from mine. I assured her that my computer was clean. I am rigorous about it and was 100% sure.

As she was certain that the SD card was now clean, I inserted it into my card reader and connected it to my computer. I was horrified when an AVG window popped up to say a folder on the card was infected. It gave me some options but I did not have a clue which I should choose. Why does AVG just not sort things out without asking for input?

I rang someone more computer literate than me for advice and asked what I should do. He said as long as I had not transferred the files to my computer, I could just remove the card reader and ignore the AVG message.

Afterwards, my sister suddenly remembered that, on a recent trip to Poland, she had left her camera overnight with someone she knew. She said he may have connected the camera to his computer. That was after the technician had cleaned it.

I was worried and did an AVG scan to make sure nothing had been transferred to my computer and a Trojan Horse was found. It was Agent.ASKJ and it was located in System32\brmifo.dll

I then did a Spybot Search and Destroy scan, which found nothing.

The next morning I did a Malwarebytes Anti-Malware scan and another Trojan Horse was found, exactly the same as the other one. It was immediately picked up by AVG and placed in quarantine there. It also found something called Hijack.System.Hi… (that was as much as I could read in the Quarantine section).

It wasn’t until today that I found the log for the scan and saw that I’d had a Worm.Conficker. This is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3130
Windows 5.1.2600 Service Pack 3

09/11/2009 00:09:06
mbam-log-2009-11-09 (00-09-06).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 221259
Time elapsed: 1 hour(s), 38 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\brmifo.dll (Worm.Conficker) -> Quarantined and deleted successfully.

After doing the Malwarebytes scan I was very worried. I checked System Restore and found that all restore points prior to 8.11.09 had disappeared. I deleted the one created on 8.11.09 and created a new one for 9.11.09. It’s worked OK since then.

On 9.11.09 (the day after the infection), I noticed a new error in the Event Viewer. It’s been there every day on startup ever since. The error is listed in ‘Computer management’ -> ‘System Tools’-> ‘Event Viewer’ -> ‘System’ and it says:

Source: Service Control Manager
Category: None
Type: Error
Event ID: 7023
User: N/A
Description: The Task Universal Service terminated with the following error: The specified module could not be found.

I then looked for ‘Task Universal’ in ‘Services’ in ‘Computer Management’ and the properties for it say:

Service name: ggncadpja
Display name: Task Universal
Description: Enables support for NetBIOS over TCP/IP (NetBT) Service and NetBIOS name resolution.
Path to executable: c:\\WINDOWS\Sustem32\svchost.exe -k netvcs
Startup Type: Automatic
Service Status: Stopped

I Googled ‘Task Universal’ as a computer service and got no results, except for logs posted on various sites, which were no help. I asked a friend who runs Windows XP Pro with SP3 like me to look if he had a service called ‘Task Universal’ and he hadn’t. He said as the service was stopped, it was OK to ignore the error.

To be sure, I ran Hijack This and posted the log file on the Hijack This website for analysis. All items were ticked in green and there was nothing that looked suspicious.

My computer seemed to be running with no problems, so I put the infection to the back of my mind.

Then, on the 18th November, I had a phone call from my bank querying a topup payment to O2 made on 13th. It turned out to be fraudulent. I had no idea how they had got hold of my debit card details as I never use the card in shops, or at ATMs. I only use it for shopping on trusted internet sites, such as Amazon and PayPal. My bank cancelled the card and sent me a new one.

I didn’t connect the fraud to my computer until I received a phone call from my Building Society on 27th November. They told me they had stopped a credit card transaction to O2 topup and cancelled my card. Alarm bells were now ringing as I never use that card in shops or ATMs either. The only two sites that had both card details stored were PayPal and Amazon. The woman from the Building Society said they are both very secure sites and asked me if my computer might have been hacked into.

I was now very worried that my computer had been hijacked and I tried to disable the ‘Task Universal’ service by changing the Startup Type to ‘Disabled’. But when I checked the Event Viewer I found an error:

Source: Service Control Manager
Category: None
Type: Error
Event ID: 7028
User: N/A
Description: The ggncadpja Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.


I then ran an online Trend Micro Housecall scan. It found a Mal VundoG virus. The file was mooYayay.ini. I Googled that and got no results. There were no results for ggncadpja either.

Yesterday I started to run an online Panda Security scan but gave up after 4 hours when only 24% of the scan had been completed.

I am now at a loss as to whether my computer is clean or still infected, and if my computer may still be vulnerable to credit/debit card theft. I do online banking and don’t know if it’s safe to log on.

I don’t think I’ll be happy until the 'Task Universal' error stops appearing in the event viewer.

Any help you can give me will be very much appreciated. I haven’t posted this message on any other forum or website.

Thanks!

P.S. I forgot to say I'm on Windows XP Pro with SP3.

Edit - Sorry about the symbols that appear in my text in place of inverted commas. I don't know why that has happened! I'm reposting to try to fix it.

Also, I didn't mention that I keep losing my internet connection. I don't know if this is due to my service provider, or the infection I had/have.

Edited by LindyB, 02 December 2009 - 08:02 AM.
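The Malwarebytes' Anti-Malware log quoted in the post above has a regular shape (header lines, a summary block of per-category counts, then one section per category listing each detection with its threat name and the action taken). As an added example that is not part of the original post, here is a small Python parser for that 1.x log format, run over the log from the post. It turns the text into structured findings, checks that the declared counts agree with the listed items, and separates settings changes (the `Hijack.System.Hidden` entry, which carries a `Bad:`/`Good:` pair) from dropped files, since the former are worth re-checking after a reboot. The function and class names are my own and are not from Malwarebytes.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.

Added example; not code from the original thread or from Malwarebytes.
The sample input is the log quoted in the post, trimmed to the sections
that actually list detections (empty sections parse the same way).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3130
Windows 5.1.2600 Service Pack 3

09/11/2009 00:09:06
mbam-log-2009-11-09 (00-09-06).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 221259
Time elapsed: 1 hour(s), 38 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\brmifo.dll (Worm.Conficker) -> Quarantined and deleted successfully.
"""

PRODUCT_RE = re.compile(r"^Malwarebytes' Anti-Malware (?P<version>\S+)$")
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")   # "Files Infected: 1"
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")              # "Files Infected:"
HEADER_RE = re.compile(r"^(?P<key>[^:]+): (?P<value>.+)$")
# "<target> (<threat>) [-> Bad: (x) Good: (y)] -> <action>."
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$"
)


@dataclass
class Finding:
    section: str          # e.g. "Files Infected"
    target: str           # file path or registry path
    threat: str           # detection name, e.g. "Worm.Conficker"
    action: str           # what MBAM did with it
    bad: Optional[str]    # present only for settings changes (Bad/Good pair)
    good: Optional[str]


@dataclass
class ScanReport:
    header: Dict[str, str]
    counts: Dict[str, int]      # declared count per section from the summary block
    findings: List[Finding]


def parse_mbam_log(text: str) -> ScanReport:
    header: Dict[str, str] = {}
    counts: Dict[str, int] = {}
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)          # summary counts come before the sections
        if m:
            counts[m["section"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is not None:             # inside a section: every line is an item
            m = ITEM_RE.match(line)
            if m:
                findings.append(Finding(section, m["target"], m["threat"],
                                        m["action"], m["bad"], m["good"]))
            continue
        m = PRODUCT_RE.match(line)
        if m:
            header["Product version"] = m["version"]
        elif DATE_RE.match(line):
            header["Scan time"] = line
        else:
            m = HEADER_RE.match(line)
            if m:
                header[m["key"]] = m["value"]
    return ScanReport(header, counts, findings)


def check_counts(report: ScanReport) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from the items actually listed
    (a truncated or hand-edited log shows up here). Maps section -> (declared, listed)."""
    mismatches: Dict[str, Tuple[int, int]] = {}
    for section, declared in report.counts.items():
        listed = sum(1 for f in report.findings if f.section == section)
        if listed != declared:
            mismatches[section] = (declared, listed)
    return mismatches


def configuration_tampering(report: ScanReport) -> List[Finding]:
    """Detections that record a Bad/Good pair, i.e. a changed setting (here the
    Explorer 'show hidden files' switch) rather than a dropped file."""
    return [f for f in report.findings if f.bad is not None]


def quarantined_files(report: ScanReport) -> List[str]:
    """Paths of files MBAM quarantined, for cross-checking against other scanners."""
    return [f.target for f in report.findings if f.section == "Files Infected"]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.header)
    for f in rep.findings:
        print(f"{f.section}: {f.threat} at {f.target} -> {f.action}")
    print("count mismatches:", check_counts(rep))
```

The count check is there because a scan log pasted into a forum post is often truncated; a mismatch between the summary block and the listed items tells you the log is incomplete before you draw conclusions from it.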


#2 LindyB


Posted 02 December 2009 - 11:03 AM

Hi,

I'm sorry to have to bump this, but I really am desperate!

Thanks!



