Conficker infection

Discussion in 'ESET NOD32 Antivirus' started by josh718, Apr 30, 2010.

Thread Status:
Not open for further replies.
  1. josh718

    josh718 Registered Member

    Joined:
    Apr 30, 2010
    Posts:
    1
    Hello everyone,

    I have reason to believe I've been infected with the Conficker virus. I've tried a lot of anti-virus/malware scanners but the problem still persists. I just purchased NOD32 last night in the hope that a paid anti-virus program could yield better results, but after scan and removal the problem still persists after reboot.

    Below is a list of things I've tried. Do take note that each time I did a scan, if it detected something it got removed. The virus just kept coming back and then I used another scanner/program to remove it (again and again, using different programs).

    Malwarebytes
    Did 2 scans, one in normal mode and the other in Safe Mode
    Result: Found Conficker and deleted

    Microsoft's Malicious Software Removal Tool
    Did 2 scans, one in normal mode and the other in Safe Mode
    Result: Found Conficker B and partially deleted (as stated by the scanner)

    Avast anti-virus
    Did a scan in normal mode (normal Windows)
    Result: Found Conficker and deleted

    Sophos Conficker removal tool
    Did a scan in normal mode
    Result: Found Conficker and deleted

    BitDefender Conficker removal tool (bdtools.net)
    Did scans in normal and Safe Mode
    Result: Found nothing (this was after a removal, when Avast started picking up weird activity again (the virus came back), so I ran this but it still found nothing)

    Enigma Software - Conficker removal tool
    Did scans in normal and Safe Mode
    Result: Found nothing (this was after a removal, when Avast started picking up weird activity again (the virus came back), so I ran this but it still found nothing)

    EConfickerRemover.exe (ESET)
    Did a scan in normal mode
    Result: Found nothing

    After installing NOD32 and updating it to update 5073 (20100429), I did a scan and I will list the infected files below (the red ones).

    C:\Qoobox\Quarantine\[4]-Submit_2010-04-25_12.37.53.zip » ZIP » jgwyggm.exe » UPX v12_m2 - a variant of Win32/Kryptik.DYL trojan - was a part of the deleted object
    C:\Qoobox\Quarantine\[4]-Submit_2010-04-25_12.37.53.zip » ZIP » jvadfn.exe » UPX v12_m2 - a variant of Win32/Kryptik.DYL trojan - was a part of the deleted object
    C:\Qoobox\Quarantine\[4]-Submit_2010-04-25_12.37.53.zip » ZIP » MsCbClient.exe - a variant of Win32/Injector.BMP trojan - was a part of the deleted object
    C:\Qoobox\Quarantine\C\WINDOWS\system32\prkfbjro.dll.vir - Win32/Conficker.AA worm - cleaned by deleting - quarantined [1]
    C:\Qoobox\Quarantine\D\Documents and Settings\josh\tierq.exe.vir » UPX v12_m2 - a variant of Win32/Kryptik.DYL trojan - was a part of the deleted object
    C:\Qoobox\Quarantine\D\Documents and Settings\josh\uqbr.exe.vir » UPX v12_m2 - a variant of Win32/Kryptik.DYL trojan - was a part of the deleted object
    C:\Qoobox\Quarantine\D\WINDOWS\system32\02.scr.vir - Win32/Injector.BMP trojan - cleaned by deleting - quarantined [1]
    C:\Qoobox\Quarantine\D\WINDOWS\system32\qxzv6.exe.vir - a variant of Win32/Injector.BMP trojan - cleaned by deleting - quarantined [1]
    C:\Qoobox\Quarantine\D\WINDOWS\system32\_zplcbsxz_.dll.zip » ZIP » zplcbsxz.dll - Win32/Conficker.AE worm - was a part of the deleted object
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2XWNG7GL\ldyudzvq[1].jpg - Win32/Conficker.AN worm - cleaned by deleting - quarantined [1]
    C:\_OTL\MovedFiles\04292010_213235\d_windows\system32\config\systemprofile\jveht.exe - a variant of Win32/Kryptik.AK trojan - cleaned by deleting - quarantined [1]
    D:\Documents and Settings\josh\DoctorWeb\Quarantine\jar_cache1585869531879005311.tmp » ZIP » myf/y/AppletX.class - Java/TrojanDownloader.Agent.NAG trojan - was a part of the deleted object
    D:\Documents and Settings\josh\DoctorWeb\Quarantine\jar_cache1585869531879005311.tmp » ZIP » myf/y/LoaderX.class - Java/TrojanDownloader.Agent.NAG trojan - was a part of the deleted object
    D:\Documents and Settings\josh\DoctorWeb\Quarantine\jar_cache1585869531879005311.tmp » ZIP » myf/y/PayloadX.class - Java/TrojanDownloader.Agent.NAG trojan - was a part of the deleted object
    D:\Documents and Settings\josh\DoctorWeb\Quarantine\jar_cache3785955225965492700.tmp » ZIP » AppletPanel.class - probably a variant of Win32/Agent trojan - was a part of the deleted object
    D:\Documents and Settings\josh\DoctorWeb\Quarantine\jar_cache3785955225965492700.tmp » ZIP » Main.class - probably a variant of Win32/Agent trojan - was a part of the deleted object
    D:\WINDOWS\system32\cmos32.exe@ - a variant of Win32/Injector.BMP trojan - cleaned by deleting - quarantined [1]
    D:\WINDOWS\system32\wmcvrts.exe - Win32/Injector.BMP trojan - cleaned by deleting - quarantined [1]

    I have 2 partitions and each has a version of Windows XP SP2; both partitions were infected. I backed up all my files to the D: drive, formatted C: and installed a fresh copy. In fact I formatted C: over 5 times, but the virus just kept coming back. I suspect that because D: is still infected, it re-infects C: after the reformat.

    Usually after I connect to the internet the scanner will pick up a list like the following:

    4/30/2010 2:12:26 PM Real-time file system protection file C:\WINDOWS\system32\iu82.exe a variant of Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\ftp.exe.
    4/30/2010 2:08:06 PM Real-time file system protection file C:\WINDOWS\system32\asr_lbjxfm.exe a variant of Win32/Hatob.E worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\ftp.exe.
    4/30/2010 2:07:27 PM Real-time file system protection file C:\WINDOWS\system32\iu82.exe a variant of Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\ftp.exe.
    4/30/2010 1:40:56 PM Real-time file system protection file C:\WINDOWS\system32\iu82.exe a variant of Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\ftp.exe.
    4/30/2010 1:39:16 PM Real-time file system protection file C:\WINDOWS\system32\iu82.exe a variant of Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\ftp.exe.
    4/30/2010 2:28:03 AM Startup scanner file C:\WINDOWS\System32\iexplore.exe a variant of Win32/Injector.BMG trojan cleaned by deleting - quarantined

    After a while I can't click on my internet connection (the 2-monitors icon) and I can't bring up Task Manager (both Ctrl+Alt+Del and Run -> taskmgr). When this occurs my computer acts weirdly and I can't shut down properly, so I have to press the reset button to restart.

    I've pretty much spent almost a week trying different scanners and solutions but the virus just keeps coming back. I really hope you guys can help me out.
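As an added example (not part of the original thread and not ESET's own code): a small Python parser for the real-time protection log lines quoted in the post above, followed by a triage pass over them. The event regex covers the two line shapes shown on this page; the list of "suspect parent" binaries and the expected on-disk location of iexplore.exe are my assumptions, and the sample log is the post's six lines copied verbatim. The point a responder should take from the output: `ftp.exe` running as SYSTEM is what keeps writing the worm into `system32`, which is the classic scripted-FTP download (`ftp -s:script`) that a remote shell runs after exploiting the host, and the same filename being re-dropped four times in about 33 minutes means the box is being re-compromised while connected, not merely failing to clean.

```python
import ntpath
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the six ESET events quoted in the original post, verbatim.
SAMPLE_LOG = r"""
4/30/2010 2:12:26 PM Real-time file system protection file C:\WINDOWS\system32\iu82.exe a variant of Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\ftp.exe.
4/30/2010 2:08:06 PM Real-time file system protection file C:\WINDOWS\system32\asr_lbjxfm.exe a variant of Win32/Hatob.E worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\ftp.exe.
4/30/2010 2:07:27 PM Real-time file system protection file C:\WINDOWS\system32\iu82.exe a variant of Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\ftp.exe.
4/30/2010 1:40:56 PM Real-time file system protection file C:\WINDOWS\system32\iu82.exe a variant of Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\ftp.exe.
4/30/2010 1:39:16 PM Real-time file system protection file C:\WINDOWS\system32\iu82.exe a variant of Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\system32\ftp.exe.
4/30/2010 2:28:03 AM Startup scanner file C:\WINDOWS\System32\iexplore.exe a variant of Win32/Injector.BMG trojan cleaned by deleting - quarantined
"""

# Matches the two line shapes seen on this page; the trailing "Event occurred ..." part is optional.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<scanner>Real-time file system protection|Startup scanner) "
    r"file (?P<path>\S+) (?P<threat>.+?) "
    r"(?P<action>cleaned by deleting - quarantined|cleaned by deleting|deleted|quarantined)"
    r"(?: (?P<user>.+?) Event occurred on a new file created by the application: (?P<parent>.+?)\.?)?$"
)

# Assumption: LOLBins that should not be the parent of new executables landing in system32.
SUSPECT_PARENTS = {"ftp.exe", "tftp.exe", "cmd.exe", "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Assumption: where the genuine binary lives on a stock XP install; anywhere else is a masquerade.
EXPECTED_LOCATION = {"iexplore.exe": r"c:\program files\internet explorer"}


def parse_log(text):
    """Turn ESET log text into a list of event dicts; unrecognised lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def triage(events):
    """Summarise what the events say about how the malware keeps coming back."""
    dropper_parents = Counter()
    for ev in events:
        parent = ev["parent"]
        if parent and ntpath.basename(parent).lower() in SUSPECT_PARENTS:
            dropper_parents[parent.lower()] += 1

    # Same path detected more than once: the dropper is still active, cleaning is not the problem.
    seen = Counter(ev["path"].lower() for ev in events)
    redropped = {p: n for p, n in seen.items() if n > 1}

    masquerades = []
    for ev in events:
        name = ntpath.basename(ev["path"]).lower()
        if name in EXPECTED_LOCATION and ntpath.dirname(ev["path"]).lower() != EXPECTED_LOCATION[name]:
            masquerades.append(ev["path"])

    as_system = sum(1 for ev in events if (ev["user"] or "").upper() == r"NT AUTHORITY\SYSTEM")

    # How long the drop-and-clean loop ran while the machine was online.
    drop_times = sorted(ev["time"] for ev in events if ev["parent"])
    window_seconds = int((drop_times[-1] - drop_times[0]).total_seconds()) if len(drop_times) > 1 else 0

    return {
        "dropper_parents": dict(dropper_parents),
        "redropped": redropped,
        "masquerades": masquerades,
        "events_as_system": as_system,
        "drop_window_seconds": window_seconds,
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Reading the result against the thread: every drop is attributed to `C:\WINDOWS\system32\ftp.exe` running as SYSTEM, `iu82.exe` is re-dropped four times inside a 1990-second window, and `iexplore.exe` is sitting in `System32` instead of `Program Files\Internet Explorer`. Together those say the host is still exposed on the network and re-exploited as soon as it is online, which is why scanner after scanner "removes" the worm and it returns.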
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Please refer to this blog dealing with Conficker infection. It is crucial to install the appropriate hotfixes from Microsoft as well as change passwords for admin accounts to prevent further infections.
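An added example, not from the original thread and not ESET's code, that turns the advice in the reply above into a check. Conficker has three ways onto a machine: the MS08-067 Server service hole (closed by hotfix KB958644), autorun.inf on removable and mapped drives (which on XP needs both KB967715 and a `NoDriveTypeAutoRun` value of 0xFF to be really off), and admin shares guarded by guessable passwords. The script evaluates all three from the text that `wmic qfe get HotFixID` and `reg query` print on an XP box; the sample outputs are constructed, the small weak-password set is my own illustrative list (Conficker's dictionary is far longer), and the 0x91 fallback for a missing registry value is an assumption about the XP default.

```python
import re

# Win32 drive-type bits as used by NoDriveTypeAutoRun; a SET bit disables AutoRun for that type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}

MS08_067_KB = "KB958644"   # closes the Server service RPC flaw Conficker exploits
AUTORUN_KB = "KB967715"    # makes XP honour NoDriveTypeAutoRun for autorun.inf on non-CD media
DEFAULT_MASK = 0x91        # assumption: XP default when the policy value is absent

# Constructed sample outputs, shaped like `wmic qfe get HotFixID` and
# `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun`.
SAMPLE_QFE = """\
HotFixID
KB936929
KB958644
"""
SAMPLE_REG = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun  REG_DWORD   0x91
"""

# Constructed illustrative set of trivially guessable strings; not Conficker's actual list.
WEAK_PASSWORDS = {"", "admin", "administrator", "password", "123", "1234", "12345", "123456", "qwerty", "letmein"}


def installed_hotfixes(qfe_text):
    """Set of KB identifiers present in wmic qfe output."""
    return {tok.upper() for tok in re.findall(r"\bKB\d+\b", qfe_text, flags=re.IGNORECASE)}


def autorun_mask(reg_text):
    """NoDriveTypeAutoRun as an int, or None if the value is not in the reg query output."""
    m = re.search(r"NoDriveTypeAutoRun\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_text)
    return int(m.group(1), 16) if m else None


def autorun_enabled_types(mask):
    """Drive types for which AutoRun is still enabled under the given mask."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if not mask & bit]


def is_weak_password(password, username="Administrator"):
    """True for passwords an admin-share brute-forcer would try first."""
    p, u = password.lower(), username.lower()
    return p in WEAK_PASSWORDS or p in (u, u[::-1]) or len(p) < 8


def assess(qfe_text, reg_text, admin_password, username="Administrator"):
    """Report exposure to Conficker's three infection vectors."""
    fixes = installed_hotfixes(qfe_text)
    mask = autorun_mask(reg_text)
    if mask is None:
        mask = DEFAULT_MASK
    enabled = autorun_enabled_types(mask)
    return {
        "ms08_067_patched": MS08_067_KB in fixes,
        "autorun_update_installed": AUTORUN_KB in fixes,
        "autorun_mask": mask,
        "autorun_enabled_types": enabled,
        # Exposed if the registry value is ignored (no KB967715) or still allows USB/network drives.
        "autorun_exposed": AUTORUN_KB not in fixes or "DRIVE_REMOVABLE" in enabled or "DRIVE_REMOTE" in enabled,
        "weak_admin_password": is_weak_password(admin_password, username),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_QFE, SAMPLE_REG, "admin").items():
        print(f"{key}: {value}")
```

On the constructed sample the MS08-067 hotfix is present but the autorun update is not, the default 0x91 mask still leaves removable drives enabled, and "admin" fails the password check, so two of three doors remain open; in the situation described in this thread, a second infected partition on the same disk is a fourth door that no patch closes, which is why the replies below push for a rebuild from clean media.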
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
    Help: I Got Hacked. Now What Do I Do?
    http://technet.microsoft.com/de-de/library/cc512587(en-us).aspx
    Take your time to deal with a setup from scratch or an image/backup.
     
  4. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92
    Well...

    I'd give SAS a try!!!

    www.superantispyware.com

    It's an interesting test for it as so many others have failed!

    I'd run it in safemode.
     
  5. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92
    OK, now that I've really read your post, you're gonna need a BartPE disk, pal, and use all the methods outlined here

    -http://www.youtube.com/user/mrizos#p/search/5/G7qBzYctfqs-

    To make the disk watch these videos!!


    -http://www.youtube.com/watch?v=OYIktyeIKqI-

    Hat's off to Matt!!!
     
    Last edited by a moderator: Apr 30, 2010
  6. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92

    That's really of no help, moderator...

    Look at his ESET log!!!

    The guy has a lot more going on than just Conficker!!!

    His only last hope for idiot removal is SAS.

    Outside of that, a BartPE disk is really the only way to remove that mess.

    Why would anyone in their right mind still be running SP2!!!
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Simple answer: buy First Defense-Rescue, no matter what frigging product you use to catch malware.

    Pub answer: What is your point? He got hit. Tough, but reality. I had F-Secure installed and Koobface blew right past it. Did I fly to Finland to blast the malware writers?

    I don't believe in layers, but I do think that, even as stupid as I may appear ;), a solid backup is your first line of defense.

    I play all the time and when it is time for Daddy to clean the house I just create a new snapshot. Duh!!
     
  8. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  9. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92
    I've never heard of First Defense-Rescue. Am I missing something good here? I take it it's backup software.
     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  11. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92
    great stuff guys...

    But as you can see he's totally infected with a lot more than just that!!!

    I thought my post with Matt's videos would help him best, but I'm willing to bet a 100 spot that the kid never even comes back LOL

    PS: I've seen SAS remove EVERYTHING on a machine like that if it's XP Win32. I sure hope the kid comes back and tries it, as I actually CARE enough to not give a canned response.
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    The OP has all the tools he/she needs to get disinfected; the onus is on them to use them. :ouch:

     