Windows Have I win32.conficker.c virus? Hijack log posted

Discussion in 'Tech Support' started by amp_johnny, 7 Sep 2009.

  1. amp_johnny

    amp_johnny What's a Dremel?

    Joined:
    7 Sep 2009
    Posts:
    9
    Likes Received:
    0
    Hi Guys,

    Thank you for taking the time to read my post, I hope someone out there can help me end a very very frustrating weekend. I used to regularly revert to the Custom PC website forums for help as there were so many helpful members on it.

    Saturday evening while surfing I got a Windows Firewall warning telling me that it was preventing a virus it considered dangerous from accessing my network. The virus it said was win32.conficker.c. As soon as I got the message my browser crashed and I have been mostly unable to relaunch Firefox since. In the immediate aftermath I was also unable to launch IE - only the 64 bit version that came with my system would work.

    When I have been able to relaunch Firefox it usually directs me to update my system's spyware security by directing me to a site www.proofdefender.com. This site I have since discovered is a sham and exists for the purpose of ripping people off with fake spyware products. Unfortunately I installed this product without really thinking, I only realised my error when it asked me for payment to use it. I uninstalled it via the programs add/remove option in Control Panel after this.

    Since this happened my browser has been repeatedly failing and has been laggy, Firefox won't work for the most part and IE will not open all pages I ask it to, I can access a lot of info on the virus via Microsoft and other anti-spyware sites but not all pages will load.

    I was running AVG antivirus software which I have since updated but it shows nothing on scans, I have also installed and/or run Spybot Search and Destroy and Microsoft's malware removal program. As far as I can see the problem still exists. I get intermittent warnings that I have the virus and am unable to play any online games - these crash shortly after launch. I am also now unable to use Windows Media Player or DivX player either, I tried to use iTunes a while ago and I get a similar crashed message with this as well. My system feels overall very slow and laggy.

    I followed the directions regarding the HijackThis file and this is the result of my scan with it below.

    If you have read all I have posted and can offer any insight into this I would be very very grateful.

    Thanks and regards
    John

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:43:55, on 06/09/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18294)
    Boot mode: Normal
    Running processes:
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
    C:\Program Files (x86)\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\SysWOW64\PnkBstrB.exe
    C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
    C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
    C:\PROGRA~2\AVG\AVG8\avgemc.exe
    C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files (x86)\AVG\AVG8\avgcsrvx.exe
    C:\Program Files (x86)\MSN Messenger\msnmsgr.exe
    C:\Users\John Healy\AppData\Roaming\Gmail\mstime.exe
    C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe
    C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files (x86)\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\AVG\AVG8\avgtray.exe
    C:\Windows\SysWOW64\CTHELPER.EXE
    C:\Windows\SysWOW64\CTXFIHLP.EXE
    C:\Program Files (x86)\Spyware Doctor\pctsTray.exe
    C:\Windows\SysWOW64\CTXFISPI.EXE
    C:\Program Files (x86)\iPod\bin\iPodService.exe
    C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
    C:\Program Files (x86)\Registry Mechanic\regmech.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files (x86)\QuickTime\QuickTimePlayer.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\SysWOW64\WerFault.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [Gainward] C:\Windows\TBPanel.exe /A
    O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files (x86)\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
    O4 - HKLM\..\Run: [LiveMonitor] "C:\Program Files (x86)\MSI\Live Update 3\LMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\SysWOW64\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files (x86)\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\HOMERunner.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [realtekc] "C:\Users\John Healy\AppData\Roaming\Gmail\mstime.exe" 2
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files (x86)\Registry Mechanic\RMTray.exe /H
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
    O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files (x86)\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
    O4 - Global Startup: DualCoreCenterSideBar.lnk = C:\Users\John Healy\AppData\Local\MSI\DualCoreCenterSideBar\StartDualCoreNow.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://asia.msi.com.tw
    O15 - Trusted Zone: http://global.msi.com.tw
    O15 - Trusted Zone: http://www.msi.com.tw
    O15 - Trusted Zone: http://global.msi.com.tw
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1206389615086
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobio...ne/install.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files (x86)\Seagate\Basics\Service\SyncServicesBasics.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: Google Update Service (gupdate1ca1541d8bb053e) (gupdate1ca1541d8bb053e) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files (x86)\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    --
    End of file - 12238 bytes
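
A triage pass over the HijackThis log format posted above, as an added example that is not part of the original thread. The sample lines are copied from that log; the function names, rule names and the two heuristics (a BHO registered with no file, an autostart launched from a user-writable profile folder) are this example's own assumptions, and its output is a list of entries to review by hand, not a verdict on any file.

```python
import re
from typing import NamedTuple

# Sample input: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [realtekc] "C:\Users\John Healy\AppData\Roaming\Gmail\mstime.exe" 2
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: DualCoreCenterSideBar.lnk = C:\Users\John Healy\AppData\Local\MSI\DualCoreCenterSideBar\StartDualCoreNow.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
"""


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O4"
    rule: str      # name of the heuristic that matched (example's own naming)
    target: str    # CLSID or executable path to review


# Assumption: folders any standard user can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\(?:users|documents and settings)\\[^\\]+\\"
    r"(?:appdata|application data|local settings)\\"
    r"|%(?:appdata|localappdata|temp|tmp)%",
    re.IGNORECASE,
)
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN = re.compile(r"^HK\S*\\\.\.\\\w+: \[(.*?)\] (.*)$")
STARTUP = re.compile(r"^(?:Global )?Startup: (.*?) = (.*)$")
EXE = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=\s|$)',
    re.IGNORECASE,
)


def executable(command: str) -> str:
    """Return the program part of an autostart command, dropping arguments."""
    command = command.strip()
    m = EXE.match(command)
    if m:
        return m.group(1) or m.group(2)
    parts = command.split()
    return parts[0] if parts else ""


def triage(log_text: str) -> list:
    """Return review leads from O2 (BHO) and O4 (autostart) entries."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw)
        if not entry:
            continue  # header lines and the running-process list
        section, body = entry.groups()
        if section == "O2":
            bho = BHO.match(body)
            if bho and bho.group(3).strip() == "(no file)":
                findings.append(Finding(section, "bho-without-file", bho.group(2)))
        elif section == "O4":
            auto = RUN.match(body) or STARTUP.match(body)
            if auto and USER_WRITABLE.search(executable(auto.group(2))):
                findings.append(Finding(section, "autostart-from-user-profile",
                                        executable(auto.group(2))))
        # "(file missing)" on O23 lines is not flagged here: a 32-bit HijackThis
        # on 64-bit Windows can report it for files hidden by file-system redirection.
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section}  {finding.rule:28}  {finding.target}")
```

The second autostart hit sits in a vendor folder under the user profile, which is why each result is a lead to check against the installed software rather than a removal list.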
     
  2. kenco_uk

    kenco_uk I unsuccessfully then tried again

    Joined:
    28 Nov 2003
    Posts:
    10,107
    Likes Received:
    682
  3. smc8788

    smc8788 Multimodder

    Joined:
    23 Apr 2009
    Posts:
    5,974
    Likes Received:
    272
    You could also try the Malwarebytes software to see if that finds anything.

    Are you using the free version of AVG? If so you might want to try and use another AV program as AVG isn't known for having the best detection rates, and is often slow to release new virus definitions. Avast and Avira are probably the two most recommended ones. If all else fails then you'll have to back up your data and do a clean Windows install.

    Do you regularly perform Windows updates? If so you shouldn't be having this problem at all as they patched this flaw about 6 months ago IIRC, although you could have been infected earlier than that. In any case, you might want to invest in a decent internet security suite which should prevent you from getting viruses and help remove them if you do - my version of Kaspersky Internet Security stopped me even visiting the site you were redirected to that you linked above and flagged it up as a phishing attack, so all this could easily have been avoided. However, always remember that safe browsing habits are the first line of defence against viruses, so be careful about what sites you visit and you shouldn't have any problems.
     
  4. amp_johnny

    amp_johnny What's a Dremel?

    Joined:
    7 Sep 2009
    Posts:
    9
    Likes Received:
    0
    Hi guys,

    Thank you for the quick replies.

    I do regularly perform Windows updates and according to my log the patch to close off the weakness to this virus was downloaded and installed automatically a number of weeks ago. The one major update I was unable to install was actually SP1 for Vista, this would not correctly install for me repeatedly over a number of months till it got to the point where I basically gave up. When I went to Windows Update centre yesterday to make sure I had everything it installed correctly first time.

    One side effect of this is that I have no system restore points to revert to earlier than yesterday, however I have since read that the conficker virus also wipes old restore points as a means of self preservation so I cannot tell you if this is why I have none.

    I was using AVG free edition as I thought it was considered the best of the freeware security programs, I will replace it with one of the others you recommended.

    I currently have Malwarebytes running a full scan as we speak but was unable to launch the Symantec one as it says I do not have permission to do so? (I am the administrator and am using the only account on the PC so this is incorrect). It was all a little rushed as I was on lunchbreak from work but I will try again tonight and revert to here with an update.

    Again, my sincere thanks for your time and effort guys

    John
     
  5. scimmy

    scimmy Minimodder

    Joined:
    17 May 2005
    Posts:
    200
    Likes Received:
    8
  6. smc8788

    smc8788 Multimodder

    Joined:
    23 Apr 2009
    Posts:
    5,974
    Likes Received:
    272
    Sounds about right, the Conficker worm (as with many other viruses) often locks you out of administrator privileges to stop you doing anything to remove it.

    AVG used to be considered one of the best free AV programs a while ago but it has performed poorly in recent tests so I would no longer recommend it.

    Do you have the original Vista install disc that came with the PC? If none of the options above work you might want to consider doing a fresh Windows install. I know it may seem like a hassle, but aside from getting rid of the virus (as well as other crap that may have found its way onto your computer) it's a great way to improve the general responsiveness of the system if it's becoming a bit sluggish.
     
  7. amp_johnny

    amp_johnny What's a Dremel?

    Joined:
    7 Sep 2009
    Posts:
    9
    Likes Received:
    0
    Hmmm.

    So far no good.

    I have uninstalled AVG and installed Avast but it is also failing to locate the virus.

    I am thinking that for the sake of my sanity I may just reinstall Vista again, I have the original install disk.

    I have to ask a question though, I have about 100 gigs of music and movies on my PC, am I safe to move all this stuff to an external hard drive and then move it back again after I do the fresh install of Vista?

    Am I right in assuming that the only stuff I lose in the long run is various updates, programs and drivers etc that I have installed over the past year? I'm assuming all these will be wiped when I opt for the reinstall?

    Also do I literally just insert the installation disk into my current system and click reinstall? Or do I have to reformat the old drive first?

    Thanks again for any help
    John

    PS: I just wanna get back to playing EVE :(
     
  8. kenco_uk

    kenco_uk I unsuccessfully then tried again

    Joined:
    28 Nov 2003
    Posts:
    10,107
    Likes Received:
    682
    If you want to try one last-ditch attempt at ridding this terrible virus, have a look at this link.
     
  9. smc8788

    smc8788 Multimodder

    Joined:
    23 Apr 2009
    Posts:
    5,974
    Likes Received:
    272
    Yep, the virus won't be located within any of those files so you'll be safe to just transfer them across.

    Yep. Your new installation will revert back to the revision on the installation disk (i.e. in your case, pre-SP1), so make sure you download all available updates for both Windows and your AV utility before you do anything else. You'll also have to get the latest drivers from the relevant hardware manufacturer's website.

    You could use something like KillDisk to completely remove all data on the drive but that's probably going a bit over the top. Just put the installation disk in, go into your BIOS and set the CD/DVD drive to first in the boot order, then when it boots up there will be an option to format the whole drive/partition, or you could use the command line utility (more help on that here).
     
  10. amp_johnny

    amp_johnny What's a Dremel?

    Joined:
    7 Sep 2009
    Posts:
    9
    Likes Received:
    0
    Wow.. thanks for that link, it makes for very interesting reading. When I was running the scan it was with my PC connected to our home network, the internet and with my iPod plugged in. I'll have to try it again tonight with all these plugged out as directed.

    While I certainly have a number of the symptoms described in that article I have had better luck accessing Windows and other patch sites over the last 24 hours. I still can't run the Symantec removal tool due to a (fake?) administrator access problem. Firefox is also basically unusable despite being reinstalled again. I also continue to get random disconnects when I try to play any online game.

    Also, thank you for the directions on reinstalling my Vista, in the linked article provided to me above it notes that the infection spreads easily via any removable media (the author spread it from a workstation to a laptop via digital camera) such as USB pen drives etc (it copies an autorun version of itself to the drive when it's connected?). As such if I do reinstall Vista, patch everything and reinstall and activate Avast will I then be protected enough to plug my portable hard drive back in and start transferring all my movies/music etc back to my main drive?

    In short, from what I've read in the linked articles it seems I am essentially guaranteed that the virus will spread to my portable hard drive upon connection and then attempt to move back to my main system when I reconnect same. Will having my system fully patched and with Avast free edition running be enough to stop it and hopefully allow me to remove it from the portable hard drive as well?

    Thanks for any help again guys
    (a hopeful)John
     
  11. thehippoz

    thehippoz What's a Dremel?

    Joined:
    19 Dec 2008
    Posts:
    5,780
    Likes Received:
    174
    dance puppet dance! XD j/k johnny you should be ok once you get reinstalled and back up

    the av should pick up the infection on your external when it's plugged in and scanned.. assuming you're on vista
     
  12. Mickenoss

    Mickenoss What's a Dremel?

    Joined:
    4 Jun 2009
    Posts:
    77
    Likes Received:
    0
    Realise it's a little late but can totally recommend malwarebytes, another good free one is superantispyware.

    And another free online scanner (requires a download but works well) eset

    Good luck, it sucks when this sort of thing happens, fingers crossed for you :thumb:
     
  13. Sutters

    Sutters Silent lurker!

    Joined:
    24 Apr 2009
    Posts:
    258
    Likes Received:
    8
    Yep... agree with hippo here.
    I had a similar experience months ago where nothing worked to get rid of a virus.

    I copied all essential files to an external drive, re-installed XP and then copied the data back.
    AVG picked up any problems and it's been running fine since.

    Sometimes the easiest thing is always a re-install :wallbash:
     
