Conficker problems..

[achiman]

hi all..
i have caught the bug my avg stopped updating and cant get into avg site or any anti spyware sites ,nothing will update...
microsoft.com for updates nothing..
i have installed nod 32 because it seems to be the only one updating for me...

you guys helped me in the past and it looks like its busy times at the moment so no worries any help would be great ...

my logs are below   

[attachment deleted by admin]

[evilfantasy]

Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

• Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
  
• Then search for TDSSserv.sys
  
• Let me know if you find this or not.
• If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
  
• Now reboot.

.
Let me know if you found and disabled this.

[achiman]

glad to see your still about mate
and no i cant find TDSSserv.sys

[evilfantasy]

glad to see your still about mate

I just happened to pop in...

See if this will run please.

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

• Double click on RSIT.exe to run.
  
• Click Continue at the disclaimer screen.
  
• Once it has finished, two logs will open.
• log.txt <will be maximized and info.txt <will be minimized
  
• Please post the contents of both logs in the next reply.

[achiman]

when i click on link i get error page this is wreckin me head have to download from my pc to stick to run on laptop back soon...

[achiman]

here ya go

[attachment deleted by admin]

[evilfantasy]

Don't worry we'll start making progress soon.

Not sure if you installed VistaDrive but it's a nasty program. See here > http://www.systemlookup.com/Startup/13906-VistaDrive_exe.html

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
- O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code: [Select]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"VistaDrive"=-
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Delete the fixme.reg from the Desktop.

----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

[achiman]

getting there ..thanks again

[attachment deleted by admin]

[evilfantasy]

Scan Suspicious File(s)

Please go to VirusTotal.com
(If more than one file needs scanned they must be done separately and logs posted for each one)

1. Copy the file path in the below Code box:

Code: [Select]

c:\windows\system32\wb.exe2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Next click Send File
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
This will perform a scan across multiple different virus scanning engines.
Important: Wait for all of the scanning engines to complete.
5. Copy and then Paste the link to the results in the next reply.

----------

Do you know what this is?

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7017:TCP"= 7017:TCP:bgbccdmg

[achiman]

no dont know what it is...[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7017:TCP"= 7017:TCP:bgbccdmg

cant open that link getting the error page...??

[achiman]

no cant open the link..problem on my side .
any other options

[evilfantasy]

OK. I think it's a clean file but am not 100% sure. We will deal with it later if needed.

This is really testing my skills by the way. The Conficker worm is a pretty nasty piece of malware! But I think I have found all of it. We will run a special tool after ComboFix just to be sure.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
 It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Driver::
sqdhuvyqs

File::
c:\windows\system32\sgnofqyb.dll

Registry::

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sqdhuvyqs]
"ServiceDll"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7017:TCP"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs sqdhuvyqs]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

After posting the ComboFix log please run the Win32/Conficker.A Removal Tool by Symantec. See this page if needed.

Follow these steps to download and run the tool:

• Download the FixDownadup.exe file from: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe.
  
• Save the file to a convenient location, such as your Windows desktop.
• Optional: To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.

Note: If you are sure that you are downloading this tool from the Security Response Web site, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the "Digital signature" section before proceeding with step 4.

• Close all the running programs.
• If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
• If you are running Windows Me or XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
• Locate the file that you just downloaded.
• Double-click the FixDownadup.exe file to start the removal tool.
• Click Start to begin the process, and then allow the tool to run.

.
---

Let me know when that is done. And how the computer is acting now.

,

[achiman]

evilfantasty...im lookin good can get into avg site and microsoft...

combofix and downedup logs below...thanks mate for your help and support once again
 




[attachment deleted by admin]

[evilfantasy]

OK looks better. Still some work to do.

Save the below Attached file to your desktop.

    * Right Click on the attached file fix.zip
    * Click Open
    * Double-click on fix.bat and allow it to run.
    * A Notepad file will open. Please post the contents of that file, Log.txt, in your next reply.

-----

Next:

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

• Click on SCAN NOW
  
• Click Accept.
  
• The program will then begin downloading the latest definition files.
• Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  
• The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As

• Next, in the Save as prompt, Save in area, select: Desktop.
  
• In the File name area use KScan, or something similar.
  
• In Save as type: click the drop arrow and select: Text file [*.txt]
  
• Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


[attachment deleted by admin]

[achiman]

here you go...sorry for delay online scanner scanned forever

[attachment deleted by admin]