Virus attack

S

saumilsingh

Skilled
Here's the deal.
Our PC hardware guy connected his thumb drive to one of my office PC's and as it turned out, he had 2 worms sitting in it :mad:.

Conficker
Fujacks

AVG was installed and had been updated the day before so this took care of Fujacks.

For Conficker, I wasn't so sure since this is usually a b**ch to recover from.
So I downloaded and ran the Malicious Software Removal Tool from Microsoft, which after running a full system scan reported that there were no malicious files on the system.

The PC has been working normally with no suspicious internet activity.
I also don't have any of the symptoms of Conficker (blocking of security websites, remote scheduled tasks, etc.).

But I am still not satisfied :|.
Did my network just dodge a bullet or am I still infected?
Is there any possibility at all that the MSRT scanner might have been given the slip by Conficker?
 
Run a scan from a diff AV to make sure, boot into safe mode and then run the scan. I am having a pretty good run with ESET NOD32, AVG atleast the free version was a POS in detecting worms..
 
I think Fujacks managed to screw with the Security Center alerts. As a result, Windows no longer alerts me if I disable the firewall.

As you can see, the option to control alerts is greyed out. How can I fix this?
78893543.gif
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:07 PM, on 04-Mar-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\RefreshLock\RefreshLock.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\RivaTuner v2.09\RivaTuner.exe
C:\Program Files\RivaTuner v2.09\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\3RVX\3RVX.exe
C:\Program Files\DL Software\D-Color\dcolor.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\nHancer\nHancer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\PROGRAM FILES\FRAPS\FRAPS.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Y'z Shadow\YzShadow.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [RefreshLock] C:\Program Files\RefreshLock\RefreshLock.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /T
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTunerStatisticsServer] "C:\Program Files\RivaTuner v2.09\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe" /s
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [3RVX.exe] C:\Program Files\3RVX\3RVX.exe
O4 - HKCU\..\Run: [D-Color] C:\Program Files\DL Software\D-Color\dcolor.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [nHancer] "C:\Program Files\nHancer\nHancer.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Fraps] C:\PROGRAM FILES\FRAPS\FRAPS.EXE
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: YzShadow.exe.lnk = C:\Program Files\Y'z Shadow\YzShadow.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{822319C1-3656-41D6-8519-B9FB9AAE4F04}: NameServer = 218.248.255.146 218.248.255.139
O17 - HKLM\System\CCS\Services\Tcpip\..\{82FFB339-6EC6-41B9-AC16-C82F01B4A787}: NameServer = 61.1.96.69,61.1.96.71
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5945 bytes
 
mallik said:
I suggest you do a registry clean, and post your hijack this log
Click to expand...

I agree with, do registry clean, this way all registered files of virus on your PC will got deleted and it remains safe
 
Ok, an update.

Even though this PC works alright, one can never dare disable the firewall.
Because the moment the firewall is disabled, Security Center is once again locked down so I can't re-enable the firewall and also all internet activity completely stops, i.e. all web browsers and messengers stop working.

The strange part is that a reboot fixes this. Security Center is unlocked as well and I can re-enable the firewall.

What is going on? I have scanned and rescanned and there is no malware on this PC.
I have quarantined this PC from the network for the time being.
 
Back
Top