0

HI, anyone please help.

below are the log after scanning but after restart pc, the conficker still appear.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

17/09/2009 17:36:28
mbam-log-2009-09-17 (17-36-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 4812
Time elapsed: 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
S:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665 (Trojan.Conficker.H) -> Delete on reboot.

Files Infected:
S:\autorun.inf (Trojan.Conficker.H) -> Delete on reboot.
S:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (Trojan.Conficker.H) -> Delete on reboot.

4
Contributors
13
Replies
14
Views
7 Years
Discussion Span
Last Post by tiger86
0

Your MBA-M program was not updated prior to the scan. Your database shows as 2775 which is at least 4 days out of date. Current database version is 2818.

BUT you must have a major problem there. Your log clearly shows the following;
Scan type: Full Scan (C:\|)
Objects scanned: 4812
Time elapsed: 9 second(s)

What in the world was scanned? No computer only has 4812 files! And NO MBA-M full scan would only take 9 seconds!

0

oh....because after full scan, reboot pc, re-scan again. within 9 second, the same virus detected again... that's why i stop the scanning... anyway, i reattach a full scan log.

this time the scanning only detected 1 virus (autorun.inf)
the other 2 virus has been removed by me manually by giving full permission and audit authority on that folder and it manage to delete the RECYCLER folder.
S:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665 (Trojan.Conficker.H)
S:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (Trojan.Conficker.H)

logs attached
Malwarebytes' Anti-Malware 1.41
Database version: 2814
Windows 5.1.2600 Service Pack 2

18/09/2009 14:39:39
mbam-log-2009-09-18 (14-39-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195658
Time elapsed: 1 hour(s), 12 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
S:\autorun.inf (Trojan.Conficker.H) -> Delete on reboot.

0

Okay... let's make sure this is conficker... a few ways to test if you have the conficker virus is to try to go to legitimate websites like microsoft updates or an anti-virus site. If you can't get in you've been confickered. I have to agree with the above poster no computer in this day and age has only 4812 files... the operating system alone must consist of at least 30,000 files... that's just a guess.

0

i still able to update Windows Genuine Advantage Validation Tool (KB892130) from Microsoft Update just now.

Notice that, when i scan the C drive, the logs actually detect the Conficker in S: Drive.

S Drive is actually one of my server.

I had run fully scan in S drive (the server itself) with Malware, no virus detected

0

i still able to update Windows Genuine Advantage Validation Tool (KB892130) from Microsoft Update just now.

Notice that, when i scan the C drive, the logs actually detect the Conficker in S: Drive.

S Drive is actually one of my server.

I had run fully scan in S drive (the server itself) with Malware, no virus detected

I hope this isn't a server that hosts data available on the net... I hope you are an expert at removing files without deleting DLLS .... you do not want torn DLLs. Your whole system could fail if you deleted a vital DLL.

0

I hope this isn't a server that hosts data available on the net... I hope you are an expert at removing files without deleting DLLS .... you do not want torn DLLs. Your whole system could fail if you deleted a vital DLL.

i did not delete any DLL.

0

See if you can upload S:\autorun.inf for analysis here: http://virusscan.jotti.org/en

Please post back with the results.

PP :)

Here you go ... :)

Additional info
File size: 95034 bytes
Filetype: Unknown
MD5: 2c29248d7b2ee96a8f3d516dae36c310
SHA1: 0e73e5f50253e821fd87bb845aea0983ccfae404

Scanners
2009-09-17 Worm.Kido.ix 2009-09-18 Worm.Autorun.VHG
2009-09-18 Worm.Win32.Conficker!IK 2009-09-18 Worm.Win32.Conficker
2009-09-17 BV:AutoRun-S 2009-09-18 Net-Worm.Win32.Kido.ix
2009-09-17 Worm/Generic_c.ZS 2009-09-17 Found nothing
2009-09-17 WORM/Kido.IX 2009-09-17 Found nothing
2009-09-18 Worm.Autorun.VHG 2009-09-17 W32/Conficker.C.worm
2009-09-17 Worm.Autorun-1838 2009-09-17 Found nothing
2009-09-18 W32.Net.W.Kido.ix 2009-09-18 Mal/ConfInf-A
2009-09-17 Win32.HLLW.Autoruner.5601 2009-09-17 Found nothing
2009-09-17 JS/AutoRun 2009-09-17 INF.Conficker.F
2009-09-18 Worm:W32/Downaduprun.A

0

The server is MOST DEFINITELY infected, 7 out of 11 say so. But jotti uses 22 scanners, why are there only 11 showing?

0

The server is MOST DEFINITELY infected, 7 out of 11 say so. But jotti uses 22 scanners, why are there only 11 showing?

They are all showing, Judy - look more closely :)

That rules out any sort of false-positive.
Frankly, MBA-M should remove this, so something is restoring it: either the drive is infected or you have an infected pen drive(s).

There are a number of different ways to attack this - I'm sure Judy or tiger86 can help you on that front.

Best Luck :)
PP

0

They are all showing, Judy - look more closely :)

That rules out any sort of false-positive.
Frankly, MBA-M should remove this, so something is restoring it: either the drive is infected or you have an infected pen drive(s).

There are a number of different ways to attack this - I'm sure Judy or tiger86 can help you on that front.

Best Luck :)
PP

I have never seen a jotti log look like that. No scanner names, just a header Scanner then just dates. 11 lines.

Edited by jholland1964: n/a

0

The server is MOST DEFINITELY infected, 7 out of 11 say so. But jotti uses 22 scanners, why are there only 11 showing?

it is actually 22 scanner, left and right...

i realign it as below.
2009-09-17 Worm.Kido.ix
2009-09-18 Worm.Autorun.VHG
2009-09-18 Worm.Win32.Conficker!IK
2009-09-18 Worm.Win32.Conficker
2009-09-17 BV:AutoRun-S
2009-09-18 Net-Worm.Win32.Kido.ix
2009-09-17 Worm/Generic_c.ZS
2009-09-17 Found nothing
2009-09-17 WORM/Kido.IX
2009-09-17 Found nothing
2009-09-18 Worm.Autorun.VHG
2009-09-17 W32/Conficker.C.worm
2009-09-17 Worm.Autorun-1838
2009-09-17 Found nothing
2009-09-18 W32.Net.W.Kido.ix 2
009-09-18 Mal/ConfInf-A
2009-09-17 Win32.HLLW.Autoruner.5601
2009-09-17 Found nothing
2009-09-17 JS/AutoRun
2009-09-17 INF.Conficker.F
2009-09-18 Worm:W32/Downaduprun.A

since identify the server infected, what should i do next

0

Hey sorry I haven't posted in a while. I did some quick research. Your log is very, well bad. You appear to be confickered majorly. If the conficker virus doesn't stop you from going to microsofts support page please follow the link http://support.microsoft.com/kb/962007 also on that page to see if your clean of conficker theres a link to http://safety.live.com and here is the Manual... yes a manual on removing conficker http://support.microsoft.com/kb/962007#Manualsteps
I hope that is helpful.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.