Topic: Conficker made my IEXPLORE disappear!

[Savage Belief]

Hey all,

I'm working on my in-laws PC today and we re-installed XP because their system was bogged down with all kinds of crap so a clear and install was the quickest solution.  Granted, my mom in-law did the reinstall so I don't know if she deleted the partition before the install, but when I tried to activate Windows it wouldn't connect to their servers (or anyother Microsoft site for that matter).  So I figured it had the conficker.  So I downloaded the bd tools cleaner and rebooted.  When it came back up and I tried to connect to the internet it told me it couldn't find IEXPLORE and asked me if I wanted to fix it, so I did.  Then the IE shortcut I was using disappeared.

So now I'm stuck.  What now?

[Samker]

Hi Savage Belief,

Don't worry we will help you with this, please follow next instruction so we can do that ASAP:

1. Provide us all possible details related to yours problems / infection.

2. Run Kaspersky Online AntiVirus Scan: http://scforum.info/index.php/topic,734.0.html

3. Download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

4. Provide us logs from HijackThis & AntiVirus Online Scan


We will wait your reply (with logs).

Regards,

SCF Team

[Savage Belief]

I can't get to the Kapersky site to DL the software but here's the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:02 PM, on 4/5/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Airlink101 Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6F6F8F8-7545-4A00-8343-2A1EF5E4B202}: NameServer = 72.223.11.96
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: DelSrv Service Controler - Unknown owner - C:\WINDOWS\system32\drivers\DelSrv.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\System32\msiexec.exe (file missing)
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe (file missing)
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\System32\rsvp.exe (file missing)
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: StopSign Antivirus Security Center Provider (sstsmonsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Hosts Controller - Unknown owner - C:\WINDOWS\Fonts\unwise_.exe

--
End of file - 4700 bytes

[Savage Belief]

Oh, BTW I ran a StopSign scan and this PC also has Win32.Virut.30

Since Stop Sign wants money to clean it I attempted to load Avira but it will not install.  It runs through the start of the install process but then stops.

[Savage Belief]

Ok, I managed to find Kapersky on cnet but it will not install.  The same situation as Avira.  I hope the hijackthis log helps.

[Samker]

Thanks SB,

We will analyze your HJT log in the next few hours and provide you new instructions.

Regards,

S.

[Samker]

SB, please follow my next instructions and after them provide us new fresh logs (try again Kaspersky):


1. Download and Run Full Scan with Microsoft Removal Tool: http://scforum.info/index.php/topic,4510.0.html

2. Download, Install, Update and Run Full Scan with Malwarebytes' Anti-Malware: http://scforum.info/index.php/topic,2201.0.html

3. My recommendation is also to uninstall current AntiVirus and install AVG (Free Version): http://free.avg.com/download-avg-anti-virus-free-edition
After that, Update your AntiVirus and also run Full Scan.


That's all for now, I'll wait your next reply (logs).

Best Regards,

Samker

[Savage Belief]

It's kinda funny.  I can't get to any of those pages to download any of those tools.  I get page load errors in Mozilla.  Well, it's funny because it's not my PC.  If it was mine I'd be pissed.

So what next?  I'm thinking replace the HDD.  I could probably pick up a 40 gig one for about $20 at Fry's.

[Savage Belief]

Boy, this is nasty.  I can't even pull up task manager.  Or services.  When I try to run services.msc I get an error that it can't find mmc.exe. 

The plot thickens...

[Samker]

SB, this is very difficult "infection".

Try to install and run at least this Microsoft Tool via memory stick.

I also need new HJT log.