Persistent Conficker Infection

sm625

Diamond Member
May 6, 2011
8,172
137
106
Ok this is a weird one. I had this conficker infection that I removed using malwarebytes. Everything seemed fine, repeated scans showed no infection. But at some unknown point it became reinfected. Malwarebytes would no longer remove it, it says it did but it just kept coming back. I tried TDSSKiller and that got rid of it. For a while. But it always comes back.

It seems to spawn from one particular file. That file name is random. On my machine let's just say it is called "ghydw.sjq". This file kept being recreated somehow. After a while it would spawn another file, the same name but a dll, ghydw.dll. After that file is created it gets flagged by my antivirus software. It quarantines it, but it keeps coming back until I run TDSSKiller again.

I thought I would be clever so I wrote a simple script to delete ghydw.sjq and ghydw.dll and set that script to run every minute via task manager. Problem solved eh? Nope. Here is where it gets weird. One day I ran TDSSKiller just for giggles, and it turned up 18 infections. They were all services with random names. There were also 18 scheduled tasks, all of which were starting the aforementioned services.

Has anyone seen anything like that?

I try using procmon to capture the very first instance of ghydw but procmon crashes after about 10 minutes. Either this worm is crashing it, or it is just running out of memory or whatnot. So I can't really trust procmon to catch anything if it can't stay running.
 
Last edited:

Chiefcrowe

Diamond Member
Sep 15, 2008
5,044
184
116
I haven't. That is bizarre. I wonder if it is a new variant of conficker?

You're probably best off to just wipe it all out and start over in the end.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
I agree, reload is best but if you wish to salvage the install, run a custom scan with Rootkits checked in Malwarebytes under safe mode. It may take 1-3 hours to scan but it is worth it. You may want to include any secondary hard drives or often used thumb drives in the scan which would be housing the bug. I would also uninstall any Java runtimes because I have seen older versions misreported as the latest that are used as a trojan to keep letting crap on. You may have to dip into local group policy to remove any pointers to proxies in internet options. Also if that random file keeps spawning in AppData, I would run CryptoPrevention to disable file execution from within it which would be a bandaid but it would work to keep it from bringing more nasties onto your machine. Check this and this out too.

Oh and, last ditch effort would be ComboFix.
 
Last edited:

Ketchup

Elite Member
Sep 1, 2002
14,553
248
106
Random names is something I have seen several times. The fact that it keeps coming back is a bit bizarre, but that just tells me that:
1. the task/link created for getting the infection has not been removed, or
2. you keep going to the site/downloading the material that is causing the infection.

If #1, I would suggest you look at msconfig for the entry that is starting the application, and remove the file (or all files if in a temp folder), possibly from safe mode. Then go to the registry location listed and remove it from there.
 

denis280

Diamond Member
Jan 16, 2011
3,434
9
81
I would suggest you look at msconfig for the entry that is starting the application, and remove the file (or all files if in a temp folder), possibly from safe mode. Then go to the registry location listed and remove it from there.
Agree. In the search box type in %TEMP%, then delete all, and in the registry like Ketchup mentioned (but better make a backup first); better be safe.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
Good point on startup items. Autoruns will enable access to more than Msconfig can show, and sometimes Task Scheduler will show something fishy.
 

sm625

Diamond Member
May 6, 2011
8,172
137
106
Using procmon, I caught that sucker in the process of creating ghydw.sjq. Right before it creates the file it accesses
Code:
HKLM\System\CurrentControlSet\Control\Power\PowerRequestOverride
Does anyone know what this key is for?
 

vailr

Diamond Member
Oct 9, 1999
5,365
54
91

Ketchup

Elite Member
Sep 1, 2002
14,553
248
106
From wikipedia: http://en.wikipedia.org/wiki/Powercfg

Sets a Power Request override for a particular Process, Service, or Driver. If no parameters are specified, this command displays the current list of Power Request Overrides.

Caller_type - Specifies one of the following caller types: PROCESS, SERVICE, DRIVER. This is obtained by calling the powercfg /requests command.
Name - Specifies the caller name. This is the name returned from calling powercfg /requests command.
Request - Specifies one or more of the following Power Request Types: Display, System, Awaymode.

BTW - the laptop I am currently on has no values here, so that can be removed IMO. Of course you still would need to find the startup source that is starting the process.

You may need a rootkit removal tool if the methods I listed above fail. I have used Kaspersky's before, and it works well:
http://usa.kaspersky.com/downloads/TDSSKiller
 
Last edited:

sm625

Diamond Member
May 6, 2011
8,172
137
106
Here are the names of the scheduled tasks:

%WINDIR%\Tasks\At1.job
%WINDIR%\Tasks\At2.job
%WINDIR%\Tasks\At3.job
%WINDIR%\Tasks\At4.job
%WINDIR%\Tasks\At5.job
%WINDIR%\Tasks\At6.job
%WINDIR%\Tasks\At7.job
%WINDIR%\Tasks\At8.job
%WINDIR%\Tasks\At9.job
%WINDIR%\Tasks\At10.job
%WINDIR%\Tasks\At11.job
%WINDIR%\Tasks\At12.job
%WINDIR%\Tasks\At13.job
%WINDIR%\Tasks\At14.job
%WINDIR%\Tasks\At15.job
%WINDIR%\Tasks\At16.job
%WINDIR%\Tasks\At17.job
%WINDIR%\Tasks\At18.job

Google searching yields many results. Apparently this is quite common. I can get rid of it easily enough. But the problem for me is that this keeps coming back. I am seeing tcpip traffic on one of the servers on my domain just before ghydw.sjq is created. I had assumed the server has protection but maybe it is inadequate.
 
Last edited:
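The two things sm625 has pinned down so far are the At1.job to At18.job tasks that start the randomly named services, and the PowerRequestOverride key touched just before ghydw.sjq appears. The following PowerShell triage script is an added example, not code posted in this thread or shipped with any of the tools mentioned; it assumes an elevated PowerShell 2.0 or later prompt on the affected Windows machine, and the "random-looking name" test is my own vowel-ratio heuristic (a rough filter, not a published indicator), so it will need a human eye over its output.

```powershell
# Added example: enumerate the persistence artifacts described in the thread.
# Assumptions: elevated PowerShell 2.0+ on the infected host; heuristics are mine.

# Crude test for machine-generated names such as "ghydw": almost no vowels.
# English-derived service names ("Spooler", "Dnscache") have roughly 20-60% vowels.
function Test-LooksRandom([string]$s) {
    $letters = $s -replace '[^A-Za-z]', ''
    if ($letters.Length -lt 4) { return $false }
    $vowels = ($letters -replace '[^AEIOUaeiou]', '').Length
    $ratio  = $vowels / $letters.Length
    return ($ratio -lt 0.2 -or $ratio -gt 0.6)
}

function Get-SuspiciousArtifacts {
    # 1. Legacy AT-style jobs (At1.job ... At18.job in the thread) and what each one runs.
    #    schtasks decodes the binary .job format; "Task To Run" is the command line.
    $taskDir = Join-Path $env:WINDIR 'Tasks'
    foreach ($job in (Get-ChildItem -Path $taskDir -Filter 'At*.job' -ErrorAction SilentlyContinue)) {
        $taskName = [System.IO.Path]::GetFileNameWithoutExtension($job.Name)
        $runLine  = schtasks /Query /TN $taskName /FO LIST /V 2>$null | Select-String 'Task To Run'
        New-Object PSObject -Property @{ Kind = 'ScheduledTask'; Name = $job.FullName; Detail = [string]$runLine }
    }

    # 2. Services with random-looking names, or hosted in svchost via a DLL that does not
    #    live in System32 or has a random-looking name (the ghydw.dll pattern).
    $sys32 = Join-Path $env:SystemRoot 'System32'
    foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
        $reasons = @()
        if (Test-LooksRandom $svc.Name) { $reasons += 'random-looking service name' }

        $dll = $null
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        if (Test-Path $paramKey) {
            $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
        }
        if ($dll) {
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not $expanded.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "ServiceDll outside System32: $expanded"
            }
            if (Test-LooksRandom ([System.IO.Path]::GetFileNameWithoutExtension($expanded))) {
                $reasons += 'random-looking ServiceDll name'
            }
        }
        if ($svc.PathName -match '(?i)\\(temp|appdata|local settings)\\') {
            $reasons += 'service binary in a user or temp directory'
        }

        if ($reasons.Count -gt 0) {
            $detail = '{0}; start={1}; path={2}; dll={3}' -f ($reasons -join ', '), $svc.StartMode, $svc.PathName, $dll
            New-Object PSObject -Property @{ Kind = 'Service'; Name = $svc.Name; Detail = $detail }
        }
    }

    # 3. The key the worm read just before dropping ghydw.sjq. Ketchup's clean laptop had
    #    nothing under it, so any entry here is worth a look.
    $prKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power\PowerRequestOverride'
    if (Test-Path $prKey) {
        foreach ($sub in (Get-ChildItem -Path $prKey -Recurse -ErrorAction SilentlyContinue)) {
            foreach ($valueName in $sub.GetValueNames()) {
                $detail = '{0} = {1}' -f $valueName, $sub.GetValue($valueName)
                New-Object PSObject -Property @{ Kind = 'PowerRequestOverride'; Name = $sub.Name; Detail = $detail }
            }
        }
    }
}

$findings = Get-SuspiciousArtifacts
$findings | Sort-Object Kind, Name | Format-Table Kind, Name, Detail -AutoSize -Wrap
```

Run it before and after a TDSSKiller pass and diff the two outputs: the "Task To Run" lines tell you which service each At*.job starts, and the ServiceDll column tells you which file that service actually loads, which is the file to capture (hash it, note its timestamp) before the AV quarantines it. The script only reports; it deletes nothing, so the registry backup step the thread recommends still applies before any manual cleanup.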

sm625

Diamond Member
May 6, 2011
8,172
137
106
I added the server to my firewall and now it is a different server that is talking to my PC just before ghydw.sjq is created. wtf. It is like all our servers are infected. I guess I will add this second server to my firewall and see if a third infected server tries to infect me.
 

vailr

Diamond Member
Oct 9, 1999
5,365
54
91
I added the server to my firewall and now it is a different server that is talking to my pc just before ghydw.sjq is created. wtf. It is like all our servers are infected. I guess I will add this second server to my firewall and see if a third infected server tries to infect me.

OK; so are you talking about a corporate environment, with you as the system administrator? And do you have physical access to whatever servers, where you could just take it offline and run an AV/anti-malware scan on it? Have you checked for possible router firmware updates?

Edit:
Sophos Conficker Removal Tool
http://www.sophos.com/en-us/support/knowledgebase/110381.aspx
Sophos Virus Removal Tool
http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
 
Last edited:

denis280

Diamond Member
Jan 16, 2011
3,434
9
81
OK, this guy got the same problem, but the folder is on his desktop. So from the Windows 7 forums, this is what they say.

  • Create a "System Restore" point, or even better, a backup HDD image of your System partition
  • Open "Regedit"
  • Back up the Registry (File > Export)
  • Copy 0875DCB6-C686-4243-9432-ADCCF0B9F2D7 into the "Find what:" box (Edit > Find)
  • "Search and Destroy" all occurrences
 
Last edited: