AUTORUN-GEN and WIN32:CONFI defeated?

First, I apologize for my English.

I have Avast 6.0 free version, updated today, on a laptop PC with Windows XP Professional.

Making a complete scan, Avast detected Autorun-gen.

I put it in the trash bin as suggested.
Then Avast suggested a boot scan, which detected Win32:Confi. I cancelled it as suggested.

Then… in my rescue folder I had ComboFix. I updated it and ran it. I know I should have asked someone first… but the last time my PC was infected I did it, and so…

Do you think Avast alone defeated that malware?

I can attach the log report file if requested…

Thanks in advance to anyone who would like to help me.
Simone

Could you attach the ComboFix log please and I will have a look-see ;D

Dear essexboy, hello.

Here is the file.

Thanks

PS. I have renamed the file to “logCombofix”…

Just one port to close by the looks of it. Are you experiencing any problems?

  1. Please open Notepad:
     • Click Start, then Run.
     • Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4198:TCP"=-

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt.

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Before my Avast scan: slowness in all apps.
And a strange error opening the Windows Control Panel (it seemed it didn’t find the Control Panel folder).

The second log file is attached.

I hope I did everything correctly.

Thank you

That looks good. Are you unable to open Control Panel?

Download OTS to your Desktop and double-click on it to run it.

  • Make sure you close all other programs and don’t use the PC while the scan runs.
  • Select All Users.
  • Under additional scans select the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Sorry, I didn’t check it again after the Avast cleaning… now Control Panel seems to be working.

Download and run OTS anyway?

Thanks

Yes please - just to make sure ;D

Done.

Nope, looks OK. There are a few traces to go but that is all… This will also empty your temporary folders, which seem to be a tad full.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (Comodo Anti-Virus and Anti-Spyware Service) Comodo Anti-Virus and Anti-Spyware Service [Disabled | Stopped] -> 
[Driver Services - Safe List]
YY -> (catchme) catchme [Kernel | On_Demand | Running] -> 
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {9AA2F14F-E956-44B8-8694-A5B615CDF341} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1659004503-287218729-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1659004503-287218729-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
[File - Lop Check]
NY ->  Avg7 -> C:\Documents and Settings\All Users\Dati applicazioni\Avg7
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

Well :cry: I guess something went wrong.

After Run Fix, a few seconds of working… BLUE SCREEN for a second! :o and Windows restarted automatically…

No OTS log file.

???

Now that is not normal.

Let’s check deeper.

Download aswMBR.exe ( 511KB ) to your desktop.

Double-click the aswMBR.exe to run it.

Click the “Scan” button to start the scan.

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

Sorry, I needed to be offline for household duties :slight_smile:

This is the log.

Thank you… I guess “I’ll see you” tomorrow.

Try to scan your system using this one to remove the Conficker:

http://www.bdtools.net/

@ emantoyaks,

While we appreciate your help, Essexboy is in the middle of malware removal. Some tools are already on the OP’s machine that he will eventually need to remove or instruct the OP how to remove. Therefore we will let Essexboy continue his malware removal on his own for now. Thank you. :slight_smile:

Could I have a fresh OTS log please? Also, I assume your computer is a Dell.

Here I am, essexboy… thanks for your patience.
I attach here the new OTS scan log.

A few notes:

  • I have an HP laptop
  • this evening the PC is going slow again
  • at Windows start, Avast did not start automatically as usual

Thanks

A quick question whilst I look at the log - did you set the proxies in Firefox and IE ?

I use only FF4,
but… what are proxies??? :slight_smile:

I think that answers my question ;D

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (Comodo Anti-Virus and Anti-Spyware Service) Comodo Anti-Virus and Anti-Spyware Service [Disabled | Stopped] -> 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: "ProxyServer" -> 192.168.0.22:61380
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\user\Dati applicazioni\Mozilla\FireFox\Profiles\7rdnl2j2.default\prefs.js
YN -> network.proxy.backup.ftp -> "192.168.0.22"
YN -> network.proxy.backup.ftp_port -> 61380
YN -> network.proxy.backup.gopher -> "192.168.0.22"
YN -> network.proxy.backup.gopher_port -> 61380
YN -> network.proxy.backup.socks -> "192.168.0.22"
YN -> network.proxy.backup.socks_port -> 61380
YN -> network.proxy.backup.ssl -> "192.168.0.22"
YN -> network.proxy.backup.ssl_port -> 61380
YN -> network.proxy.ftp -> "192.168.0.22"
YN -> network.proxy.ftp_port -> 61380
YN -> network.proxy.gopher -> "192.168.0.22"
YN -> network.proxy.gopher_port -> 61380
YN -> network.proxy.http -> "192.168.0.22"
YN -> network.proxy.http_port -> 61380
YN -> network.proxy.no_proxies_on -> "localhost,127.0.0.1"
YN -> network.proxy.share_proxy_settings -> true
YN -> network.proxy.socks -> "192.168.0.22"
YN -> network.proxy.socks_port -> 61380
YN -> network.proxy.ssl -> "192.168.0.22"
YN -> network.proxy.ssl_port -> 61380
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {9AA2F14F-E956-44B8-8694-A5B615CDF341} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{CCA281CA-C863-46ef-9331-5C8D4460577F}" [HKLM] -> [@btrez.dll,-4015]
[File - Lop Check]
NY ->  Avg7 -> C:\Documents and Settings\All Users\Dati applicazioni\Avg7
[Custom Items]
:Files 
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
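The two configuration leftovers that the fixes in this thread remove (the extra firewall exception in GloballyOpenPorts\List from the CFScript above, and the IE ProxyServer value plus the Firefox network.proxy.* prefs pointing at 192.168.0.22:61380 from the last OTS fix) are easy to audit for after a cleanup. The following Python script is an added example and is not from the thread, from ComboFix or from OTS. The registry exports and the prefs.js text are constructed samples modelled on the values in the thread; KNOWN_PORTS is an assumed allowlist of the XP file-and-print-sharing ports, and the exception name "svchost" is invented. On a real machine you would feed it the output of `reg export` for those keys and the profile's prefs.js.

```python
"""Audit a Windows XP machine's firewall exceptions and browser proxy settings.

Added example, not part of the original thread. All inputs below are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed `reg export` of the XP firewall exceptions key (value data is
# 'port:proto:scope:state:name'); the 4198:TCP entry mirrors the thread.
FIREWALL_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"4198:TCP"="4198:TCP:*:Enabled:svchost"
'''

# Constructed export of the WinINet (IE) proxy values for the current user.
IE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="192.168.0.22:61380"
'''

# Constructed Firefox prefs.js with a manual (type 1) proxy configured.
PREFS_JS = '''user_pref("network.proxy.http", "192.168.0.22");
user_pref("network.proxy.http_port", 61380);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.no_proxies_on", "localhost,127.0.0.1");
'''

# Assumed allowlist: the ports XP's firewall opens for file and print sharing.
KNOWN_PORTS = {"137:UDP", "138:UDP", "139:TCP", "445:TCP"}

REG_VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
USER_PREF = re.compile(r'^user_pref\("([^"]+)",\s*(?:"([^"]*)"|(\d+)|(true|false))\);')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: value_as_string}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = REG_VALUE.match(line)
        if current is not None and m:
            name, dword, string = m.groups()
            keys[current][name] = str(int(dword, 16)) if dword is not None else string
    return keys


def firewall_findings(reg_text: str) -> List[Tuple[str, str, str]]:
    """Enabled GloballyOpenPorts exceptions not in KNOWN_PORTS as (port:proto, scope, name)."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.lower().endswith(r"\globallyopenports\list"):
            continue
        for value in values.values():
            parts = value.split(":", 4)
            if len(parts) < 4:
                continue  # not the expected port:proto:scope:state[:name] layout
            port_proto, scope, state = f"{parts[0]}:{parts[1]}", parts[2], parts[3]
            name = parts[4] if len(parts) == 5 else ""
            if state.lower() == "enabled" and port_proto not in KNOWN_PORTS:
                findings.append((port_proto, scope, name))
    return findings


def ie_proxy(reg_text: str) -> Optional[str]:
    """The WinINet proxy string if ProxyEnable is 1 and ProxyServer is set, else None."""
    for key, values in parse_reg(reg_text).items():
        if key.lower().endswith(r"\internet settings"):
            if values.get("ProxyEnable") == "1" and values.get("ProxyServer"):
                return values["ProxyServer"]
    return None


def firefox_proxy(prefs_text: str) -> Dict[str, str]:
    """Manual proxies from prefs.js as {protocol: 'host:port'}; empty unless network.proxy.type is 1."""
    prefs: Dict[str, object] = {}
    for line in prefs_text.splitlines():
        m = USER_PREF.match(line.strip())
        if m:
            name, string, number, boolean = m.groups()
            prefs[name] = string if string is not None else (int(number) if number is not None else boolean == "true")
    if prefs.get("network.proxy.type") != 1:
        return {}
    result = {}
    for proto in ("http", "ssl", "ftp", "socks"):
        host, port = prefs.get(f"network.proxy.{proto}"), prefs.get(f"network.proxy.{proto}_port")
        if host and port:
            result[proto] = f"{host}:{port}"
    return result


def is_lan_address(hostport: str) -> bool:
    """True if the proxy host is a private (RFC 1918) address, i.e. a machine on the local network."""
    host = hostport.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname rather than an IP literal


def audit(firewall_reg: str, ie_reg: str, prefs_js: str) -> List[str]:
    """One human-readable line per item that deserves a look after a cleanup."""
    notes = [f"firewall: unexpected open port {pp} scope={scope} name={name!r}"
             for pp, scope, name in firewall_findings(firewall_reg)]
    proxy = ie_proxy(ie_reg)
    if proxy:
        notes.append(f"ie: proxy {proxy}" + (" (private LAN address)" if is_lan_address(proxy) else ""))
    for proto, hostport in firefox_proxy(prefs_js).items():
        notes.append(f"firefox: {proto} proxy {hostport}" + (" (private LAN address)" if is_lan_address(hostport) else ""))
    return notes


if __name__ == "__main__":
    for note in audit(FIREWALL_REG, IE_REG, PREFS_JS):
        print(note)
```

The allowlist approach is deliberate: rather than trying to recognise a bad port, the script reports every enabled exception that is not one the OS itself needs, and leaves the decision to the person reading the log, which is how essexboy read the ComboFix output above. The proxy check only reports when the proxy is actually active (ProxyEnable set, or network.proxy.type equal to 1), so a stale but disabled setting does not produce noise.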