Avast Pro found a worm. After cleaning and a reboot the same worm comes back again. Is there any chance to clean this completely?
Avast says: Sign of “Win32:Confi [Wrm]” has been found in. Usually it is in a system32\x[UPX] file and also in the IE temp catalog.
polonus, this tool is not necessary - avast is able to delete the nasty from the boot-time scan… it can’t be simply removed from user mode (not even after restart), cause it is well protected (this makes a serious removal problem for many antiviruses)… the boot-time scan is a cure
Boot time scan did nothing for me. It found the following:
File C:\WINDOWS\system32\gydenoun.dll[UPX] is infected by Win32:Confi [Wrm]
I first tried repair and got:
Repair: Error 42060 {The file was not repaired.}
So I tried some other options and got:
Move to chest: Error 0xC0000034 {Object Name not found.}
Delete: Error 0xC0000034 {Object Name not found.}
I ended up having to ignore it just to get the scan to continue.
My avast! version 4.8 Home Edition is
Build: Dec2008 (4.8.1296), Xtreme Toolkit version: 1.9.4.0, Using ActiveSkin version 4.2.7.3
Vps file: Compilation Date: 01/08/2009 File Version: 090108-0
I’m gonna try that tool Polonus posted and see if it fixes the problem.
Puck, it’s really strange… what’s your file system? NTFS or FAT32? does switching raw disk access (in program settings → troubleshooting) make any difference?
We have 250 PCs in our network. Avast Server and 250 clients.
We already did the following:
1.- Applied the right fix (kb958644), according to the Windows version and SP level
3.- Scheduled a boot time scan, and deleted the infected files
Steps 2 and 4 are not needed because System Restore is disabled manually on all computers.
After some time the VIRUS comes back on the same computers.
So we cannot delete it!
We tried to use Norton Antivirus on the same computers. NAV deleted the virus (W32.Downadup.B) and the virus never came back.
Are there any other ideas on how to remove it using Avast?
p.s. We also tried the removal tool but the virus comes back again and again :‘( :’(
I really don’t want to remove AVAST clients from 250 computers and install NAV on 250 computers. It’ll take a lot of time!
Please help us.
SOS :‘( :’(
how about some trivial passwords on the machines in the network? there’s a possibility to get re-infected even when the MS hotfix is installed, cause the worm tries the attack against weak passwords to get control of victim computers (in the same network)… can you post the corresponding lines from warning.log or error.log, if the file was really not removed by avast? we’ve killed hundreds of this worm from the boot-time scan, so it’s very strange to not be able to get rid of it on all machines…
btw: what’s the exact version of avast installations on the client machines?
it is not the dropper in fact… the scanning was performed a day before our detection was released (VPS nr. 090106-1)… I believe the file is well detected now, you can try a rescan
All the infected computers had no password, so we set up passwords on the computers. Remember, if you have the hotfix but a weak password, it is mentioned in this link
Maxx_original
We have a strong password policy in our network, so no users have trivial passwords.
I think the possibility for the virus to come back on the clean computers is from terminal servers in the local network, which were also infected and logged on as domain admin. Is it possible? So anyway, if some domain admin logged on to infected computers, this computer can infect all other computers, and in this case it doesn’t depend on the latest KB updates and Service Packs. Will computers logged on as domain admin infect other computers in all cases, even if Windows is fully updated?
Avast version 4.8.1005
VPS file 08/01/2009
screenshots from logs: http://pic.ipicture.ru/uploads/090110/qS7kweOC4R.jpg http://pic.ipicture.ru/uploads/090110/m5CVUXGKNZ.jpg
mannen: yes, it’s possible to get reinfected from the machine where the domain admin is logged on, cause he doesn’t need to exploit anything, he has the rights by default… the other way is the autorun hole in Windows (autorun.inf is processed everywhere by default)… collect all USB sticks which got in touch with any infected PC… plug these flash drives into some safe machine (Windows with disabled autoruns or Linux) and delete the autorun.inf and the SID folder or let avast do that…
I have a client with 3 Windows XP SP3 computers. We are running Point of Sale software where the password and Administrator must automatically log in through control userpasswords2 in cmd. All must have the same password. Avast detects Win32: Confi [Wrm]; it detects and deletes the file, then I scan again once the computer is booted. It then detects the virus again and deletes it or moves it to the chest. Then again and again and again it does the same thing.
Worm win32:confi is also named worm.win32.kido or downadup.
The virus infiltrates via removable drive (autorun.inf file) or the net server service.
It corrupts the DNS client; if your computer has this virus, you cannot connect to avast or other antivirus sites and Microsoft.
To erase the worm you must:
Disable the service for access to shared files and printers on Microsoft networks.
Run an AVAST test in boot mode.
Install patch MS08-067 from Microsoft.
Correct the multistring Windows registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs (delete the last string containing the name of the DLL file with the virus; you see this name in the boot-time test).
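An added read-only audit for the netsvcs step above (example code written for this page, not from the thread, from avast or from Microsoft). It lists every service name in the netsvcs multistring, resolves the DLL each one loads through HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll (the normal svchost lookup; the assumption here is that the rogue entry resolves the same way), and shows the file's signature status and last-write time, so a randomly named, unsigned, recently written DLL like the one a boot-time scan reports stands out before you edit the key by hand. On Windows XP, catalog-signed system DLLs may also show as NotSigned, so compare against a known-clean machine rather than trusting the signature column alone.

```powershell
# Added example: audit the svchost "netsvcs" group without changing anything.
# Run from an elevated PowerShell prompt; the function only reads the registry
# and the file system.
function Get-NetsvcsAudit {
    $svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    # REG_MULTI_SZ comes back as a string array, one service name per element
    $netsvcs = (Get-ItemProperty -Path $svcHostKey -Name netsvcs).netsvcs

    foreach ($name in $netsvcs) {
        $paramsPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        $dll = $null
        if (Test-Path $paramsPath) {
            $dll = (Get-ItemProperty -Path $paramsPath -Name ServiceDll `
                        -ErrorAction SilentlyContinue).ServiceDll
        }

        if (-not $dll) {
            # Names listed in netsvcs without an installed service are common
            # and harmless; they are reported so the list is complete.
            [pscustomobject]@{
                Service    = $name
                ServiceDll = '(no ServiceDll registered)'
                Signature  = 'n/a'
                LastWrite  = $null
            }
            continue
        }

        # Registry values usually contain %SystemRoot%; expand before checking
        $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
        if (Test-Path $dllPath) {
            $sig       = (Get-AuthenticodeSignature -FilePath $dllPath).Status
            $lastWrite = (Get-Item $dllPath).LastWriteTime
        } else {
            $sig       = 'file missing'
            $lastWrite = $null
        }

        [pscustomobject]@{
            Service    = $name
            ServiceDll = $dllPath
            Signature  = $sig
            LastWrite  = $lastWrite
        }
    }
}

# Sort newest files first so a freshly dropped DLL appears at the top
Get-NetsvcsAudit | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

The script deliberately stops at reporting: removing the entry from netsvcs is the manual step the post describes, and doing it after the boot-time scan has named the file avoids deleting a legitimate service name by position alone.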
But be reassured, avast has a very good detection rate for this and protects the user from getting infected, but as your computer has not been infected yet the best policy will be to install the out-of-band patch to prevent this worm from infecting:
HELP! I've:
1. Updated windows.
2. Run the MSRT -- it finds and "removes" the Conficker worm
3. Shut off system restore.
4. Running Avast Pro 4.8.1296 with 12/18/09 VPS
5. Shut down all shared drives.
6. Updated passwords to 13 characters with caps, alpha, and numbers
7. Scanned attached USB drive and renamed autorun.inf to autorun.bak
8. Run Avast boot scan and delete baddies
Result… Avast still keeps popping up telling me the worm has been found. What do I do???
He doesn’t install the patch on Windows
You need to disable the server service (the service for access to shared files and printers on Microsoft networks); disabling net drives is not enough. This virus may spread even if there is no shared folder. Install a firewall and you will see how the worm spread to you.