Hi,
I recently plugged in a USB Drive and Avast! (Latest and updated) cautioned me about this:
Sign of “Win32:Confi [Wrm]” has been found in “C:\WINDOWS\system32\npznkim.dll” file
I instantly deleted that file from the Avast Caution window and it's not there anymore.
1. I immediately removed the USB drive.
2. I then went to Windows Explorer -> Tools -> Folder Options -> View and saw that I could not view hidden files.
3. I edited a DWORD value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden and changed the value to 1.
4. Now in Folder Options -> View, I get blank radio buttons for both "Show hidden files" and "Do not show hidden files". See attached image: hidden.jpg
5. If I try to change that hide/show files setting and click Apply, it automatically switches back to "Do not show hidden files and folders", but at this time I can see all hidden files.
I'm using Sysinternals utilities and I haven't seen ANY suspicious processes running. I can identify all legitimate tasks even by looking at the list of active ones.
Here’s a copy/paste from Avast Log right after the incident:
12/10/2009 10:11:18 PM SYSTEM 1632 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\0F1.tmp (C:\WINDOWS\system32\0F1.tmp) returning error, 00000005.
12/10/2009 10:11:18 PM SYSTEM 1632 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\0F1.tmp (C:\WINDOWS\system32\0F1.tmp) returning error, 00000005.
12/10/2009 10:10:56 PM SYSTEM 1632 Sign of “Win32:Confi [Wrm]” has been found in “C:\WINDOWS\system32\npznkim.dll” file
There are no suspicious files being loaded at start-up as I checked with Sysinternals-Autoruns utility.
Additionally I have disabled system restore.
It looks like the Conficker worm, but I cannot say for sure as my PC is working perfectly fine. However, there is still something abnormal about this 'hidden files' problem. It means something isn't quite right.
This was the first part of the problem. The second part is about unknown TCP connections from my machine.
ashWebSv.exe:2100 TCP xrenditi-b424fd:1595 74.125.99.18:http ESTABLISHED
[System Process]:0 TCP xrenditi-b424fd:2596 79.140.80.35:http TIME_WAIT
ashWebSv.exe:2100 TCP xrenditi-b424fd:2925 74.125.5.29:http ESTABLISHED
I cannot justify why my PC is connected to these (and similar) addresses. An IP lookup didn't provide sufficient info. However, there is no abnormal data transfer observed over my connection.
Please help me with the first part of the question related to Avast prior to addressing the second one.
Kind Regards.
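The "blank radio buttons / setting reverts on Apply" symptom described in steps 4 and 5 is the classic sign of the Folder Options registry values being tampered with: Explorer expects SHOWALL\CheckedValue to be a REG_DWORD of 1, and malware in the Conficker family is known to set it to 0 or replace it with a string so that hidden files stay hidden. The following script is an added example, not something from the original post or from Avast; it reads the values, reports whether they match the Windows defaults, and only rewrites them when run with -Repair. It assumes an elevated PowerShell session and the standard Explorer value names (SHOWALL\CheckedValue under HKLM, Hidden under the current user's Advanced key).

```powershell
# Added example (not from the original post): inspect and optionally restore
# the Explorer "Show hidden files" registry values that Conficker-family worms
# tamper with. Assumptions: elevated session; standard value names/types.
param([switch]$Repair)

$showAllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$userKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ShowAllState {
    # Returns the type and data of SHOWALL\CheckedValue (Windows default: DWord 1).
    $key = Get-Item -Path $showAllKey -ErrorAction Stop
    [pscustomobject]@{
        Kind  = $key.GetValueKind('CheckedValue')   # DWord expected
        Value = $key.GetValue('CheckedValue')
    }
}

function Test-ShowAllTampered {
    param($State)
    # A REG_SZ "1" looks right in regedit but Explorer cannot apply it, which
    # produces exactly the blank radio buttons / reverting setting symptom.
    return ($State.Kind -ne 'DWord') -or ([int]$State.Value -ne 1)
}

function Get-UserHiddenSetting {
    # Per-user choice: 1 = show hidden files, 2 = do not show (Windows default).
    (Get-ItemProperty -Path $userKey -Name Hidden -ErrorAction SilentlyContinue).Hidden
}

function Repair-ShowAllValue {
    # Delete and recreate so a wrong value *type* is corrected, not just the data.
    Remove-ItemProperty -Path $showAllKey -Name CheckedValue -ErrorAction SilentlyContinue
    New-ItemProperty -Path $showAllKey -Name CheckedValue -PropertyType DWord -Value 1 | Out-Null
    Set-ItemProperty -Path $userKey -Name Hidden -Value 1
}

$state = Get-ShowAllState
"SHOWALL\CheckedValue : type={0} data={1}" -f $state.Kind, $state.Value
"HKCU Advanced\Hidden : {0}" -f (Get-UserHiddenSetting)

if (Test-ShowAllTampered -State $state) {
    Write-Warning 'CheckedValue is not REG_DWORD 1 - Folder Options will not persist "Show hidden files".'
    if ($Repair) {
        Repair-ShowAllValue
        'Repaired. Restart explorer.exe (or log off/on) for the change to take effect.'
        "Re-check: {0}" -f (Get-ShowAllState | Format-List | Out-String).Trim()
    } else {
        'Run again with -Repair to restore the default values.'
    }
} else {
    'CheckedValue is the Windows default; if hidden files still revert, a process is re-setting it.'
}
```

If the script reports the default values but the setting still flips back after Apply, something running on the machine is rewriting the key, which is worth watching with Process Monitor (filter on RegSetValue for that path) before assuming the cleanup is complete.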
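For the second part of the question, the useful triage step is to tie each remote endpoint back to the process that owns the socket and to check where that image lives and whether it is signed, rather than looking up the IP alone. Note that a connection in TIME_WAIT belongs to no process any more (its owner has already closed it), which is why tools show it under [System Process] / PID 0; only ESTABLISHED or LISTENING sockets have an owner to investigate. This script is an added example, not part of the original post; the sample netstat text embedded in it is constructed (the addresses are taken from the post, the local address and column layout are invented to match the format of netstat -ano), and it assumes an elevated session so that Get-Process can return image paths.

```powershell
# Added example (not from the original post): parse "netstat -ano" style
# output, drop ownerless TIME_WAIT sockets, and report the owning image and
# its Authenticode status for every remaining connection.
# The $sample block is constructed to mirror the post's three lines.

$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1595       74.125.99.18:80        ESTABLISHED     2100
  TCP    192.168.1.5:2596       79.140.80.35:80        TIME_WAIT       0
  TCP    192.168.1.5:2925       74.125.5.29:80         ESTABLISHED     2100
'@

function ConvertFrom-NetstatLine {
    param([string]$Line)
    # Columns: Proto Local Foreign State PID (UDP lines have no State and are skipped).
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { return $null }
    $remoteHost, $remotePort = $f[2] -split ':(?=[^:]*$)'   # split on the last colon (IPv6-safe)
    [pscustomobject]@{
        LocalAddress = $f[1]
        RemoteHost   = $remoteHost
        RemotePort   = [int]$remotePort
        State        = $f[3]
        OwningPid    = [int]$f[4]
    }
}

function Get-ConnectionOwner {
    param([int]$ProcessId)
    # PID 0 means "no owner": closed (TIME_WAIT) sockets and the idle process.
    if ($ProcessId -eq 0) { return 'PID 0 (socket has no owning process)' }
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $p) { return "PID $ProcessId (process already exited)" }
    if (-not $p.Path) { return "$($p.ProcessName) (image path unavailable; run elevated)" }
    $sig = (Get-AuthenticodeSignature -FilePath $p.Path).Status   # Valid / NotSigned / ...
    return "$($p.ProcessName) [$($p.Path)] signature=$sig"
}

# Set NETSTAT_LIVE=1 in the environment to triage the real machine instead of $sample.
$lines = if ($env:NETSTAT_LIVE) { netstat -ano } else { $sample -split "`r?`n" }
$conns = $lines | ForEach-Object { ConvertFrom-NetstatLine $_ } | Where-Object { $_ }

$conns |
    Where-Object { $_.State -ne 'TIME_WAIT' } |          # ownerless; nothing to attribute
    Group-Object OwningPid |
    ForEach-Object {
        Get-ConnectionOwner -ProcessId ([int]$_.Name)
        $_.Group | ForEach-Object { "    -> {0}:{1} {2}" -f $_.RemoteHost, $_.RemotePort, $_.State }
    }
```

In the post's own output the two ESTABLISHED sockets belong to ashWebSv.exe, Avast's web shield proxy, which sits between the browser and the internet and therefore shows up as the owner of ordinary HTTP traffic; checking that its image path is under the Avast program directory and its signature is valid is the way to confirm that it is the real component rather than something masquerading under that name.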