"Win32:Confi [Wrm]" has been found in "C:\WINDOWS\system32\npznkim.dll"

Hi,
I recently plugged in a USB Drive and Avast! (Latest and updated) cautioned me about this:
Sign of “Win32:Confi [Wrm]” has been found in “C:\WINDOWS\system32\npznkim.dll” file
I instantly deleted that file from the Avast Caution window and it's not there anymore.

1-I immediately removed the USB drive.
2-I then went to Windows Explorer > Tools > Folder Options > Views and saw that I could not view hidden files.
3-I edited a DWORD value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
Changed value to 1.
4-Now in Folder Options > Views, I get blank radio buttons in both show hidden files and do not show hidden files. See attached Image: hidden.jpg

5-If I try to change that hide/show files setting and click apply, it automatically switches back to “Do not show hidden files and folders”, but at this time I can see all hidden files.

I'm using Sysinternals Utilities and I haven't seen ANY suspicious processes running. I can identify all legitimate tasks even by looking at the list of active ones.

Here’s a copy/paste from Avast Log right after the incident:

12/10/2009 10:11:18 PM SYSTEM 1632 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\0F1.tmp (C:\WINDOWS\system32\0F1.tmp) returning error, 00000005.
12/10/2009 10:11:18 PM SYSTEM 1632 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\0F1.tmp (C:\WINDOWS\system32\0F1.tmp) returning error, 00000005.
12/10/2009 10:10:56 PM SYSTEM 1632 Sign of “Win32:Confi [Wrm]” has been found in “C:\WINDOWS\system32\npznkim.dll” file

There are no suspicious files being loaded at start-up as I checked with Sysinternals-Autoruns utility.
Additionally I have disabled system restore.

It looks like the Conficker worm but I cannot say for sure as my PC is working perfectly fine. Although, there is still something abnormal about this ‘hidden files’ problem. It means something isn’t quite right.

This was the first part of the problem. The second part is about unknown TCP connections from my machine.
ashWebSv.exe:2100 TCP xrenditi-b424fd:1595 74.125.99.18:http ESTABLISHED
[System Process]:0 TCP xrenditi-b424fd:2596 79.140.80.35:http TIME_WAIT
ashWebSv.exe:2100 TCP xrenditi-b424fd:2925 74.125.5.29:http ESTABLISHED

I cannot justify why my PC is connected to these (and similar addresses) IP Lookup didn’t provide sufficient info. However, there is no abnormal data transfer observed over my connection.

Please help me with the first part of the question related to Avast prior to addressing the second one.

Kind Regards.

UPDATE: Just ran a boot-time scan. Nothing detected.
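The second part of the question (the outbound connections) never gets an answer in the thread, so the following is an added example, not code posted by anyone here. It parses TCPView-style lines like the three above (embedded as constructed sample input) and applies the checks a responder would make by hand: a TIME_WAIT socket owned by PID 0 is a closed connection whose owner is already gone and cannot be attributed, and ashWebSv.exe is Avast's Web Shield, a local HTTP proxy that relays the browser's requests, so its connections reflect whatever sites the browser visited (74.125.0.0/16, for instance, is a Google netblock). The list of expected web clients is an assumption for this machine; `-Resolve` adds a reverse DNS lookup, which needs network access.

```powershell
# Added example (not code from the thread): triage TCPView-style connection lines.
# Assumptions: remote "http" means port 80; ashWebSv.exe is the Avast Web Shield local
# proxy; $knownWebClients is what this particular machine is expected to run.
# -Resolve performs a reverse DNS lookup per remote address (needs network access).
param([switch]$Resolve)

# Constructed sample input: the three lines quoted in the post above.
$sample = @'
ashWebSv.exe:2100 TCP xrenditi-b424fd:1595 74.125.99.18:http ESTABLISHED
[System Process]:0 TCP xrenditi-b424fd:2596 79.140.80.35:http TIME_WAIT
ashWebSv.exe:2100 TCP xrenditi-b424fd:2925 74.125.5.29:http ESTABLISHED
'@

# Processes expected to hold outbound web connections on this box (assumption).
$knownWebClients = @('ashWebSv.exe', 'iexplore.exe', 'firefox.exe')
$webPorts = @('http', 'https', '80', '443')

function ConvertFrom-TcpViewLine([string]$line) {
    # The four right-hand fields are fixed (proto, local, remote, state); the process
    # field may contain spaces ("[System Process]:0"), so it is everything to their left.
    $parts = $line.Trim() -split '\s+'
    if ($parts.Length -lt 5) { return $null }
    $procField = $parts[0..($parts.Length - 5)] -join ' '
    $procName, $procPid = $procField -split ':(?=\d+$)'
    $remoteHost, $remotePort = $parts[-2] -split ':(?=[^:]+$)'
    New-Object PSObject -Property @{
        Process = $procName; ProcessId = [int]$procPid; Proto = $parts[-4]
        Local = $parts[-3]; RemoteHost = $remoteHost; RemotePort = $remotePort; State = $parts[-1]
    }
}

function Get-Verdict($c) {
    if ($c.State -eq 'TIME_WAIT' -and $c.ProcessId -eq 0) {
        return 'closed socket, owner already gone; cannot attribute - match the remote address against other lines or a firewall log'
    }
    if (($knownWebClients -contains $c.Process) -and ($webPorts -contains $c.RemotePort)) {
        if ($c.Process -eq 'ashWebSv.exe') { return 'expected: Web Shield relaying browser traffic; confirm the browser visited this site' }
        return 'expected: web client on a web port'
    }
    return 'REVIEW: unexpected process or port'
}

$conns = $sample -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { ConvertFrom-TcpViewLine $_ }

foreach ($c in $conns) {
    $rdns = ''
    if ($Resolve) {
        try { $rdns = [System.Net.Dns]::GetHostEntry($c.RemoteHost).HostName } catch { $rdns = '<no PTR>' }
    }
    '{0,-18} PID {1,-5} {2,-16}:{3,-5} {4,-12} {5} {6}' -f $c.Process, $c.ProcessId, $c.RemoteHost, $c.RemotePort, $c.State, $rdns, (Get-Verdict $c)
}
```

To run it against the live machine instead of the sample, replace `$sample` with the output of TCPView saved to a file (or adapt the parser to `netstat -ano`, whose last column is the PID rather than a process name). The point of the verdict logic is that a proxy or web shield on the path changes which process "owns" a connection, so a connection list alone cannot separate malware traffic from browsing; the browser history or the Web Shield's own log is what confirms the second case.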

First, deletion isn't really a good first option (you have none left); 'first do no harm': don't delete, send the virus to the chest and investigate. Although in this case the detection seems good, you have to exercise care.

The C:\WINDOWS\system32\0F1.tmp error 00000005 is access denied, so may have been created and protected by another file (or in use, etc.), possibly the one detected and deleted by you…

Have you been able to find this .tmp file now and remove it ?

Some malware does change system functions to try and prevent you from dealing with malware. Although you have been able to see hidden files, as you say, it is hard to test a negative: if a file is truly hidden, how do you tell?

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

The first of these, MBAM, should be able to detect any bad system settings and correct them.

The second of these, SAS, has a Repair functionality, which can restore some system settings.

Edit: Is your system fully up to date? I thought the Conficker worm vulnerability had been closed by Windows Update some months ago.

Thank you so much for your reply. It saved me an infinite amount of anguish.

None of the infected files were ever found again. I followed all the steps delineated by you and here’s the MBAM log

Malwarebytes’ Anti-Malware 1.42
Database version: 3345
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/11/2009 10:48:57 PM
mbam-log-2009-12-11 (22-48-57).txt

Scan type: Full Scan (C:|)
Objects scanned: 237350
Time elapsed: 28 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command(default) (Broken.OpenCommand) → Bad: (“regedit.exe” “%1”) Good: (regedit.exe “%1”) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) → Bad: (0) Good: (1) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And no, I haven't installed the update patch yet. I know I should have done that.
Once again, I'd like to thank you for your valuable assistance :)
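The three "Registry Data Items" in the MBAM log above are the whole mechanism behind the hidden-files symptom, and they are worth checking directly rather than only trusting a scanner's verdict. Explorer copies `HKLM\...\Folder\Hidden\SHOWALL\CheckedValue` into the per-user `HKCU\...\Explorer\Advanced\Hidden` when "Show hidden files and folders" is selected; with CheckedValue forced to 0, both radio buttons write a value that does not mean "show", so the dialog snaps back to "Do not show" exactly as described in the first post (which edited the parent `Folder\Hidden` key rather than `SHOWALL\CheckedValue`). `UpdatesDisableNotify` = 1 silences the Security Center warning that Automatic Updates is off, and the `regfile\shell\open\command` default decides what runs when a .reg file is double-clicked. The script below is an added example, not code from the thread or from Malwarebytes; it audits those three values against the known-good values the log lists and, with `-Repair`, writes them back. It assumes PowerShell 2.0 or later and an elevated prompt for repairs, since HKLM and HKCR are machine-wide.

```powershell
# Added example (not code from the thread): audit the three registry data items the
# MBAM log reported as hijacked and optionally restore the known-good values it listed.
# Assumes PowerShell 2.0+ and an elevated prompt when -Repair is used.
#
#   .\Check-ExplorerHijack.ps1            # report only
#   .\Check-ExplorerHijack.ps1 -Repair    # also write the good values
param([switch]$Repair)

# Name = '' addresses a key's (default) value through the .NET RegistryKey API.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'CheckedValue'; Good = 1; Kind = 'DWord'
       Why  = 'copied into HKCU\...\Explorer\Advanced\Hidden when "Show hidden files" is chosen; 0 makes the choice revert' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'UpdatesDisableNotify'; Good = 0; Kind = 'DWord'
       Why  = '1 silences the Security Center warning that Automatic Updates is off' }
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command'
       Name = ''; Good = 'regedit.exe "%1"'; Kind = 'String'
       Why  = 'handler for double-clicked .reg files; a changed command intercepts registry imports' }
)

function Get-ValueState($check) {
    $key = Get-Item -LiteralPath $check.Path -ErrorAction SilentlyContinue
    if (-not $key) { return @{ Present = $false; Value = $null; Kind = $null } }
    $value = $key.GetValue($check.Name, $null)
    if ($null -eq $value) { return @{ Present = $false; Value = $null; Kind = $null } }
    return @{ Present = $true; Value = $value; Kind = $key.GetValueKind($check.Name).ToString() }
}

$results = foreach ($check in $checks) {
    $state = Get-ValueState $check
    # Compare as strings so a REG_SZ "0" planted where a DWORD belongs is still caught;
    # the kind comparison reports that type substitution on its own.
    $ok = $state.Present -and ($state.Kind -eq $check.Kind) -and ("$($state.Value)" -eq "$($check.Good)")

    if ($Repair -and -not $ok) {
        if (-not (Test-Path -LiteralPath $check.Path)) { New-Item -Path $check.Path -Force | Out-Null }
        $name = if ($check.Name -eq '') { '(default)' } else { $check.Name }
        Set-ItemProperty -LiteralPath $check.Path -Name $name -Value $check.Good -Type $check.Kind
        $ok = $true
    }

    New-Object PSObject -Property @{
        Status  = if ($ok) { 'OK' } else { 'HIJACKED/MISSING' }
        Path    = "$($check.Path)\$(if ($check.Name) { $check.Name } else { '(default)' })"
        Current = if ($state.Present) { "$($state.Value) [$($state.Kind)]" } else { '<missing>' }
        Good    = "$($check.Good) [$($check.Kind)]"
        Why     = $check.Why
    }
}

$results | Select-Object Status, Path, Current, Good, Why | Format-List

# The per-user value Explorer actually reads: 1 = show hidden files, 2 = hide them.
$hidden = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue).Hidden
"HKCU Explorer\Advanced\Hidden is currently: $hidden"
```

Run the report first and only then `-Repair`; a value that is present with the right data but the wrong type (a string "1" instead of a DWORD) is reported as hijacked on purpose, because Explorer treats it differently. Restoring these three values undoes the symptom, not the cause: the `.tmp` file the reply above asks about and anything that re-applies the hijack at logon still need to be accounted for, which is why the scan logs are requested before calling the machine clean.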

You’re welcome.

As you know, now is the time to download that update and ensure that your system is clean before installing SP3.

I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

If you haven’t already done so you should also run an SAS scan and report the findings too.

Hmm…Secunia seems to be a great service and they’re right about the importance of patching over anti-virus programs and firewalls. Will test my system on this site.

I’ll run the SAS scan too as soon as I find a vacant time slot for it. That would be in 2 or 3 days.

P.S: No wonder you're called the Überevangelist :)