Author Topic: Avast found virus. (Win32:Confi [Wrm]) Help needed!  (Read 74380 times)


dolbyest

  • Guest
Avast found virus. (Win32:Confi [Wrm]) Help needed!
« on: January 08, 2009, 07:51:55 AM »
Avast Pro found a worm. After cleaning and reboot, the same worm comes back again. Is there any chance to clean this completely?
Avast says: Sign of "Win32:Confi [Wrm]" has been found in. Usually it is in a system32\x\[UPX] file and also in the IE temp catalog.

Did not find any help with search.

Thanks.
« Last Edit: January 08, 2009, 08:21:56 AM by dolbyest »

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #1 on: January 08, 2009, 10:12:24 AM »
it's a Conficker worm.. we've added the detection for the executable part of it...

EDIT: fully updated Windows should be immune against this attack, except the machines with weak passwords in the network..
« Last Edit: January 08, 2009, 03:03:16 PM by Maxx_original »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #2 on: January 08, 2009, 03:09:42 PM »
Hi dolbyest,

There is also a removal tool for this worm: ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip

Latest news about the aggressive propagation of this worm: https://forums.symantec.com/t5/Malicious-Code/W32-Downadup-Infection-Statistics/ba-p/376744

polonus
« Last Edit: January 08, 2009, 03:14:11 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #3 on: January 08, 2009, 07:14:19 PM »
polonus, this tool is not necessary - avast is able to delete the nasty from the boot-time scan... it can't simply be removed from user mode (not even after a restart), because it is well protected (this makes a serious removal problem for many antiviruses)... the boot-time scan is the cure ;)

Puck The Joker

  • Guest
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #4 on: January 08, 2009, 09:14:36 PM »
Boot time scan did nothing for me. It found the following:

File C:\WINDOWS\system32\gydenoun.dll\[UPX] is infected by Win32:Confi [Wrm]

I first tried repair and got:
Repair: Error 42060 {The file was not repaired.}

So I tried some other options and got:
Move to chest: Error 0xC0000034 {Object Name not found.}
Delete: Error 0xC0000034 {Object Name not found.}

I ended up having to ignore it just to get the scan to continue.

My avast! version 4.8 Home Edition is
Build: Dec2008 (4.8.1296), Xtreme Toolkit version: 1.9.4.0, Using ActiveSkin version 4.2.7.3
Vps file: Compilation Date: 01/08/2009 File Version: 090108-0

I'm gonna try that tool Polonus posted and see if it fixes the problem.

sariza

  • Guest
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #5 on: January 09, 2009, 03:20:36 AM »
Hi forum; today I received 7 reports from our service desk about Win32:Confi virus, we did this to solve the issue:

1.- Apply the right fix, according to the windows version and sp level
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

2.- Deactivated System Restore

3.- Scheduled a boot time scan, and deleted the infected files

4.- Activated System Restore

Check these links:
http://www.f-secure.com/weblog/archives/00001574.html
http://news.softpedia.com/news/Vulnerable-Windows-Machines-Sitting-Ducks-for-the-Conficker-Worm-98832.shtml
http://www.infospyware.eu/gusanos-ms08-067-se-retuercen-en-libertad.html

I hope it helps you

Best Regards!
Sergio
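The four steps sariza lists (confirm the MS08-067 fix for the OS and service pack level, switch System Restore off so infected restore points are not preserved, run the boot-time scan, switch System Restore back on) can be driven from PowerShell. The script below is an added example, not code from the thread or from avast. It assumes PowerShell 2.0 or later in an elevated session on a client Windows SKU (Disable-ComputerRestore and Enable-ComputerRestore exist only there), and it uses KB958644, the hotfix number mannen gives later in this thread, as the default id to look for. The boot-time scan itself is still scheduled in the avast UI; the script only brackets it.

```powershell
# Added example (not from the thread): checks sariza's four remediation steps.
# Assumptions: PowerShell 2.0+, elevated session, client Windows with System Restore.
param(
    [ValidateSet("Prepare", "Finish")]
    [string]$Phase = "Prepare",          # Prepare = steps 1-2, Finish = step 4
    [string]$HotfixId = "KB958644",      # MS08-067 hotfix id quoted in this thread
    [string]$SystemDrive = "C:\"         # drive whose restore points get dropped
)

function Test-Ms08067Hotfix {
    # Step 1: the fix must be present for this OS/SP, otherwise the host is
    # simply re-exploited over RPC after cleaning and the worm returns.
    $os = Get-WmiObject Win32_OperatingSystem
    Write-Host ("OS: {0} {1}" -f $os.Caption, $os.CSDVersion)
    $fix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    if ($fix) {
        Write-Host ("{0} installed ({1})" -f $HotfixId, $fix.InstalledOn)
        return $true
    }
    Write-Warning "$HotfixId is not installed. Apply the MS08-067 update for this OS/SP level first."
    return $false
}

function Start-CleanupWindow {
    # Step 2: drop restore points so a restored snapshot cannot bring the worm back.
    Disable-ComputerRestore -Drive $SystemDrive
    Write-Host "System Restore disabled on $SystemDrive."
    # Step 3 is done in the avast UI: schedule the boot-time scan and reboot.
    Write-Host "Now schedule the avast boot-time scan, reboot, and delete what it finds."
    Write-Host "After the scan completes, re-run this script with -Phase Finish."
}

function Complete-CleanupWindow {
    # Step 4: protection back on; a fresh restore point is created by Windows later.
    Enable-ComputerRestore -Drive $SystemDrive
    Write-Host "System Restore re-enabled on $SystemDrive."
}

switch ($Phase) {
    "Prepare" { if (Test-Ms08067Hotfix) { Start-CleanupWindow } }
    "Finish"  { Complete-CleanupWindow }
}
```

Run it once before the boot-time scan (`.\clean.ps1 -Phase Prepare`) and once after (`.\clean.ps1 -Phase Finish`). Refusing to continue when the hotfix is missing is deliberate: cleaning an unpatched host only buys time until the next scan from an infected neighbour.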

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #6 on: January 09, 2009, 12:43:31 PM »
Puck, it's really strange... what's your file system? NTFS or FAT32? does switching raw disk access (in program settings -> troubleshooting) make any difference?

mannen

  • Guest
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #7 on: January 09, 2009, 12:52:09 PM »
We have 250 PCs in our network. Avast Server and 250 clients.
We already did the following:
1.- Applied the right fix (kb958644), according to the windows version and sp level
3.- Scheduled a boot time scan, and deleted the infected files
Steps 2 and 4 not needed because system restore is disabled manually on all computers.

After some time the VIRUS comes back on the same computers.
So we can not delete it!

We tried to use Norton Antivirus on the same computers. NAV deleted the virus (W32.Downadup.B) and the virus never came back.

Are there any other ideas on how to remove it using Avast?

p.s. We also tried the removal tool but the virus comes back again and again  :'( :'(

I really don't want to remove AVAST clients from 250 computers and install NAV on 250 computers. It'll take a lot of time!
Please Help us.
SOS  :'( :'(
« Last Edit: January 09, 2009, 12:55:31 PM by mannen »

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #8 on: January 09, 2009, 01:37:47 PM »
how about some trivial passwords on the machines in the network? there's a possibility to get re-infected even when the MS hotfix is installed, because the worm tries the attack against weak passwords to get control of victim computers (in the same network)... can you post the corresponding lines from warning.log or error.log, if the file was really not removed by avast? we've killed hundreds of this worm from the boot-time scan, so it's very strange not to be able to get rid of it on all machines..

btw: what's the exact version of avast installations on the client machines?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #9 on: January 09, 2009, 02:02:14 PM »

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #10 on: January 09, 2009, 02:29:15 PM »
it is not the dropper in fact... the scanning was performed a day before our detection was released (VPS nr. 090106-1).. i believe the file is well detected now, you can try a rescan ;)

sariza

  • Guest
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #11 on: January 09, 2009, 04:33:09 PM »
All the infected computers had no password, so we set up passwords on the computers. Remember, if you have the hotfix but a weak password, it is mentioned in this link:

http://www.f-secure.com/weblog/archives/00001574.html

We use NTFS on all our computers; just on external USB hard drives it may be FAT32.

mannen

  • Guest
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #12 on: January 10, 2009, 09:31:33 AM »
Maxx_original
We have a strong password policy in our network, so no users have trivial passwords.
I think the possibility for the virus to come back onto the clean computers is from terminal servers in the local network, which were also infected and logged on as domain admin. Is it possible? So anyway, if some domain admin logs on to an infected computer, this computer can infect all other computers, and in this case it does not depend on the latest KB updates and Service Packs. Will computers logged on as domain admin infect other computers in all cases, even if Windows is fully updated?
Avast version 4.8.1005
VPS file 08/01/2009
screenshots from logs:
http://pic.ipicture.ru/uploads/090110/qS7kweOC4R.jpg
http://pic.ipicture.ru/uploads/090110/m5CVUXGKNZ.jpg

« Last Edit: January 10, 2009, 10:15:28 AM by mannen »

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #13 on: January 10, 2009, 04:48:10 PM »
mannen: yes, it's possible to get reinfected from the machine where a domain admin is logged on, because he doesn't need to exploit anything; he has the rights by default.. the other way is the autorun hole in Windows (autorun.inf is processed everywhere by default)... collect all USB sticks which got in touch with any infected PC.. plug these flash drives into some safe machine (Windows with disabled autoruns or Linux) and delete the autorun.inf and the *SID* folder or let avast do that...
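Two of the re-infection paths raised in this thread are auditable without touching the worm: accounts with no or trivial passwords (Reply #8 and sariza's Reply #11, where the infected machines had no password at all) and the autorun.inf path via USB sticks (this reply). The script below is an added example, not from the thread or from avast. It assumes PowerShell 2.0 or later in an elevated session on the Windows host, reports local accounts that do not require a password, sets the standard Explorer policy value NoDriveTypeAutoRun to 0xFF (AutoRun off for every drive type), and lists any autorun.inf on removable drives without opening or executing anything from them; deleting the file and the folder it points to is left to the admin or to avast, as the reply describes.

```powershell
# Added example (not from the thread): audit the two re-infection paths
# named in Reply #8/#11 (weak or missing passwords) and Reply #13 (autorun).
# Assumptions: PowerShell 2.0+, elevated session, Windows host.

function Get-LocalAccountsWithoutPassword {
    # Enabled local accounts that Windows does not force to have a password.
    # On a host already patched for MS08-067, these are what the worm's
    # network spread relies on.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False" |
        Where-Object { -not $_.PasswordRequired } |
        Select-Object Name, Domain, PasswordRequired
}

function Disable-AutoRunAllDrives {
    # NoDriveTypeAutoRun is the Explorer policy that controls AutoRun;
    # 0xFF turns it off for all drive types, so a plugged-in stick's
    # autorun.inf is not acted on. Returns the value now stored.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    (Get-ItemProperty -Path $key).NoDriveTypeAutoRun
}

function Find-RemovableAutorunInf {
    # DriveType 2 = removable media. Only reports the file; nothing on the
    # drive is executed. Hidden/system attributes are shown because the
    # worm's copies are not meant to be seen in Explorer.
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType=2" | ForEach-Object {
        $path = "$($_.DeviceID)\autorun.inf"
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            New-Object PSObject -Property @{
                Drive     = $_.DeviceID
                Path      = $path
                Size      = $item.Length
                Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                LastWrite = $item.LastWriteTime
            }
        }
    }
}

"== Local accounts with no password required =="
Get-LocalAccountsWithoutPassword | Format-Table -AutoSize
"== AutoRun policy (expect 255) =="
Disable-AutoRunAllDrives
"== autorun.inf on removable drives =="
Find-RemovableAutorunInf | Format-Table -AutoSize
```

A non-empty first table is the finding to act on first: set a password (or disable the account) on every row. The domain-admin path mannen asks about has no registry fix; a privileged session on an infected host gives the worm the same rights, so those accounts should not be used to log on to machines that are still being cleaned.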

multivac

  • Guest
Re: Avast found virus. (Win32:Confi [Wrm]) Help needed!
« Reply #14 on: January 13, 2009, 12:23:03 AM »
I have a client with 3 Windows XP SP3 computers. We are running Point of Sale Software where the password and Administrator must automatically log in through control userpasswords2 in cmd. All must have the same password. Avast detects Win32: Confi [Wrm]; it detects and deletes the file, then I scan again once the computer is booted. It then detects the virus again and deletes it or moves it to the chest. Then again and again and again it does the same thing.

Any suggestions?
Thank You in advance!