Author Topic: Downadup/Conficker worm? Or what?  (Read 14090 times)


REDACTED

  • Guest
Downadup/Conficker worm? Or what?
« on: December 24, 2015, 12:56:02 PM »
Trying to resolve a problem with my 76-year-old mother's antique Windows Vista machine. I'm attempting to do this via Teamviewer remote control, since I'm 700 miles away from her (and she's relatively helpless as far as computers go). This problem cropped up almost immediately after she re-registered her free version of Avast and it subsequently updated to Avast 2016.

Here are the symptoms:
Can't connect to Avast for any kind of updates (engine, virus or program).
Avast SecureLine: Disconnected.
Can't download anything from the Avast website - or any other antivirus website. Most other non-antivirus websites still seem to load just fine (Yahoo, Google, Facebook, etc.).
Can't open/save email attachments (although she can still send/receive email via her Windows Mail).

These symptoms led me to believe it might possibly be the Downadup/Conficker worm. So I've tried various supposed 'fixes' for that particular infection, including:
Avast full scan (showed no infections)
Microsoft Windows Malicious Software Removal Tool (showed clean computer with no malicious software)
Sophos Virus Removal Tool (clean, nothing to remove)
F-Downadup.exe
EConfickerRemover (nothing found)

I've also read that this sort of problem could be fixed by clearing the DNS cache. Tried that to no avail.

I'd be ever so grateful if someone had other suggestions I could try. Thanks in advance.
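The symptom pattern above (security-vendor sites and updaters unreachable while ordinary sites load) is commonly produced by something interfering with name resolution for those domains only, either locally in the hosts file or in the answers the machine gets back. The script below is an added diagnostic check, not from this thread or from Avast; it parses the Windows hosts file for entries that touch a constructed list of security-vendor domains and then probes whether those names resolve at all. The domain list, the sample hosts content and the `www.` probe names are assumptions for illustration.

```python
"""Hosts-file and resolution check for the "can't reach antivirus sites" symptom.

Added example (not the forum thread's or Avast's code). Run on the affected
machine; it reads %SystemRoot%\\System32\\drivers\\etc\\hosts, or falls back to a
constructed sample when that path is not readable (e.g. on a non-Windows box).
"""
import os
import socket

# Constructed list of vendor apex domains to watch. Avast and Malwarebytes are
# named in the thread; the rest are assumptions added for illustration.
WATCHED_DOMAINS = (
    "avast.com",
    "malwarebytes.org",
    "mbamupdates.com",
    "microsoft.com",
    "sophos.com",
)

# Addresses that, in a hosts entry, silently blackhole a name instead of
# redirecting it somewhere that answers.
SINKHOLE_ADDRESSES = ("0.0.0.0", "127.0.0.1", "::1")

# Constructed sample, used only when the real hosts file cannot be read.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example (not from the thread)
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com           # blackholed
0.0.0.0         update.malwarebytes.org
198.51.100.7    files.avast.com         # redirected elsewhere
192.168.1.10    printer.lan
"""


def windows_hosts_path():
    """Standard location of the hosts file on Windows (SystemRoot may be overridden)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Turn hosts-file text into (address, hostname) pairs; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:                     # one line may carry several names
            entries.append((address, name.lower()))
    return entries


def flag_hosts_entries(entries, domains=WATCHED_DOMAINS):
    """Return entries that pin a watched domain (or a subdomain) to some address.

    A clean hosts file normally has no entries for these domains at all, so any
    hit deserves a look; 'sinkhole' hits block the name, 'redirect' hits send it
    to a different host.
    """
    flagged = []
    for address, name in entries:
        if not any(name == d or name.endswith("." + d) for d in domains):
            continue
        kind = "sinkhole" if address in SINKHOLE_ADDRESSES else "redirect"
        flagged.append({"address": address, "name": name, "kind": kind})
    return flagged


def probe_resolution(hosts, resolve=socket.gethostbyname):
    """Resolve each host with the system resolver; None marks a failed lookup.

    The resolver is injectable so the logic can be exercised offline.
    """
    results = {}
    for host in hosts:
        try:
            results[host] = resolve(host)
        except OSError:                        # socket.gaierror is an OSError
            results[host] = None
    return results


if __name__ == "__main__":
    path = windows_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print(f"Checking {path}")
    except OSError:
        text = SAMPLE_HOSTS
        print("Hosts file not readable here; using the constructed sample")
    hits = flag_hosts_entries(parse_hosts(text))
    print(f"{len(hits)} hosts-file entries touch watched domains")
    for hit in hits:
        print(f"  {hit['kind']:8} {hit['address']:15} {hit['name']}")
    print("Resolution probe (assumed www. names):")
    for host, addr in probe_resolution(["www." + d for d in WATCHED_DOMAINS]).items():
        print(f"  {host:28} -> {addr or 'lookup FAILED'}")
```

If the hosts file is clean but the probe still fails only for the watched names while, say, www.google.com resolves, the interference is somewhere other than the hosts file (a hooked resolver on the machine or a tampered DNS setting), which is exactly the kind of thing the diagnostic logs requested later in the thread are meant to expose.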

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37597
  • Not a avast user
Re: Downadup/Conficker worm? Or what?
« Reply #1 on: December 24, 2015, 01:00:24 PM »
follow instructions here  https://forum.avast.com/index.php?topic=53253.0
we need Malwarebytes and Farbar Recovery Scan Tool logs, attach the logs, 3 logs total

see below the box you write in ... Attachments and other options

since it is christmas there may be some waiting time, have not seen Malware removal team online today



« Last Edit: December 24, 2015, 01:02:06 PM by Pondus »

REDACTED

  • Guest
Re: Downadup/Conficker worm? Or what?
« Reply #2 on: December 24, 2015, 01:03:08 PM »
Thanks. I'll get to work on it. And I totally understand about any xmas delays.

Oh, by the way, I forgot to mention that I DID run Malwarebytes Anti-Malware and it didn't find anything, either. Also, whatever is blocking the computer would not allow Malwarebytes to update the database. So I just ran a scan using the existing database and it drew a blank. But I'll run it again...
« Last Edit: December 24, 2015, 01:07:33 PM by xntryk1 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37597
  • Not a avast user
Re: Downadup/Conficker worm? Or what?
« Reply #3 on: December 24, 2015, 01:10:38 PM »
Quote
Oh, by the way, I forgot to mention that I DID run Malwarebytes Anti-Malware and it didn't find anything, either
If Malwarebytes doesn't detect anything, you can drop that log

The two diagnostic logs from FRST are the important ones. They are the ones used for creating a fix




REDACTED

  • Guest
Re: Downadup/Conficker worm? Or what?
« Reply #4 on: December 24, 2015, 01:12:39 PM »
Thanks. Working on it...

REDACTED

  • Guest
Re: Downadup/Conficker worm? Or what?
« Reply #5 on: December 24, 2015, 01:39:48 PM »
FRST and Addition logs attached.

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Downadup/Conficker worm? Or what?
« Reply #6 on: December 24, 2015, 01:43:18 PM »
Hello,

I'll be working with you.


Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!


Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
« Last Edit: December 24, 2015, 01:47:58 PM by TwinHeadedEagle »
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

REDACTED

  • Guest
Re: Downadup/Conficker worm? Or what?
« Reply #7 on: December 24, 2015, 01:46:38 PM »
OK, will do. Thanks.

REDACTED

  • Guest
Re: Downadup/Conficker worm? Or what?
« Reply #8 on: December 24, 2015, 02:56:11 PM »
Just for the record, here is the Malwarebytes log (below). Next, I'll do aswMBR.exe. And finally (for now), I'll scan with ComboFix.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/24/2015
Scan Time: 5:35:24 AM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.18.03
Rootkit Database: v2015.12.18.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Monalynn

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 298516
Time Elapsed: 29 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

REDACTED

  • Guest
Re: Downadup/Conficker worm? Or what?
« Reply #9 on: December 24, 2015, 03:21:59 PM »
aswMBR log:

aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2015-12-24 06:59:06
-----------------------------
06:59:06.426    OS Version: Windows 6.0.6002 Service Pack 2
06:59:06.426    Number of processors: 2 586 0x209
06:59:06.429    ComputerName: MONALYNN-PC  UserName: Monalynn
06:59:10.669    Initialize success
06:59:10.693    VM: initialized successfully
06:59:10.698    VM: Intel CPU virtualization not supported
06:59:16.269    AVAST engine defs: 15122102
06:59:49.138    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
06:59:49.167    Disk 0 Vendor: WDC_WD1200BB-22DWA0 15.05R15 Size: 114473MB BusType: 3
06:59:49.347    Disk 0 MBR read successfully
06:59:49.370    Disk 0 MBR scan
06:59:49.415    Disk 0 Windows VISTA default MBR code
06:59:49.446    Disk 0 Partition 1 00     12    Compaq diag NTFS         5130 MB offset 63
06:59:49.577    Disk 0 Partition 2 80 (A) 07      HPFS/NTFS NTFS        15366 MB offset 10506510
06:59:49.604    Disk 0 Partition - 00     0F   Extended LBA             93973 MB offset 41977845
06:59:49.654    Disk 0 Partition 3 00     07      HPFS/NTFS NTFS        93973 MB offset 41977908
06:59:49.712    Disk 0 scanning sectors +234436545
06:59:50.000    Disk 0 scanning D:\Windows\system32\drivers
07:00:07.330    Service scanning
07:00:57.814    Modules scanning
07:00:57.851    Disk 0 trace - called modules:
07:00:57.899    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
07:00:57.950    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85ceb3c0]
07:00:58.011    3 CLASSPNP.SYS[891b48b3] -> nt!IofCallDriver -> [0x85638520]
07:00:58.053    5 acpi.sys[88a566bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84c827d8]
07:00:58.784    AVAST engine scan D:\Windows
07:01:01.059    AVAST engine scan D:\Windows\system32
07:05:32.790    AVAST engine scan D:\Windows\system32\drivers
07:05:57.860    AVAST engine scan D:\Users\Monalynn
07:16:15.336    AVAST engine scan D:\ProgramData
07:19:19.736    Disk 0 statistics 2464292/0/0 @ 1.41 MB/s
07:19:19.738    Scan finished successfully
07:20:15.227    Disk 0 MBR has been saved successfully to "D:\Users\Monalynn\Downloads\MBR.dat"
07:20:15.281    The log file has been saved successfully to "D:\Users\Monalynn\Downloads\aswMBR.txt"



Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37597
  • Not a avast user
Re: Downadup/Conficker worm? Or what?
« Reply #10 on: December 24, 2015, 03:54:03 PM »
attach logs, not copy and paste ... see my first post
you don't have to redo the ones posted   ;)


REDACTED

  • Guest
Re: Downadup/Conficker worm? Or what?
« Reply #11 on: December 24, 2015, 04:02:59 PM »
I did that (attach) with the big logs, but I didn't think it was verboten with the smaller ones. Sorry!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37597
  • Not a avast user
Re: Downadup/Conficker worm? Or what?
« Reply #12 on: December 24, 2015, 04:38:59 PM »
Quote
was verboten
No it is not verboten   ;D    just for ease

this forum doesn't like long logs as they won't go in one post; copy and paste of FRST logs may be 20 posts   :o




Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Downadup/Conficker worm? Or what?
« Reply #13 on: December 24, 2015, 04:40:34 PM »
Can you focus only on getting ComboFix report?

REDACTED

  • Guest
Re: Downadup/Conficker worm? Or what?
« Reply #14 on: December 24, 2015, 04:43:34 PM »
Yep, that's what I have been focusing on. Just takes a little while via remote control. Combofix log attached.