Author Topic: Win32:Confi - Does it compromise a local network?  (Read 8319 times)


ZStorm

  • Guest
Win32:Confi - Does it compromise a local network?
« on: April 16, 2009, 08:06:08 PM »
Hiya

I was asked to give a hand to a relative... she has 3 computers, 2 printers and a DSL connection, all linked by an 8-port hub.

Her ISP had emergency maintenance, so there was no internet for a few hours. This small network was fully functional before the ISP went down. After the connection was re-established, the main computer, which works as a server and holds the 2 printers, was restarted, and AVG 8.0 detected DOWNADUP WORM in the file C:\WINDOWS\system32\hdfwkapu.dll under the process SVCHOST.EXE; it was selected to be moved to the Vault. After that, this main computer wasn't able to recognise the 2 other computers or the DSL modem.

I took a look at the forum for references to this malware and found this BitDefender link for scanning and removal (http://www.bdtools.net/). The removal tool was downloaded and I ran it on the main computer... again AVG flagged the threat, but this time the process involved was the removal tool itself. I selected IGNORE and the scan result was CLEAR, not detecting anything or starting the disinfection at all. The malware was still active, but there was no way the BD tool would get it.

I then installed Avast Home 4.8 on the main computer and ran the boot-time scan. The malware was detected under the same file and path, under the alias Win32:Confi, and was moved to the Chest. As Windows started again, it reported a missing driver for one printer, and there was still no network, even though the locations are still visible and mapped but not accessible.

Does this malware have anything to do with this network mess, or was it just a coincidence?

I'm attaching the Avast boot log and an HJT file.

Thank you in advance for your attention and support.

ZStorm

PS: About the hardware, I tested all the cables and ports, plus the modem and hub. All are OK, which only leaves me suspecting that the network PCI card of the main computer somehow got physically damaged.

ZStorm

  • Guest
Re: Win32:Confi - Does it compromise a local network?
« Reply #1 on: April 16, 2009, 09:35:27 PM »
Checking the hardware devices for the Ethernet card... it was disabled. Once enabled, the network was back. I still wonder whether the malware would have caused that or not.

I downloaded Malwarebytes and I'm going to scan the computer with it too.

RZPogi

  • Sr. Member
  • Posts: 237
Re: Win32:Confi - Does it compromise a local network?
« Reply #2 on: April 16, 2009, 09:49:19 PM »

Quote
“Does this malware have anything to do with this network mess, or was it just a coincidence?”

Yeah.
Avast detects Conficker but can't fully prevent the damage. Conficker poisoned my internet connection so that I couldn't connect for a long time, or at all. It also has effects on firewalls like Comodo, in that it prevents the PC from connecting to the internet.

Note: Did you update your computer with MS Updates? Since I updated, everything returned to normal except for my damaged firewall. I had to reinstall it.
Also read MS's description of Conficker:
http://technet.microsoft.com/en-us/security/dd452420.aspx
« Last Edit: April 16, 2009, 09:51:02 PM by RZPogi »
DESKTOP: Win 10, Avast 20 Free, Windows firewall, Malwarebytes free

LAPTOP: Win 10, Windows Defender, Malwarebytes free, Windows Firewall, Mcshield

RZPogi

  • Sr. Member
  • Posts: 237
Re: Win32:Confi - Does it compromise a local network?
« Reply #3 on: April 16, 2009, 10:03:21 PM »
You can also download that patch itself:

http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03&displaylang=en

When installing, make sure that you are not connected to the internet, because this might affect the installation. Also, restart the computer afterwards.

But it is better if you have fully updated your system.
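A short triage script, added here as an example and not something from the thread or from Avast: it checks the three things the replies above turn on (whether the MS08-067 hotfix, assumed here to be KB958644, is present; whether the services Conficker is documented to stop are running; and whether security-vendor sites still resolve). The command-output parsers are pure functions, so the logic runs offline on the constructed samples inside the block; live collection runs only on Windows.

```python
"""Added triage script, not from the thread, for the three things the replies
above turn on: whether the MS08-067 hotfix is installed, whether the services
Conficker is documented to stop are running, and whether security-vendor
sites still resolve.  Command output is parsed by pure functions so the logic
can be exercised offline on the constructed samples below; live collection
only runs on Windows."""
import re
import socket
import subprocess
import sys

MS08_067_HOTFIX = "KB958644"   # assumption: KB number of the MS08-067 update

# Services Conficker is documented to disable: Windows Update, BITS,
# Windows Defender, Security Center, Error Reporting (ERSvc is XP/2003 only).
WATCHED_SERVICES = ["wuauserv", "BITS", "WinDefend", "wscsvc", "ERSvc"]

# Sample vendor hosts; the worm blocks resolution of names containing vendor
# strings, which is what "cannot reach the Avast site" looks like from inside.
VENDOR_HOSTS = ["www.avast.com", "www.microsoft.com", "www.sophos.com",
                "www.malwarebytes.org"]

# Constructed samples of the two command outputs, for offline use.
SAMPLE_QFE = "HotFixID\nKB958644\nKB4474419\n\n"
SAMPLE_SC = {
    "wuauserv": "SERVICE_NAME: wuauserv\n        TYPE               : 20  WIN32_SHARE_PROCESS\n"
                "        STATE              : 4  RUNNING\n",
    "BITS":     "SERVICE_NAME: BITS\n        TYPE               : 20  WIN32_SHARE_PROCESS\n"
                "        STATE              : 1  STOPPED\n",
    "ERSvc":    "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
                "The specified service does not exist as an installed service.\n",
}


def installed_hotfixes(qfe_output):
    """Parse `wmic qfe get HotFixID` output into a set of upper-case KB IDs."""
    return {kb.upper() for kb in re.findall(r"\bKB\d{6,7}\b", qfe_output, re.I)}


def service_state(sc_output):
    """STATE word (RUNNING, STOPPED, ...) from `sc query <name>` output,
    or MISSING when sc reports error 1060 (service does not exist)."""
    if "FAILED 1060" in sc_output:
        return "MISSING"
    m = re.search(r"STATE\s*:\s*\d+\s+([A-Z_]+)", sc_output)
    return m.group(1) if m else "UNKNOWN"


def unresolvable(hosts, resolve=socket.gethostbyname):
    """Hosts that fail to resolve; `resolve` is injectable for offline tests."""
    failed = []
    for host in hosts:
        try:
            resolve(host)
        except OSError:
            failed.append(host)
    return failed


def blocked_resolver(host):
    """Constructed stand-in for an infected host's resolver: vendor names fail."""
    if "avast" in host or "sophos" in host or "malwarebytes" in host:
        raise OSError("name resolution failed")
    return "203.0.113.1"


def triage(qfe_output, sc_outputs, resolve=socket.gethostbyname):
    """Combine the three checks into a list of findings (empty = nothing seen)."""
    findings = []
    if MS08_067_HOTFIX not in installed_hotfixes(qfe_output):
        findings.append("MS08-067 (%s) not installed" % MS08_067_HOTFIX)
    for name, out in sc_outputs.items():
        state = service_state(out)
        if state != "RUNNING":
            findings.append("service %s is %s" % (name, state))
    for host in unresolvable(VENDOR_HOSTS, resolve):
        findings.append("cannot resolve %s (consistent with Conficker's DNS block)" % host)
    return findings


def run_cmd(args):
    """Run a Windows command and return its stdout as text."""
    return subprocess.run(args, capture_output=True, text=True).stdout


if __name__ == "__main__":
    if sys.platform == "win32":
        qfe = run_cmd(["wmic", "qfe", "get", "HotFixID"])
        sc = {n: run_cmd(["sc", "query", n]) for n in WATCHED_SERVICES}
        result = triage(qfe, sc)
    else:   # demonstrate on the constructed samples
        result = triage(SAMPLE_QFE, SAMPLE_SC, blocked_resolver)
    print("\n".join(result) or "no findings")
```

Two caveats when reading the output: a missing ERSvc on Vista or later is noise, not a finding, and a resolution failure for vendor sites is consistent with the blocking ZStorm saw later in the thread but is not proof of infection on its own; treat it as a reason to scan from clean media, not as a diagnosis.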

CharleyO

  • Guest
Re: Win32:Confi - Does it compromise a local network?
« Reply #4 on: April 17, 2009, 01:28:07 PM »
***

An analysis of your HJT log shows the following :

We didn't detect any active firewall process on your system. Possible reasons:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall from an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend that you use a firewall.


The following entries were rated by HJT as either BAD or Questionable. But I suggest that it is your choice whether or not to let HJT fix these entries, because my research shows that some sources do not consider ASK a threat. I have given only a sample of the resources below.

http://www.bleepingcomputer.com/startups/ASKService-24245.html

http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=21253

http://www.prevx.com/filenames/X1407699305712174442-X1/ASKSERVICE.EXE.html
( Prevx does state the following : "This Process tampers with Vulnerable System Files and Settings" )

However, one resource rates ASK as being 50% dangerous.

http://www.file.net/process/askservice.exe.html
( "The application listens for or sends data on open ports to LAN or Internet. AskService.exe is able to monitor applications." )

C:\Arquivos de programas\AskBarDis\bar\bin\AskService.exe
rated BAD by HJT
C:\Arquivos de programas\AskBarDis\bar\bin\ASKUpgrade.exe
rated Questionable by HJT
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
rated BAD by HJT
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s
rated BAD by HJT
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll
rated Questionable by HJT
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll
rated Questionable by HJT
O23 - Service: ASKService - Unknown owner - C:\Arquivos de programas\AskBarDis\bar\bin\AskService.exe
rated BAD by HJT
O23 - Service: ASKUpgrade - Unknown owner - C:\Arquivos de programas\AskBarDis\bar\bin\ASKUpgrade.exe
rated Questionable by HJT


One other entry does need to be fixed by HJT :

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=7E853D72-626A-48EC-A868-BA8D5E23E045&search=SAS-Search   (First 5 on listing are relevant)


***
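As an added example (not CharleyO's method and not HijackThis's own code), a first mechanical pass over HJT lines like the ones quoted above: it pulls name, CLSID or owner, and path out of R1/O2/O3/O23 entries, flags the orphan, unknown-owner and search-redirect cases a reviewer checks first, and groups entries by the directory they point at so that one product's BHO, toolbar and services show up as a single uninstall target. The sample lines are the ones from the post; the set of expected search hosts is an assumption.

```python
"""Added example, not part of the thread: a mechanical first pass over
HijackThis log lines such as the ones CharleyO lists above.  It extracts the
CLSID, name and path from R1/O2/O3/O23 entries, flags the things a reviewer
checks first, and groups entries by the directory they point at.  HJT's own
BAD/Questionable ratings are not reproduced; the search-host allow-list is an
assumption."""
import ntpath
import re
from urllib.parse import urlparse

# Assumption: an IE search URL pointing anywhere else is treated as a hijack.
EXPECTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "go.microsoft.com"}

# Constructed sample: the entries quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=%s
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll
O23 - Service: ASKService - Unknown owner - C:\Arquivos de programas\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Arquivos de programas\AskBarDis\bar\bin\ASKUpgrade.exe
"""

LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def parse_line(line):
    """Turn one HJT line into a dict, or None if it is not an HJT entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    entry = {"code": code, "raw": line.strip()}
    if code in ("O2", "O3", "O23"):
        # "BHO: name - {CLSID} - path", "Toolbar: ...", "Service: name - owner - path"
        kind, _, rest = body.partition(": ")
        parts = rest.rsplit(" - ", 2)       # rsplit keeps a " - " inside the name intact
        if len(parts) == 3:
            entry.update(kind=kind, name=parts[0], path=parts[2])
            entry["owner" if code == "O23" else "clsid"] = parts[1]
    elif code.startswith("R"):
        key, _, value = body.partition(" = ")
        entry.update(key=key, value=value)
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def findings(entries):
    """(category, code, subject, note) tuples a reviewer should look at."""
    out = []
    for e in entries:
        if e["code"] in ("O2", "O3") and e.get("path") == "(no file)":
            out.append(("orphan", e["code"], e.get("clsid", ""),
                        "CLSID still registered but the file is gone; safe to fix"))
        if e["code"] == "O23" and e.get("owner") == "Unknown owner":
            out.append(("unknown-owner-service", e["code"], e.get("name", ""),
                        "service binary with no vendor string; verify the file"))
        if e["code"].startswith("R"):
            host = urlparse(e.get("value", "")).netloc.lower()
            if host and host not in EXPECTED_SEARCH_HOSTS:
                out.append(("search-hijack", e["code"], host,
                            "IE search redirected to a third party"))
    return out


def by_directory(entries):
    """Group entry codes by the directory of the file they reference."""
    groups = {}
    for e in entries:
        d = ntpath.dirname(e.get("path", ""))   # ntpath: Windows paths on any host
        if d:
            groups.setdefault(d, []).append(e["code"])
    return groups


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for f in findings(ents):
        print("%-22s %-4s %s: %s" % f)
    for d, codes in by_directory(ents).items():
        print("%s <- %s" % (d, ", ".join(codes)))
```

The grouping is the practical point: all five ASK entries resolve to one directory, so uninstalling that product (or deleting that directory after stopping the two services) clears them together, and only the orphan CLSID entry needs HJT to fix it on its own.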

ZStorm

  • Guest
Re: Win32:Confi - Does it compromise a local network?
« Reply #5 on: April 17, 2009, 08:40:13 PM »
RZPogi

Thank you for your feedback. I downloaded the patch just in case and I'm going to run it. The updates were a bit out of date, but since I got the connection back (just by re-enabling the Ethernet hardware device) I'm getting them all done.

I also ran Malwarebytes, and it pointed out only 4 threats: 3 from the MS Security System (AV, Firewall and Updates) and 1 from the HJT program. I selected ignore, and now I'm proceeding with a boot-time scan once again.

As soon as it is done I will run the patch and check that the MS updates are OK. Apparently the malware was removed... but you said yourself it wasn't that easy to remove, while for me it went away after the first boot-time scan with Avast. Let's hope it stays like that.

Thanks a lot for your posts and have a terrific weekend.

ZStorm

ZStorm

  • Guest
Re: Win32:Confi - Does it compromise a local network?
« Reply #6 on: April 17, 2009, 08:52:33 PM »
Hiya CharleyO

The firewall in use is the Windows one.

About the HJT report, I will follow your suggestions and select those entries to be fixed by HJT when I run it again. It seems my cousin downloaded ASK (hell knows why) just the day before the infection, or on the same day before our ISP went down for maintenance. I never liked ASK, so it will be uninstalled anyway and HJT will fix the rest. :)

Once I've gone through those by running MB, the MS patch and HJT once again, I will post the results.

Thank you very much for your support and have a great weekend.


ZStorm

  • Guest
Re: Win32:Confi - Does it compromise a local network?
« Reply #7 on: April 29, 2009, 01:32:47 AM »
Hiya

Sorry for the delay, but our friend CONFI did more damage than expected. The main computer was formatted last Friday, the 24th, and the clever technician (it wasn't me!) installed absolutely NOTHING for security or updates... even the Windows Firewall was disabled until late this afternoon, when I asked someone to check that. I'm not sure, but I also believe the genius user AGAIN used the damn pen drive which was already identified as infected and whose files were moved to the Avast Chest last week.

Format done, the network was back late Friday, but yesterday, the 27th, during the day... the 2nd computer on the network got pestered with CONFICKER... I'm not sure whether the genius user decided to plug the pen drive AGAIN into another computer, or whether the malware had already spread, as the clever technician DIDN'T FORMAT or even check ANYTHING on computers 2 and 3. Gotta love professionalism...

I did a zillion boot-time scans with Avast, followed the instructions in the infection popup notice to the letter, used the MS patch many times, the computer was unhooked from the network during those procedures and still... nada! It was a matter of minutes, or just hooking up the Ethernet cable, and pfff... there it was again and again.

The same genius user AGAIN used the pen drive from hell on the computer I'm using now (computer 3), which had barely been touched during this hell of a week, to scan it using Avast, AVG, Malwarebytes etc. No wonder he found the malware...

So... after reading really interesting material about how badly CONFICKER has spread all over the world... please check this thread - http://forum.avast.com/index.php?topic=44608.msg374355#msg374355 - IT'S REALLY WORTH IT - I downloaded tons of tools to try to check whether the malware had spread to the other 2 computers or not... and ran most of them on this computer (3) and 'pc2'.

All logs of all the tools I downloaded, upgraded, updated, ran and so on are attached, identified by pc1 (the main one, which was formatted), pc2 (recently infected) and pc3 (this one, into which the genius user plugged the damn pen drive today).

Sophos claimed to have 'the' removal tool... and so after scans and stuff I just finished running it on pc2... the result was a simple popup box saying "CONFICKER WAS NOT DETECTED". According to their instructions, the tool should be downloaded on a non-infected computer... I'm not sure whether this pc3 or pc1 are contaminated (and maybe bugged the tool) or whether the tool just doesn't work (before running it I unhooked pc2 from the LAN).

Links for the Sophos solution:
http://www.sophos.com/products/free-tools/conficker-removal-tool.html
http://www.sophos.com/support/knowledgebase/article/51169.html


I really would love to hear from you, anything at all... I believe the logs will help to visualise the mess here.

Thanks all of you again for your interest, support and attention.

ZStorm

ZStorm

  • Guest
Re: Win32:Confi - Does it compromise a local network?
« Reply #8 on: April 29, 2009, 01:38:58 AM »
BTW, this computer and the main one ARE NOT ABLE TO CONNECT TO THE AVAST SITE... it took me ages to get a break from CONFICKER to post my thread today... ugh

ZStorm

  • Guest
Re: Win32:Confi - Does it compromise a local network?
« Reply #9 on: April 29, 2009, 07:55:56 AM »
hiya again

Sorry for an extra post... I've been banging my head for the last 10 hours thanks to CONFICKER. I don't expect sympathy, but just for your info: I started at 2009-04-28 16:00 (my time) trying to work the mess out, and it's now 2009-04-29 02:06. I'm at home, had a hell of a bad time getting home and, worse, getting the Sophos tool downloaded from the link, the very same link I used earlier.

I'm using a borrowed laptop which wasn't in touch with the malware, so as to burn the removal tool file to a CD. I haven't run a scan in the last week, but it's standalone; I barely used this laptop lately apart from weekends, and in addition NO USB DEVICES were used apart from the mini-modem ones for connecting to the internet.

The connection I'm using at the moment sucks big time, but anyhow, when clicking on the download, the response from FlashGet was as if the link didn't exist, and so the task cancelled itself, showing as deleted. I tried it over and over, thinking the issue was the connection speed, and many times got the same result or some popup saying the task was already scheduled... until... I got a first-ever popup saying the URL had changed address and asking if I wanted to use it. You may call me stupid, but the link looked valid to me, even if I had just one eye open.

Here is the info from the download done a few moments ago using FlashGet (sorry, but I can't compare it to the one used before, for obvious reasons):

URL: http://www.sophos.com/support/updates/91X9+OHPKg0veh+0oyG0igbGlua3R5cGU9ZW50ZXJwcmlzZSZ1Y2lkPTYxODQ3NiZleHBpcmVzPTIwMDktMDUtMDdUMDA6MDA6MDA=/dp/full/ssconftool_107_sfx.exe
Referrer:
https://secure.sophos.com/products/free-tools/conficker-removal-tool/download

I scanned this downloaded file with Avast, Malwarebytes and AVG 8.5 and all came back clear. I burnt the file onto a non-bootable CD with an open session.

I hope that will work, at least to make sure the tool was downloaded from a safe computer, so as to fix the mess they have over there.

However, I didn't see anything at all about HOW TO SCAN, DETECT, HEAL/FIX/DELETE or IMMUNISE A USB DEVICE, which is one of the favourite ways to spread the malware. Once the pen drive, for instance, is infected... how do you deal with it?

I'm stuffed with doubts concerning:

- what is the real damage from being infected by CONFICKER, standalone or on a home network with a couple of peers;
- how does it affect data files (document files, exe files etc.);
- how to deal with it, from prevention to healing/curing/safety;
- is it safe to copy a working file (*.DWG, for instance) onto CD/DVD media and use it safely, even if from an infected computer?
- how to transfer files when you need them updated (working files like project files that more than one person, from different stations and locations, deal with)?
- is emailing files of any sort, especially working ones, safe for sender and recipient?
- malware tools are still being updated for this malware (some give notice of it, others don't at all, or maybe once), but how can you be sure and prevent getting a clean computer infected by sending a simple working file by email or on a CD?



Sorry mates, I know those are many questions and I should have searched for more info, but I was called to put out a fire as a favour, with very few resources and little authority. I know those people need those machines working and I'm just trying to help. You see, I've been awake for no less than 21 hours and working since... no sleep, no rest, not a penny for my assistance on that matter. My concern is for the other side, who will turn on the computer and again get a messed-up network, malware popups, the impossibility of using pen drives etc. I got myself a BEAGLE a year ago and THANKS TO YOU ALL I got my (now defunct) computer working with no damage to my files or system.

Once again, I can only thank you... and lie in bed for 3 hours of sleep until I wake up again for another day of work.

Gentle breezes and a good day/night
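As an added example (not from the thread or from the linked post), one way to answer ZStorm's USB question in code: parse a drive's autorun.inf the tolerant way Windows does, report what it would launch and why that looks wrong, and apply the folder-based immunisation. The autorun.inf bytes, the payload path and the SID-like folder name are constructed for the example; no real sample is reproduced.

```python
"""Added example, not from the thread: inspect what an autorun.inf on a
removable drive would launch, and apply the folder-based immunisation ZStorm
asks about.  The sample autorun.inf below is constructed; its junk-padded
layout (binary noise between the real keys, which Windows' INI reader skips)
mimics how Conficker's autorun.inf was observed to look, but no real sample,
path or SID is reproduced."""
import os
import re
import tempfile

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_\\ ]*?)\s*=\s*(.*?)\s*$")
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample: junk lines around a real [AutoRun] section whose
# shellexecute hands a renamed DLL under RECYCLER to rundll32.
SAMPLE_AUTORUN = (
    b"\x8a\x13junk before the section\xff\xfe\r\n"
    b"[AutoRun]\r\n"
    b"\x00\x9c\xdd noise with no key\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"\xf1\xe2 more junk \x7f\r\n"
    b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-0-0-0-1000\\payload.vmx,entry\r\n"
    b"UseAutoPlay=1\r\n"
)


def parse_autorun(data):
    """Return {key_lower: value} for the [autorun] section of an autorun.inf.
    Decoding as latin-1 cannot fail, so binary junk lines simply match
    neither a section header nor key=value and are skipped."""
    entries, in_autorun = {}, False
    for raw in data.decode("latin-1").splitlines():
        sec = SECTION_RE.match(raw)
        if sec:
            in_autorun = sec.group(1).lower() == "autorun"
            continue
        if not in_autorun or raw.lstrip().startswith(";"):
            continue
        kv = KEY_RE.match(raw)
        if kv:
            entries[kv.group(1).lower()] = kv.group(2)
    return entries


def launch_targets(entries):
    """Commands Explorer would run, or offer as the default AutoPlay action."""
    return [entries[k] for k in LAUNCH_KEYS if k in entries]


def suspicious_reasons(target):
    """Heuristics for a launch target found on a data drive."""
    t = target.lower()
    tokens = t.split()
    reasons = []
    if tokens and "rundll32" in tokens[0]:
        reasons.append("rundll32 loads a library straight off the drive")
        lib = tokens[1].split(",")[0] if len(tokens) > 1 else ""
        if lib and not lib.endswith(".dll"):
            reasons.append("library carries a non-.dll extension (.%s)" % lib.rsplit(".", 1)[-1])
    if "recycler" in t or "system volume information" in t:
        reasons.append("payload hidden in a system folder users do not browse")
    return reasons


def inspect(data):
    """Parse an autorun.inf and return {launch_target: [reasons]}."""
    return {tgt: suspicious_reasons(tgt) for tgt in launch_targets(parse_autorun(data))}


def immunize(mount):
    """Occupy the name autorun.inf with a directory so a dropped file cannot
    take it.  Refuses to touch a drive that still carries an autorun.inf
    file: inspect and remove that first."""
    path = os.path.join(mount, "autorun.inf")
    if os.path.isfile(path):
        raise FileExistsError("autorun.inf file present on %s; inspect it first" % mount)
    os.makedirs(path, exist_ok=True)
    return path


def immunize_scratch_drive():
    """Self-check on a temporary directory standing in for a pen drive."""
    return os.path.isdir(immunize(tempfile.mkdtemp(prefix="usb-")))


if __name__ == "__main__":
    for target, reasons in inspect(SAMPLE_AUTORUN).items():
        print(target)
        for r in reasons:
            print("  !", r)
    print("scratch drive immunised:", immunize_scratch_drive())
```

The folder trick is only a speed bump: anything with write access to the drive can delete the folder and drop its own file. The control that actually closes the vector is disabling AutoRun for every drive type on the hosts (NoDriveTypeAutoRun = 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, after Microsoft's AutoRun update KB967715 on XP), and then scanning each pen drive from a machine where AutoRun is already off, with the drive's RECYCLER and hidden folders included in the scan.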

mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1618
Re: Win32:Confi - Does it compromise a local network?
« Reply #10 on: May 03, 2009, 04:10:09 AM »
Hey there ZStorm. Sorry about the delay in replying. Sometimes I can't put solutions out there too quickly, because I don't know exactly what the target problem is and don't want to be too easily responsible if the solution is wrong.

Anyway, here are a few things I do that are safe to put out there. I may post more, with a bit of overkill to ensure there's enough to cover most malware complications.

First, USB devices. This post is probably as good as needed:

http://forum.avast.com/index.php?topic=44689.msg374575#msg374575


Quote
“they talk about the damages but not at all about the 'cure' or proper solution for infected computers and devices.”

As far as damage goes, there is quite a bit to talk about. Conficker has turned out to be a lot larger than life in regard to its many faces and many avenues for infection and infestation. A single-headed monster with a pre-determined cause and effect would probably have made solutions easier. But Conficker is turning out to be multi-faced and many-sided, with lots of variants.

What may be required is a series of cleansing agents (antivirus tools) that allow the repair tech to cover as many options as possible while ensuring the malware hopefully has no options left (but quarantine).

As well, the Conficker worm is constantly mutating, through manipulation of web services by a malware perp, and also quite likely by way of its own mutant properties. So it's really a bit of a lottery when it comes to deciding which line of attack to take, which tools to use, and in what sequence, when you want to get rid of the virus. So in that way you are right: you really have to work out your own 'cure' and proper solution.

Fortunately, anti-malware people also know a lot about those mutant properties of the virus, and in fact most malware properties, and also most of the means at the disposal of deviant hacks. With the right information, anti-malware hacks can most times accurately predict a solution without actually being there.

When I have to go out and check a virus for someone who has no idea how computers work, what I do is take the best possible range of tools to work with, which will help close out most of the options available to the virus.

Here is an example of a range of cleansing and enhancing tools:

http://forum.avast.com/index.php?topic=39311.msg330024#msg330024


You cannot avoid constantly updating web services, particularly Microsoft software components, especially IE, any antivirus packages and defence facilities, and also services like Java and other apps or programs. There's lots of must-do stuff now, like updates, that comes under system protection.

This tech refers to a layered defense.

http://forum.avast.com/index.php?topic=43658.msg365399#msg365399
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1618
Re: Win32:Confi - Does it compromise a local network?
« Reply #11 on: May 04, 2009, 12:27:35 AM »
So what about cleaning out the virus?

I have posted a mockup of what I might do when I begin cleaning on a repair job similar to your computer problem. It's close to what has been my standard repair routine. A bit of overkill though, just for good measure.

I hope other tech contributors to the Avast forum will comment if they think there's a better way or extra help for these anti-malware issues; I'm just giving an example of what I might do.

The main tool that I use in this respect is the latest version of Avast (normally Avast Home for a home computer). So say I'm heading out to do the business on your computer: I download the latest version of Avast Home to a clean CD, ready to load onto your computer if and when it's needed. I don't often resort to CDs, but I always keep some at the ready because they are cheap enough to buy. Cheap enough to throw away afterwards if I want.

I noticed on your HijackThis log that you had AVG installed. I usually uninstall AVG to have Avast running instead. Normally I would uninstall AVG after I have installed and run the Avast engine to quickly wash out the operating system, but since you already have a version of Avast on your system, I would want to uninstall that first as well. Then load my latest version of Avast for the antivirus wash.

So I would also load an uninstaller onto my clean CD to help if I need to get rid of unneeded software. In my case, this would be http://www.revouninstaller.com/, which works for me. Or get the AVG uninstaller direct from the makers if you want. Or Windows Add/Remove Programs.

I usually also want to uninstall other stuff, like in your case the ASK program that CharleyO refers to:

http://forum.avast.com/index.php?topic=44319.msg371172#msg371172

Usually I look at whatever software the computer owner has, and which can be reloaded after uninstalling, and then I know what programs can be safely re-installed. I have found a virus can play havoc once amongst Adobe, amongst downloaded toolbars, amongst anything that has been downloaded to the desktop rather than into storage (its own folder), in add-on viewers and/or players, and so on. So usually there's some uninstalling needed (again, this usually reduces the options available to malware to evade when the wash starts up).

So on the clean CD I have the latest version of Avast as well as a third-party uninstaller facility. In this case, I would add the latest MBAM http://malwarebytes.org/mbam.php to the CD for a quick initial scan to open up the cleansing process (SUPERAntiSpyware will not run in Safe Mode). The purpose of the clean CD is to have at the ready any tools to run offline or in Safe Mode or any contrived condition/state where anti-malware can work while the malware is being kept suspended (Safe Mode is a good example: malware penned in, unable to run).


The PC is unhooked from the internet. When I first turn on the infected PC I go into Safe Mode and copy the setup files of all these tools to Program Files, and from there I will install them as and if they are needed. So all my tools are in place on the computer and the virus is still asleep.

Often, if the owner agreed that the computer was definitely infected and so was willing to run with Avast, I would immediately install and run the latest version of Avast from the command line in Safe Mode / offline, and so have the boot scan doing the business before the virus can even start to move. This is what I mean by the latest version of Avast being my main tool. Often malware will come out in the first quick wash and I am halfway home from the very start. This has worked for me. I've saved lots of time and effort by going straight for the jugular while the malware is still unable to get going.

Anyway, back to cleaning out the virus.

Say with your computer, this time I am going to do a few things that require some of the PC's programs to run. So the malware will actually be able to get going a bit. But first I also install and launch either MBAM (or another; maybe try http://www.freedrweb.com/cureit/).

(Edit: I was thinking of doing the uninstall in normal mode, but it's probably best to try to do it all in Safe Mode.)

This might mean having to go through restarts at times, so be sure to stay in Safe Mode with each restart. This routine hopefully delivers a whammy to the malware, and enough of a head start to get some tidying up done, which at the moment will mainly be uninstalling unwanted software. Each uninstall may require a restart, but go through with the job anyway until it's done. You should still be able to do all this in Safe Mode, denying the malware any avenue to initialize its deviant script.

If all goes well, the system will be well prepared for a scan with Avast antivirus. Turn off System Restore in Safe Mode. (You don't have to turn off System Restore if you don't want to, and don't forget backups. I don't want to go too far into this issue because the post is already getting too long.)

Let's say MBAM has had whammy enough to give the tech some room to move, messy or unneeded software has been uninstalled, important data has been backed up, and System Restore has been turned off. And the computer is still in Safe Mode.

So install and launch the latest version of Avast from where it has been stored in Program Files. And let the boot scan run after restart. (Note that on any occasion where the boot scan only runs a quick tally and then boots to Windows, bypassing the scan procedure, you will have to scan using the graphical interface, and you will almost certainly detect the malware that is preventing the boot scan from running properly, so I have found.) That said, the boot scan will usually run properly.

After which the computer boots through to Windows, enabling all systems ready to run in normal mode. Once startup is completed, run the Avast engine and decide on the settings you want. I usually set local drives to 'thorough' and check the box to 'scan archives' to begin with (overkill, really). Then I run a scan via the full graphical interface on these settings (again, overkill, but it doesn't hurt). The outcome should be a clean operating system with any malware safely quarantined in the Avast Chest.

If not, then the infection has been nasty. Very expert support is needed. Even then, the best prep has been put in place should a major decontamination job be decided upon. And for myself, this routine has always worked. What actually counts more is how well you set up your defense to protect your computer from any re-infection.

Once booted into normal mode, it's time to run disk cleanup, to make sure the temp caches are emptied, and to defrag. These tasks can be done with Windows tools or with third-party ones.

Turn System Restore back on. Set a checkpoint.

Connect to the internet.

Sort out the range of tools you want and the roles they will play: http://forum.avast.com/index.php?topic=39311.msg330024#msg330024

Set up your layered defense to protect your computer: http://forum.avast.com/index.php?topic=43658.msg365399#msg365399
« Last Edit: May 05, 2009, 06:51:54 AM by mkis »