Persistent Conficker problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by CDN2009, Feb 10, 2009.

  1. CDN2009

    CDN2009 Private E-2

    Good evening. A week or two ago I received an e-mail from my ISP advising that network activity indicated that one of the computers showed signs of the Conficker virus. I was surprised because we have Windows Update set to automatic and were running AVG 8.0, Spyware Blaster and Ad-Aware (and updating regularly). When I ran scans on the various computers, I found that one of them (while indicating that Windows Update was set to Automatic) had NOT been updating.

    I ensured that all critical Windows Updates were done and installed Windows Defender. I received a pop-up box stating that the system had recovered from a serious infection after rebooting. I ran our scans again and thought the problem had been addressed.

    Over the last few days, one of our laptops has been shutting itself off after flashing a very fleeting message that a threat was detected. The message appeared to be from MS, not from our AV or AS programs. On three occasions (including today), I again received the message that the system had recovered from a serious infection.

    It occurred to me that a U3 Smart Drive might be the re-infection culprit, so I downloaded Avast (and removed AVG) since it allowed me to scan external drives as well. The deep scan came back clean, as did the scan of the external drives. Ten minutes later, I got another message that the system had recovered yet again.

    I've now followed all of the steps in the 'Read First' post and am attaching the logs for your review. While the scans revealed a couple of items (notably, ComboFix removed the Autorun.inf I'd been unable to locate in a search), I'm not confident that this problem is actually gone, since it seems to reappear every couple of days.

    I'd greatly appreciate someone's time in reviewing the logs to determine if this beast has indeed been slain. I'm still not sure how it got through in the first place, but I don't want to begin using this laptop again until I'm sure it's gone for good.

    I'm also concerned that the U3 Smart Drive might be infected (although the Avast scan indicates that it isn't). Is there a way to test for that specifically?

    Thank you so much for your assistance. :)
  2. CDN2009

    CDN2009 Private E-2

    Here is the final log. I really hope I've done everything correctly. If I've messed up, it wasn't because I tried to cut corners, honest. :-o

    Attached Files: log.txt

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to be more specific as to what the exact message was ... the only things I see that I am curious about are these three items:
    C\c373a35779287550924d3029
    C\c95a03ae2bb84dd2402d
    C\cb68c3ab65c89c7b3045da0c

    All from Feb. 10th.
     
  4. CDN2009

    CDN2009 Private E-2

    Hi Tim,

    Which message? The one that appeared before the system shut itself down? I was never able to copy that one (or even read it right through), since it never appeared for more than a second before the laptop shut itself off.

    I'm not sure what any of those items are. I'd be happy to dig into the system to look for them if you let me know how. (Search on My Computer)? I apologize for my lack of technical expertise.

    Thank you very much for taking a look at this for me. I greatly appreciate it. :)

    One final note: When I got up this morning, the system had either restarted itself (or my husband powered it off despite me asking him not to). When I rebooted this morning, the following message appeared:

    "AD-AWARE WARNING

    Ad-Watch Live has detected ntvdm.exe (4696) as a suspicious low process. We recommend blocking it."

    I did so, but had to click through it five or six times. I hope that was the right thing to do.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    ntvdm.exe
    It is not recommended that you end this process, as it could be hosting several other applications and data could be lost. This is a Windows DOS emulator for 16-bit applications.

    What you need to do is dump Ad-aware. It is a useless program.

    Just go to the c:\drive and put your pointer over each one of those files and tell me what it says they are. You don't need to open them.
     
  6. CDN2009

    CDN2009 Private E-2

    Thanks for your patience. Ok:

    C\c95a03ae2bb84dd2402d: Size: 6.09 MB, Folders: amd64, i386

    C\c373a35779287550924d3029: Size: 15.0 MB, Files (115): baseline.dat, deffactory.dat, Deletetemp.exe, dllmgr.dll, DW20.exe, DWintl20.dll, eula.#.rtf (lots of these), gencomp.dll, HtmlLite.dll, locdata.#.ini (lots), setup.exe, setup.sdb, setuppres.#.dll (lots), vs_setup.MS_, vs_setup.pdi, vsbasereqs.dll, vsscenario.dll, WapRes.#.dll (lots), WapUI.dll

    C\cb68c3ab65c89c7b3045da0c: Size: 240 MB, Folders: wcu

    Shall I uninstall Ad-Aware, or wait until we're done with this?

    Thanks again.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Uninstall ad-aware and then tell me what issues you still have.
     
  8. CDN2009

    CDN2009 Private E-2

    I've removed Ad-Aware. This time the restart did not generate the 'ntvdm.exe' warning.

    The system defaulted to restarting in 'Windows Media Edition' and not 'Recovery'. I didn't change that - hope that was correct.

    I'm not seeing any issues, but I wasn't before either (until the system shut itself off abruptly). I see that ComboFix removed D:\Autorun.inf. Was that the removal of Conficker (if in fact that was the problem)?

    I ran all of the scans with my U3 Smart Drive. Should I be doing additional scans of some sort to determine if the stick is infected?

    Thanks again for your assistance and patience. :)
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    autorun.inf can be an infected file ... esp. in removable media. And it is unnecessary.
    I suspect the scans took care of your issues. Just reply to this thread if you have any other issues that pop up with use in the near future.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
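The question in post 8 (is the U3 stick infected?) and the reply in post 9 (autorun.inf on removable media can be the infected file) both come down to one check: does the drive root carry an autorun.inf, and does it contain any entry that would launch a program when the drive is inserted or double-clicked? The script below is an added example, not code from this thread or from any of the tools mentioned in it. It parses the INI-style [autorun] section and reports the keys that cause execution (open, shellexecute, and shell\<verb>\command), treating icon/label-only files as benign. The two sample files are constructed for illustration; the path RECYCLER\example.exe is a placeholder, not a real indicator.

```python
"""Report autorun.inf entries that would launch a program from a drive root.

Added example for the thread above; not part of the original posts.
Sample file contents are constructed, the file name example.exe is a placeholder.
"""
import re
import sys
from pathlib import Path

# Keys that make Windows Autoplay/Autorun start a program.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command entries (e.g. shell\open\command) also run a program.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser so that junk lines, which are common
    in tampered autorun.inf files, are skipped instead of raising an error.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries):
    """Return a sorted list of (key, value) pairs that would execute something."""
    hits = [(k, v) for k, v in entries.items()
            if k in EXEC_KEYS or SHELL_CMD.match(k)]
    return sorted(hits)


def inspect_drive(root):
    """Inspect <root>/autorun.inf. Returns None if absent, else launch entries."""
    path = Path(root) / "autorun.inf"
    if not path.is_file():
        return None
    # errors="replace": tampered files often contain non-text bytes.
    return launch_entries(parse_autorun(path.read_text(errors="replace")))


# Constructed sample: a vendor-style autorun.inf that only sets icon and label.
SAMPLE_BENIGN = r"""[autorun]
icon=setup.exe,0
label=My USB Drive
"""

# Constructed sample: an autorun.inf that would launch a program on insert.
SAMPLE_SUSPICIOUS = r"""[AutoRun]
; junk line without an equals sign is ignored by the parser
open=RECYCLER\example.exe
ShellExecute=RECYCLER\example.exe
shell\open\command=RECYCLER\example.exe
label=Removable Disk
"""


def report(root):
    """Human-readable summary for one drive root."""
    hits = inspect_drive(root)
    if hits is None:
        return f"{root}: no autorun.inf"
    if not hits:
        return f"{root}: autorun.inf present, no launch entries (icon/label only)"
    lines = [f"{root}: autorun.inf would launch a program:"]
    lines += [f"  {k} = {v}" for k, v in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python autorun_check.py E:\   (or any drive root / mount point)
    for drive in sys.argv[1:] or ["."]:
        print(report(drive))
    print("sample benign    ->", launch_entries(parse_autorun(SAMPLE_BENIGN)))
    print("sample suspicious->", launch_entries(parse_autorun(SAMPLE_SUSPICIOUS)))
```

A clean result only says no autorun-based launcher is present; it does not replace the AV scan of the stick. Deleting a vendor autorun.inf that only sets icon and label costs nothing, which is why the reply above calls the file unnecessary.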
  10. CDN2009

    CDN2009 Private E-2

    Thank you very much for your assistance today, Tim. I greatly appreciate it. :) I'd been trying to fix this on my own for days, and I clearly wasn't getting anywhere.

    I've now followed the final steps. All that remains is replacing Windows Firewall with a different one, and I thought I'd read up on that a bit first.

    A final question: Do I need to leave msconfig in Normal Start-Up mode? If not, what do I restore it to?
    Hopefully, this problem has been dealt with and I won't have any further issues. I'd actually thought I was doing a decent job protecting the household computers (no infections in four years), but I obviously let this one slip through somehow. :(

    BTW - While I was never able to read the warning that the system was about to shut down, this is the infection that Microsoft Windows removed three times (presumably through the Malicious Software Removal Tool):

    Microsoft Windows detected a serious virus and has removed it.

    c:/Documents~1\Debbie\Locals~1\Temp\\WER97de.dir00\Mini012499.01.dmp
    c:/Documents~1\Debbie\Locals~1\Temp\\WER97de.dir00\systdata.xml

    If this happens again in the next few days, I'll be back. Thanks again, very much.
     
    Last edited: Feb 12, 2009
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you need to keep msconfig in normal startup. It should only be changed when trying to troubleshoot a Windows problem.

    It is a good idea to run CCleaner on a fairly regular basis depending on your surfing habits.

    It is also why we suggest that you keep SAS and MBAM as backup scanners. :)
     