win32/conficker.x on every machine ?

hello to all.
on thursday and friday i started updateing all the machines on my network to version 3.0.695 for 3.0.650 since i had been putting it off for a while now. on saturday i notice a ton of errors in event viewers and i have hunted down the fact that eset is trapping a file created by svchost on every machine on my network since friday sometime. it is claiming theat i have win32/conficker.x on every machine in my network but i am thinking this has to be a false positive. i downloaded the exclusive conficker tool and ran it on a few machines but it is not found. anyone else using the corp version seeing something like this ?

 

any symptoms as listed? did you use Eset tool?
http://www.eset.eu/encyclopaedia/win32_conficker_x_net_worm_kido_iq_downadup_c_worm_gen_c

 

that's just it no symptoms on any of the machines.
when i run the eset tool nothing is found yet in the logs it says it found it in a file over and over again all day long.

 

maybe submit that file
http://kb.eset.com/esetkb/index?page=content&id=SOLN141

 

now i have been looking around and the file it is flagging is creat by a scheduled task AT1 on every machine. i am still not convinced this is an infection but i am unsure what the At1 task is for on each machine.
i did find one pc that the eset tool said it was in mem but no files are found.

 

i have deleted the at1 job and rebooted only for it to be recreated on reboot.
the eset tool continues to say machine is not infected but it flags the file created by the task as conficker.x so i am at a loss at the moment and i just checked here on my home machine and there are files being quarentined and flagged as conficker.x even though my own home machine has been clean up untill the eset signature update today. there must be something wrong in the current signature updates that is flagging something wrong. i submitted a few of the files from work and now from home so hopefully they are either correct in finding all these infestions probably around the world or they have a misconfigured signature running around flagging the wrong files as conficker.x

 

What are the results of the Conficker Stand-alone removal tool ?

More information on protecting yourself from Conficker.

Have you run a scan in Safe Mode, Post back your event viewer findings for our perusal.

 

so far on most machines just logging the finding and quarentine of that file seems to indicate there is a machine on the network attempting to infect the other machines. i am going through machine by machine to try and isolat the one if this is true. we have been running eset for over 2 years now with no infections that is why i am suspicious of this infection ?
the standalone on any machine that has nod32 on it says nothing found.

i did run in to two machines on the network that say it was found in memory with the standalone so i i am getting confused on if this is legit or not.

 

I think at this point you need to contact ESET Support Inbox for professional help and send them the link to this thread to give them ahead start since your network is infected and sounds like it's reinfecting itself! http://www.eset.com/support/contact#

HTH,

TH

 

Please respond to the queries asked, until then, we will not be able to help you further.

 

i have submitted a help ticket at this point.

 

Hope things work out for you Please let us know how it goes!

Cheers,

TH

 

i think i have put a stop to it at this point but i am waiting to talk to eset support when they call me to confirm my assumptions. the last logged instance on my pc's was over 2 hours ago and i have checked each machine with the manual tool 2x over and each one shows not in mem and the log shows no further catches of it for over 2hrs. not really shure why or how it started at this point but i have one machine i know that was placed on the network around the right time frame and i have instructed it be left off the network until i have had a chance to test it off the network.now i am hoping i have all the right exclusions for the servers i had to put nod32 on but i will be asking the tech to maybe review with me. what makes it look bad is like i said i have relied on eset to protect us for over two years now and it has other than this incident so knock on wood we should be good now.

 

so far i have located the original infector
i have a few machines that come up clean then on a full in depth scan it finds it somewhere else. i will have to call eset and see if any more help as i am out of ideas. i had to disable autoplay via gpo to stop it and i put the eset tool in the login.bat for everyone so i have put a stop to it but i am not confident it has been completely erradicated. i have tried a couple free enterprise conficker scan tools but it is not found until i watch for domain errors from machines. i have 2 machines at this point seem to be clean then bang it is found on another manual scan. what a pain this is.

 

More info about Conficker here. In the event of an infection, it's crucial to reset admin passwords to non-trivial ones in addition to installing the appropriate hotfixes from MS. Also you can disable admin shares as part of security measures that should prevent Conficker from spreading via LAN.