Alert message keep showing to me.

Hello everybody,

The following message keep showing but I don't know why:
2013/1/9 13:30:19 Real-time file system protection file C:\Windows\System32\dawmw.lh a variant of Win32/Conficker.X worm cleaned by deleting Event occurred on a newly created file.
2013/1/9 10:50:21 Real-time file system protection file C:\Windows\System32\dawmw.lh a variant of Win32/Conficker.X worm cleaned by deleting Event occurred on a newly created file.
2013/1/9 9:30:26 Real-time file system protection file C:\Windows\System32\dawmw.lh a variant of Win32/Conficker.X worm cleaned by deleting Event occurred on a newly created file.
2013/1/8 16:13:00 Real-time file system protection file C:\Windows\System32\dawmw.lh a variant of Win32/Conficker.X worm cleaned by deleting Event occurred on a newly created file.

I couldn't find any information about this file "dawmw.lh" on the website. I also cannot find a file in quarantine area. I want to know what is this and why I will get infected? is this a FP?

best regards.

Galaxy

 

1. Conficker is worm you can find more info about in Google.
2. Make sure your Windows OS is fully up-to-date or at least install the specific "anti-Conficker" patches:
http://technet.microsoft.com/en-us/security/bulletin/ms08-067
http://technet.microsoft.com/en-us/security/bulletin/ms08-068
http://technet.microsoft.com/en-us/security/bulletin/MS09-001

3. Download Microsoft Safety Scanner or Microsoft Malicious Software removal tool and save them somewhere.
4. Disconnect from the Internet or the network temporaty and run the Microsoft tool, scan and get rid of Conficker
5. Reboot and connect back to the network/Internet
6. Make sure you are updated by applying all Windows updates, make sure your antivirus is the very latest version (e.g. for ESET -> version 5.2 with pre-release updates installed), make sure you are running a firewall (for e.g. Windows Firewall or ESS), install additional protection such as Malwarebytes' Anti-Malware , Autorun Eater and Web Of Trust WOT. Make sure your administrator account password is strong enough.

 

It is not a false positive. You get the message because Conficker must be removed (a bit more special way).

You get infected because most likely security should be improved or Windows is not up-to-date and Conficker exploits and vulnerability in Windows (vulnerability patched years ago). Read my post above to get rid of it and to protect better.

 

You must also reset administrator account passwords to non-trivial ones to prevent Conficker from spreading via shares (admin$ share in this case).

 

Using the Windows 8 Pro with latest hotfix. It seems there is a source in my computer for this conficker. I don't know how to find it out.

 

I'm sorry. I couldn't understand. Could you please be specified?

 

Although I use Windows 8, my experience particularly with Windows 8 is not that big and I have never seen Windows 8 machines affected by Conficker worm. This would be totally strange if it is present on the system in system32 directory even this drive or the director itself is not shared, if there is a strong Administrator password on all account (password that can't be g via guessed via brute-force attack). Perhaps you can restore the file dawmw.lh from quarantine and submit it to VirusTotal to confirm 100% if it is not a false positive alarm. In addition, ensure maximum protection (what was posted in posts #2 and #4 - above). Did you already scan with Microsoft Safety Scanner or Microsoft Malicious Software removal tool ?

 

If your computer is connected to a network, malware can spread via shares. Admin$ shares are accessible to admin users so if an admin password is weak or the malware was able to determine it, it may keep copying to the windows folder or its subfolders over network easily.

 

Hello,

The following article explains how to scan a network for Conficker using freely-available tools:

ISC Diary: Locate Conficker infected hosts with a network scan!

Regards,

Aryeh Goretsky