Alert message keeps showing to me.

Discussion in 'ESET Smart Security' started by Galaxykiss, Jan 9, 2013.

Thread Status:
Not open for further replies.
  1. Galaxykiss

    Galaxykiss Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    167
    Location:
    China
    Hello everybody,

    The following message keeps showing but I don't know why:
    2013/1/9 13:30:19 Real-time file system protection file C:\Windows\System32\dawmw.lh a variant of Win32/Conficker.X worm cleaned by deleting Event occurred on a newly created file.
    2013/1/9 10:50:21 Real-time file system protection file C:\Windows\System32\dawmw.lh a variant of Win32/Conficker.X worm cleaned by deleting Event occurred on a newly created file.
    2013/1/9 9:30:26 Real-time file system protection file C:\Windows\System32\dawmw.lh a variant of Win32/Conficker.X worm cleaned by deleting Event occurred on a newly created file.
    2013/1/8 16:13:00 Real-time file system protection file C:\Windows\System32\dawmw.lh a variant of Win32/Conficker.X worm cleaned by deleting Event occurred on a newly created file.

    I couldn't find any information about this file "dawmw.lh" on the website. I also cannot find the file in the quarantine area. I want to know what this is and why I would get infected. Is this an FP?

    best regards.

    Galaxy
     
  2. er34

    er34 Guest

    1. Conficker is a worm; you can find more info about it on Google.
    2. Make sure your Windows OS is fully up-to-date or at least install the specific "anti-Conficker" patches:
    http://technet.microsoft.com/en-us/security/bulletin/ms08-067
    http://technet.microsoft.com/en-us/security/bulletin/ms08-068
    http://technet.microsoft.com/en-us/security/bulletin/MS09-001

    3. Download Microsoft Safety Scanner or Microsoft Malicious Software removal tool and save them somewhere.
    4. Disconnect from the Internet or the network temporarily and run the Microsoft tool, scan and get rid of Conficker.
    5. Reboot and connect back to the network/Internet.
    6. Make sure you are updated by applying all Windows updates, make sure your antivirus is the very latest version (e.g. for ESET -> version 5.2 with pre-release updates installed), make sure you are running a firewall (e.g. Windows Firewall or ESS), and install additional protection such as Malwarebytes' Anti-Malware, Autorun Eater and Web Of Trust (WOT). Make sure your administrator account password is strong enough.
     
    Last edited by a moderator: Jan 9, 2013
  3. er34

    er34 Guest

    It is not a false positive. You get the message because Conficker must be removed (in a somewhat special way).

    You got infected most likely because security should be improved or Windows is not up to date; Conficker exploits a vulnerability in Windows (a vulnerability patched years ago). Read my post above to get rid of it and to protect yourself better.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You must also reset administrator account passwords to non-trivial ones to prevent Conficker from spreading via shares (admin$ share in this case).
     
  5. Galaxykiss

    Galaxykiss Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    167
    Location:
    China
    I'm using Windows 8 Pro with the latest hotfixes. It seems there is a source of this Conficker on my computer. I don't know how to find it.
     
  6. Galaxykiss

    Galaxykiss Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    167
    Location:
    China
    I'm sorry, I couldn't understand. Could you please be more specific?
     
  7. er34

    er34 Guest

    Although I use Windows 8, my experience particularly with Windows 8 is not that extensive, and I have never seen Windows 8 machines affected by the Conficker worm. It would be totally strange for it to be present in the system32 directory on the system even though the drive or the directory itself is not shared, and if there is a strong Administrator password on all accounts (a password that can't be guessed via a brute-force attack). Perhaps you can restore the file dawmw.lh from quarantine and submit it to VirusTotal to confirm 100% whether it is a false positive alarm. In addition, ensure maximum protection (what was posted in posts #2 and #4 above). Did you already scan with Microsoft Safety Scanner or the Microsoft Malicious Software Removal Tool?
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If your computer is connected to a network, malware can spread via shares. Admin$ shares are accessible to admin users, so if an admin password is weak or the malware was able to determine it, it may keep copying to the Windows folder or its subfolders over the network easily.
     
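The checks below are an added example, not something posted in this thread or shipped by ESET or Microsoft. They turn the advice in posts #2 and #8 (patch state, firewall, administrative shares, password policy, autorun) and the question in post #5 (how to find where the file keeps coming from) into a single elevated PowerShell session on the affected machine. The path is the one from the ESET log in post #1; the KB numbers are the hotfix identifiers I associate with the three bulletins linked in post #2 and should be checked against those bulletin pages; the Smb*, NetFirewall* and Get-WinEvent cmdlets exist on Windows 8 and later. The 5145 event filter assumes "Detailed File Share" auditing has been enabled first (the auditpol line is included but commented out so the script stays read-only).

```powershell
# Added example (not from the thread): post-Conficker hardening checks and
# "who is writing into System32 over the network" on Windows 8 or later.
# Run from an elevated PowerShell prompt.

$suspectPath = 'C:\Windows\System32\dawmw.lh'   # path taken from the ESET log in post #1

# 1. Is the dropped file present right now? ESET deletes it on creation, so usually
#    not. A recurring "newly created file" event means something keeps re-creating it.
if (Test-Path -LiteralPath $suspectPath) {
    Get-Item -LiteralPath $suspectPath | Select-Object FullName, Length, CreationTime, LastWriteTime
} else {
    "Not present at the moment: $suspectPath"
}

# 2. Patch state for the bulletins in post #2. These KBs only exist on XP/Vista/
#    Server 2003/2008; Windows 7 and later shipped with the fixes built in, so
#    "not found" on Windows 8 is expected. KB numbers are from memory; verify them.
$kbs = [ordered]@{ 'MS08-067' = 'KB958644'; 'MS08-068' = 'KB957097'; 'MS09-001' = 'KB958687' }
foreach ($b in $kbs.GetEnumerator()) {
    $hf = Get-HotFix -Id $b.Value -ErrorAction SilentlyContinue
    '{0} ({1}): {2}' -f $b.Key, $b.Value, $(if ($hf) { 'installed' } else { 'not found' })
}

# 3. Firewall should be enabled for every profile (post #2).
Get-NetFirewallProfile | Select-Object Name, Enabled

# 4. Administrative shares (ADMIN$, C$, IPC$) that Conficker abuses (post #8).
#    They are default shares; the real issue is a weak or reused admin password.
Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path

# 5. Who is connected to this machine's shares right now, and what do they have open?
#    A peer listed here while a fresh dawmw.lh appears is the reinfection source (post #5).
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens
Get-SmbOpenFile | Where-Object { $_.Path -like 'C:\Windows\*' } |
    Select-Object ClientComputerName, ClientUserName, Path

# 6. If the writer has already disconnected, share auditing records it. Enable once:
#    auditpol /set /subcategory:"Detailed File Share" /success:enable
#    Event 5145 then carries the source address and the relative target name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*dawmw.lh*' } |
    Select-Object TimeCreated, Message

# 7. Local password policy (posts #2 and #4). A minimum length of 0 permits blank
#    passwords, which Conficker's dictionary of trivial credentials covers.
net accounts | Select-String 'Minimum password length|Lockout threshold'

# 8. AutoRun policy (post #2 suggests Autorun Eater). 0xFF disables AutoRun for all drive types.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$val = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
'NoDriveTypeAutoRun: {0}' -f $(if ($null -eq $val) { 'not set (default)' } else { '0x{0:X}' -f $val })
```

Steps 5 and 6 are the ones that answer "where is it coming from": a clean Windows 8 machine does not become infected by Conficker on its own, so a file that is repeatedly created in System32 and immediately deleted by the real-time scanner points at a remote writer, and the SMB session list or the 5145 audit events name that writer. Fix the credential on both ends before cleaning the peer, or the cycle simply continues.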
  9. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California