Need advice on removing W32/Conficker.worm.gen.a permanently?

Discussion in 'malware problems & news' started by cryon, Aug 5, 2009.

Thread Status:
Not open for further replies.
  1. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    Hi Wilders Experts,

    I really need advice on how to permanently remove W32/Conficker.worm.gen.a from a group of systems that have had no reported cases of W32/Conficker.worm.gen.a for the past 5 months. And suddenly today, McAfee ePO started flagging the systems as infected, with Action "Access Denied".

    Here's the history of what I did:
    1. Previously the systems had been infected with W32/Conficker.worm.gen.a and been cleaned.
    2. The systems have been patched with all critical patches.
    3. Passwords were changed to alphanumeric with symbols.
    4. I have set McAfee to block ports 139 and 445.

    Here's what I found so far...
    1. Most systems show Delete failed (Clean failed) under the username "NT AUTHORITY\NETWORK SERVICE" in the McAfee log.
    2. It seems that the file that is "generating" the worm is "\WINDOWS\system32\wbem\wmiprvse.exe".

    I'm lost as to what to do. Any ideas besides not cloning or re-imaging back? o_O :'(
     
  2. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Was this the initial cleaner, McAfee's W32/Conficker Stinger (http://vil.nai.com/vil/averttools.aspx)?

    Educated guess here .... if you have, open sitemgr.ini; word has it she resides in Mac's autoupdate folder. Is there a status string in there equaling 1? This Mac's a pay-for, right? Open a support ticket .... they'll probably feed you over to a KB article addressing your "access denied" message.
     
    Last edited: Aug 5, 2009
  3. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi, wmiprvse.exe is NOT a worm; it is part of Windows Management Instrumentation and deals with WMI operations ... with Windows Update after a restart of the computer, for example.

    It's OK! :argh:


    P.:thumb:
     
  4. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    Thanks guys. But how wmiprvse.exe could generate files like wjwju.w under \windows\system32 is beyond me....
     
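    A small triage helper for the two findings in posts 1 and 4 (an added example, not code from the thread or from McAfee): it groups failed remediations by the process that touched the file and flags names shaped like "wjwju.w" sitting directly under system32, so an admin can see which process keeps writing the unremovable files. The log entries are constructed, and the random-name heuristic is an assumption, not a McAfee signature.

```python
import re
from collections import defaultdict

# Constructed sample events, reduced to the fields discussed in the thread
# (acting user, scanner action, process that touched the file, file path).
# Illustrative only; these are not real McAfee ePO/VirusScan log lines.
SAMPLE_EVENTS = [
    {"user": r"NT AUTHORITY\NETWORK SERVICE", "action": "Delete failed (Clean failed)",
     "process": r"C:\WINDOWS\system32\wbem\wmiprvse.exe", "path": r"C:\WINDOWS\system32\wjwju.w"},
    {"user": r"NT AUTHORITY\NETWORK SERVICE", "action": "Delete failed (Clean failed)",
     "process": r"C:\WINDOWS\system32\svchost.exe", "path": r"C:\WINDOWS\system32\qkzpf.dl"},
    {"user": r"CORP\jsmith", "action": "Deleted",
     "process": r"C:\Program Files\Internet Explorer\iexplore.exe", "path": r"C:\Temp\setup.exe"},
    {"user": r"NT AUTHORITY\SYSTEM", "action": "Clean succeeded",
     "process": r"C:\WINDOWS\system32\svchost.exe", "path": r"C:\WINDOWS\system32\ntdll.dll"},
]

# Extensions that legitimately live in system32; a short lowercase name with any
# other extension is treated as a Conficker-style drop (heuristic, assumption).
NORMAL_EXT = {"exe", "dll", "sys", "ocx", "cpl", "drv", "msc", "mui",
              "nls", "ax", "ini", "log", "txt", "dat"}
RANDOM_NAME = re.compile(r"^([a-z]{4,8})\.([a-z]{1,3})$")


def looks_like_conficker_drop(path):
    """True for a short lowercase name with a non-standard extension directly under system32."""
    parts = path.lower().replace("/", "\\").split("\\")
    if len(parts) < 2 or parts[-2] != "system32":
        return False
    m = RANDOM_NAME.match(parts[-1])
    return bool(m) and m.group(2) not in NORMAL_EXT


def triage(events):
    """Return ({process: [unremovable paths]}, [paths matching the drop heuristic])."""
    failed = defaultdict(list)
    drops = []
    for ev in events:
        if "failed" in ev["action"].lower():
            failed[ev["process"]].append(ev["path"])
        if looks_like_conficker_drop(ev["path"]):
            drops.append(ev["path"])
    return dict(failed), drops


if __name__ == "__main__":
    failed, drops = triage(SAMPLE_EVENTS)
    for proc, paths in failed.items():
        print(f"{proc}: {len(paths)} unremovable file(s) -> {paths}")
    print("Conficker-style drop names:", drops)
```

    On a real host the event list would come from the exported scanner log, and any process that repeatedly writes flagged names is the one to examine (the hosting service, its scheduled tasks, and who can reach it over 139/445) rather than the scanner verdict alone.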
  5. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Fair to say your unwillingness to fall back on a previous image is due to a lack of diligence?
    Sounds to me like the sys-admin needs to tighten the reins on your operation.

    Open an incident report with the good folks @ McAfee.
     
  6. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    I have voiced my concerns to the management team and to our regional endpoint teams. Thanks.
     
  7. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Mo pow'a to'ya! Fresh images in a timely fashion are imperative for a successful re-deployment.
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Check for any extra partitions that may have been created. It may also persist in memory, making it difficult to clean.
    Don't connect any USB devices; it loves them.
    If you were a home user, I'd say wipe, pull the power cord, reset the router.
     