win32/conficker.x on every machine?

Discussion in 'ESET NOD32 Antivirus' started by jjenni, Jul 18, 2010.

Thread Status:
Not open for further replies.
  1. jjenni

    jjenni Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    11
    Location:
    Pen Argyl, PA
    Hello to all.
    On Thursday and Friday I started updating all the machines on my network to version 3.0.695 from 3.0.650, since I had been putting it off for a while now. On Saturday I noticed a ton of errors in the event viewers, and I have hunted down the fact that ESET is trapping a file created by svchost on every machine on my network since sometime Friday. It is claiming that I have win32/conficker.x on every machine in my network, but I am thinking this has to be a false positive. I downloaded the exclusive Conficker tool and ran it on a few machines, but it is not found. Anyone else using the corp version seeing something like this?
     
    Last edited: Jul 18, 2010
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. jjenni

    jjenni Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    11
    Location:
    Pen Argyl, PA
    That's just it, no symptoms on any of the machines.
    When I run the ESET tool nothing is found, yet in the logs it says it found it in a file over and over again all day long.
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  5. jjenni

    jjenni Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    11
    Location:
    Pen Argyl, PA
    Now I have been looking around, and the file it is flagging is created by a scheduled task AT1 on every machine. I am still not convinced this is an infection, but I am unsure what the AT1 task is for on each machine.
    I did find one PC where the ESET tool said it was in mem, but no files are found.
     
  6. jjenni

    jjenni Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    11
    Location:
    Pen Argyl, PA
    I have deleted the AT1 job and rebooted, only for it to be recreated on reboot.
    The ESET tool continues to say the machine is not infected, but it flags the file created by the task as conficker.x, so I am at a loss at the moment. I just checked here on my home machine and there are files being quarantined and flagged as conficker.x, even though my own home machine has been clean up until the ESET signature update today. There must be something wrong in the current signature updates that is flagging something wrong. I submitted a few of the files from work and now from home, so hopefully they are either correct in finding all these infestations, probably around the world, or they have a misconfigured signature running around flagging the wrong files as conficker.x.
     
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  8. jjenni

    jjenni Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    11
    Location:
    Pen Argyl, PA
    So far on most machines, just logging the finding and quarantine of that file seems to indicate there is a machine on the network attempting to infect the other machines. I am going through machine by machine to try and isolate the one, if this is true. We have been running ESET for over 2 years now with no infections, that is why I am suspicious of this infection?
    The standalone on any machine that has NOD32 on it says nothing found.

    I did run into two machines on the network that say it was found in memory with the standalone, so I am getting confused on whether this is legit or not.
     
  9. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I think at this point you need to contact ESET Support Inbox for professional help and send them the link to this thread to give them a head start, since your network is infected and sounds like it's reinfecting itself! http://www.eset.com/support/contact#

    HTH,

    TH
     
    Last edited: Jul 18, 2010
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Please respond to the queries asked, until then, we will not be able to help you further.

     
    Last edited: Jul 18, 2010
  11. jjenni

    jjenni Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    11
    Location:
    Pen Argyl, PA
    i have submitted a help ticket at this point.
     
  12. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Hope things work out for you. Please let us know how it goes! ;)

    Cheers,

    TH
     
  13. jjenni

    jjenni Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    11
    Location:
    Pen Argyl, PA
    I think I have put a stop to it at this point, but I am waiting to talk to ESET support when they call me to confirm my assumptions. The last logged instance on my PCs was over 2 hours ago, and I have checked each machine with the manual tool 2x over; each one shows not in mem, and the log shows no further catches of it for over 2 hrs. Not really sure why or how it started at this point, but I have one machine I know was placed on the network around the right time frame, and I have instructed that it be left off the network until I have had a chance to test it off the network. Now I am hoping I have all the right exclusions for the servers I had to put NOD32 on, but I will be asking the tech to maybe review with me. What makes it look bad is, like I said, I have relied on ESET to protect us for over two years now, and it has other than this incident, so knock on wood we should be good now.
     
  14. jjenni

    jjenni Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    11
    Location:
    Pen Argyl, PA
    So far I have located the original infector.
    I have a few machines that come up clean, then on a full in-depth scan it finds it somewhere else. I will have to call ESET and see if any more help, as I am out of ideas. I had to disable AutoPlay via GPO to stop it, and I put the ESET tool in the login.bat for everyone, so I have put a stop to it, but I am not confident it has been completely eradicated. I have tried a couple of free enterprise Conficker scan tools, but it is not found until I watch for domain errors from machines. I have 2 machines at this point that seem to be clean, then bang, it is found on another manual scan. What a pain this is.
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    More info about Conficker here. In the event of an infection, it's crucial to reset admin passwords to non-trivial ones in addition to installing the appropriate hotfixes from MS. Also you can disable admin shares as part of security measures that should prevent Conficker from spreading via LAN.
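
The settings that come up in this thread (the recurring AT1 job, AutoPlay disabled via GPO, and admin shares) can be checked on each machine with a read-only audit. This is an added example, not part of the original thread and not an ESET tool; the function name `Get-ConfickerHardeningState` and its output fields are hypothetical, and it assumes the machine-wide AutoPlay policy value and the default `%windir%\Tasks` folder.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Function name and output fields are assumptions made for this example.
function Get-ConfickerHardeningState {
    [CmdletBinding()]
    param()

    # Read one registry value; returns $null when the key or value is absent.
    function Get-RegValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    # 1. Jobs created through the legacy AT scheduler are stored as At<N>.job.
    #    A job nobody scheduled, or one that returns after deletion, needs follow-up.
    $tasksDir = Join-Path $env:windir 'Tasks'
    $atJobs = @(Get-ChildItem -Path $tasksDir -Filter 'At*.job' -Force -ErrorAction SilentlyContinue)

    # 2. Machine-wide AutoPlay/AutoRun policy; 0xFF turns it off for all drive types.
    #    (A per-user policy under HKCU is not inspected here.)
    $explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autoRun = Get-RegValue $explorerKey 'NoDriveTypeAutoRun'

    # 3. Administrative shares (C$, ADMIN$) are not auto-created when the value is 0.
    #    AutoShareWks applies to workstations, AutoShareServer to servers.
    $lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $shareWks = Get-RegValue $lanmanKey 'AutoShareWks'
    $shareSrv = Get-RegValue $lanmanKey 'AutoShareServer'

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        AtJobCount            = $atJobs.Count
        # Name plus last write time, to correlate with the antivirus detection log.
        AtJobs                = ($atJobs | ForEach-Object {
                                    '{0} ({1:u})' -f $_.Name, $_.LastWriteTime
                                }) -join '; '
        AutoRunOffAllDrives   = ($autoRun -eq 0xFF)
        NoDriveTypeAutoRun    = $autoRun
        AutoShareWks          = $shareWks
        AutoShareServer       = $shareSrv
    }
}

Get-ConfickerHardeningState | Format-List
```

Run from an elevated prompt on each machine (or from the same logon script that launches the removal tool) and compare results across hosts; a machine where an `At*.job` file keeps reappearing is a candidate for isolation.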
     