How to discover the infected computer on a network

Posted on 2009-07-01
Last Modified: 2013-11-22
I had virus attack a couple of days ago. That was Conficker.B worm. Fortunately most computers on the LAN had updated anti virus and could detect it. But apparently some other machines couldn't detect the worm and therefore they are infected by the worm.

Every now and then, clients receive a virus detection warning on their computer that says Conficker.B is detected and removed/cured.

The question is how I can find the computer that is infected by this virus and is the source of infection on my LAN. I can not check computers one by one. I want a way/tool that gives me the infected machine.
Question by:behterami
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +3
LVL 38

Expert Comment

ID: 24758982
It will help us if you give us all of the details of the Enterprise AV solution you are running - then we can give you particulars.

If you aren't running an Enterprise solution, then that is your answer.

Author Comment

ID: 24759002
I am using CA eTrust ITM r8.1
LVL 14

Expert Comment

ID: 24759005

I thought the conflicker virus was using a vulnerability of the Microsoft OS to proliferate.  If you have been updating your computers on a regular basis, you shouldn't have a problem.  Are your clients getting the updates they need from Windows update or a server at your site?
Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.


Author Comment

ID: 24759014
uucknaa - clients are getting updates from a WSUS server. But one or two are infected now for sure. The question is how I can find the source of infection on the LAN?

Expert Comment

ID: 24759053
If you want to find computer is infected with Conficker worm virus or not. simple is try to open windows update website or try opening Symantec, McAfee or any anti virus software website. if it open website then its not infected with Conficker.B. We use Symantec EndPoint and i can check all the computer status form server or management console for virus defination push or virus report.
LVL 14

Expert Comment

ID: 24759055
To help narrow it down, do you know from the WSUS server which computers aren't getting updates?
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24759057
I have found a link to a site that has a tool to actively scan for conficker infected machines which meets your requirment of not having to visit every machine.
Hope you can get it running - you need Impacket Python Library to get this running and this can be found here:
Good luck.
LVL 14

Accepted Solution

uucknaaa earned 500 total points
ID: 24759104
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24759131
Here's an EE question previously asked about the same question:
Nice link uucknaaa ;-)

Expert Comment

ID: 24760330
One of the signs of the conficker was the absence of a registry key.  We wrote this script to return all systems that had the absence of this key which helped us determine which systems needed attention before the big date that conficker was to destroy the world.
On Error Resume Next
Const HKLM = &H80000002
Const ReportFile = "C:\RegQuery Results.txt"
Const KeyPath = "SYSTEM\CurrentControlSet\Control\SafeBoot\"
Const ValueName = "AlternateShell"
Const PresentKeyString = " contains the registry value."
Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim objFile : Set objFile = objFSO.CreateTextFile(ReportFile)
Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Dim objRoot : Set objRoot = GetObject("LDAP://RootDSE")
Dim objDomain : Set objDomain = GetObject("LDAP://" & objRoot.Get("defaultNamingContext"))
Set objCommand.ActiveConnection = objConnection
With objCommand
  .CommandText = "SELECT Name From '" & objDomain.ADsPath & "' Where objectClass='computer' And OperatingSystemVersion='5.1 (2600)'"
  .Properties("Page Size") = 1000
  .Properties("Searchscope") = ADS_SCOPE_SUBTREE
End With
Dim objRecordSet : Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
  CheckReg (objRecordSet.Fields("Name").Value)
Set objRecordSet = Nothing 
Set objCommand = Nothing
Set objDomain = Nothing
Set objRoot = Nothing
Set objConnection = Nothing
Set objFile = Nothing
Set objFSO = Nothing
Sub CheckReg (strComputer)      
  Dim oReg : Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
  oReg.GetStringValue HKLM, KeyPath, ValueName, strValue
  If IsNull(strValue) Then
    objFile.WriteLine strComputer & MissingKeyString
	objFile.WriteLine strComputer & PresentKeyString
  End If
  Set oReg = Nothing
  End Sub

Open in new window


Author Comment

ID: 24760368
Thank you every one. Appreciate it.

I am investigating/applying all these methods you guys sent to me. I'll let you know the results as soon as I can.

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

UPDATE - 6/15/2011 Added support for Release Update 6 Maintenance Patch 2 Point Patch 1 (RU6 MP2 PP1). Fixed a defect in the username field that was hard-coded to look for a specific domain (left over code from testing). This release will be the …
Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

731 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question