?
Solved

Virus: locate infected machine

Posted on 2011-09-06
11
Medium Priority
?
710 Views
Last Modified: 2012-05-12
Hi,
We have Trend Micro Installed on our network PC's. Does anyone know how I can Identify the source of the infection (see attached).
The messages are popping up on lots of PC's.
Trend-Micro.bmp
0
Comment
Question by:HKFuey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
  • 2
  • +2
11 Comments
 
LVL 49

Expert Comment

by:dbrunton
ID: 36487815
Looks like Conflicker.

See http://esupport.trendmicro.com/solution/en-us/1039145.aspx

Not sure if their advice will apply to your network system or not.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 36487962
When you say "source of the infection", are you trying to establish which of the computers was infected first before it proliferated through the network (ie. find out what user opened a bad email or inserted a usb flash drive), OR do you mean as dbrunton has assumed (ie. what the actual name of the virus is)?
0
 
LVL 9

Expert Comment

by:Ashok Dewan
ID: 36488029
you can see the path in that infected column looks like C:\windows\system32\
scan that file online.
www.virustotal.com or virscan.org  you will get the name of virus then you can find more information on that virus and also removal instructions.
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 

Assisted Solution

by:HKFuey
HKFuey earned 0 total points
ID: 36488300
We have used Wireshark to identify the IP of the machine that is proliferating the virus.

This PC is used by a machine in the Factory and is supported externally so the engineers have been called in.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 36488303
Downad.AD is the Conficker Worm (as stated by dbrunton), and Mal_DownadJ is the part of it that created the scheduled task so it could execute at a scheduled time and date.
0
 
LVL 63

Accepted Solution

by:
☠ MASQ ☠ earned 1000 total points
ID: 36488308
This is a worm using a Windows exploit that was patched some time ago. Are you using any other active AV scanning on your network?

Guide to network removal here
http://www.bdtools.net/how-to-remove-downadup.php
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 36488318
Too slow!  Good you found the culprit but still could do with closing this particular door to stop it arriving via a different route.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 36488328
Good call with WireShark.  I was actually just in the process of checking out Network Sniffers after reading up again on the details of the number of URLs and Servers that it connects to/with.  I was looking for a Video on the Sophos site by their chief engineer demonstration WireShark at work so I could post back here with the link.  Seems you beat me to it ;-)
0
 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 1000 total points
ID: 36488370
".... Good you found the culprit but still could do with closing this particular door to stop it arriving via a different route" ..... and perhaps also close the front door firmly behind or onto the person who (probably) introduced it with a USB Flash Drive, and who definitely needs to be summarily dismissed with loss of wages, pension, and company car ;-)
0
 

Author Closing Comment

by:HKFuey
ID: 36518356
Thanks for the help!

If you have the same problem, try this: -
http://www.wireshark.org/download.html
0
 
LVL 38

Expert Comment

by:BillDL
ID: 36518681
Thank you HKFuey, even though I was too late in suggesting the same utility you actually used yourself to pin down the source.  Just for completeness, if anyone else happens upon this question, the Sophos video that I was originally looking for is here:
http://www.youtube.com/user/SophosLabs#p/u/48/nPKYubm7yeA
Or a better version from the Main Menu > "Adobe Reader Vulnerability Demo" here:
http://www.sophos.com/en-us/security-news-trends/anatomy-of-an-attack.aspx
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question