I'm the admin on a small business network. All my computers have been patched and running Symantec Endpoint protection 11.
It's a mix of xp/vista/2003 server.
About 15 machines total.
A user recently started complaining of slowness... The first thing I do is bring up taskmanager and see there's 20 run32dlls. I kill them and tell her to get back to work. It comes back an hour later.
I start digging around more, and found that she's getting this in syslog
Security Risk Found!W32.Downadup.B in File: C:\Windows\System32\ysdviuf.n by: Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description: The file was deleted successfully.
This worried me. While researching this, I happen to bring up MY taskanager and I get the same things.
Looking around, they all are doing this... repeated logs and lots of run32dlls (with each having it's own random dll being run.
I downloaded norton's remover, malwarebites and bitdefender... They all 3 tell me I'm NOT infected, nothing to clean. Same results on each computer.
I go to the eyechart, and I can see all the logos... great.
I put this on one of my linux machines, and scan the network...
Apparently some stupid employee has plugged an infected machine on the network. I checked the eyechart, and sure enough, Conficker B. (I need someone to help me to remove the body now)
So, now the infected machine is removed, but now every machine on my network has a bunch of run32dll's and a message in syslog for each like above. Computers are running pretty slow...
Oh, and I'm attaching the logs off MY computer.
Edited by Orange Blossom, 11 February 2013 - 04:45 AM.
Deactivate link. ~ OB