Advice: analysis of a network infected by Conficker

Hi all, a week ago my network got infected by Conficker. Just 1 PC was not security-patched (its Windows is 2000 Prof), and all PCs use Avira AV. I've cleaned Conficker from all PCs using the Symantec Conficker removal tool, but I've tested by connecting one unpatched XP PC to the network: in just a few minutes the AV warned about Conficker, but when I scan that new PC using the Symantec or other Conficker removal tools, nothing is found. So I think Conficker is not gone from my network at all. I've used Wireshark on my new unpatched XP PC and these are the packets I've got. Can anyone give me some advice or a clue about these packets?

* source=192.168.0.72(New XP Unpatched) dest=192.168.0.60(2000 Prof) ->
[TCP_Window_Update] brvread(1054) > 5458
(colour rule name is Bad TCP)
* source=192.168.0.69(XP Patched) dest=192.168.0.72(New XP Unpatched) ->
d2000webserver(3120) > coqnex-insight(1069)
(colour rule name TCP)
* source=192.168.0.72(New XP Unpatched) dest=192.168.0.69(XP Patched) ->
coqnex-insight(1069) > d2000webserver(3120)
(colour rule name TCP)
* source=192.168.0.72(New XP Unpatched) dest=192.168.0.69(XP Patched) ->
[TCP_Window_Update] coqnex-insight(1069) > d2000webserver(3120)
(colour rule name is Bad TCP)

When some of those packets appeared in Wireshark, the AV on that PC popped up, so my guess is that maybe the new unpatched XP PC is the infector of those 2 PCs (2000 Prof & 192.168.0.69). But I've seen some weird registry entries on those 2 PCs (2000 Prof & 192.168.0.69) under:

HKLM\System\CurrentControlSet(1&2)\Services\Bits & Tapisrv

The image path is %systemroot%\system32\svchost.exe -k tapisrv and BITSgroup.

Could anyone give me some advice or explain this? The way I did this may be right or wrong, so please give me some advice or criticism.

Thanks a lot.

Regards,
Nubie