Active Directory

Andrej Pirman

How to get rid of Conficker virus in LAN?
Hi,

we have a problem with one of our customer's IT networks. Somehow the Conficker/Kido worm infiltrated the LAN and infected ALL computers and servers in the network, which is over 200 computers. And we simply cannot get rid of it. Nice.

Situation
The customer's network consists of 8 physically distant locations, each with 10-50 users, and 2 data centers with 9 servers in an AD 2003 domain environment.
Servers are all 64-bit and mixed: some 2003, some 2008 and one 2008 R2.
Clients are 32-bit XP and 64-bit Windows 7.
Router is Cisco 1800 on one side, and one Linux firewall/router/proxy on the other side (2 inbound internet lines).
AntiVirus is NOD32 version4 business Edition, centrally managed.
Per-Client firewall is default Windows firewall, managed via GPO.

With the exception of 1 DC, which is a virtual server on ESXi, all other computers and servers have some version of the Conficker virus. All of them have a virus-created SYSTEM Scheduled Task, which tries to deploy the virus; if I delete this task with the AT \\computername 1 /DELETE command, the task reappears within a few seconds, even after a reboot.
If I scan a computer with ANY tool, ANY AntiVirus, even in Off-Line or Safe mode, which cleans the computer, it gets infected again via the network within an hour.

Due to the large number of computers and mixed shifts, where some computers are crucial for continuous workflow, we cannot say, ok guys, go home for 1 week and we'll clean the system.
The other reason we cannot clean is that we have no reliable method to PREVENT reinfection after cleanup!

We cannot restrict the use of USB memory devices, because they are needed for work to be done.
Also we cannot remove hundreds of shares, because people are used to using them. We might change the system in a year or two, but we need some quick fix.

What I am looking for:
- Any PROVEN idea which AntiVirus solution would be best for this company?
- Apart from disabling AutoPlay on all clients (via GPO) and tightening the Firewall (also via GPO), what else could be done to get rid of this nasty beast?
- And of course, does anybody know of some tool or Conficker remover which works?

Ideas welcome.

SOLUTION
Benjamin Cipollone

P.S. If you have a way to push out all the Windows Updates, I would do that ASAP as well.

SOLUTION
pjam

TheGorby

Have you had a look at the removal tools from F-Secure?
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

As far as an AV solution goes, we currently use Symantec Endpoint Protection v11 at the company I'm at now; the network threat protection works very well and we even turn off the Windows firewall on the client PCs. In the past I've also used the commercial/professional version of AVG from Grisoft, but that was at least 3 years ago. It did work very well then, however.

SOLUTION
younghv

discgman

Here is a Symantec removal tool; maybe you can use it on all the systems.

http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99


ASKER CERTIFIED SOLUTION
LingerLonger

Andrej Pirman

ASKER

Hi,

Thank you all for the tips and shared experience.

Most useful were:
- the network detection tool from McAfee, which helped me to pinpoint the infection sources
- Then I wrote a BATCH script, which scanned the whole network for the Scheduled Tasks created by the Conficker virus and removed these Scheduled Tasks from all computers in the network. This batch was also an indicator of whether the virus came back or not (code below)
- Then, to remove Conficker from the network computers, there was a very useful BitDefender Conficker removal tool. Simply deploy the tool to multiple computers, then all is done automatically.
- Then GPO came into play, where I created a Group Policy object with a rule to disable AutoPlay / AutoStart (autorun.inf) for all domain computers.

It is the weekend now, all computers are up and running, and all are clean.
We'll see what the first working days will bring.
 

Andrej Pirman

ASKER

Oops, sorry...
I promised my batch script code, which I successfully use to remove the unwanted Scheduled Task created by the Conficker virus from all computers on the network.

Here are all the needed files. Tested on Windows XP/2003/2008/2008R2/7, both 32 and 64 bit.
Save all 4 files in the same folder, and run rct.bat
If you want to scan the whole network, run rct
If you want to scan only a particular computer, add the IP or NAME of the computer, like rct localhost

Main file, named rct.bat:
@ECHO OFF
ECHO.
ECHO  ###########################################################
ECHO #                                                           #
ECHO #      Conficker Scheduled Task network removal tool        #
ECHO #                   *  by Labsy  *                          #
ECHO # (C)Copyright or (C)Copyleft or (C)CopyPaste no problemo   #
ECHO #                                                           #
ECHO  ###########################################################
ECHO.
REM # Needs CHOICE.EXE, so run it from a 2003/Vista/7/2008 box (XP does not ship it),
REM # under an account that is local admin on every target (AT \\computer needs that).

REM # Let's include some colors, too: capture one backspace character in %DEL%
REM # for :ColorText. No SETLOCAL on purpose, so that the last scanned range
REM # stays in this console's environment and is offered again on the next run.
FOR /F "tokens=1,2 delims=#" %%a IN ('"prompt #$H#$E# & ECHO ON & FOR %%b IN (1) DO REM"') DO (
  SET "DEL=%%a"
)

IF NOT "%~1"=="" GOTO SINGLESCAN
  REM # Ask for IP range for scanning
  ECHO Please, enter start and end IP for scanning:
  ECHO.
IF "%XSubnetStart%"=="" GOTO INPUTVALUES
  ECHO Previous settings were set to scan the following range:
  ECHO.
  CALL :ColorText 0a "%XSubnetStart%%XScanStart% - %XSubnetStop%%XScanStop%"
  ECHO.
  CHOICE /C YN /M "Accept this range?"
  IF NOT ERRORLEVEL 2 GOTO SKIPINPUT
:INPUTVALUES
ECHO Enter new values:
ECHO.
SET /P XSubnetStart=Start IP : 
SET /P XSubnetStop=Stop  IP : 

ECHO.
REM # Split a.b.c.d into the prefix "a.b.c." and the last octet, for both ends
FOR /F "tokens=1,2,3,4 delims=." %%a IN ("%XSubnetStart%") DO SET xa=%%a&SET xb=%%b&SET xc=%%c&SET XScanStart=%%d
SET "XSubnetStart=%xa%.%xb%.%xc%."
FOR /F "tokens=1,2,3,4 delims=." %%a IN ("%XSubnetStop%") DO SET xa=%%a&SET xb=%%b&SET xc=%%c&SET XScanStop=%%d
SET "XSubnetStop=%xa%.%xb%.%xc%."

:SKIPINPUT
IF NOT "%XSubnetStart%"=="%XSubnetStop%" (
  CALL :ColorText 0C "Wrong start or stop IP! Both must be in same subnet C Class."
  ECHO.
  GOTO FIN
)
REM # By default, scan whole network.

  ECHO.
  ECHO Scanning range %XSubnetStart%%XScanStart% - %XSubnetStop%%XScanStop% for unwanted Scheduled
  ECHO Task created by Conficker virus. Scanning can take more than an
  ECHO hour, depending on how many machines are off-line.
  ECHO.
  ECHO For each computer you have 10 seconds to review the task
  ECHO and to cancel deletion, otherwise it will be deleted
  ECHO automatically (recommended).
  ECHO.
  CHOICE /C YN /M "Should I begin?"
  IF ERRORLEVEL 2 GOTO FIN
  REM # Loop over the last octet (first IP, step, last IP); rct1.bat handles one host
  FOR /L %%A IN (%XScanStart%,1,%XScanStop%) DO (
    SET XComputer=%XSubnetStart%%%A
    CALL rct1.bat
  )
  GOTO FIN

REM # Else, scan single computer
:SINGLESCAN
  ECHO.
  SET XComputer=%~1
  CALL rct1.bat
  ECHO.
  ECHO Finished!
PAUSE

:FIN
SET XComputer=
SET xa=
SET xb=
SET xc=
GOTO :EOF

REM # :ColorText <hex colour> "<message>": FINDSTR /A prints a file NAME in colour,
REM # and the name is the message itself, so it must not contain characters that
REM # are illegal in file names (\ / : * ? " < > |). The %DEL% backspaces hide
REM # the ":." that FINDSTR prints after the name.
:ColorText
ECHO OFF
<nul SET /p .=. > "%~2"
FINDSTR /v /a:%1 /R "^$" "%~2" nul
ECHO(%DEL%%DEL%%DEL%
del "%~2" > nul 2>&1
GOTO :EOF



Helper files, first one named rct1.bat:
@ECHO OFF
REM # Scans ONE host; rct.bat sets %XComputer% (IP or name) before calling us.

  ECHO -------------------------------------------------------------
  ECHO Testing computer %XComputer% for unwanted Task Schedule...

REM # Let's first see if machine is alive (one echo request, 1 second timeout)...
  PING -n 1 -w 1000 %XComputer% | FIND "TTL=" > nul
  IF ERRORLEVEL 1 (
    ECHO %XComputer% not responding to ping. Next...
    GOTO SKIP
  )
REM # OK, so let's scan it: keep only the AT jobs that run rundll32.exe.
REM # An "Access is denied" from AT also produces no match, so such a host
REM # shows as healthy here; the error text still appears on screen, watch for it.
  ECHO Ping OK. Scanning...
  AT \\%XComputer% | FIND /I "rundll32.exe" > rctTemp.txt
  IF ERRORLEVEL 1 (
    CALL :ColorText 0a "OK. Computer seems healthy!"
    ECHO.
    GOTO SKIP
  )
  CALL :ColorText 0C "WARNING! Probably infected with Conficker!!!"
  ECHO.
REM # There is usually more than one such AT job, so hand EVERY matching line
REM # to rct2.bat, one line at a time, rather than only the first one.
  FOR /F "usebackq delims=" %%L IN ("rctTemp.txt") DO (
    SET "XFileContents=%%L"
    CALL rct2.bat
  )
  AT \\%XComputer% | FIND /I "rundll32.exe" > nul
  IF ERRORLEVEL 1 CALL :ColorText 0a "Deleted!"
  ECHO.
:SKIP
DEL rctTemp.txt > nul 2>&1
SET XComputer=
GOTO :EOF

REM # Same colour helper as in rct.bat (labels are local to each batch file)
:ColorText
ECHO OFF
<nul SET /p .=. > "%~2"
FINDSTR /v /a:%1 /R "^$" "%~2" nul
ECHO(%DEL%%DEL%%DEL%
del "%~2" > nul 2>&1
GOTO :EOF



Second helper file, named rct2.bat:
@ECHO OFF
REM # Called by rct1.bat once per AT line, passed in %XFileContents%, e.g.
REM #         1   Each M T W Th F S Su    3:00 PM       rundll32.exe c:\...
REM # AT columns: Status (7 chars, blank or "Error"), ID (5 chars), Day, Time, Command Line
SET "XTask=%XFileContents:~7%"
ECHO %XTask%
ECHO.
CHOICE /T 10 /C YN /D Y /M "Remove task?"
IF ERRORLEVEL 2 GOTO END
REM # Job ID = the ID column with spaces stripped. Skipping the Status column
REM # keeps an "Error" status from being glued onto the number.
SET "XTaskId=%XFileContents:~7,5%"
SET "XTaskId=%XTaskId: =%"
ECHO Deleting Task ID %XTaskId% from %XComputer%...
AT \\%XComputer% %XTaskId% /DELETE /YES
:END
SET XFileContents=
SET XTask=
SET XTaskId=



Third helper file, named SetFile.bat:
REM # Not used by rct2.bat any more: rct1.bat now passes each AT line in %XFileContents% directly.
set XFileContents=

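The same sweep in PowerShell, written by the editor as an added example (it is not code from Andrej's post). It does what rct.bat, rct1.bat and rct2.bat do, handles every matching AT job on a host rather than one line, surfaces AT errors instead of reporting such hosts as clean, and adds a check that the AutoPlay GPO actually landed. Assumptions: it runs from a domain-admin console on Windows 7 or 2008 R2, targets are reached with AT.EXE (Task Scheduler v1), which every OS version in the thread answers, and the host names, IP range and DLL path in the sample are made up.

```powershell
# Added example, not code from the thread. PowerShell 2.0+ version of the
# rct.bat / rct1.bat / rct2.bat sweep, plus a check that the AutoPlay GPO
# landed. Assumptions: run from a domain-admin console on Windows 7 / 2008 R2;
# targets answer AT.EXE (Task Scheduler v1), as every OS in the thread does;
# host names and the DLL path in the sample below are made up.

function ConvertFrom-AtOutput {
    # Parse the text printed by `AT \\host`. Header, dashed line and
    # "There are no entries in the list." do not match and are dropped.
    param([string[]]$Lines)
    $pattern = '^\s*(?<status>Error)?\s*(?<id>\d+)\s+(?<schedule>.+?)\s+' +
               '(?<time>\d{1,2}:\d{2}(?:\s?[AP]M)?)\s+(?<command>\S.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Id       = [int]$Matches['id']
                Status   = $(if ($Matches['status']) { 'Error' } else { 'OK' })
                Schedule = $Matches['schedule']
                Time     = $Matches['time']
                Command  = $Matches['command']
            }
        }
    }
}

function Get-HostRange {
    # Same rule as rct.bat: start and end IP must be in one /24.
    param([string]$StartIp, [string]$EndIp)
    $s = $StartIp.Split('.'); $e = $EndIp.Split('.')
    $prefix = $s[0..2] -join '.'
    if ($prefix -ne ($e[0..2] -join '.')) { throw 'Start and end IP must be in the same /24' }
    ([int]$s[3])..([int]$e[3]) | ForEach-Object { "$prefix.$_" }
}

function Get-AtJobs {
    param([string]$ComputerName)
    # Capture stderr too: "Access is denied" from AT must not look like a clean
    # host, which is a blind spot of the FIND-based batch version.
    $raw = & at.exe "\\$ComputerName" 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { Write-Warning ('{0}: AT failed: {1}' -f $ComputerName, ($raw -join ' ')) }
    ConvertFrom-AtOutput -Lines $raw
}

function Invoke-ConfickerTaskSweep {
    # Report and, unless -ReportOnly, delete every AT job whose command line
    # matches $Pattern. rundll32.exe is what the thread keys on, and a
    # legitimate rundll32 AT job would match as well, so report first.
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [string]$Pattern = 'rundll32\.exe',
        [switch]$ReportOnly
    )
    foreach ($target in $ComputerName) {
        if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue)) {
            Write-Warning ('{0}: not responding to ping, skipping' -f $target)
            continue
        }
        $jobs = @(Get-AtJobs $target | Where-Object { $_.Command -match $Pattern })
        if ($jobs.Count -eq 0) { Write-Host ('{0}: no matching AT jobs' -f $target); continue }
        foreach ($job in $jobs) {
            Write-Warning ('{0}: AT job {1} ({2} {3}) -> {4}' -f $target, $job.Id, $job.Schedule, $job.Time, $job.Command)
            if (-not $ReportOnly) { & at.exe "\\$target" $job.Id /DELETE /YES | Out-Null }
        }
        if (-not $ReportOnly) {
            # Re-query, as rct1.bat does after rct2.bat, to confirm the deletions stuck.
            $left = @(Get-AtJobs $target | Where-Object { $_.Command -match $Pattern })
            if ($left.Count -eq 0) { Write-Host ('{0}: cleaned' -f $target) } else { Write-Warning ('{0}: {1} matching job(s) still present' -f $target, $left.Count) }
        }
    }
}

function Test-AutoRunDisabled {
    # "Turn off AutoPlay: All drives" writes NoDriveTypeAutoRun = 0xFF under the
    # Explorer policy key; read it through the Remote Registry service.
    param([string]$ComputerName)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key = $base.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')
    $value = $null
    if ($key) { $value = $key.GetValue('NoDriveTypeAutoRun'); $key.Close() }
    $base.Close()
    return ($value -eq 0xFF)
}

# Constructed sample of AT output (not captured from a real host) to try the
# parser offline; the "Error" line is what a job that failed to run looks like.
$sample = @(
    'Status ID   Day                     Time          Command Line',
    '-------------------------------------------------------------------------------',
    '        1   Each M T W Th F S Su    3:00 PM       rundll32.exe c:\windows\system32\abcd.dll,efgh',
    'Error   2   Today                   4:00 PM       rundll32.exe c:\windows\system32\abcd.dll,efgh',
    '        3   Each M T W Th F         11:00 PM      c:\scripts\nightly-backup.cmd'
)
ConvertFrom-AtOutput -Lines $sample | Where-Object { $_.Command -match 'rundll32\.exe' } |
    Format-Table Id, Status, Time, Command -AutoSize

# Live use: look first, delete on the second pass, then confirm the GPO on a client.
# Invoke-ConfickerTaskSweep -ComputerName (Get-HostRange '192.168.1.1' '192.168.1.254') -ReportOnly
# Invoke-ConfickerTaskSweep -ComputerName (Get-HostRange '192.168.1.1' '192.168.1.254')
# Test-AutoRunDisabled -ComputerName 'pc-042'
```

Run it with -ReportOnly across a subnet first and read the warnings: the only thing that separates a Conficker job from a legitimate rundll32 job is the command line, so the pattern is a starting point, not a verdict. Two caveats a practitioner will want: AT and the remote registry both go over RPC/SMB, so a client firewall rule that blocks them shows up as "AT failed" rather than as a clean host; and on Windows XP the NoDriveTypeAutoRun policy only takes effect for autorun.inf on USB drives once the AutoRun fix from Microsoft KB967715 is installed, so a client that passes Test-AutoRunDisabled but lacks that update is still exposed.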
