Completely Removing the w32.downadup.B conficker worm from my network.

Thanks for your post and the time it took to respond.

All of the computers are running Symantec Corporate Edition (version 9 or 10 for the most part).  We just got Symantec Endpoint, but I haven't installed it on any machines yet.  Would Endpoint do the job that you describe above - check for malware, spyware.  I would think that when it came to checking viruses the version(s) I'm using now and the Endpoint version would look for the same types of viruses.  Is that safe to say?  Maybe now is a good time to upgrade to Endpoint.

However, it seems Symantec is doing an excellent job at picking up on the virus and stopping it before it infects the computer (see my attachment).  The only thing is that it is leaving that file on the computer after it 'quarantines'.  That is actually one of my questions....why isn't it completely removing it?

I mentioned before that I have only known four actual infections of the virus.  In two cases, there was no anti-virus software installed (oops).  In the other two cases the virus software was corrupt.  I promptly re-installed it, updated the definitions, ran the Symantec w32,downadup.b removal tool, and did a full scan.  In all four cases this seemed to have gotten rid of the threat  - the multiple login attempts to the server (resulting in user accounts being locked out) quickly stopped as soon as these machines were cleaned.  All four machines where infected at different times.

I don't believe my server has been infected but I will take your advice and check for unusual files that don't belong in the network shares.  That would be great if it told me which computer is creating and re-creating the bad files!

Of all of the computers I have visited on the network I have never noticed the Task Manager, or regedit disabled.  That doesn't mean that they haven't in the past, but I have never noticed this happen.  I will keep a look out for it now.  As far as safe mode goes,  I honestly haven't tried to boot in safe mode yet, so I can't answer to that.  If either of these happen to be the case, what does that mean?

Your recommendation to unplug all computers from the network, Clean Servers, Clean Desktops, disable autorun, and then reconnect all computers sound very reasonable, but unfortunately, very time consuming.  I work at a school, so I will have to wait until summer break to do all that.

We put a stop to all local network traffic and redirect it to a proxy server that is running DansGuardian web-filtering software.  We have many websites locked down and I have the ability to do some configuration on the linux server.  Is this enough protection?  Is there a way I can tell if computers are sending out information or accessing websites?  Maybe a way to look at my network traffic and see what is going on?  Perhaps opendns.org would do this for me?

I have a lot of concerns right now, but if I had to narrow it down to just two, this is what they are:

1.  Why are my users getting these auto-protect messaged from Symantec anti-virus and where are they coming from?  I need to stop these attempted invasions on our systems.

2.  Why are local computer services being stopped and how can I fix it permanently (no more work-arounds!)?  Computer Browser, Server, Windows Audio, etc.   Why am I getting the svchost.exe ('Generic Host Process for Win32 Services) error, which is locking up computers?  How can I solve these errors?

Thanks for your help.  Feel free to get more details from me.....I must solve this problem so I'll do whatever I need to.

First, the Endpoint protection (11) is designed to look for more than just viruses, which is what 9 and 10 focus on. You should feel better protected with the Endpoint protection.

Have you turned off System Restore, so the virus can't hide there after a reboot? If the Symantec can't remove the file, then something still has it locked. That's why I'd be suspicious of something else running. Have you looked at your processes running for anything suspicious? You can also download Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) for more detail than Task Manager. Have you tried running a virus scan in Safe Mode to see if it removes the file?

It's a good sign that things like regedit and Task Manager still work. One of the first things that a blended threat can do is disable all the stuff you would normally use to fight the threat (it's protecting itself).

By the way, you may want to have everyone change their passwords more frequently for awhile just in case a login has been conpromised. I know they'll all moan about it, but the first time a critical file or account has been compromised, it's your neck and then maybe theirs'.

This threat appears to be able to access quit a few websites: http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2
You could add these to your firewall and monitor the logs to see if any computers are accessing them. If you have the capability of reporting internet activity through your firewall - great, if not, your firewall should at least give you a top 10 list. Many log files will only show the IP address of the destination server, so it's harded to determine. What is your internet security device/model (Cisco, Juniper, Sonicwall, etc).

It's also possible that whatever infection the computer had may have corrupted some OS files. You may want to try repairing one of the OSes to see if it fixes any of the symptoms. If it's just a few computers, you may be better off formatting them and reloading everything.

Just FYI, I've also called Microsoft in the past and they were very helpful. I believe they still offer free virus and security-related support:
http://www.microsoft.com/protect/support/default.mspx

I have bumped up the priority of upgrading all the computers to Endpoint.  Thanks for the recommendations on that point.  

I feel that our password security is pretty good.  I only have two user accounts with weak passwords, but they have access to nothing.

We run a Linux firewall (BrazilFW).  Past the basic configurations, I have limited knowledge of the firewall.  However, I'm NOT aware of its ability to report internet activity and I'm not even sure I can get get a top ten list of accessed sites.  (If anyone wants to comment on this then that would be an awesome side note!)  Our other internet security device besides the firewall is the DansGuardian.  Using this tool, I have limited means to evaluate internet activity.  Regardless, I added as many websites and domains as I could to the denied list on this proxy filter - these came from the Symantec link you provided above.  Hopefully this will take care of any chance the worm has to get to the outside world in the case I have an infected computer on the network.

Thanks for the advice to repair the OS files.  I will try that.  I have a few machines that are specifically locking up almost every day and these will be good test subjects.  If worst comes to worst, re-installing is my last option.  

I changed Explore to view all hidden files, extensions, and hidden system files and searched all of the shares on the server, but didn't find any autorun.inf files that were out of place.  I was kinda hoping I would find something.  Is it possible that this pesky .jpg file that never seems to be deleted by Symantec auto-protect is the source of the ability for this worm to keep trying to spread itself to other machines?  I guess I'm just really confused on how this thing is spreading because it's just a picture file....what harm can it do to systems?  

After a user receives the Symantec Auto-protect message (like the one in the initial post),  I do the following three things (in this order):

1.  Run the Symantec FixDownadupTool - it finds nothing
2.  Run a Symantec Virus scan - it also finds nothing
3.  Find the exact location of the .jpg, .bmp, or gif file and manually delete it (The fact that I can do this tells me that another process doesn't have it locked, right?)

* All of these steps are performed under an administrator account, with a normal boot (no safe mode), and System Restore is NOT disabled.

As soon as the worm attempts to propagate itself again over the network, the users will receive the same auto-protect message from Symantec and a new picture file will be created again.  Then, I have to find the time to repeat the above three steps.  It is a viscous cycle and I need to find a way out of it.  I really want to find the source of the spreading of the worm so I can nip it there.  

Right now, things are pretty calm.  Users aren't receiving the auto-protect message and most of the computers are acting almost normal - at least enough so that they can get their work done.  No domain users accounts are being locked out, but things will NOT stay this way for long....this worm seems to come in sweeps.  

My biggest questions/concern now is this....if I take the suggested steps above from above, what will keep the worm from spreading back to a computer once I clean it up?  The computers with XP SP3 are already patched, right?  But users will still get the auto-protect message and it then creates that file that it can't delete.  What keeps the worm from re-infecting as soon as I clean up a computer?

I would recommend disabling System Restore and performing the 3 steps in Safe Mode. I know you've run the tool to remove it, but have you followed the manual removal instructions on the Symantec page to see if the registry settings, etc. are actually getting done? Reboot and see if the changes stick.

1) Make sure that all machines are up-to-date with the latest definitions. Any AV product without the latest signatures will not work as expected.  

2) When you said that users still receiving Auto-Protect messages, this means that are being attacked by another machine(s) in the network.

3) Enable "Threat Tracer" to detect the source of infection. Follow these steps:

A) In the Symantec System Center console, right-click the server group that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.

B) In the Auto-Protect Advanced Options dialog box, verify that the options under Threat Tracer are checked.

C) Click Ok

4) Run Windows Patch (MS08-067) + Symantec FixDownadup tool on those infected machines that were discovered by the "Threat Tracer"

xmachine,

Thanks for the tip on 'Risk Tracer'!

I double-checked the settings like you instructed and it turns out that all of the options for Rick Tracer were already enabled.  How do I view the results of the trace?  Is there a log file on the server or client that gives me the source IP of the attack?  Once I figure out which machine is generating the attacks then I can run the previously mentioned steps to get rid of the threat.

Have you tried contacting Microsoft as suggested above? They have a tool called WOLF (Windows Online Forensics) tool that will collect some data on the infected computer. You then upload a cab file for them to analyze.

Please check the following KB article:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/f37e368c1f18a3b388256e29007bd7ac?OpenDocument

Hi,

Would you please update the status of your problem ?

I checked the Risk History logs and found that they all said localhost as the source computer.  This is true for multiple computers I checked.  I thought I was going to find a computer on the network that was spreading this worm?  I don't get it...

I'm still working really hard to grasp/comprehend/understand how these computers were infected by this worm in the first place and how it keeps propagating itself if it isn't spreading from computer to computer.  If the threat is coming from the 'localhost' then how do I stop it from coming back once I perform all these steps you guys have previously instructed?  These computers were fine until this worm first got on our network somehow and started spreading itself.  Who's to say once I go around to all these machines and clean 'em up right it just won't happen again just like it did in the beginning when the worm first started spreading over the network?

This is where I stand right now.  I feel very comfortable with the tools and suggestions you have provided me in regards to removing the worm from these computers.  Is it a lot of work?...YES, but that is fine with me if it gets rid of this thing forever.  However, I'm still trying to understand the bigger picture on this thing, as you can tell by my questions.  I will award partial credit to each of you for your efforts.  Please feel free to comment more on this question and maybe I can eventually understand it all better!

Thanks again for your help!  I do love this website!
 

Side note:  How do I export the Risk History log for all computers managed by the Symantec Server?