Asked by idajagne
SAM ERROR / CONFICKER WORM

Dear Experts,

Recently, I found out that one of my systems has detected a very dangerous worm (Conficker). Also, I have noticed that on almost all my servers the Server service keeps stopping, which is preventing my users from accessing network resources.

Currently, I have created a batch file using NET VIEW to query the devices and make sure I am aware of a drop in connectivity. However, patching the servers resolved the Server service issue.

But now I am having an issue with my DC; please find the event log entry below:

EVENT ID: 12294
The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

QUESTIONS:

1. How can I narrow down the client it is trying to connect from, and
2. The Conficker worm: any ideas on how to resolve it?

Your help is greatly appreciated....
ASKER CERTIFIED SOLUTION (cruxxe)

This solution is only available to members.
idajagne (asker)

I am trying some of the tools as well. However, the antivirus client is now detecting BACKDOOR.Tiderinf. Any ideas / removal tools?
Hmm... look in C:\Windows\System32. Is there a file x.dll, or just x?
Hi all,

I have some information about this.
SYMPTOMS:
Account lockout policies are being tripped.
Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
Domain controllers respond slowly to client requests.
The network is congested.
Various security-related Web sites cannot be accessed.

PROPAGATION METHODS:
Network shares and the Autorun feature.

WORKAROUND:

Create a new policy that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment.
1. Set the policy to remove write permissions to the following registry subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

2. Set the policy to remove write permissions to the %windir%\tasks folder.

REF:

http://www.microsoft.com/security/malwareremove/default.mspx 
http://technet.microsoft.com/en-us/security/dd452420.aspx
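An added example (not from this thread and not Microsoft's own script) that applies the two workaround steps above to a single machine with PowerShell, so you can test the effect before pushing it out through Group Policy: it adds Deny entries for Everyone on the Svchost key and on %windir%\Tasks, then probes both with a write attempt. Using the Everyone principal and the exact rights denied (Set Value / Create Subkey on the key, Create Files / Create Folders on the directory) are my reading of "remove write permissions" and are assumptions. Run from an elevated prompt.

```powershell
# Added example, not part of the original thread: applies the two Conficker
# workaround steps to the local machine so they can be tested before being
# rolled out via Group Policy. Everyone (S-1-1-0) as the principal and the
# exact rights denied are my assumptions. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'

$everyone  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$tasksPath = Join-Path $env:windir 'Tasks'

# Step 1: the worm registers itself as an extra entry in the "netsvcs" value
# under this key. Denying Set Value / Create Subkey prevents that write.
$keyRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone,
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AccessControlType]::Deny)
$keyAcl = Get-Acl -Path $keyPath
$keyAcl.AddAccessRule($keyRule)
Set-Acl -Path $keyPath -AclObject $keyAcl

# Step 2: the worm drops .job files into %windir%\Tasks to re-launch itself.
# Denying file/folder creation there blocks that scheduled-task persistence.
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories',
    [System.Security.AccessControl.InheritanceFlags]'None',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AccessControlType]::Deny)
$dirAcl = Get-Acl -Path $tasksPath
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $tasksPath -AclObject $dirAcl

# Probe: a write that still succeeds means the Deny ACE did not take effect.
# The probe is removed again if it did get created.
function Test-DeniedWrite {
    param([string]$Label, [scriptblock]$Attempt, [scriptblock]$Cleanup)
    $succeeded = $false
    try {
        & $Attempt
        $succeeded = $true
    } catch {
        Write-Host "$Label blocked as expected: $($_.Exception.GetType().Name)"
    }
    if ($succeeded) {
        & $Cleanup
        Write-Warning "$Label still succeeded; Deny ACE is not effective"
    }
    return (-not $succeeded)
}

$regBlocked = Test-DeniedWrite -Label 'Svchost key write' `
    -Attempt { New-ItemProperty -Path $keyPath -Name 'probe' -Value 'x' -PropertyType String | Out-Null } `
    -Cleanup { Remove-ItemProperty -Path $keyPath -Name 'probe' }

$probeFile = Join-Path $tasksPath 'probe.job'
$dirBlocked = Test-DeniedWrite -Label 'Tasks folder write' `
    -Attempt { New-Item -Path $probeFile -ItemType File | Out-Null } `
    -Cleanup { Remove-Item -Path $probeFile }

if ($regBlocked -and $dirBlocked) { 'Workaround applied and verified.' }
```

Because a Deny entry wins over any Allow, administrators and legitimate installers that register a new svchost group or scheduled task are blocked as well, so keep these rules only until the MS08-067 patch is on every host and the infection is cleaned up, then undo them by calling RemoveAccessRule with the same rule objects and running Set-Acl again. For the domain-wide rollout the post describes, the equivalent settings live under Computer Configuration > Windows Settings > Security Settings > Registry and > File System in the Group Policy editor.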