idajagne
asked on
SAM ERROR / CONFICKER WORM
Dear Experts,
Recently, I found out that one of my systems has detected a very dangerous worm (Conficker). Also, I have noticed that on almost all my servers, the SERVER service keeps stopping, which is preventing my users from accessing network resources.
Currently, I have created a batch file using NET VIEW to query the devices and make sure I am aware of a drop in connectivity. However, patching the servers resolved the SERVER services issue.
But now I am having an issue with my DC; please find the event log entry below:
EVENT ID: 12294
The SAM database was unable to lockout the account of Administrator due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.
QUESTIONS:
1. How can I narrow down the client where it is trying to connect from and
2. The Conficker worm - any ideas on how to resolve it.
Your help is greatly appreciated....
Hmm... look at the C:\Windows\System32
Is there a file x.dll or just x?
Hi all,
I have some information about this,
SYMPTOMS:
Account lockout policies are being tripped.
Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
Domain controllers respond slowly to client requests.
The network is congested.
Various security-related Web sites cannot be accessed.
PROPAGATION METHODS:
Network shares and the AutoRun feature
WORKAROUND:
Create a new policy that applies to all computers in a specific organizational unit (OU), site, or domain, as required in your environment.
1. Set the policy to remove write permissions to the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
2. Set the policy to remove write permissions to the %windir%\tasks folder
REF:
http://www.microsoft.com/security/malwareremove/default.mspx
http://technet.microsoft.com/en-us/security/dd452420.aspx
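For the "account lockout policies are being tripped" symptom, and the question of which client the bad passwords come from, the failed-logon events in the domain controller's Security log can be tallied by source. The following is an added example, not part of the original thread: it assumes logon-failure auditing is enabled and the log has been exported to CSV with the constructed columns shown; `rank_sources` and the sample rows are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Failed-authentication event IDs in the DC Security log:
# 4625 / 4771 on Windows Server 2008 and later, 529 / 675 on Server 2003.
FAILED_AUTH_IDS = {"4625", "4771", "529", "675"}

# Constructed sample export (assumed column layout, not a native Event Viewer format).
SAMPLE_EXPORT = """\
time,event_id,account,source
2009-01-20T09:00:01,4771,Administrator,10.0.0.57
2009-01-20T09:00:01,4771,Administrator,10.0.0.57
2009-01-20T09:00:02,4771,backup,10.0.0.57
2009-01-20T09:00:02,4625,administrator,10.0.0.57
2009-01-20T09:00:03,4771,Administrator,10.0.0.57
2009-01-20T09:00:03,4625,jsmith,10.0.0.57
2009-01-20T09:01:10,4771,Administrator,10.0.0.91
2009-01-20T09:01:11,4771,Administrator,10.0.0.91
2009-01-20T09:01:12,4771,Administrator,10.0.0.91
2009-01-20T09:05:00,4624,Administrator,10.0.0.12
2009-01-20T09:06:00,4625,Administrator,10.0.0.12
2009-01-20T09:07:00,4771,Administrator,
"""


def rank_sources(export_text, account, min_failures=3):
    """Return [(source, failures_for_account, distinct_accounts_tried)],
    busiest source first, for sources with at least min_failures failures."""
    hits = defaultdict(int)
    tried = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"].strip() not in FAILED_AUTH_IDS:
            continue  # successful logons and unrelated events are ignored
        src = row["source"].strip() or "(no source recorded)"
        name = row["account"].strip().lower()  # account names are case-insensitive
        tried[src].add(name)
        if name == account.lower():
            hits[src] += 1
    ranked = [(s, n, len(tried[s])) for s, n in hits.items() if n >= min_failures]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for source, failures, accounts in rank_sources(SAMPLE_EXPORT, "Administrator"):
        print(f"{source}: {failures} failures, {accounts} account name(s) tried")
```

A source that fails against several account names is a stronger lead for an infected client than one that repeats a single stale credential; either way the listed hosts are the ones to isolate and scan first.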