Solved

How to Remove Conficker virus

Posted on 2009-04-25
3,726 Views
Last Modified: 2013-11-22
Hi all

    I am sure everyone is aware of the Conficker virus. We got our network infected yesterday with this nasty virus. Even though we had AVG installed, it looked like someone brought this virus in from their laptop.

Our office network has around 40 desktops, 15 laptops and 5 servers (4 virtual servers and 1 physical server, all running Windows Server 2003) running as DC, web and DB server etc.

  The virus started on a desktop PC. After I noticed that, I switched off all the servers first. Then I found that a few PCs which had McAfee showed the virus below:

virus name at1.job   Virus Type:  conficker.worm.job
Virus Name: antwtllbhz.ca   Virus Type: conficker.work.gen.a

 Now I have disconnected all the desktop and laptop PCs from the network. Only the servers are running at the moment.

  Can someone help me with:

1. How to check whether the servers (Windows Server 2003) are infected, and if they are, how to clean them up.
2. How to run the cleanup on all the desktop and laptop PCs?

 I did a Google search and found so many solutions but couldn't find which one really works. Since this is affecting our entire network, I would like to remove this virus permanently.

Note: all the PCs had the MS patch as well.

regards
Mat
Question by:ExchangeGroup

17 Comments
 
LVL 1

Accepted Solution

by:
vague_hit earned 800 total points
ID: 24232651
hi there

Download this program on a non-infected computer onto a USB disk and run it on each of the computers:

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

Also download the anti-malware software from Malwarebytes and run it on each PC to be extra safe. You only need the trial version.

http://www.malwarebytes.org/mbam.php

Together these two tools will clean the computers thoroughly. As a preventative measure, it may be worth investing in the version of Malwarebytes' program that stays resident in memory. What antivirus software is currently deployed across your network? I would recommend investing in the corporate version of McAfee or in Kaspersky, which has always done a good job of protecting my PCs.
0
 
LVL 1

Expert Comment

by:vague_hit
ID: 24232656
Oh, as far as running on all the computers at once from a central server goes, this is not really feasible, as you really want to be scanning memory and low-level system files as well, seeing as you are already infected. I know it's very time consuming, but that's the way it goes sometimes! Next time hopefully you are better protected.
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24232665
0
 
LVL 1

Expert Comment

by:vague_hit
ID: 24232667
Just one more comment: before you run these removal tools, disable System Restore, to keep the worm from reinstalling on reboot. Run the tools again before re-enabling System Restore, just as a precaution.
0
 
LVL 3

Assisted Solution

by:samithsukumar
samithsukumar earned 200 total points
ID: 24232674
 
Make sure your server is updated with all the newly released updates.

http://mcafee-w32-conficker-stinger.en.softonic.com/

Download the above removal tool and try to run it.
0
 

Author Comment

by:ExchangeGroup
ID: 24232684
Hi Vague hit

            Thanks for your reply. I understand it is too late to regret; we had AVG, but this virus could have been spread through a USB stick. What my concern is, even though we have so many removal tools for different versions of Conficker, will the above tool you mentioned remove Conficker completely?

 After spending so much time, we don't want to get infected again, so I just want to be sure the above Symantec and Malwarebytes tools remove this completely.

 The above tools can be run on Windows Server 2003 as well, right? As you mentioned, we will be running PC by PC and server by server on Monday.


0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24233583
If you keep your computer up to date using Windows Update, you should be able to just go to Start->Run, type in mrt.exe and press OK. This will launch Microsoft's Malicious Software Removal Tool and should remove the problem.
0
 

Author Comment

by:ExchangeGroup
ID: 24235293
Hi all

        I need some help on how to run the remover tools on the Exchange and DC server (running on one server). I read some articles on excluding the .mdb and .stm files...

In case I want to run this, can I stop IIS and the Exchange Information Store and run this? At the moment the Exchange DB is on the D drive. Or do I just stop only IIS and run the scan on the C drive?
0
 
LVL 5

Expert Comment

by:louislietaer
ID: 24235415
At boot time press F8 and run Windows in safe mode.
0
 
LVL 1

Expert Comment

by:vague_hit
ID: 24235773
Hi there, yes the tool can be run on Windows Server 2003 and is for ALL versions of the Conficker virus. Also, Malwarebytes finds and removes all instances of the virus as well. With the combination of both tools (be sure to allow Malwarebytes to update when you run it too) it should eliminate all traces.
0
 
LVL 17

Assisted Solution

by:OriNetworks
OriNetworks earned 200 total points
ID: 24236561
You have to be VERY careful when installing anti-virus and anti-malware software on servers, especially DCs and Exchange servers. There are certain files and directories you have to exclude so that corruption does not occur and no critical files are deleted!

I would again suggest running MRT to check for and remove the infection for now, and then you can research the necessary exclusions for when you do install the other software.
0
 

Author Comment

by:ExchangeGroup
ID: 24241498
Hi all

   We are doing the cleanups and will update you once we have completed everything.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24244766
0
 
LVL 15

Assisted Solution

by:xmachine
xmachine earned 400 total points
ID: 24247974
Hi,

This is my working cure for Conficker infections.

1) To start, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE 

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe 

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe 

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu 

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) You can use PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run the batch file using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

So, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/).

Other important points:

1) Review the current password policy; you can configure a Windows GPO that requires a complex password with a minimum number of characters.

2) Use Nessus (http://www.nessus.org/download/) and scan all machines using plugin ID 34476 to check whether they have the MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch; this is just an example.)
 

A Symantec Certified Specialist @ your service


@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All 
ECHO.                                Multi OS W32.Downadup Cleaner 
ECHO. ***********************************************************************************************

REM Replace ServerName\ShareName with the read-only share that holds FixDownadup.exe
REM and the KB958644 packages (its Logs subfolder must be writable).
REM Launch this through PsExec with explicit credentials (-u DOMAIN\admin -p ...):
REM without -u the remote process has no network access and cannot open the share.
SET SHARE=\\ServerName\ShareName
SET LOGFILE=%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt

REM Pick the OS from "ver". Server 2003 prints "Microsoft Windows [Version 5.2.3790]",
REM which contains no "2003", so match on the version number instead.
ver | find "Version 5.2" > nul
if %ERRORLEVEL% == 0 goto ver_2003
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista
ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista
echo Unrecognised Windows version, nothing done.
goto exit

:ver_2003
call :enable bits "Background Intelligent Transfer Service"
call :enable wuauserv "Automatic Updates"
call :enable ERSvc "Error Reporting"
REM WerSvc exists only on Vista and later, so it is not touched here.
call :clean %SHARE%\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
goto exit

:ver_xp
call :enable bits "Background Intelligent Transfer Service"
call :enable wuauserv "Automatic Updates"
call :enable wscsvc "Security Center"
call :enable ERSvc "Error Reporting"
call :clean %SHARE%\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
goto exit

:ver_2000
call :enable bits "Background Intelligent Transfer Service"
call :enable wuauserv "Automatic Updates"
REM Windows 2000 has no built-in shutdown.exe; the Resource Kit one takes different switches.
call :clean %SHARE%\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
goto exit

:ver_vista
REM Same package for SP0 and SP1; an .msu is installed through wusa.exe, not run directly.
call :enable bits "Background Intelligent Transfer Service"
call :enable wuauserv "Windows Update"
call :enable wscsvc "Security Center"
call :enable WinDefend "Windows Defender"
call :enable WerSvc "Windows Error Reporting"
call :clean wusa.exe %SHARE%\Windows6.0-KB958644-x86.msu /quiet /norestart
goto exit

:enable
REM %1 = service name, %2 = friendly name. Conficker sets these services to Disabled.
echo Enabling and starting %~2 (%1) ...
sc config %1 start= auto
net start %1
goto :eof

:clean
REM %* = the full command line that installs this OS's MS08-067 package.
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Fixing Downadup infection ...
%SHARE%\FixDownadup.exe /SILENT /LOG=c:\%LOGFILE%
copy c:\%LOGFILE% %SHARE%\Logs\%LOGFILE%
echo Patching MS08-067 ...
%*
echo Rebooting system in one minute ...
REM -t is in seconds; 60 matches the message (the earlier 1024 was about 17 minutes).
shutdown -r -f -t 60 -c "Rebooting system, you have 1 minute to save your work"
goto :eof

:exit


0
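The question's first point, how to tell whether a server is infected before running a cleaner, is answered in this thread only indirectly: the batch above re-enables the services Conficker disables, installs KB958644 for MS08-067, and McAfee flagged at1.job in the Tasks folder. The script below turns those three indicators into an offline host check. It is an example added by the editor, not code from xmachine's post or from any vendor tool: it parses text captured on the host with `sc qc <service>`, `wmic qfe get HotFixID` and `dir /b %windir%\Tasks`, so it can be run from a USB stick on a disconnected machine. All sample captures are constructed for the example, and the function names are the editor's. A hit on one indicator alone is not proof (an admin's own `at` job also produces at1.job), an empty result is not proof of a clean host, and a hotfix superseded by a later update may not appear in the QFE list, so confirm MS08-067 with a network check such as the Nessus plugin mentioned above.

```python
"""Offline triage of one Windows host for the Conficker/Downadup indicators
named in this thread: the services the cleanup batch has to re-enable, the
MS08-067 hotfix (KB958644) and at*.job scheduled tasks such as the at1.job
McAfee flagged.  Editor's example, not code from the original post.

Feed it text captured on the host (no network access needed here):
    sc qc <service>           one call per watched service, concatenated
    wmic qfe get HotFixID     installed hotfixes
    dir /b %windir%\\Tasks    scheduled-task files
All sample outputs below are constructed; function names are the editor's.
"""
import re

# Services Conficker is known to disable (the batch in the thread re-enables them).
WATCHED_SERVICES = ("bits", "wuauserv", "wscsvc", "windefend", "ersvc", "wersvc")
MS08_067_KB = "KB958644"
AT_JOB = re.compile(r"^at\d+\.job$", re.IGNORECASE)


def parse_sc_qc(text):
    """Map lower-cased service name -> START_TYPE word (AUTO_START, DISABLED ...)
    from one or more concatenated 'sc qc' outputs."""
    start_types, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1).lower()
            continue
        m = re.match(r"\s*START_TYPE\s*:\s*\d+\s+(\S+)", line)
        if m and current:
            start_types[current] = m.group(1).upper()
    return start_types


def parse_hotfixes(text):
    """Set of KB ids from 'wmic qfe get HotFixID' output."""
    return {kb.upper() for kb in re.findall(r"KB\d+", text, re.IGNORECASE)}


def parse_tasks(text):
    """File names from 'dir /b %windir%\\Tasks'."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def triage(sc_text, qfe_text, tasks_text):
    """Return the list of indicators seen.  Empty means none of the thread's
    indicators were present (not proof the host is clean); a single at*.job
    on its own is not proof of infection either."""
    findings = []
    start_types = parse_sc_qc(sc_text)
    for svc in WATCHED_SERVICES:
        if start_types.get(svc) == "DISABLED":
            findings.append("service %s is DISABLED" % svc)
    if MS08_067_KB not in parse_hotfixes(qfe_text):
        findings.append("MS08-067 hotfix %s not listed by wmic qfe" % MS08_067_KB)
    for job in parse_tasks(tasks_text):
        if AT_JOB.match(job):
            findings.append("scheduled task %s present" % job)
    return findings


# --- constructed sample captures (not from a real host) ---
SC_INFECTED = """
SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
        DISPLAY_NAME       : Automatic Updates

SERVICE_NAME: BITS
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        DISPLAY_NAME       : Background Intelligent Transfer Service
"""
SC_CLEAN = SC_INFECTED.replace("4   DISABLED", "2   AUTO_START")
QFE_INFECTED = "HotFixID\nKB936929\n"            # KB958644 missing
QFE_CLEAN = "HotFixID\nKB936929\nKB958644\n"
TASKS_INFECTED = "at1.job\nat2.job\nSA.DAT\ndesktop.ini\n"
TASKS_CLEAN = "SA.DAT\ndesktop.ini\n"

if __name__ == "__main__":
    for label, args in (("suspect-pc", (SC_INFECTED, QFE_INFECTED, TASKS_INFECTED)),
                        ("clean-pc", (SC_CLEAN, QFE_CLEAN, TASKS_CLEAN))):
        hits = triage(*args)
        print("%s: %s" % (label, "; ".join(hits) if hits else "no indicators"))
```

On a real host, capture the three outputs to text files on the USB stick (`sc qc wuauserv >> sc.txt`, and so on for each watched service) and pass their contents to `triage`; a host that reports disabled update services together with missing KB958644 and at*.job tasks is the pattern the thread describes and should go straight to the cleanup step.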
 
LVL 1

Assisted Solution

by:dt3itsteam
dt3itsteam earned 400 total points
ID: 24251079
Labeeb,

I use Malwarebytes all the time; it is a very good app for this kind of thing and, in conjunction with the other tools, will help you a lot with removing the virus. Also, as mentioned before, make sure you disable System Restore and clear all restore points with it, as any work you have done previously may have been compromised.

Why are you using AVG, my friend?

I think something along the lines of Symantec Endpoint or Kaspersky should be thought about. Kaspersky has a very easy admin console that will integrate well with AD, and it's not too expensive at all, so you shouldn't have any issues getting budget from "you know who".

Keep well and good luck!

CB
0
 

Author Comment

by:ExchangeGroup
ID: 24259898
Thanks all for your input.

        We fixed the issue by running:

1. McAfee Stinger tool
2. Malwarebytes Anti-Malware, and
3. an updated AVG is installed
(System Restore was disabled as well)
------------------------------------------
CB - We have done some research about the AV tools and AVG was the better option, and we bought it as well, so we need to stay with them until the contract runs out.
0
 
LVL 1

Expert Comment

by:vague_hit
ID: 24266394
I'm glad the issue is fixed! To be honest I'm a little worried that AVG allowed a virus through. A USB stick is just the new floppy disk, so it should be expected that you'll be introducing them to the system.

It's one of the downsides of AVG: despite its "100%" detection of known viruses, programs such as corporate McAfee and Kaspersky in particular are much better at discovering new viruses in the wild.

Still, best of luck in the future and I hope something like this doesn't happen again, or at least is not so messy to clean up :)
0
