Solved

Completely Removing the w32.downadup.B conficker worm from my network.

Posted on 2009-05-18
14
9,886 Views
Last Modified: 2013-11-22
I would like to know how to completely remove the w32.downadup.b worm from my entire network.  I have been struggling with this thing since the beginning of the year and I can't seem to beat it.  It still seems to be lingering around and causing problems.  All I have been able to do so far is work-arounds.  

I have found and successfully removed the virus from four computers on my network.  The way I discovered that these computers were infected was by looking at the Security Event log and determining the machines that were failing the security audits.  The thing that got me to look here was the fact that the users were being locked out of their systems b/c of false log-in attempts and I didn't know why.  I then assumed that the computer that was attempting all the login attempts was infected with the worm.  I used the Symantec removal tool to remove the worm. I would then confirm that Symantec was working and had the latest virus definitions and everything would be fine.  I wouldn't have any more users getting locked out.  Like I said, this happened on four separate occasions and I took the same steps each time and it has worked.  However, this hasn't been the end of it.

I have computers that the Computer Browser service is stopping so they can't access file shares on the server.  I have computers where Windows audio service is stopping and the sound won't work anymore.  I have computers that are receiving the 'Generic Host Process for Win32 Services' error and the entire computer stops responding and they must perform a hard boot.  I have computers that get a memory instruction error, but nothing ever happens after that.  The problems are so vast and so different and so computer specific that it is impossible to explain and even less likely to find trends or commonalities.  Some of these users are system administrators and some are not.  Some are local users and some are domain users.  Each have access to different file shares.  It is extremely frustrating and I really need some help.  

Even though I currently don't have any computers that I'm aware of that are infected with this worm, I'm still getting system wide Auto-protect messages from Symantec.  Not all computers get this message, but many do and sometimes they number up to as many as 10 messages a day.  Attached is a screen shot of an example of the auto-protect from Symantec.  As you can see it removes part of the threat but leaves a .jpg file.  Not sure why it does this, but my guess is b/c it doesn't have rights to the folder where this file is usually located.  In my experience this file is usually located in the following location: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\.......  I have deleted this file manually on some machines, but it doesn't seem to help.

I'm aware of the Microsoft patch, but all my computers should be patched with XP SP3.  Plus, doesn't this security hole address how the virus is spread over the network and not getting rid of it?  Symantec is doing its job by auto-protecting against this worm, right?  But where is the source and how do I find it and get rid of it?

Please help me....I can't take it any longer!
Auto-Protect-Results-5-15.bmp
Question by:AAIAdmin
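The triage described in the question (reading the Security log to find the machine generating the failed logons that lock users out) can be automated. The script below is an added example, not code from the thread or from Symantec. It assumes the Security log has been exported to CSV with the fields shown; that layout, the host names, the users and the addresses are all constructed for the example. Event IDs 529 (bad user name or password) and 539 (account locked out) are the XP/2003 logon-failure events.

```python
"""Find the workstation that is generating the failed logons.

Added example, not from the thread. The export format below is constructed:
one row per event, with the fields that XP/2003 logon-failure events carry.
"""
import csv
import io
from collections import Counter, defaultdict

# Logon-failure event IDs on Windows XP / Server 2003 (pre-Vista numbering).
FAILURE_EVENTS = {529: "bad user name or password", 539: "account locked out"}

# Constructed sample export. WS-LAB07 hammers several accounts within seconds
# (the pattern that locks users out); WS-OFFICE2 is one user mistyping a password.
SAMPLE_EXPORT = """\
EventID,Time,TargetUser,Workstation,SourceAddress
529,2009-05-15 08:01:02,jsmith,WS-LAB07,192.168.1.44
529,2009-05-15 08:01:02,jsmith,WS-LAB07,192.168.1.44
529,2009-05-15 08:01:03,jsmith,WS-LAB07,192.168.1.44
539,2009-05-15 08:01:03,jsmith,WS-LAB07,192.168.1.44
529,2009-05-15 08:01:04,mjones,WS-LAB07,192.168.1.44
529,2009-05-15 08:01:04,mjones,WS-LAB07,192.168.1.44
529,2009-05-15 08:01:05,mjones,WS-LAB07,192.168.1.44
529,2009-05-15 08:01:05,tlee,WS-LAB07,192.168.1.44
529,2009-05-15 08:01:06,tlee,WS-LAB07,192.168.1.44
529,2009-05-15 08:01:06,tlee,WS-LAB07,192.168.1.44
528,2009-05-15 08:02:10,bwhite,WS-OFFICE2,192.168.1.60
529,2009-05-15 08:02:11,bwhite,WS-OFFICE2,192.168.1.60
529,2009-05-15 08:02:25,bwhite,WS-OFFICE2,192.168.1.60
"""


def parse_export(text):
    """Return the logon-failure rows (events 529/539) as dicts; other events are skipped."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        event_id = int(rec["EventID"])
        if event_id in FAILURE_EVENTS:
            rec["EventID"] = event_id
            rows.append(rec)
    return rows


def failures_by_source(rows):
    """Count failures per originating workstation."""
    return Counter(r["Workstation"] for r in rows)


def find_noisy_sources(rows, min_failures=5, min_users=2):
    """Flag workstations that fail logons against many accounts quickly.

    A worm guessing passwords produces many failures across distinct users;
    a user mistyping produces a few against one account. Returns a list of
    (workstation, source_address, failures, distinct_users), most failures first.
    """
    counts = failures_by_source(rows)
    users = defaultdict(set)
    addr = {}
    for r in rows:
        users[r["Workstation"]].add(r["TargetUser"])
        addr[r["Workstation"]] = r["SourceAddress"]
    hits = [(ws, addr[ws], n, len(users[ws]))
            for ws, n in counts.items()
            if n >= min_failures and len(users[ws]) >= min_users]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for ws, ip, n, u in find_noisy_sources(parse_export(SAMPLE_EXPORT)):
        print(f"{ws} ({ip}): {n} failed logons against {u} accounts -> isolate and scan")
```

The thresholds are deliberately conservative: a single account failing a few times is normal help-desk noise, while one workstation failing against several accounts inside a few seconds is the machine to unplug and scan first.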
14 Comments
 
LVL 13

Accepted Solution

by:
notacomputergeek earned 250 total points
ID: 24415661
What version/product of Symantec are you using? If it's designed to only look for viruses, you may want to install an anti-spyware, anti-malware, etc. program such as Spybot or switch to a solution that looks for more than viruses. Many times when a virus spreads by network shares there is an autorun.inf file on the share which does bad stuff every time someone accesses the share. That's how they spread so quickly. There are various solutions to turn off the autorun feature in Windows. I can send you what I've done if you're interested.

Are your servers infected? It's likely they are not, but probably contain the files used to spread the infection. Many files used in spreading a virus are not themselves "infected". On the server, change Explorer to view all hidden files, extensions, and hidden system files. You may suddenly see files on the shares that shouldn't be there. If you delete them and they return within a few seconds, then you have a computer on the network whose job is to put them back. Right click on the file, go to Properties and it may tell you which user created the file. If you have a computer like this on your network, immediately unplug it and do not connect it until it's clean.

Has the virus disabled things such as regedit, Task Manager, Safe Mode booting, etc?

If you can go to another vendor website and download a 30-day trial, you can attempt to scan an infected computer with it. I've seen different vendors catch/not catch different viruses.

You can also go to www.ubcd4win.com and create a bootable CD, so no files are locked when trying to work on the drive. Make sure you add the Kaspersky add-in to use for scanning.

Ultimately, in general terms you may have to do this:
Unplug all computers from the network
Clean Servers
Clean Desktops (UBCD and other virus tools may be needed) and disable autorun
Reconnect all computers

If you have just a few computers in your network, you could re-image or format/re-install them and not worry about cleaning them. The servers have to be clean first or it starts all over again.

Also, if you feel the computers are not clean, caution all users about entering any vital information into their computers until this clears. There may be keyloggers at work and malicious websites accessed. Are you restricting access to any websites? Do you use a configurable internet device, http://www.mvps.org/winhelp2002/hosts.htm, or www.opendns.org? If not, you should.

I hope some of this will point you in the right direction.
 

Author Comment

by:AAIAdmin
ID: 24416145
Thanks for your post and the time it took to respond.

All of the computers are running Symantec Corporate Edition (version 9 or 10 for the most part).  We just got Symantec Endpoint, but I haven't installed it on any machines yet.  Would Endpoint do the job that you describe above (check for malware, spyware)?  I would think that when it came to checking viruses the version(s) I'm using now and the Endpoint version would look for the same types of viruses.  Is that safe to say?  Maybe now is a good time to upgrade to Endpoint.

However, it seems Symantec is doing an excellent job at picking up on the virus and stopping it before it infects the computer (see my attachment).  The only thing is that it is leaving that file on the computer after it 'quarantines'.  That is actually one of my questions....why isn't it completely removing it?

I mentioned before that I have only known four actual infections of the virus.  In two cases, there was no anti-virus software installed (oops).  In the other two cases the virus software was corrupt.  I promptly re-installed it, updated the definitions, ran the Symantec w32.downadup.b removal tool, and did a full scan.  In all four cases this seemed to have gotten rid of the threat - the multiple login attempts to the server (resulting in user accounts being locked out) quickly stopped as soon as these machines were cleaned.  All four machines were infected at different times.

I don't believe my server has been infected but I will take your advice and check for unusual files that don't belong in the network shares.  That would be great if it told me which computer is creating and re-creating the bad files!

Of all of the computers I have visited on the network I have never noticed the Task Manager, or regedit disabled.  That doesn't mean that they haven't in the past, but I have never noticed this happen.  I will keep a look out for it now.  As far as safe mode goes,  I honestly haven't tried to boot in safe mode yet, so I can't answer to that.  If either of these happen to be the case, what does that mean?

Your recommendation to unplug all computers from the network, clean servers, clean desktops, disable autorun, and then reconnect all computers sounds very reasonable, but unfortunately, very time consuming.  I work at a school, so I will have to wait until summer break to do all that.

We put a stop to all local network traffic and redirect it to a proxy server that is running DansGuardian web-filtering software.  We have many websites locked down and I have the ability to do some configuration on the linux server.  Is this enough protection?  Is there a way I can tell if computers are sending out information or accessing websites?  Maybe a way to look at my network traffic and see what is going on?  Perhaps opendns.org would do this for me?

I have a lot of concerns right now, but if I had to narrow it down to just two, this is what they are:

1.  Why are my users getting these auto-protect messages from Symantec anti-virus and where are they coming from?  I need to stop these attempted invasions on our systems.

2.  Why are local computer services being stopped and how can I fix it permanently (no more work-arounds!)?  Computer Browser, Server, Windows Audio, etc.   Why am I getting the svchost.exe ('Generic Host Process for Win32 Services') error, which is locking up computers?  How can I solve these errors?

Thanks for your help.  Feel free to get more details from me.....I must solve this problem so I'll do whatever I need to.
 
LVL 13

Expert Comment

by:notacomputergeek
ID: 24416514
First, the Endpoint protection (11) is designed to look for more than just viruses, which is what 9 and 10 focus on. You should feel better protected with the Endpoint protection.

Have you turned off System Restore, so the virus can't hide there after a reboot? If the Symantec can't remove the file, then something still has it locked. That's why I'd be suspicious of something else running. Have you looked at your processes running for anything suspicious? You can also download Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) for more detail than Task Manager. Have you tried running a virus scan in Safe Mode to see if it removes the file?

It's a good sign that things like regedit and Task Manager still work. One of the first things that a blended threat can do is disable all the stuff you would normally use to fight the threat (it's protecting itself).

By the way, you may want to have everyone change their passwords more frequently for a while just in case a login has been compromised. I know they'll all moan about it, but the first time a critical file or account has been compromised, it's your neck and then maybe theirs.

This threat appears to be able to access quite a few websites: http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2
You could add these to your firewall and monitor the logs to see if any computers are accessing them. If you have the capability of reporting internet activity through your firewall - great; if not, your firewall should at least give you a top 10 list. Many log files will only show the IP address of the destination server, so it's harder to determine. What is your internet security device/model (Cisco, Juniper, Sonicwall, etc.)?

It's also possible that whatever infection the computer had may have corrupted some OS files. You may want to try repairing one of the OSes to see if it fixes any of the symptoms. If it's just a few computers, you may be better off formatting them and reloading everything.
 
LVL 13

Expert Comment

by:notacomputergeek
ID: 24416795
Just FYI, I've also called Microsoft in the past and they were very helpful. I believe they still offer free virus and security-related support:
http://www.microsoft.com/protect/support/default.mspx
 
LVL 15

Assisted Solution

by:xmachine
xmachine earned 250 total points
ID: 24418486
Hi,

It's HIGHLY recommended to upgrade to SEP 11 as soon as possible to get rid of W32.Downadup completely.

SEP fights W32.Downadup in two ways:

1) Antivirus Engine: SEP has all signatures to detect and clean all versions of Downadup (A/B/C/E).

2) Network Threat Protection (IPS): SEP has IPS signatures to block the exploitation attempt before a successful infection.


Also, SEP detection and eraser engines have been re-engineered from scratch to clean latest types of viruses.

See the following solution on how to clean Downadup infection in your network:

---------------------------------------------------------------------------------------------------------

This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

So, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/)

Other important points:

1)  Review the current password policy; you can configure a Windows GPO that will require a complex password, with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/), and scan all machines using this plugin ID (34476) to check if they have the MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this is just an example)
 

A Symantec Certified Specialist @ your service


@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All 
ECHO.                                Multi OS W32.Downadup Cleaner v2.0
ECHO. ***********************************************************************************************

REM Pick the section for the running OS from the "ver" banner. Server 2003
REM prints "Microsoft Windows [Version 5.2.3790]" without the word "2003",
REM so it is matched on its version number.
ver | find "Version 5.2." > nul
if %ERRORLEVEL% == 0 goto ver_2003

ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp

ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000

REM Vista SP0 and SP1 take the same update package, so both go to one section.
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista

ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista

goto exit

:ver_2003
REM Downadup disables the update and error-reporting services; re-enable them first.
REM "net start" accepts the short service name, which is the same on every OS here.
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
REM echo Removing all AT created scheduled tasks ...
REM AT /Delete /Yes
REM echo Stopping ^& Disabling Schedule service...
REM sc.exe stop schedule
REM sc.exe config schedule start= disabled
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
REM The log name is built from %computername% and %username% so the copies on the share do not collide.
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit

:ver_xp
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
REM Downadup re-launches itself through AT jobs; remove them and disable the scheduler.
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
sc.exe config schedule start= disabled
REM NoDriveTypeAutoRun = 0xff turns AutoRun off for every drive type (shares included).
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit

:ver_2000
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit

:ver_vista
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
REM Start = 4 is "Disabled"; on Vista the scheduler cannot be disabled through sc config.
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
REM Downadup deletes the Defender tray launcher's Run entry; put it back (the stock value uses -hide).
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe -hide" /f
REM Downadup turns receive-window auto-tuning off; restore the default.
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
REM .msu packages are installed by wusa.exe, which takes the same /quiet /norestart switches.
wusa.exe \\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...  
shutdown /r /f /c "Rebooting system"
goto exit

:exit

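xmachine's point 2 above checks for MS08-067 with a Nessus plugin. As an added example, not the author's code or Symantec's, the script below does the same check from the output of "wmic qfe get HotFixID" collected from each host (for instance through psexec, as the thread already does for the cleaner) and writes the unpatched hosts in the one-name-per-line format that the psexec @infected.txt run above expects. The per-host output, the host names and every KB number other than KB958644 are constructed placeholders.

```python
"""Report which hosts lack the MS08-067 update (KB958644).

Added example, not from the thread. Input is the text each host returned for
"wmic qfe get HotFixID"; the samples below are constructed, and the KB numbers
other than KB958644 are placeholders, not real updates.
"""
import re

MS08_067_KB = "KB958644"   # the update the thread's batch file installs

# Constructed sample of what each host returned. XP's wmic often pads the
# list with "File 1" rows, and some tools lower-case the prefix; the parser
# copes with both.
SAMPLE_QFE = {
    "WS-LAB07": "HotFixID\nKB900001\nFile 1\nKB900002\n",
    "WS-OFFICE2": "HotFixID\nKB900001\nKB958644\nKB900003\n",
    "WS-LIB01": "HotFixID\n",            # freshly imaged, nothing installed yet
    "WS-ART04": "HotFixID\nkb958644\n",  # prefix case differs between tools
}

KB_RE = re.compile(r"\bKB\d+\b", re.IGNORECASE)


def parse_hotfix_ids(text):
    """Return the set of installed KB IDs, normalised to upper case."""
    return {m.group(0).upper() for m in KB_RE.finditer(text)}


def hosts_missing(qfe_by_host, kb=MS08_067_KB):
    """Return the hosts whose hotfix list does not contain `kb`, sorted by name."""
    wanted = kb.upper()
    return sorted(host for host, out in qfe_by_host.items()
                  if wanted not in parse_hotfix_ids(out))


def target_list(hosts):
    """One host per line: the layout psexec @file reads (same as infected.txt)."""
    return "".join(f"{h}\n" for h in hosts)


if __name__ == "__main__":
    missing = hosts_missing(SAMPLE_QFE)
    print(f"{len(missing)} host(s) without {MS08_067_KB}:")
    print(target_list(missing), end="")
```

The list this produces is a patch-status list, not an infection list: a host without KB958644 is exposed to the exploit Downadup uses to spread, whether or not it is currently infected, so it belongs in the next psexec run regardless of what Auto-Protect has reported.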
 

Author Comment

by:AAIAdmin
ID: 24423153
I have bumped up the priority of upgrading all the computers to Endpoint.  Thanks for the recommendations on that point.  

I feel that our password security is pretty good.  I only have two user accounts with weak passwords, but they have access to nothing.

We run a Linux firewall (BrazilFW).  Past the basic configurations, I have limited knowledge of the firewall.  However, I'm NOT aware of its ability to report internet activity and I'm not even sure I can get a top ten list of accessed sites.  (If anyone wants to comment on this then that would be an awesome side note!)  Our other internet security device besides the firewall is the DansGuardian.  Using this tool, I have limited means to evaluate internet activity.  Regardless, I added as many websites and domains as I could to the denied list on this proxy filter - these came from the Symantec link you provided above.  Hopefully this will take care of any chance the worm has to get to the outside world in the case I have an infected computer on the network.

Thanks for the advice to repair the OS files.  I will try that.  I have a few machines that are specifically locking up almost every day and these will be good test subjects.  If worst comes to worst, re-installing is my last option.  

I changed Explorer to view all hidden files, extensions, and hidden system files and searched all of the shares on the server, but didn't find any autorun.inf files that were out of place.  I was kinda hoping I would find something.  Is it possible that this pesky .jpg file that never seems to be deleted by Symantec auto-protect is the source of the ability for this worm to keep trying to spread itself to other machines?  I guess I'm just really confused on how this thing is spreading because it's just a picture file....what harm can it do to systems?  

After a user receives the Symantec Auto-protect message (like the one in the initial post),  I do the following three things (in this order):

1.  Run the Symantec FixDownadupTool - it finds nothing
2.  Run a Symantec Virus scan - it also finds nothing
3.  Find the exact location of the .jpg, .bmp, or gif file and manually delete it (The fact that I can do this tells me that another process doesn't have it locked, right?)

* All of these steps are performed under an administrator account, with a normal boot (no safe mode), and System Restore is NOT disabled.

As soon as the worm attempts to propagate itself again over the network, the users will receive the same auto-protect message from Symantec and a new picture file will be created again.  Then, I have to find the time to repeat the above three steps.  It is a vicious cycle and I need to find a way out of it.  I really want to find the source of the spreading of the worm so I can nip it there.  

Right now, things are pretty calm.  Users aren't receiving the auto-protect message and most of the computers are acting almost normal - at least enough so that they can get their work done.  No domain users accounts are being locked out, but things will NOT stay this way for long....this worm seems to come in sweeps.  

My biggest question/concern now is this....if I take the suggested steps from above, what will keep the worm from spreading back to a computer once I clean it up?  The computers with XP SP3 are already patched, right?  But users will still get the auto-protect message and it then creates that file that it can't delete.  What keeps the worm from re-infecting as soon as I clean up a computer?
 
LVL 13

Expert Comment

by:notacomputergeek
ID: 24423673
I would recommend disabling System Restore and performing the 3 steps in Safe Mode. I know you've run the tool to remove it, but have you followed the manual removal instructions on the Symantec page to see if the registry settings, etc. are actually getting done? Reboot and see if the changes stick.
 
LVL 15

Expert Comment

by:xmachine
ID: 24448363
1) Make sure that all machines are up-to-date with the latest definitions. Any AV product without the latest signatures will not work as expected.  

2) When you said that users are still receiving Auto-Protect messages, this means that they are being attacked by another machine(s) in the network.

3) Enable "Threat Tracer" to detect the source of infection. Follow these steps:

A) In the Symantec System Center console, right-click the server group that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.

B) In the Auto-Protect Advanced Options dialog box, verify that the options under Threat Tracer are checked.

C) Click Ok

4) Run Windows Patch (MS08-067) + Symantec FixDownadup tool on those infected machines that were discovered by the "Threat Tracer"
 

Author Comment

by:AAIAdmin
ID: 24450655
xmachine,

Thanks for the tip on 'Risk Tracer'!

I double-checked the settings like you instructed and it turns out that all of the options for Risk Tracer were already enabled.  How do I view the results of the trace?  Is there a log file on the server or client that gives me the source IP of the attack?  Once I figure out which machine is generating the attacks then I can run the previously mentioned steps to get rid of the threat.
 
LVL 13

Expert Comment

by:notacomputergeek
ID: 24453276
Have you tried contacting Microsoft as suggested above? They have a tool called WOLF (Windows Online Forensics) tool that will collect some data on the infected computer. You then upload a cab file for them to analyze.
 
LVL 15

Expert Comment

by:xmachine
ID: 24454503
 
LVL 15

Expert Comment

by:xmachine
ID: 24465290
Hi,

Would you please update the status of your problem ?
 

Author Comment

by:AAIAdmin
ID: 24466612
I checked the Risk History logs and found that they all said localhost as the source computer.  This is true for multiple computers I checked.  I thought I was going to find a computer on the network that was spreading this worm?  I don't get it...

I'm still working really hard to grasp/comprehend/understand how these computers were infected by this worm in the first place and how it keeps propagating itself if it isn't spreading from computer to computer.  If the threat is coming from the 'localhost' then how do I stop it from coming back once I perform all these steps you guys have previously instructed?  These computers were fine until this worm first got on our network somehow and started spreading itself.  Who's to say once I go around to all these machines and clean 'em up right it just won't happen again just like it did in the beginning when the worm first started spreading over the network?

This is where I stand right now.  I feel very comfortable with the tools and suggestions you have provided me in regards to removing the worm from these computers.  Is it a lot of work?...YES, but that is fine with me if it gets rid of this thing forever.  However, I'm still trying to understand the bigger picture on this thing, as you can tell by my questions.  I will award partial credit to each of you for your efforts.  Please feel free to comment more on this question and maybe I can eventually understand it all better!

Thanks again for your help!  I do love this website!
 

Side note:  How do I export the Risk History log for all computers managed by the Symantec Server?
Risk-Log.xls
 
LVL 13

Expert Comment

by:notacomputergeek
ID: 24502983
I understand your concern and frustration - it's a battle every day to stay uninfected. As you may understand, new viruses are created constantly and anti-virus companies may not have a solution for one until they capture it, analyze it, and update their software. So, A-V companies are usually always one step behind. Today, many of the threats are actually malware, spyware, etc. Years ago, leaving a floppy disk in the drive and rebooting is how many viruses were transferred to a computer. Nowadays, there are many more threats - mainly e-mail and visiting infected websites. Do the best you can to prevent it, but have proper tools handy to fight it. Here are a few suggestions for being proactive:

1) Keep your OS and applications up to date (for MS, I like to use WSUS unless you have a bigger budget). This program is handy for identifying which programs need updating on your desktop ( http://secunia.com/vulnerability_scanning/personal/ ).
2) Install and keep up to date with an A-V product. One that updates data files every hour is best - not once a day or more. If you're using Exchange, there are also A-V products specifically for it.
3) Install and use a product to defend against malware, spyware, etc. This can be the same as the A-V product. Unlike A-V, you can run several of these at once if you like.
4) I like to turn off the autorun feature in Windows to stop the virus from spreading easily over the LAN.
5) Use a more expensive internet firewall (Sonicwall, Juniper, Cisco, etc.) that can eliminate many threats before they even get to your server or desktops.
6) Incorporate a list of known bad websites, so users don't accidentally go there. This can be done with item #5 or something like http://www.mvps.org/winhelp2002/hosts.htm or opendns.org.
7) Educate your users about safe computing and potential threats. This is a big one.
8) Incorporate Internet and Computer Usage policies.

Hope this helps.