Domain user accounts lock out

Check this question for quick removal instructions for Conficker/Downadup:
https://www.experts-exchange.com/questions/24407560/Server-2003-standard-sp2-can-not-connect-to-microsoft-websites-or-antivirus-sites.html

This happened to us, conficker was hammering our shares trying to logon with its password dictionary, we've had great luck with the conficker removal tool from symantec http://www.symantec.com/norton/security_response/writeup.jsp?docid=2009-011316-0247-99 , we used trend micro and it still got thru and couldnt remove it via that.

I would advise trying to locate the source machine and taking it off your network. The AV console is your best bet if you have one , but install the latest microsoft malitious software removal tool on all your clients to minimise the impact

also , create a few domain admin accounts  ,brand new ones , the virus scans for reguarlly used usernames and if you get locked out depending on your default domain policy you are not gonna get anywhere fast. These will give you a way in should you get completely locked out.

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Use ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.

You should get an IP of the client from the security logs on the DC.

Hi,

This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE 

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe 

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe 

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu 

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

so, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contains one name/ip per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IP's and save the results as a text file (http://www.softperfect.com/products/networkscanner/)

Another important points:

1) Review the current Passwords policy, you can configure a Windows GPO that will require a complex password, with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/), and scan all machines using this plugin ID (34476) to check if they have MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this just an example)



Important Note: Please check the batch file before you run it on "Production Servers", becuase it will disable some features in Windows to prevent Conficker infection.


A Symantec Certified Specialist @ your service

@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All 
ECHO.                                Multi OS W32.Downadup Cleaner v2.0
ECHO. ***********************************************************************************************
 
 
ver | find "2003" > nul
if %ERRORLEVEL% == 0 goto ver_2003
 
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
 
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
 
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp0
 
ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp1
 
 
goto exit
 
:ver_2003
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "Windows Automatic Update Service"
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
REM echo Removing all AT created scheduled tasks ...
REM AT /Delete /Yes
REM echo Stopping & Disabling Schedule service...
REM sc.exe stop schedule
REM sc.exe config schedule start= disabled
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_xp
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "Windows Automatic Update Service"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping & Disabling Schedule service...
sc.exe stop schedule
sc.exe config schedule start= disabled
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_2000
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "Windows Automatic Update Service"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_vista-sp0
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "wuauserv"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping & Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...  
shutdown /r /f /c "Rebooting system"
goto exit
 
:ver_vista-sp1
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "Windows Automatic Update Service"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping & Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...  
shutdown /r /f /c "Rebooting system"
goto exit
 
:exit

Select allOpen in new window

Any update on the status?