Telstar-Networks

asked on

Conficker.B cleaning issues on network

So someone on my network managed to get Conficker.B the other day and it is spreading to other computers on a relatively small network.  

From everything I have read, the way to deal with it manually is to remove the virus, then install an MS patch.

AVG 9 is the network av and it finds the virus, but doesn't clean it well.  I instead use D.exe from Symantec or dcleaner from BitDefender to clean off the virus.  I reboot and then install the patch from http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx and reboot again.  

In theory, that patch is supposed to prevent reinfection, but even machines fully updated with MS updates and that patch specifically installed are getting reinfected.  

If it was just a machine or two, I'd image them, but it's servers as well and I would prefer to just eradicate the virus than flatten 3 or 4 servers and rebuild.  All the servers affected are Windows 2003 sp2 or Windows 2003 R2 sp2.  All machines are XP sp3 except my own.

My machine is Vista sp2 and I am actually running MSE instead of AVG to test it out.  It actually does a much better job, but what concerns me is that on the bulletin posted above for the patch, there is none at all for Vista sp2, only Vista sp1.  My computer is routinely seeing attempts every few hours to reinstall the virus, although MSE catches the threat and immediately cleans it.  

I guess what I'm looking for here is help to find a way to prevent reinfection as well as track down the source itself.

As far as servers, I am identifying them by checking the event log on the DC and finding servers that are hammering the user accounts with dictionary attacks, locking out accounts, which is really annoying.

Anyone have any ideas?  Just to add, AVG identifies it as Downadup, MSE as Conficker.B, which I believe is the same thing.
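The DC event-log triage the asker describes (finding which machines are locking out many accounts) can be automated; the script below is an added example, not from the original thread, and assumes the security log has been exported to CSV with the columns time, event_id, target_account and caller_computer. It uses a constructed sample export, not real log data.

```python
"""Rank machines by how many distinct accounts they have locked out.
A single host locking out many different users is the signature of a
password-guessing worm like Conficker, not a user mistyping a password.

Assumption (not from the thread): the DC security log was exported to CSV
with columns time, event_id, target_account, caller_computer. Event ID 644
is "User Account Locked Out" on Windows 2003; 4740 is the same event on
Windows 2008 and later."""
import csv
import io
from collections import defaultdict

LOCKOUT_EVENT_IDS = {"644", "4740"}

# Constructed sample export; not real data. Event 529 (logon failure) is
# included to show that non-lockout events are ignored.
SAMPLE_EXPORT = """time,event_id,target_account,caller_computer
2009-11-02 08:01:13,644,jsmith,SRV-FILE01
2009-11-02 08:01:15,644,mjones,SRV-FILE01
2009-11-02 08:01:18,644,administrator,SRV-FILE01
2009-11-02 08:02:40,644,jsmith,SRV-PRINT02
2009-11-02 08:02:44,644,bwhite,SRV-FILE01
2009-11-02 08:03:01,644,rgreen,SRV-FILE01
2009-11-02 08:05:22,644,tbrown,WS-RECEPTION
2009-11-02 08:06:00,529,tbrown,WS-RECEPTION
2009-11-02 08:07:10,644,bwhite,SRV-PRINT02
2009-11-02 08:07:12,644,mjones,SRV-PRINT02
"""


def lockouts_by_caller(export_text):
    """Return {caller_computer: set(locked-out accounts)} for lockout events only."""
    accounts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] in LOCKOUT_EVENT_IDS:
            accounts[row["caller_computer"].upper()].add(row["target_account"].lower())
    return accounts


def suspect_hosts(export_text, min_accounts=3):
    """Callers that locked out at least min_accounts distinct accounts, sorted by name."""
    return sorted(
        (host, len(accts))
        for host, accts in lockouts_by_caller(export_text).items()
        if len(accts) >= min_accounts
    )


if __name__ == "__main__":
    for host, n in suspect_hosts(SAMPLE_EXPORT):
        print(f"{host}: locked out {n} distinct accounts - check for Conficker")
```

Hosts that appear here are the ones to isolate from the network and clean first, since they are the source of the lockouts rather than victims of them.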
Kevin_Leadbeater

Conficker can also spread using network shares. If a patched machine (that has been rebooted) is getting infected again, then it sounds very likely that the infection is spreading using a network share with a username and password that the virus has managed to obtain from a dictionary attack of the infected workstation. I'm guessing that you have a shared administrator account on each of the infected machines, and it also has a weak password.

To stop the virus spreading using network shares you'll need to change passwords, both domain and local user accounts - of every account.

There are several ways to identify which workstations are infected:
http://nmap.org/nsedoc/scripts/smb-check-vulns.html
http://www.eeye.com/Downloads/Security-Tools/Conficker-Worm-Scanning-Utility.aspx
http://www.mcafee.com/us/enterprise/confickertest.html

ASKER

I apologize for the delay, it took some time to run through the network and verify what did and did not work. I now have the majority clean, but I seem to have 3 servers that just continue to get reinfected, despite having all the latest updates, a manual install of the hotfix from 08-067, and password changes on both local and domain admin accounts. Any further ideas how they may be getting reinfected?
ASKER CERTIFIED SOLUTION
Kevin_Leadbeater
