Conficker.B cleaning issues on network

So someone on my network managed to get Conficker.B the other day and it is spreading to other computers on a relatively small network.  

From everything I have read, the way to deal with it manually is to remove the virus, then install an MS patch.

AVG 9 is the network AV and it finds the virus, but doesn't clean it well. I instead use D.exe from Symantec or dcleaner from BitDefender to clean off the virus. I reboot and then install the patch from http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx and reboot again.

In theory, that patch is supposed to prevent reinfection, but even machines fully updated with MS updates and that patch specifically installed are getting reinfected.  

If it was just a machine or two, I'd image them, but it's servers as well and I would prefer to just eradicate the virus than flatten 3 or 4 servers and rebuild.  All the servers affected are Windows 2003 sp2 or Windows 2003 R2 sp2.  All machines are XP sp3 except my own.

My machine is Vista sp2 and I am actually running MSE instead of AVG to test it out.  It actually does a much better job, but what concerns me is that on the bulletin posted above for the patch, there is none at all for Vista sp2, only Vista sp1.  My computer is routinely seeing attempts every few hours to reinstall the virus, although MSE catches the threat and immediately cleans it.  

I guess what I'm looking for here is help to find a way to prevent reinfection as well as track down the source itself.

As far as servers, I am identifying them by checking the event log on the DC and finding servers that are hammering the user accounts with dictionary attacks, locking out accounts, which is really annoying.

Anyone have any ideas? Just to add, AVG identifies it as Downadup, MSE as Conficker.B, which I believe is the same thing.
Asked by Telstar-Networks
Kevin_Leadbeater commented:
It seems most likely that an infected machine is trying to copy files to the hard disk of your server using an authenticated account. This doesn't necessarily need to be an admin account; any account that could access a share will do.

This likely indicates a password issue. Is the server a member server connected to a domain? Then short of changing the password of every account in the whole domain, you need to try and identify where the infection is coming from.

If there are just local accounts, then change the password of each of them.

To identify which machines and users are connected, first look in Computer Management > Shared Folders > Sessions. If there is something there, great.

Otherwise, try enabling auditing on any shared volumes (such as a file server); this will give you a lot of log information to search through, but you should see what / who is attempting to write to your disk.

Also you could try downloading Process Monitor from Sysinternals:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

It will show you, in real time, the processes writing to disk.
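The asker is already doing the right thing by reading the domain controller's Security log for the hosts that are hammering accounts, and the answer above suggests auditing on the file servers. The script below is an added example (not from this thread or from any of the tools named in it) of turning such a log export into a ranked list of likely infection sources. It assumes the Security log has been exported as CSV with the constructed column layout shown in the sample, and it uses the pre-Vista event IDs 529 (logon failure, bad user name or password), 539 (logon failure, account locked out) and 644 (user account locked out); a real export will need the column names adjusted.

```python
"""
Rank hosts by failed-logon volume in a domain controller Security log export,
to spot machines running a dictionary attack against domain accounts.

Added example; not part of the original thread. Assumes a CSV export with
the columns date,time,event_id,user,workstation (constructed layout).
For event 644 the "workstation" column stands in for the caller machine
name, i.e. the host from which the lockout originated.
"""
import csv
import io
from collections import Counter, defaultdict

# Windows 2003 / XP (pre-Vista) Security log event IDs.
FAILED_LOGON = {529, 539}   # bad password, or attempt against a locked account
LOCKOUT = 644               # account locked out by the DC

# Constructed sample: a few rows mimicking a CSV export of the DC Security log.
SAMPLE_CSV = """\
date,time,event_id,user,workstation
2009-05-12,08:01:10,529,jsmith,FILESRV01
2009-05-12,08:01:11,529,jsmith,FILESRV01
2009-05-12,08:01:12,529,jsmith,FILESRV01
2009-05-12,08:01:13,529,jsmith,FILESRV01
2009-05-12,08:01:14,529,jsmith,FILESRV01
2009-05-12,08:01:15,644,jsmith,FILESRV01
2009-05-12,08:01:16,539,jsmith,FILESRV01
2009-05-12,08:02:00,529,mjones,WS-ACCT07
2009-05-12,08:02:01,529,mjones,WS-ACCT07
2009-05-12,08:02:03,529,mjones,WS-ACCT07
2009-05-12,08:03:30,529,admin,WS-ACCT07
2009-05-12,08:03:32,644,mjones,WS-ACCT07
2009-05-12,08:10:00,529,bwhite,WS-HR02
"""


def parse_events(text):
    """Yield (event_id, user, workstation) tuples from the CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        yield int(row["event_id"]), row["user"].strip(), row["workstation"].strip().upper()


def rank_sources(text, threshold=3):
    """
    Return (ranked, lockouts).

    ranked:   list of dicts, one per workstation with at least `threshold`
              failed logons, sorted by failure count (highest first). A host
              failing against several distinct users is the classic worm
              signature, so the distinct-user count is included.
    lockouts: mapping of locked-out user -> sorted list of hosts that caused
              the lockout, which points straight at the infected machine.
    """
    failures = Counter()
    users = defaultdict(set)
    lockouts = defaultdict(set)
    for event_id, user, host in parse_events(text):
        if event_id in FAILED_LOGON:
            failures[host] += 1
            users[host].add(user)
        elif event_id == LOCKOUT:
            lockouts[user].add(host)
    ranked = [
        {"host": host, "failures": count,
         "distinct_users": len(users[host]), "users": sorted(users[host])}
        for host, count in failures.most_common()
        if count >= threshold
    ]
    return ranked, {user: sorted(hosts) for user, hosts in lockouts.items()}


if __name__ == "__main__":
    ranked, lockouts = rank_sources(SAMPLE_CSV)
    print("Hosts generating failed logons (candidate infection sources):")
    for entry in ranked:
        print(f"  {entry['host']:<12} failures={entry['failures']:<3} "
              f"distinct users={entry['distinct_users']} {entry['users']}")
    print("Lockouts by caller machine:")
    for user, hosts in lockouts.items():
        print(f"  {user:<10} locked out from {', '.join(hosts)}")
```

Once a host tops this list, the Sessions view and auditing described above confirm what it is writing to the share; the host itself is the one to isolate, clean and patch before the remaining passwords are changed, otherwise the new passwords are attacked as soon as they are set.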
Kevin_Leadbeater commented:
Conficker can also spread using network shares. If a patched machine (that has been rebooted) is getting infected again, then it sounds very likely that the infection is spreading using a network share with a username and password that the virus has managed to obtain from a dictionary attack of the infected workstation. I'm guessing that you have a shared administrator account on each of the infected machines, and that it also has a weak password.

To stop the virus spreading using network shares you'll need to change the passwords of every account, both domain and local user accounts.

There are several ways to identify which workstations are infected:
http://nmap.org/nsedoc/scripts/smb-check-vulns.html
http://www.eeye.com/Downloads/Security-Tools/Conficker-Worm-Scanning-Utility.aspx
http://www.mcafee.com/us/enterprise/confickertest.html
Telstar-Networks (author) commented:
I apologize for the delay; it took some time to run through the network and verify what did and did not work. I now have the majority clean, but I seem to have 3 servers that just continue to get reinfected, despite having all the latest updates and a manual install of the hotfix from 08-067, and both local and domain admin account password changes. Any further ideas how they may be getting reinfected?