Avatar of Atradius


Remove Conficker / Kido virus from 2 Domain controllers

I have a Windows network with 2 domain controllers (both Win Server 2003), 100 workstations.
We are using VIPRE antivirus.
About a month ago or so, a warning came up that the Conficker (Kido) virus had infected some computers. It was 50 computers at that time.
All computers are patched with the MS RPC vulnerability patch, and all workstations except 5 are running Windows XP SP3.
I implemented the group policy Microsoft recommends to stop Conficker from spreading. After this the Conficker warning dropped to zero. However, it came back on about 5 computers.

The 2 domain controllers have this virus. I tried everything to get rid of it and every tool I use says that it is removed, but it comes back a few hours later.
I tried:
Vipre Antivirus
Panda Antivirus
Kaspersky Kido removal tool kk.exe
Symantec Kido removal tool d.exe
They all say they removed it. Sometimes it finds threads and processes actively running Conficker things (spliced functions); sometimes it only finds some obscure file in the Windows\System32 folder. It then says "cured", but a few hours later I find it either active again or that obscure file again.

The 2 DCs are patched to present time with Windows updates.

Now dcdiag.exe on the two domain controllers claims that there are replication problems between the two DCs, there are DNS problems with the host ID not found in DNS, it says that one of the DCs cannot respond to RPC Bind.
Some workstation users now cannot log on to their computers, some have their Outlook e-mail not connecting to the Exchange server, and some cannot access shared folders (which are on the two domain controllers).
Sometimes it works to have the workstation user change the password, then reboot his computer. Sometimes this does not help.

I need a definite and final procedure to get Conficker out of my network once and for all.
Isn't there any tool which can actually handle and remove Conficker for real?

Conficker spreads across the network, so what do I need to do to prevent that?
My admin (domain admin) passwords should be complex enough (20 char, with upper/lower case letters and numbers), and each local admin password has the same complexity
(Actually each local admin password on every workstation is the same password as the domain admin password - is that a problem?)
Avatar of Anglo
was what I found good to remove it, but best run it with the network disconnected, as I found reinfection was quicker than the time it took me to browse and download the KB to stop it happening.
Avatar of splait
Avatar of Imal Upalakshitha
OS patch is not enough. I also have faced the same symptom.
I don't know about VIPRE antivirus. We installed Kaspersky for servers & workstations after removing Kido.
It never came again.

You should also use a malware removal tool such as Spybot or Malwarebytes. Did you remove your restore points
before you cleaned the system? Here is a link from Experts Exchange listing the how-to.
Avatar of Atradius


Thanks for the tips.
I did change the password as splait suggested.
Meanwhile I managed to seemingly evict Conficker by using the BitDefender "bdtools" deployment tool. At least I have no more Conficker warning since I used that tool.
One point of my question was to ensure it does not come back. I could try using Kaspersky as one poster suggests but is there any certainty in that?
There are NO certainties in any remedy or barrier.

Kaspersky is an excellent product, as are Vipre, ESET, Norton, McAfee, and many others.  You will find that each consultant/user has their own favorite/bias.  Mine is for ESET and against Norton and McAfee. Just make sure you only select ONE product.  Multiple security solutions of the same nature can and will conflict with each other, causing slowness on your systems.
At present I think all antivirus software can detect it; it would appear your antivirus software is not working properly. Kaspersky detects Kido from its Anti-Hacker part when it attacks across the network in the workstation version. The server version has no firewall setting; however, it can stop it.
I don't know about other countries; I am Sri Lankan, and it is the best in our country.
jwgkvsq.vmx: add this file's hash to the software restriction policy. If the autorun.inf file calls to execute this code, it will definitely be blocked.
Kido adds a randomly named .dll file to system32. This dll's hash must be the same, I think. If you can find it, add it also to the software restriction policy. See what happens....
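A defender-side check for the autorun.inf and hash-rule mitigation described in the reply above, added here as an example and not part of any poster's reply: it parses an autorun.inf from a removable drive root, reports executable keys that reference jwgkvsq.vmx, resolves the referenced file and hashes it so the digest can be entered into a Software Restriction Policy hash rule. The sample autorun.inf is constructed, and the RECYCLER path and the Entry export name in it are assumptions, not details from the thread.

```python
import hashlib
import re
from pathlib import Path

# File name the thread says the autorun.inf on removable media calls.
# (The System32 .dll is randomly named, so it cannot be matched by name here.)
DROPPER_NAME = "jwgkvsq.vmx"
# autorun.inf keys that make Windows execute or load the referenced file
EXEC_KEYS = ("open", "shellexecute", "icon")
_KV = re.compile(r"^\s*(?P<key>[a-z\\]+)\s*=\s*(?P<val>.+?)\s*$", re.I)

# Constructed sample, not a real capture: a padding line that is not
# key=value plus one executable key; the RECYCLER path and ",Entry" are assumed.
SAMPLE_AUTORUN_INF = (
    "[autorun]\r\n"
    ";Xs9lk2jdh padding line that is not key=value\r\n"
    "shellexecute=rundll32.exe .\\RECYCLER\\jwgkvsq.vmx,Entry\r\n"
    "icon=%systemroot%\\system32\\shell32.dll,4\r\n"
)

def find_autorun_references(text):
    """Return (key, value) pairs whose executable key references the dropper;
    lines that are not key=value (padding, comments, sections) are skipped."""
    hits = []
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group("key").lower().startswith(EXEC_KEYS) \
                and DROPPER_NAME in m.group("val").lower():
            hits.append((m.group("key").lower(), m.group("val")))
    return hits

def file_hashes(path):
    """MD5, SHA-1 and SHA-256 of a file; use the one your SRP hash-rule dialog accepts."""
    data = Path(path).read_bytes()
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def scan_removable_root(root):
    """Parse <root>/autorun.inf, resolve the referenced dropper and hash it.
    Returns None when no executable key references the dropper."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return None
    refs = find_autorun_references(inf.read_text(errors="ignore"))
    if not refs:
        return None
    # take the path fragment ending in the dropper name from the first hit
    frag = re.search(r"\S*" + re.escape(DROPPER_NAME), refs[0][1], re.I).group(0)
    target = root / frag.replace("\\", "/").lstrip("./")
    return {"references": refs, "path": str(target),
            "hashes": file_hashes(target) if target.is_file() else None}
```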
It seems that after I changed the domain admin AD password, Kido did not come back, and I subsequently had the time to get it back to a working state since I did not have to fight more Kido instances.