w32/conficker.b Issue

All.

Having a heck of a time with a w32/conficker infection. Seems a user brought a hard drive in and hooked it up without asking or checking; now we have this.

I have secured the network and users and isolated 2 machines that I'm having the issues with. We run CA's ITM network antivirus for these machines. It's catching the infection and telling me it's from

"User: System. Status: File was cured; system cure performed." Now the user account "system": can I change that password, will that stop it? I cleaned the machine and it keeps coming back; all updates are installed and it's on an older w2k server.
BMI-IT asked:
Michael Knight commented:
I know conficker can be 'elusive' but removal isn't really that tough.

First make sure you're patched against the vulnerability that allows Conficker to run:
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Now grab a few utilities and put them on a pen drive so they don't get corrupted.
1. Conficker Removal Tool: http://download.cnet.com/Conficker-Removal-Tool/3000-2239_4-10911447.html 
2. Grab RKILL: http://www.bleepingcomputer.com/forums/topic308364.html 
3. Grab the SAS Portable Scanner: http://www.superantispyware.com/portablescanner.html

Now.

1. Boot up in safe mode (no networking), log in as an administrative user.
2. Open the removal tool, but don't click 'Start' just yet.
3. Open Super Anti Spyware, but don't start the scan.
4. Run RKill, screen will flicker, and the explorer process will be killed.
5. Alt-TAB or Task Manager to switch to the removal tool. Click start. Don't reboot when done.
6. When that's done, run SAS. Now reboot into safe mode (with networking).
7. Run Trend's Cleanup engine: http://www.trendmicro.com/download/dcs.asp

Now you can run your AV of choice with a full scan just to make sure you're clean.

Let me know how it goes.


harryhelp commented:
Are you able to re-install Windows on the affected machines? Would seem the best solution as there doesn't seem to be a way to be 100% clean from this virus, and there'll be a chance that it will come back and infect other computers.

Russell_Venable commented:
I would suggest you read this article as it explains how it propagates and what you can do to fix/prevent further infections. I would also suggest you disable autorun for external drives such as USB, etc. It just causes too much pain for the users and IT staff.

Without further ado: http://support.microsoft.com/kb/962007

BMI-IT (Author) commented:
Thank you guys, I'll try the steps. It's not feasible to wipe the machines just yet.

Aaron Tomosky commented:
Even better than a flash drive is to burn the tools to a CD. That way they can't get corrupted.

BMI-IT (Author) commented:
Just an update: after checking the CA alerts it seems to have taken a user's account. Should I disable that account until this is clean? And with it telling me the original "User: System", is there anything I can do with the system account?

harryhelp commented:
Not really, SYSTEM runs services and programs that are meant to run at startup.

I'd suggest disabling their account and giving them a new profile altogether if at all possible.

Aaron Tomosky commented:
Step by step and things not to do direct from Microsoft:
http://support.microsoft.com/kb/962007

Russell_Venable commented:
Yes, definitely redo that account. That is too much power for one account. Look at 'SYSTEM' as a superuser account that cannot be signed into. If you have the GPO in place you can lock down your server so it can't spread further; also, if you stopped the at.exe service, renaming that executable is a good thing too, and when you are done just rename it back and start the schedule service again. Be sure to have a board meeting, conference, or class to teach the employees best practices for Internet security so they will not do this again and will know better for the future to come. Patches are a must for this w2k system. When one of the systems gets infected, separate it from the rest of your network by taking it offline and raise your security level. With this newer malware it is not safe to go into safe mode, especially as administrator. You will be elevating the powers of the worm in the process, which makes things more difficult. It will be able to make new accounts and then try spreading via the admin$ share.
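Russell_Venable's posts above and the KB 962007 article they point to come down to two host-level containment steps once a machine is off the network: disable Autorun so a plugged-in drive cannot launch the worm again, and stop the Task Scheduler service the worm uses (through at.exe jobs) to re-launch itself after a cleanup. The batch script below is an added example, not code from this thread or from Microsoft's article; it assumes reg.exe and sc.exe are available (built into XP and later; on a Windows 2000 server they come with the Support Tools / Resource Kit), that the Task Scheduler service is registered under its standard service name Schedule, and that the standard NoDriveTypeAutoRun policy value is honoured.

```batch
@echo off
REM Added example (not from the thread or KB 962007): apply two containment
REM steps on one isolated host. Assumes reg.exe and sc.exe are present.
REM Run from an administrative command prompt.

REM 1. Disable Autorun for every drive type. 0xFF sets all drive-type bits,
REM    so an autorun.inf on a plugged-in drive is never executed.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ^
    /v NoDriveTypeAutoRun /t REG_DWORD /d 0xFF /f

REM 2. Stop and disable the Task Scheduler service (service name "Schedule"),
REM    which the worm abuses via at.exe jobs to start itself again.
sc stop Schedule
sc config Schedule start= disabled

REM 3. Show the resulting state so it can be recorded before moving on.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ^
    /v NoDriveTypeAutoRun
sc query Schedule
```

Record the `reg query` and `sc query` output for each machine you treat. The GPO route the author ends up using does the same thing domain-wide; once the machines are confirmed clean, re-enable the scheduler with `sc config Schedule start= auto` and start it again, as Russell_Venable notes.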

Russell_Venable commented:
You can also check your machines using this site to detect if you're infected: http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/

BMI-IT (Author) commented:
Well after working over the weekend we isolated the infection and cleaned the systems. I used the GPO mentioned by MS for securing the scheduler as noted in http://support.microsoft.com/kb/962007 and a few applications mentioned here.

Thank you

harryhelp commented:
Good to know that you got it working!

Russell_Venable commented:
Good news to hear! Hope it stays that way.