w32/conficker.b Issue

All.

Having a heck of a time with a w32/conficker infection. Seems a user brought a hard drive in and hooked it up without asking or checking; now we have this.

I have secured the network and users and isolated 2 machines that I'm having the issues with. We run CA's ITM network antivirus for these machines. It's catching the infection and telling me it's from

"User: System. Status: File was cured; system cure performed." Now, the user account "system": can I change that password? Will that stop it? I cleaned the machine and it keeps coming back; all updates are installed and it's on an older W2K server.
BMI-IT asked:

Michael Knight commented:
I know Conficker can be 'elusive', but removal isn't really that tough.

First make sure you're patched against the vulnerability that allows Conficker to run:
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Now grab a few utilities and put 'em on a pen drive so they don't get corrupted.
1. Conficker Removal Tool: http://download.cnet.com/Conficker-Removal-Tool/3000-2239_4-10911447.html 
2. Grab RKILL: http://www.bleepingcomputer.com/forums/topic308364.html 
3. Grab the SAS Portable Scanner: http://www.superantispyware.com/portablescanner.html

Now.

1. Boot up in safe mode (no networking). Log in as an administrative user.
2. Open the removal tool, but don't click 'Start' just yet.
3. Open Super Anti Spyware, but don't start the scan.
4. Run RKill, screen will flicker, and the explorer process will be killed.
5. Alt-TAB or Task Manager to switch to the removal tool. Click start. Don't reboot when done.
6. When that's done, run SAS. Now reboot into safe mode (with networking).
7. Run Trend's Cleanup engine: http://www.trendmicro.com/download/dcs.asp

Now you can run your AV of choice with a full scan just to make sure you're clean.

Let me know how it goes.

0

harryhelp commented:
Are you able to re-install Windows on the affected machines? Would seem the best solution as there doesn't seem to be a way to be 100% clean from this virus, and there'll be a chance that it will come back and infect other computers.
0
Russell_Venable commented:
I would suggest you read this article, as it explains how it propagates and what you can do to fix/prevent further infections. I would also suggest you disable autorun for external drives such as USB etc. It just causes too much pain for the users and IT staff.

Without further ado: http://support.microsoft.com/kb/962007
0

BMI-IT (Author) commented:
Thank you guys, I'll try the steps. It's not feasible to wipe the machines just yet.
0
Aaron Tomosky (SD-WAN Simplified) commented:
Even better than a flash drive is to burn the tools to a CD. That way they can't get corrupted.
0
BMI-IT (Author) commented:
Just an update: after checking the CA alerts it seems to have taken a user's account. Should I disable that account until this is clean? And with it telling me the original "User: System", is there anything I can do with the system account?
0
harryhelp commented:
Not really, SYSTEM runs services and programs that are meant to run at startup.

I'd suggest disabling their account and giving them a new profile altogether if at all possible.
0
Aaron Tomosky (SD-WAN Simplified) commented:
Step by step and things not to do direct from Microsoft:
http://support.microsoft.com/kb/962007
0
Russell_Venable commented:
Yes, definitely redo that account. That is too much power for one account. Look at 'SYSTEM' as a superuser account that cannot be signed into. If you have the GPO in place you can lock down your server so it can't spread further; also, if you stopped the at.exe service, renaming that executable is a good thing too, and when you are done just rename it back and start the Schedule service again. Be sure to have a board meeting, conference or class to teach the employees best practices for Internet security so they will not do this again and will know better for the future to come. Patches are a must for this W2K system. When one of the systems gets infected, separate it from the rest of your network by taking it offline and raise your security level. With this newer malware it is not safe to go into safe mode, especially as administrator. You will be elevating the powers of the worm in the process, which makes things more difficult. It will be able to make new accounts and then try spreading via the admin$ share.
0
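The hardening the thread keeps pointing at (KB962007's autorun and Task Scheduler lockdown, the MS08-067 patch, and at.exe jobs as the worm's persistence) can be audited read-only from PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes the MS08-067 hotfix ID is KB958644 and that it runs elevated on a host with PowerShell (not the W2K box itself, which predates PowerShell).

```powershell
# Added audit example: read-only checks for the Conficker mitigations
# described in KB962007. Run from an elevated PowerShell prompt.
# Assumption: the MS08-067 security update is hotfix KB958644.

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun = 0xFF disables Autorun for every drive type,
    # closing the removable-drive infection path the thread describes.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoDriveTypeAutoRun -eq 0xFF)
}

function Test-SchedulerLockedDown {
    # KB962007 recommends stopping and disabling the Task Scheduler service
    # ('Schedule'), which the worm abuses via at.exe jobs to relaunch itself.
    $svc = Get-Service -Name Schedule -ErrorAction SilentlyContinue
    if (-not $svc) { return $false }
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='Schedule'").StartMode
    return ($svc.Status -eq 'Stopped' -and $startMode -eq 'Disabled')
}

function Test-Ms08067Patched {
    # Hotfix ID is an assumption (KB958644); adjust for the OS being audited.
    $hotfix = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-PendingAtJobs {
    # Any queued at.exe job on a host under investigation deserves a look;
    # 'at' prints "There are no entries in the list." when the queue is empty.
    $out = & at.exe 2>&1 | Out-String
    if ($out -match 'no entries') { return @() }
    return ($out -split "`r?`n" | Where-Object { $_ -match '^\s*\d+' })
}

$report = [ordered]@{
    'Autorun disabled (NoDriveTypeAutoRun=0xFF)' = Test-AutorunDisabled
    'Task Scheduler stopped and disabled'        = Test-SchedulerLockedDown
    'MS08-067 update (assumed KB958644) present' = Test-Ms08067Patched
    'No pending at.exe jobs'                     = ((Get-PendingAtJobs).Count -eq 0)
}
$report.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'REVIEW' })
}
```

A 'REVIEW' row is a prompt to check that setting against the KB article, not proof of infection; the at.exe listing in particular should be read alongside the AV alerts before anything is deleted.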
Russell_Venable commented:
You can also check your machines using this site to detect if you're infected: http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/
0
BMI-IT (Author) commented:
Well after working over the weekend we isolated the infection and cleaned the systems. I used the GPO mentioned by MS for securing the scheduler as noted in http://support.microsoft.com/kb/962007 and a few applications mentioned here.

Thank you
0
harryhelp commented:
Good to know that you got it working!
0
Russell_Venable commented:
Good news to hear! Hope it stays that way.
0