YellowbusTeam
asked on
How to remove the Conficker virus
Hi, I have a client that has the above virus on their system, but I am struggling to get it removed. So far I have the Conficker removal tool running in the login script and have disabled the Task Scheduler on the server.
The antivirus I am using, ESET NOD32, gets rid of the file the virus is trying to execute, but then it happens again about 40 minutes later.
Does anyone have any suggestions about how I should go about getting rid of this problem?
Many Thanks
Matt
That would be the suggested action (scanning while disconnected and in safe mode); the risk of downtime could be outweighed if you argue the risk of further infection.
If, once you have completed scanning and removal, you get reinfected, then you need to trace the source of the reinfection like I had to.
ASKER
Thanks for the advice. I think I am in the process of cracking it by disabling the Task Scheduler, changing all passwords, making sure the domain users don't have local admin rights and removing all surplus user accounts on all the machines. Using Wireshark I found a lot of network traffic that was in black and red going from the server to a certain PC, so I removed that PC from the network and updated and cleaned it etc., and I have not had any attacks in 13 hours; before it was every 40 minutes. And breathe.
Matt
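As an added illustration of the Wireshark step Matt describes (this is not part of the original thread, nor the tool or filter the asker used): Conficker spreads by exploiting the MS08-067 vulnerability in the Windows Server service over SMB on TCP port 445, so the host seeding reinfections shows up in a capture as one source opening connection attempts to many internal addresses on port 445. The script below ranks sources by the number of distinct hosts they SYN to on 445 in a tshark CSV export. The column names follow tshark's `-T fields -e ...` naming; the capture rows, hosts and timings are constructed sample data for this example.

```python
import csv
import io
from collections import defaultdict

SMB_PORT = "445"


def build_sample_export() -> str:
    """Constructed stand-in for a tshark CSV export, as produced by e.g.
        tshark -r capture.pcap -T fields -E header=y -E separator=, \
               -e frame.time_relative -e ip.src -e ip.dst \
               -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
    Every host and timestamp here is made up for the example."""
    header = "frame.time_relative,ip.src,ip.dst,tcp.dstport,tcp.flags.syn,tcp.flags.ack"
    rows = [
        # Normal SMB use: workstation 10.0.0.5 opens one session to file server 10.0.0.1.
        "0.001,10.0.0.5,10.0.0.1,445,1,0",
        "0.002,10.0.0.1,10.0.0.5,52100,1,1",
        "0.003,10.0.0.5,10.0.0.1,445,0,1",
        # A non-IP frame (ARP): tshark emits empty IP/TCP fields, which the parser must skip.
        "0.004,,,,,",
    ]
    # Worm-style sweep: 10.0.0.23 sends a SYN to port 445 on 40 different hosts in two seconds.
    rows += [f"{0.100 + i * 0.05:.3f},10.0.0.23,10.0.0.{100 + i},445,1,0" for i in range(40)]
    # Replies from the swept hosts carry ACK without SYN, so they never count as attempts.
    rows += [f"{0.101 + i * 0.05:.3f},10.0.0.{100 + i},10.0.0.23,49000,0,1" for i in range(40)]
    return "\n".join([header, *rows]) + "\n"


def _flag_set(value: str) -> bool:
    # Older tshark prints boolean fields as 1/0, newer releases as True/False.
    return value in ("1", "True")


def rank_smb_scanners(csv_text: str, min_targets: int = 10) -> list[dict]:
    """Return sources that sent an initial SYN (SYN set, ACK clear; the frames the
    Wireshark display filter `tcp.dstport == 445 && tcp.flags.syn == 1 &&
    tcp.flags.ack == 0` shows) to at least `min_targets` distinct hosts on
    TCP 445, busiest first."""
    targets = defaultdict(set)
    syns = defaultdict(int)
    first_seen, last_seen = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row["ip.src"], row["ip.dst"]
        if not src or not dst:
            continue  # non-IP frame
        if row["tcp.dstport"] != SMB_PORT:
            continue
        if not _flag_set(row["tcp.flags.syn"]) or _flag_set(row["tcp.flags.ack"]):
            continue  # only the first packet of each connection attempt
        t = float(row["frame.time_relative"])
        targets[src].add(dst)
        syns[src] += 1
        first_seen.setdefault(src, t)
        last_seen[src] = t

    report = []
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        span = max(last_seen[src] - first_seen[src], 1e-9)  # avoid divide-by-zero on one SYN
        report.append({
            "src": src,
            "distinct_targets": len(dsts),
            "syn_count": syns[src],
            "syns_per_second": round(syns[src] / span, 2),
        })
    # Many distinct targets (not just many packets) is what separates a sweep from a busy server.
    report.sort(key=lambda r: (r["distinct_targets"], r["syn_count"]), reverse=True)
    return report


if __name__ == "__main__":
    for entry in rank_smb_scanners(build_sample_export()):
        print(f"{entry['src']:15} targets={entry['distinct_targets']:3} "
              f"syns={entry['syn_count']:3} rate={entry['syns_per_second']}/s")
```

Ranking on distinct destinations rather than packet count matters here: the file server replying to every probe generates as many frames as the scanner, but only the infected host fans out to many addresses. Pull the host at the top of the list off the network first, as Matt did, before cleaning the rest.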
Hi Matt
Glad you are winning, shout if you need any further assistance!
ASKER
Thanks Moomin83 for your help. I am still going to do a safe mode virus scan and removal as well, just to eliminate all trace of it.
I suggest you boot from a rescue CD or flash drive. I like AVG's (easy to create and use), or you can create the SARDU (http://www.sarducd.it/downloads.html). You can also go to the vendor of your choice and do a search on rescue or repair disk and see if they have one of their own. SARDU allows you to create several repair options, but it takes a lot more work, so I suggest you start with a simple one-vendor rescue disk like AVG's:
http://www.avg.com/us-en/avg-rescue-cd
http://www.softpedia.com/get/Antivirus/Kaspersky-Rescue-Disk.shtml
Sorry, the last link was the wrong link:
http://support.kaspersky.com/viruses/rescuedisk
Here's a link for the vendor you use:
http://kb.eset.com/esetkb/index?page=content&id=SOLN2103
Glad you're getting there slowly...
Like I said, Wireshark is key with Conficker if you are getting reinfected, but it sounds like you are getting on top of it.
ASKER
This virus is on a server and 2 domain PCs. Would I have to do the virus scan disconnected from the network and not connect them back until the scan had been done on all the PCs?
Cheers