Has Eduman been consumed by the virus too?
The first thing to do is apply a registry patch to all machines and set security on the key to read for everyone, including administrators. The key is MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. The easiest way is to do it via GP. I'm sure even on an RM network you can still use GP. Or you could deploy it via a script. I will post the other steps as soon as I can track what we did. It was a long time ago.
Here is the svchost information from MS:
We downloaded and stored this Virus Description: Worm:W32/Downadup.AL on a network share and used a startup script to initiate detection and removal; machines that don't connect to the share or have the virus will have to be manually scanned. You also need to turn off autoplay on all removable devices; again, you can do this in GP, but a regedit deployment script would also work. We also installed SP3 on all workstations and laptops; not sure you can do this on RM, but I don't see why not. This can be done via WSUS or startup script, or manually.
Further info from MS:
Virus alert about the Win32/Conficker worm
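An added example, not part of the original posts: a read-only PowerShell audit that reports whether a machine still has the two registry settings described above (SvcHost key locked to read, AutoRun off for all drives). Assumptions: PowerShell 3.0 or later, the key lives under HKLM, AutoRun is controlled by the NoDriveTypeAutoRun policy value (0xFF = all drive types), and the function names are made up for this example.

```powershell
# Added example: audits the SvcHost key ACL and the AutoRun policy. Makes no changes.
# Run from an elevated prompt, or from a startup script that writes the result to a share.

$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Rights that let a principal change the key's values, subkeys or its ACL.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can appear on inherit-only ACEs.
$genericMask = 0x50000000

function Get-SvcHostWriters {
    param([string]$Path = $svcHostKey)
    # Every Allow ACE that still grants a write-type right means the lockdown is incomplete.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band ($writeMask -bor $genericMask)) -ne 0
    } | Select-Object IdentityReference, RegistryRights, IsInherited
}

function Test-AutoRunDisabled {
    param([string]$Path = $explorerKey)
    # A missing value yields $null, which is reported as "not disabled".
    $value = (Get-ItemProperty -Path $Path -Name NoDriveTypeAutoRun `
                  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($value -eq 0xFF)
}

$writers = @(Get-SvcHostWriters)

# One object per machine, suitable for Export-Csv -Append to a central share.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    SvcHostKeyReadOnly = ($writers.Count -eq 0)
    SvcHostWriters     = ($writers.IdentityReference -join '; ')
    AutoRunDisabled    = Test-AutoRunDisabled
}
```

Any machine reporting SvcHostKeyReadOnly or AutoRunDisabled as False has not picked up the GP or script deployment and needs a manual visit.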
You can, yes. We also installed SP3 on all workstations and laptops, not sure you can do this on RM but I don't see why not.
As others have said, disable network access for all machines that are not being brought back to you. It seems like you can't progress without clearing the virus to ensure that's not causing any problems. Send out an email giving staff a day to bring in their laptop for scanning or lose their connection to the network. That way you have covered yourself and given staff warning. Staff can sometimes be lazy and you need to give them a prod to do what is needed (or use a shoe, I can see from this thread).
Once you have cleared the virus you can go back to RM if need be.
We did this here; staff don't have a choice when a virus hits. Only had to do it twice: Blaster and Conficker. For Blaster even the servers were turned off for a day or so.
If you can't go to SP3 there is a download which patches the problem with conficker:
Seem to remember we did deploy this patch prior to upgrading to SP3.
We also deployed and ran http://www.tech-forums.net/pc/f51/co...mation-203975/ conficker_mem_killer.exe for a good few weeks after the attack.
Last edited by jsnetman; 6th July 2010 at 12:38 PM.
No problems going to SP3 as long as you're SR1 at least. Update 75, as mentioned above, provides the packages to do it. As long as your drivers are up to date (especially wireless if you have any Z91FR RM mobile one laptops or anything else with certain model Intel wireless cards) you should be fine. Also make sure laptops are mains powered, otherwise it won't install.
Thank you all for your advice, I'll pass them all on, beating with the shoes sounds perfect! May just try it!
Grip by the toe, aim for a square hit with the heel.