Hi there, I was wondering if anyone could help me.
We had the Conficker virus when our anti-virus went down for the day. We managed to remove it but now we're having random tasks being created in Scheduled Tasks. We get tasks named AT1 - AT10 that are randomly generated; if we delete them they will be back in a couple of hours.
I had a look at what the tasks do and they're trying to start rundll32.dll but with a mix of characters at the end such as..
rundll32.dll edfeee,fdsa
Any help would be appreciated
Cheers
AT1.job AT10.job create automatically scheduled task [Merged] - Kaspersky Lab Forum
The machines doing this are still infected.
It's only our admin server that's doing it. We've run the Conficker removal tool, Sophos, Stinger, and the Windows Conficker tool but they're all showing up clean. I tried the KK removal tool just in case it was the Kido virus; it removes the tasks but only for them to come back in a few hours.
Bump. Any ideas?
You're definitely still Confickered at the moment mate. We're battling Conficker at our place as I type. We're doing it without shutting the network down too... been going about a month, maybe longer.
Anyway, my advice is to shut down the server and boot it in safe mode > Sophos Conficker removal tool > Reboot into Windows (normal) > Check services and scheduled tasks > Check the Sophos conficker tool log (in the %temp% directory of the user you ran it as) and see what it did > If it couldn't remove the files etc... do it manually and then run the tool again.
We have also been infected with this recently.
Can anyone explain to me why, if your machine has been cleaned, patched, Sophos fully up to date (on-access scanner is active for files on read+write), machines are still being infected?
Surely if you disconnect a machine, clean it up, patch it, enable sophos, reconnect this machine should not be reinfected?
Maybe my clean up tools are lying to me?
I'm assuming you're on about the patch for the vulnerability mentioned in MS08-067?
We found that even with patching the virus returns. We don't believe it stops all variants of Conficker but simply removes a mechanism of infection. We have recently locked down all of the firewalls on our workstations to only allow the ports and programs we specify and it seems to have stopped (or slowed to a virtual stop) the spread of the virus through file shares.
We keep finding machines with partial infections but usually only ones that haven't been fully cleaned and this is simply because our Enterprise Console is acting up (server needs a rebuild).
If your machines have an inactive on-access scanner try re-protecting the machine and it may well fail, most likely due to the computer browser services not running. For this to run you must have the firewall service running. There are also other services that Conficker stops running such as BITS, error reporting, BIT defender and Automatic Updates (there are more I think but I'm not sure).
Anyways, to get your machines protected again check the above services, make sure there are TCP ports open in your firewall for Sophos (8192, 8193 and 8194) and the Enterprise Console should squirt Sophos straight onto the machine. Failing that try installing it manually from the CID (central installation directory) on your Sophos server.
If all that fails then to Google you must go.
Hope that helps.
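The service and port checks the post above walks through, written up as an audit script. This is an added example, not code posted in this thread; it assumes Windows PowerShell 2.0 or later, the XP/2003-era service short names listed in the table (ERSvc is Error Reporting, wscsvc is Security Center, SharedAccess is the Windows Firewall/ICS service), and that the Sophos agent listens locally on the three TCP ports the post names.

```powershell
# Added example (not from the thread). Reports the start mode and state of the
# services the post says Conficker stops, plus the firewall service the post says
# must be running, and checks for local TCP listeners on the Sophos ports it names.
# Assumes: Windows PowerShell 2.0+, the service short names below, and that the
# Sophos agent listens on 8192-8194 locally (an assumption taken from the post).

$servicesToCheck = @(
    @{ Name = 'wuauserv';     Purpose = 'Automatic Updates' },
    @{ Name = 'BITS';         Purpose = 'Background Intelligent Transfer' },
    @{ Name = 'wscsvc';       Purpose = 'Security Center' },
    @{ Name = 'ERSvc';        Purpose = 'Error Reporting' },
    @{ Name = 'SharedAccess'; Purpose = 'Windows Firewall/ICS' },
    @{ Name = 'Browser';      Purpose = 'Computer Browser' }
)

function Get-ServiceHealth {
    foreach ($svc in $servicesToCheck) {
        $wmi = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
        if (-not $wmi) {
            $startMode = 'Missing'
            $state     = 'Missing'
        } else {
            $startMode = $wmi.StartMode   # 'Auto', 'Manual' or 'Disabled'
            $state     = $wmi.State       # 'Running', 'Stopped', ...
        }
        # A service forced to Disabled, removed, or set to Auto but not running is
        # the tampering pattern the post describes.
        $tampered = ($startMode -eq 'Disabled') -or ($startMode -eq 'Missing') -or
                    (($startMode -eq 'Auto') -and ($state -ne 'Running'))
        New-Object PSObject -Property @{
            Service   = $svc.Name
            Purpose   = $svc.Purpose
            StartMode = $startMode
            State     = $state
            Tampered  = $tampered
        }
    }
}

function Get-SophosListeners {
    param([int[]]$Ports = @(8192, 8193, 8194))
    # Parse 'netstat -an' output for TCP sockets in LISTENING state on each port.
    # No listener means the agent is not up; it says nothing about firewall rules.
    $lines = netstat -an -p tcp
    foreach ($port in $Ports) {
        $hit = $lines | Where-Object { $_ -match "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING" }
        New-Object PSObject -Property @{ Port = $port; Listening = [bool]$hit }
    }
}

Get-ServiceHealth   | Format-Table Service, Purpose, StartMode, State, Tampered -AutoSize
Get-SophosListeners | Format-Table Port, Listening -AutoSize
```

Run it as an administrator on a machine that refuses to re-protect; any row with Tampered = True is a service to reset with sc config / net start before retrying the Enterprise Console push, and a port with Listening = False means the local agent is not up regardless of what the firewall allows.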
I thought about firewalling the PCs, but wasn't sure what ports should be left open to allow normal operation and block the spread of the virus.
I use this script currently on startup to help clean PCs + fix broken services - hope it's of some use to others
You can check if Sophos is installed with this too and make it install if you're having problems with your Enterprise Console.
Code:
set server=YOURSERVER
set share=YOURSHARE

rem Stop the Browser and Server services so that infection doesn't happen while we turn off Sophos
sc config browser start= disabled
net stop browser /y
sc config lanmanserver start= disabled
net stop lanmanserver /y

rem Fix Windows Update services (restore the default security descriptors)
sc sdset bits "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
sc sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"

rem Check essential services are set correctly and running
sc config wuauserv start= auto
net start "automatic updates"
sc config bits start= demand
sc config dhcp start= auto
net start "dhcp client"
sc config dnscache start= auto
net start "dns client"
sc config eventlog start= auto
net start "event log"
sc config audiosrv start= auto
net start "windows audio"
sc config w32time start= auto
net start "windows time"
sc config lanmanworkstation start= auto
net start "workstation"
sc config wscsvc start= auto
net start wscsvc
sc config ERSvc start= auto
net start ERSvc

rem Disable Task Scheduler while we clean up, and delete all AT jobs
sc config schedule start= disabled
net stop "task scheduler"
AT /Delete /Yes

rem Disable AutoPlay on all drive types (the policy value is NoDriveTypeAutoRun)
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f

rem Turn off Sophos on-access scanning so it will let us remove the virus via Symantec's scanner
sc config savservice start= disabled
net stop savservice

rem Scan/patch PC for cleanup
rem KB patch for MS08-067
\\%SERVER%\%SHARE%\con-patch-xp.exe /quiet /norestart
rem MS Malicious Software Removal Tool (quiet/silent mode)
\\%SERVER%\%SHARE%\mrt-june09.exe /q
rem Symantec Conficker scanner
\\%SERVER%\%SHARE%\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt

rem Turn on Sophos, re-enable the Browser and Server services, enable Task Scheduler
sc config savservice start= auto
net start savservice
sc config browser start= auto
net start browser
sc config lanmanserver start= auto
net start lanmanserver
sc config schedule start= auto
net start schedule
After this you can do a full Sophos scan to try and catch anything that's missed. This combination has helped me clean things up, but I'm still getting some reinfections.
Code:
@ECHO OFF
REM --- Check for an existing installation of Sophos AutoUpdate
if exist "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
REM --- Deploy to Windows 2000/XP/2003
\\sophosserver\InterChk\ESXP\Setup.exe -updp "\\sophosserver\InterChk\ESXP" -user "yourdomain\administrator" -pwd "your password" -mng yes
REM --- End of the script
:_End
You can also roll these scripts out using psexec remotely - however this doesn't always work as some PCs become unreachable over the network, probably due to service termination - mstsc into these machines to install manually.
If you firewall the machines using Windows Firewall and Group Policy it's a piece of cake to add the exceptions into the firewall. See attached pics for enlightenment.
When adding program exceptions use the %programfiles% variable.
Depending on how your GPO refresh interval is set then you should have it filtered through to all machines within a couple of hours at most.
Hi Frazer,
re: "Can anyone explain to me why, if your machine has been cleaned, patched, sophos fully up to date (on-active scanner is active for files on read+write) are machines still being infected?"
Conficker has three ways to get on a machine
1) vulnerability
2) File sharing
3) USB
If you have patched, you have stopped no 1.
Even with an anti-virus enabled, it can still use no 1. It needs admin access as it uses C$/admin$ to connect to the machine. An infected machine will try and guess admin passwords, or use the logged on account. If it has the rights, it will drop the DLL (odd extension) in System32.
With the AV enabled, it will stop it loading so won't actually be infected; it will have a malicious file on it and a scheduled task attempting to load it. This is why Task Scheduler should be disabled so it cannot attempt to load.
The best way to stop it is blocking file sharing access between clients - this stops them being reinfected.
Or, setup Wireshark (or SMB file sniffer) on a machine that keeps getting the file dropped - this way, you can find out which machine is dropping it. Usually you will find a weak point where a machine has no AV etc.
Hope that helps.
Rockin.
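A triage script for the symptom Rockin describes above (a dropped file in System32 plus an AT job that tries to load it through rundll32), added here as an example; it is not code posted by anyone in this thread. It assumes Windows PowerShell 2.0 or later, the stock schtasks.exe, and the `TaskName` and `Task To Run` column names that `schtasks /query /fo CSV /v` emits.

```powershell
# Added example (not from the thread). Lists AT<n> scheduled tasks, extracts the
# module rundll32 is told to load, and reports whether that file is on disk and
# whether it has the odd non-.dll extension the thread mentions.
# Assumes: Windows PowerShell 2.0+, schtasks.exe present, and the CSV columns
# 'TaskName' and 'Task To Run' from 'schtasks /query /fo CSV /v'.

function Get-RunDll32Module {
    param([string]$CommandLine)
    # rundll32 takes "<module>,<entrypoint>"; capture the module part only.
    if ($CommandLine -match '(?i)rundll32(?:\.exe)?\s+"?([^\s",]+)') {
        $module = $matches[1]
        if ($module -notmatch '[\\/]') {
            # Bare name: the thread reports the files being dropped in System32,
            # so resolve there for the on-disk check.
            $module = Join-Path "$env:windir\system32" $module
        }
        return $module
    }
    return $null
}

function Get-SuspiciousAtTasks {
    # Repeated header rows (one per task folder on Vista and later) and any
    # "INFO:" lines fail the AT<n> name test and are dropped.
    $rows = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($row in $rows) {
        if ($row.TaskName -notmatch '^\\?AT\d+$') { continue }
        $cmd    = $row.'Task To Run'
        $module = Get-RunDll32Module -CommandLine $cmd
        $onDisk = $false
        $oddExt = $false
        if ($module) {
            $onDisk = Test-Path -LiteralPath $module
            $oddExt = ([IO.Path]::GetExtension($module) -ne '.dll')
        }
        New-Object PSObject -Property @{
            TaskName     = $row.TaskName
            Command      = $cmd
            Module       = $module
            ModuleOnDisk = $onDisk
            OddExtension = $oddExt
        }
    }
}

Get-SuspiciousAtTasks | Format-Table TaskName, Command, Module, ModuleOnDisk, OddExtension -AutoSize
```

A task whose module is on disk is the "malicious file plus scheduled task" state Rockin describes on a machine whose AV blocked the load; a task whose module is missing but keeps reappearing points at another host on the network still writing to this one, which is where the Wireshark/SMB capture suggestion comes in.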
Hi guys. I am sertunc. I have a problem with this Conficker. Anybody know how I can fix this problem?
I think Rockin has summed things up quite nicely in terms of actions you should take. You do need to remember to alter the permissions on the scheduled tasks folder to stop the virus creating tasks to reinfect the machine. To do this you can remove all permissions except (I think) admins, system and Sophos. This should stop tasks being recreated.
What other steps have you taken to stop this Conficker? Because we have tried Windows updates, Windows Defender, deleting scheduled tasks, everything, but we seem to be infected again.
We currently have Conficker floating about somewhere, not sure where. We followed this:
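An audit of the permission change suggested in the post above (who can create files in the scheduled-tasks folder), added as an example and not posted by anyone in this thread. It assumes Windows PowerShell 2.0 or later and that the tasks folder is %windir%\Tasks; the Sophos service account name differs per installation, so the one in the parameter is a placeholder to replace.

```powershell
# Added example (not from the thread). Lists every Allow ACE on the tasks folder
# that grants the CreateFiles right (the right needed to write an AT<n>.job) and
# flags identities outside the set the post says should keep access.
# Assumes: Windows PowerShell 2.0+, tasks folder at %windir%\Tasks, and a
# placeholder Sophos account name that must be replaced with the real one.

function Get-TaskFolderWriters {
    param(
        [string]$Path = "$env:windir\Tasks",
        # Admins, SYSTEM and the Sophos account, per the post. The Sophos
        # principal below is a placeholder, not a real account name.
        [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'YOURDOMAIN\SophosAccount')
    )
    $acl = Get-Acl -LiteralPath $Path
    # CreateFiles (0x2) is included in Write, Modify and FullControl, so testing
    # this one bit covers every right that allows dropping a .job file.
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $canCreate = (([int]$ace.FileSystemRights) -band $createFiles) -ne 0
        if (-not $canCreate) { continue }
        $identity = $ace.IdentityReference.Value
        New-Object PSObject -Property @{
            Identity   = $identity
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            Expected   = [bool]($Allowed -contains $identity)
        }
    }
}

$writers = Get-TaskFolderWriters
$writers | Format-Table Identity, Rights, Inherited, Expected -AutoSize
$unexpected = @($writers | Where-Object { -not $_.Expected })
Write-Host ("{0} identities outside the allowed set can create tasks in this folder." -f $unexpected.Count)
```

Rows with Expected = False are the entries the post suggests removing; inherited entries have to be addressed on the parent or by breaking inheritance on the folder, which is why the Inherited column is shown.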
Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker
In my experience you have to be slow and methodical to remove it. We are just left to find which wireless device has it on.
Hey guys, we deleted this virus. I used Trend Micro Sysclean pattern no. 439. Now our system is clean.