Windows Server 2008 R2 Thread, Conficker virus - advice needed in Technical
  1. #16

    SimpleSi
    I haven't read the other answers but to clean this off one of my schools I had to disconnect EVERYTHING from the LAN and make sure all servers were clean.

    On each machine, I ran the Sophos rootkit/Conficker removal tool - if the machine had an infection I rebooted and ran it again and then did a scan with Malwarebytes Anti-Malware just to be sure.

    Once I'd done this - I reconnected machine to network.

    All computers set to not autorun USB drives and all USB devices with memory in them (e.g. cameras as well as pens) were banned from school until I personally had checked them and then they were not allowed on school machines if they were taken home - they had to be handed back to me again for rescanning.

    It took a week - I did the classroom teacher machines first.

    Been clean for a year now

    Good Luck

    Si
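
An added example, not part of SimpleSi's post: one way to confirm that the "do not autorun USB drives" setting actually landed on every machine is to collect the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun` from each PC and decode the bitmask offline. The host names and sample outputs below are constructed.

```python
import re

# NoDriveTypeAutoRun bitmask: a SET bit DISABLES autorun for that drive type.
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable",  # USB pens, cameras, card readers
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
}
VALUE_RE = re.compile(r"NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-fA-F]+)")


def autorun_enabled_types(reg_output):
    """Drive types that may still autorun, or None if no policy value is set."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        return None
    mask = int(m.group(1), 16)
    return sorted(name for bit, name in DRIVE_BITS.items() if not mask & bit)


def hosts_needing_fix(outputs):
    """Hosts where removable media can autorun or the policy is absent."""
    bad = []
    for host, text in outputs.items():
        enabled = autorun_enabled_types(text)
        if enabled is None or "removable" in enabled:
            bad.append(host)
    return sorted(bad)


# Constructed sample: `reg query` output saved per machine (host names invented).
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE = {
    "ROOM1-PC01": f"{KEY}\n    NoDriveTypeAutoRun    REG_DWORD    0xff\n",
    "ROOM1-PC02": f"{KEY}\n    NoDriveTypeAutoRun\tREG_DWORD\t0x91\n",
    "ROOM1-PC03": "ERROR: The system was unable to find the specified registry key or value.\n",
}

if __name__ == "__main__":
    for host, text in SAMPLE.items():
        print(host, autorun_enabled_types(text))
    print("fix:", hosts_needing_fix(SAMPLE))
```

A machine with no value at all is reported for fixing rather than treated as safe, because an absent policy leaves the operating system default in force.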

  2. #17

    I'd also go software or driver conflict. If an AV and Microsoft's tool isn't finding anything, it won't be Conficker. Probably isn't even a virus at all.
    Slightly odd that the council IT guy would tell you that and give you no proof of it, nor help you resolve it.

  3. #18

    Quote: Originally Posted by JMB
    We have considered reinstalling all the drivers, but surely if it was a driver issue, the sound/LAN wouldn't work full stop. As it stands, it all works, but the respective services stop spontaneously...
    - Unfortunately iffy drivers can cause all sorts of problems


    I would sort out the 3 infected machines before doing anything else then rescan and if the network is clear pick a PC that's playing up and reinstall the drivers on it.

    I’ve had strange problems with drivers in the past; sound stopped working on a newly imaged PC, I had to revert to an older driver rather than the new one I had put on the image. Upgrading the NIC driver on a server caused network problems to appear on all of the workstations and I had to upgrade the driver on every workstation in school to fix that problem.

    I would check that the latest drivers are installed; if they already are, you should consider installing the previous version and see if that makes any difference.

    Also if you have gig network cards connected to gig switches remember that XP has a problem with them (although they shouldn’t stop working) and you need to disable media sense via a reg entry, or group policy doesn’t always get applied.

  4. #19

    If you still have problems after running another scan and updating the drivers, look at any software that installs a service. I once had a problem where the remote software our LEA used would crash the print spooler on the server – good luck!

  5. #20
    JMB
    **UPDATE**

    Thanks to everyone for their advice, some great suggestions. I've done a full virus scan of the entire network, and only 3 machines had any trace of Conficker on them. Ironically, none of them on the domain, and therefore none of them the PCs that had issues with sound/network dropping. In the process of logging in to these machines locally as admin, I noticed svhost.exe error messages. All these PCs are XP SP3, clean installs from a ScoMIS disc. Clean bill of health from every antivirus and spyware scan I throw at them. And I've thrown a LOT at them lately! I upgraded the .NET Framework on a couple of them, which seemed to fix the svhost.exe messages. I then went into the services themselves and set the Windows Audio and network services to restart if they are stopped for any reason. BUT - this still doesn't stop these services stopping. And having stopped, they still won't restart automatically.

    So...anyone got any other ideas?!

  6. #21
    mwbutler
    We get McAfee from ScoMIS too and it caught any traces of Conficker immediately (surprised me tbh!) which stopped the virus spreading across the entire network. Therefore unless your version of McAfee (EPO 4.5 on server and 8.7 patch 4 on desktops) is horribly out of date I don't think you will have Conficker on your network.

    What do the affected PC's event logs say?
    Are you sure the correct drivers got installed?

    Try updating / reinstalling the PC's chipset, sound driver and network driver and see if that helps fix the problem.

  7. #22

    SimpleSi
    Clean bill of health from every antivirus and spyware scan I throw at them.
    Unless ALL your USB memory devices have been checked .. you can't sleep safe at night

    Si

  8. #23
    JMB
    Well...I've reinstalled all the drivers for everything on one of the PCs. Still getting the svhost.exe error message. This is what the error log says about this:

    Event Type: Error
    Event Source: Application Error
    Event Category: (100)
    Event ID: 1004
    Date: 30/09/2011
    Time: 14:14:08
    User: N/A
    Computer: ICT04
    Description:
    Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

    For more information, see Help and Support Center at Events and Errors Message Center: Basic Search.

    Going to leave this machine on for a while, see if the problem of sound/network dropping returns. If it does, we're going to wipe a machine and start over with it, from reinstalled XP up...
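
An added example, not part of JMB's post: when the same fault shows up on many PCs, pasting each machine's Application Error entries into one text file and tallying them shows which hosts hit this exact signature (svchost.exe, module unknown, address zero) and when. The first sample record is the one posted above, trimmed to the fields used; the other two records and the function names are constructed.

```python
import re
from collections import defaultdict

FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version \S+, "
    r"faulting module (?P<module>\S+), version \S+, "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)"
)
FIELD_RE = re.compile(r"^\s*(Date|Time|Computer):[ \t]*(\S+)", re.M)

def parse_events(text):
    """One dict per Application Error record in pasted Event Viewer text."""
    events = []
    for chunk in text.split("Event Type:")[1:]:
        fault = FAULT_RE.search(chunk)
        if fault:
            events.append({**dict(FIELD_RE.findall(chunk)), **fault.groupdict()})
    return events

def null_svchost_faults(events):
    """Per computer, times svchost.exe faulted in no known module at address 0."""
    hits = defaultdict(list)
    for e in events:
        if (e["app"].lower() == "svchost.exe" and e["module"] == "unknown"
                and int(e["addr"], 16) == 0):
            hits[e["Computer"]].append(f'{e["Date"]} {e["Time"]}')
    return dict(hits)

# First record is the one posted above (trimmed); the other two are constructed.
SAMPLE = """\
Event Type: Error
Date: 30/09/2011
Time: 14:14:08
Computer: ICT04
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Event Type: Error
Date: 30/09/2011
Time: 15:02:41
Computer: ICT07
Faulting application example.exe, version 1.2.3.4, faulting module example.dll, version 1.2.3.4, fault address 0x0001a2b3.
Event Type: Error
Date: 30/09/2011
Time: 16:40:12
Computer: ICT04
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
"""

if __name__ == "__main__":
    print(null_svchost_faults(parse_events(SAMPLE)))
```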

  9. #24
    mwbutler
    Just had a thought. McAfee blocks all sorts of things randomly; make sure it isn't blocking svhost plus other processes. It used to block dns.exe plus all sorts of programs that interact with Exchange as it thinks it's a "mass mailing worm."

  10. #25
    JMB
    Nothing McAfee does would surprise me! Bless it. Good idea - I'll give that a try!

    Thanks again for all the ideas - always grateful for more! Have a good weekend all!

  11. #26

    Windows Update is one of the things that can cause svchost errors so this might be worth looking at:
    You receive an error message after a Windows XP-based computer runs an automatic update, and you may be unable to run any programs after you close the "svchost.exe - Application Error" error message dialog box

    I know it's not a solution but if you disable the sound device in control panel do you still continue to get svchost errors?
    I'm just wondering if it's the audio driver causing the svchost errors or if it's the svchost error causing the audio problem...

    Do you have a WSUS server for your Microsoft updates? And if the answer is yes do you use WSUS to update drivers as well? - I removed the driver option on our WSUS server after an automatic update on one workstation messed it up so much I needed to do a full reinstall - I now only perform driver updates manually.

  12. #27
    JMB
    #Today's update#

    Reinstalled ALL drivers, and removed McAfee (in case that was causing issues somewhere) - problem still occurring. PCs left on but not logged in lose their network connection and cause local profile logins, and PCs left logged in drop connection and lose sound. The sound/network services can be restarted if it's a local admin account that's logged in, but obviously this doesn't help in situations where teachers or student accounts are logged in. I've got a call logged with ScoMIS about it, as I'll be honest, I can't think of anything else!

  13. #28

    localzuk
    This all sounds remarkably complicated, why not simply reimage all the machines and be done with it? I had a brief scan through and couldn't see anything saying you couldn't do this?

  14. #29
    JMB
    Well, I thought the same thing. We originally built a new image with a clean XP SP3 install, then imaged all our PCs; along the way, installing the relevant drivers and saving new images of different models as we went. So I don't see how an issue could have arisen with ALL the PCs. And my fear is that if we use the existing images we'll have the same problem, and if we repeat our original work (setting up new images, etc.) we're just taking up a lot of time with the same potential problems at the end of it. We're going to test a Windows 7 installation today, see if that's any better.

  15. #30
    JMB
    Windows 7 appears to work fine...will therefore try a completely clean XP installation tomorrow to see if the problem comes back. I guess if it does, the issue has to be something to do with the server.
