Windows Server 2008 R2 Thread, Conficker virus - advice needed in Technical; Hi, we moved to Server 2008 R2 over the summer, and broadly speaking it's been a triumph. However, we appear ...
23rd September 2011, 01:10 PM #1
- Rep Power
Conficker virus - advice needed
Hi, we moved to Server 2008 R2 over the summer, and broadly speaking it's been a triumph. However, we appear to have a Conficker infestation. It seems to be disabling sound and network services, which is deeply irritating. I've tried McAfee, our standard AV, which hasn't detected anything. And I've downloaded the MS Malicious Tool, which also finds nothing. I know it's there though! Can anyone recommend a tool or a means to get rid of this little beast once and for all? Thanks!
23rd September 2011, 01:15 PM #2
Disable Autorun for all devices (you can do this with GPO) and for the time it takes to scan a machine, you may as well re-image it as new. It's primarily the Autoplay function in Windows that it exploits.
Even with Conficker removed, it creates a lot of damage with system files.
23rd September 2011, 01:16 PM #3
The MS tool normally finds it quite well, what's making you sure it's Conficker?
Isolate, scan, patch, scan, reconnect to clean LAN job.
23rd September 2011, 01:16 PM #4
23rd September 2011, 01:20 PM #5
Download the KK tool from the KAV site - that's quite good at getting rid of it + I have this running at logon at the moment for PCs that don't have KAV or MSE installed. Feel free to change it and use it - [ may I suggest you compile it first into a .exe and have it running at logon ]
Forgot to say it's an AutoIT script but could easily be ported to say powershell or something.
; Language: English
; Platform: WinXP
; Author: Matt
; Script Function: Run kk.exe in silent mode at logon
; Version: 1
; Date: June 2011
If FileExists('c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe') Then
ElseIf FileExists('c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe') Then
Run(@LogonServer & "\netlogon\kk.exe -f -s -z -y -x -t -j", "")
KK can be DLed from:
Last edited by mattx; 23rd September 2011 at 01:23 PM.
23rd September 2011, 01:56 PM #6
I don’t use McAfee but as they have a free conficker detection tool (McAfee Conficker Detection Tool | McAfee Labs) then your AV software should detect it if its there. If your computers are kept up to date then conficker shouldn’t be able to infect them as Microsoft released a patch for it.
Were all your workstations reimaged when you upgraded the servers? I had problems with a new image when I used the latest sound drivers and had to use an earlier driver or the sound would stop working.
If you want to try another tool give sophos a go but it sounds like something else could be causing your problem (Conficker Removal Tool | Conficker Virus Removal | Sophos Free Tools).
23rd September 2011, 02:03 PM #7
- Rep Power
There's a Microsoft tech article with some decent advice on this. Main thing is disabling autorun and I seem to recall restricting access to the system service, as it spreads by creating scheduled tasks.
Real pain when we had it, so good luck.
23rd September 2011, 02:12 PM #8
The most effective tool we found is cfremover cfremover.exe although this was about 18 months ago. All other tools seemed quite ineffective at the time but using that eradicated it for us.
We also created a folder called autorun.inf on all server hard drives as someone once told me that this helps. Not sure whether it's true or not but we have been Conficker free since then!
23rd September 2011, 02:25 PM #9
- Rep Power
Thanks everyone, really appreciate such a swift response! I should add some more detail...
ToyHeartsFan, you asked something specifically - yes, we worked from a completely clean image. Set up a PC with a clean install of XP SP3, installed all our standard software (Office, etc.), then took an image and used sysprep to push that out to all the other machines. From there we just updated drivers etc. on an ad hoc basis.
I've got a fully updated McAfee, which hasn't found anything. Have also tried the MS tool described above (found nothing) and the KK program suggested above (also drew a blank). I'll give the McAfee conficker tool and the Sophos ones a try.
It's very odd. Boot a PC (any PC) and everything's fine. Leave it on for any length of time without logging in, and when you try to log in you get a local profile and no network access. Likewise, if a PC is logged in and left for a while, you lose your network AND the sound stops working. And yet, although the sound stops working, when you shut Windows down, you get all the system sounds.
Puzzler! I have someone from the council's IT come and take a look (they helped with the server install) and he was the one who determined the Conficker.
23rd September 2011, 02:29 PM #10
23rd September 2011, 02:39 PM #11
Doesn't sound like Conficker. Conficker spreads by exploiting the ADMIN share that is created by default on Windows boxes that are joined to a domain with poorly secured user accounts that have created when building the inital image (stupid mistake on our part), by using scheduled tasks and also by memory stick (as autorun.ini I think). You'll know it's conficker if you have AT tasks in your scheduled tasks list on the infected machines.
- Disable autorun via GPO
- Disable USB access
- Check your firewall policy is configured securely
We have only just re-enabled USB. If you can afford to take your network offline and reimage everything then I'd say do that. Like I said though, your virus doesn't sound like Conficker although there may well be another variant or two that I've not come across.
23rd September 2011, 02:40 PM #12
- Rep Power
I've run the McAfee tool and it's searched the network; only 3 PCs are infected, and actually none of these are the ones that present with network/sound issues. But the sound/network services on many of the PCs do spontaneously stop. They can be restarted, of course, but not by a "civilian" user! So, if Conficker isn't behind these problems, it makes me wonder what is!
23rd September 2011, 02:41 PM #13
23rd September 2011, 02:49 PM #14
- Rep Power
We have considered reinstalling all the drivers, but surely if it was a driver issue, the sound/LAN wouldn't work full stop. As it stands, it all works, but the respective services stop spontaneously...
23rd September 2011, 02:51 PM #15
+1 to this
Originally Posted by Geoff
Also, what about a software conflict of some sort? We have Securus on our machines to help monitor activity on t'internet and to scan for any inappropriate words typed into documents the only problem is that Adobe Reader X doesn't get on well with it so we have to install version 9.
By projector1 in forum Virtual Learning Platforms
Last Post: 27th November 2008, 12:36 AM
Last Post: 24th February 2006, 08:36 PM
By projector1 in forum Hardware
Last Post: 24th February 2006, 09:20 AM
By pooley in forum Wireless Networks
Last Post: 5th February 2006, 12:34 PM
By Kyle in forum How do you do....it?
Last Post: 1st February 2006, 09:40 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)