Windows Server 2008 R2 Thread: Conficker virus - advice needed (in Technical)
  1. #1
    JMB

    Conficker virus - advice needed

    Hi, we moved to Server 2008 R2 over the summer, and broadly speaking it's been a triumph. However, we appear to have a Conficker infestation. It seems to be disabling sound and network services, which is deeply irritating. I've tried McAfee, our standard AV, which hasn't detected anything. And I've downloaded the MS Malicious Tool, which also finds nothing. I know it's there though! Can anyone recommend a tool or a means to get rid of this little beast once and for all? Thanks!

  2. #2

    Michael's Avatar
    Disable Autorun for all devices (you can do this with GPO) and for the time it takes to scan a machine, you may as well re-image it as new. It's primarily the Autoplay function in Windows that it exploits.

    Even with Conficker removed, it creates a lot of damage with system files.

  3. #3


    The MS tool normally finds it quite well, what's making you sure it's Conficker?

    Isolate, scan, patch, scan, reconnect to clean LAN job.

  4. #4

    Geoff's Avatar
    Here's the MS article on the subject.

    Computer Worms - Conficker | Microsoft Security

  5. #5

    mattx's Avatar
    Download the KK tool from the KAV site - that's quite good at getting rid of it + I have this running at logon at the moment for PCs that don't have KAV or MSE installed. Feel free to change it and use it - [ may I suggest you compile it first into a .exe and have it running at logon ]

    Code:
    ; Language:        	English
    ; Platform:        	WinXP
    ; Author:          	Matt 
    ; Script Function: 	Run kk.exe in silent mode at logon
    ; Version:			1
    ; Date:				June 2011
    
    If FileExists('c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe') Then
    	Exit
    ElseIf FileExists('c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe') Then
    	Exit
    Else
    	Run(@LogonServer & "\netlogon\kk.exe -f -s -z -y -x -t -j", "")
    EndIf
    Exit

    Forgot to say it's an AutoIt script but could easily be ported to, say, PowerShell or something.

    KK can be DLed from:

    http://support.kaspersky.com/faq?cha...&qid=208279973
    Last edited by mattx; 23rd September 2011 at 01:23 PM.

  6. #6

    I don't use McAfee but as they have a free Conficker detection tool (McAfee Conficker Detection Tool | McAfee Labs) then your AV software should detect it if it's there. If your computers are kept up to date then Conficker shouldn't be able to infect them as Microsoft released a patch for it.

    Were all your workstations reimaged when you upgraded the servers? I had problems with a new image when I used the latest sound drivers and had to use an earlier driver or the sound would stop working.

    If you want to try another tool give sophos a go but it sounds like something else could be causing your problem (Conficker Removal Tool | Conficker Virus Removal | Sophos Free Tools).

  7. #7

    There's a Microsoft tech article with some decent advice on this. Main thing is disabling autorun and I seem to recall restricting access to the system service, as it spreads by creating scheduled tasks.

    Real pain when we had it, so good luck.

  8. #8
    36Degrees's Avatar
    The most effective tool we found is cfremover cfremover.exe although this was about 18 months ago. All other tools seemed quite ineffective at the time but using that eradicated it for us.

    We also created a folder called autorun.inf on all server hard drives as someone once told me that this helps. Not sure whether it's true or not but we have been Conficker free since then!

  9. #9
    JMB
    Thanks everyone, really appreciate such a swift response! I should add some more detail...

    ToyHeartsFan, you asked something specifically - yes, we worked from a completely clean image. Set up a PC with a clean install of XP SP3, installed all our standard software (Office, etc.), then took an image and used sysprep to push that out to all the other machines. From there we just updated drivers etc. on an ad hoc basis.

    I've got a fully updated McAfee, which hasn't found anything. Have also tried the MS tool described above (found nothing) and the KK program suggested above (also drew a blank). I'll give the McAfee conficker tool and the Sophos ones a try.

    It's very odd. Boot a PC (any PC) and everything's fine. Leave it on for any length of time without logging in, and when you try to log in you get a local profile and no network access. Likewise, if a PC is logged in and left for a while, you lose your network AND the sound stops working. And yet, although the sound stops working, when you shut Windows down, you get all the system sounds.

    Puzzler! I had someone from the council's IT come and take a look (they helped with the server install) and he was the one who determined the Conficker.

  10. #10
    36Degrees's Avatar
    Make sure that the XP3 service patch has been installed: Download Details - Microsoft Download Center - Security Update for Windows XP (KB958644)

  11. #11
    DAZZD88's Avatar
    Doesn't sound like Conficker. Conficker spreads by exploiting the ADMIN share that is created by default on Windows boxes that are joined to a domain with poorly secured user accounts that were created when building the initial image (stupid mistake on our part), by using scheduled tasks and also by memory stick (as autorun.ini I think). You'll know it's Conficker if you have AT tasks in your scheduled tasks list on the infected machines.

    • Disable autorun via GPO
    • Disable USB access
    • Check your firewall policy is configured securely


    We have only just re-enabled USB. If you can afford to take your network offline and reimage everything then I'd say do that. Like I said though, your virus doesn't sound like Conficker although there may well be another variant or two that I've not come across.
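
The checks raised in this thread (the KB958644 update from post #10, the Autorun policy, and AT jobs in the scheduled tasks list) can be audited per machine with a read-only script. This is an added example, not code posted by any participant; the function name `Test-ConfickerExposure` is hypothetical, and it assumes PowerShell 2.0 or later run locally as an administrator.

```powershell
# Added example: read-only audit of three checks discussed in this thread.
# Test-ConfickerExposure is a hypothetical name; nothing here changes the system.
function Test-ConfickerExposure {
    $result = New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        KB958644Present = $false
        AutorunDisabled = $false
        AtJobFiles      = @()
    }

    # 1. Is the security update named in post #10 recorded as installed?
    #    Get-HotFix reads Win32_QuickFixEngineering; an update that was
    #    superseded or rolled into a later service pack may not be listed,
    #    so treat $false as "verify by hand", not as proof it is missing.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    $result.KB958644Present = [bool]$hotfix

    # 2. Autorun policy: NoDriveTypeAutoRun = 0xFF disables Autorun for
    #    every drive type (what the "disable via GPO" advice sets).
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $policy = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
                               -ErrorAction SilentlyContinue
    if ($policy) {
        $result.AutorunDisabled = ($policy.NoDriveTypeAutoRun -eq 0xFF)
    }

    # 3. AT jobs are stored as At<N>.job under %SystemRoot%\Tasks.
    #    Legitimate admin-created AT jobs appear here too, so review each
    #    file's creation time and command rather than deleting blindly.
    $tasks = Join-Path $env:SystemRoot 'Tasks'
    $result.AtJobFiles = @(
        Get-ChildItem -Path $tasks -Filter 'At*.job' -Force `
                      -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    )

    $result
}

Test-ConfickerExposure | Format-List Computer, KB958644Present, AutorunDisabled, AtJobFiles
```

A machine that reports no update, Autorun still enabled, or any `At*.job` files is a candidate for the isolate, scan, patch, scan routine described in post #3.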

  12. #12
    JMB
    I've run the McAfee tool and it's searched the network; only 3 PCs are infected, and actually none of these are the ones that present with network/sound issues. But the sound/network services on many of the PCs do spontaneously stop. They can be restarted, of course, but not by a "civilian" user! So, if Conficker isn't behind these problems, it makes me wonder what is!

  13. #13

    Geoff's Avatar
    drivers?

  14. #14
    JMB
    We have considered reinstalling all the drivers, but surely if it was a driver issue, the sound/LAN wouldn't work full stop. As it stands, it all works, but the respective services stop spontaneously...

  15. #15
    DAZZD88's Avatar
    Originally posted by Geoff:
        drivers?

    +1 to this

    Also, what about a software conflict of some sort? We have Securus on our machines to help monitor activity on t'internet and to scan for any inappropriate words typed into documents. The only problem is that Adobe Reader X doesn't get on well with it, so we have to install version 9.
