Can I apply the steps from the Microsoft article to the default domain policy, or is there a chance I might lock myself out?
Why do you need to do that? Can't you create a new one? I think it's generally bad practice to make those sorts of changes to the DDP.
We do keep scanning computers and have all patches on. We are removing it daily; as you know, it keeps coming back. We were thinking of going on like this until the Easter break, removing it daily just for it to come back. We were thinking of doing the full cleanup and removal during Easter just because of the amount of work; we don't need the pressure of getting it back up and running fast.
I'd start now, rather than the holidays. It's gonna infect all machines, meaning more work.
If you get on top of it now, you might be able to clean it up within a few days. Also follow the Sophos steps as listed in one of the pages previous.
So it activates on April 1st? All this stuff it's doing in the meantime, I thought it was very much active :P There is another purpose behind just being annoying. We are going to try and start tackling it right away. Just looking around for the best methods.
Edited cause I am superstitious
Last edited by Roopert; 23rd March 2009 at 02:43 PM.
Sophos seems to have blocked one or two flash sticks that have had it on and one PC that got it broke anyway so taken away for rebuild. Haven't spotted anything in the registry on machines yet, WSUS protecting our admin machines and manually ran the 958644 on teaching ones but still paranoid it could be waiting somewhere!
What did you notice in Wireshark btw, any obvious patterns?
Could do with a bit of advice regarding this virus. Our school was infected late last week; having spent most of the weekend fighting the virus by disconnecting the network, it appeared yesterday and promptly infected every PC that we had disinfected.
We have followed the MS advice and also Sophos. After receiving the virus, and viewing the enterprise console, we -
1. disconnected each device
2. patched all PCs up MS patch then disconnected each PC from patch lead
3. did a full Sophos scan and disinfected PC (virus was caught in Sophos quarantine)
4. rebooted PC, and (after all network was clean) added each PC back to network.
To stop the virus we have done -
1. stopped "task scheduler" through group policy to stop "A*" schedules running
2. disabled file and print sharing
3. disabled USB devices and CD/DVD drives to stop virus spreading
4. stopped autorun on PCs from removable devices
Although we have done all the above, the virus appeared again yesterday.
One of many questions we would like answers for is -
1. If we leave the virus in quarantine, what implications would we have if we left it until April Easter?
(We have already had the occasional account lockouts.)
Help would be appreciated.
Apologies if this has already been linked to, but here is a Conficker cleaning tool provided by BitDefender, for those who can't access Sophos.
Remove Downadup - Removal tool for Downadup (known also as Conficker or Kido)
Seems like quite a nice tool. Testing in our ICT Suites after school today, although we don't have any infected machines thankfully. Works across the network using AD so you can deploy to all PCs at once.
Hey, the network version. This tool from BitDefender, is it safe running it on the server? Don't want it corrupting files as it goes through and deletes infected files. Just some guidance needed, people who have had the virus and have run this tool.
Last edited by xeroxxe; 25th March 2009 at 10:37 AM.
We have had a couple of instances of Conficker here. Can't remember which variant.
As far as I'm aware, all machines have 958644 installed, except a couple in WSUS with no status for that update. They are probably old machines that have been removed from the network.
In both cases of Conficker appearing, it has been on a student USB stick. Sophos has caught them both immediately and deleted the infection. It is auto set to delete any infection on workstations and on-access scanning is set to 'read' mode.
Auto-Play is disabled via GPO.
How come so many of us are having problems, yet we seem to be fine here? If Conficker does appear, it is dealt with swiftly.
I'm touching wood atm as it may still all go tits up yet.
I am now about to go through my inventory to make sure AD, WSUS and Sophos are all consistent with each other.