I have come in this morning after not a good Monday to find all hell breaking loose!
My logon scripts don't work is the main one. We have had a new photocopier with account tracking; the nice people at Konica came and set it up. However, since this my logon script is causing an error (please see attached). Also looks like the Conficker virus has come back, as people cannot get to the server and some can? Am I right in thinking the Conficker virus is a DoS attack? Does anyone have a definite way to get rid of it? Have e-mailed and rang Symantec but they tell me to consult the website... useless.
Only way to really eradicate would be to re-ghost I'd say if it keeps coming back. You don't want that :censored: flying around your network.
Sorry, forgot to attach error :S
In the short run, download KKiller (a Kaspersky tool) to kill off Conficker on each workstation. Funnily enough, it's much better than Kaspersky AV itself. I run it as a scheduled task on my Windows servers and use it to disinfect workstations.
Originally Posted by neon
Another thing you can do is block Conficker's command-and-control by looking in your server logs for URLs like this one:
and blocking them. I use a rule in my squid config to do this: I'm sure other proxies will do the same. It looks a bit like a Google search URL with the ?q= part but it only ever uses IP addresses, so the rule blocks those with search?q=nnn appended.
HTH, good luck.
(Another thing I meant to say: download Microsoft Security Essentials and schedule updates with this tool if you're not using WSUS:
Long-winded but works better than the commercial AV imo.)
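The log check described in the post above, as an added example that is not part of the original thread: it scans proxy log lines for requests to a bare IP address with search?q=nnn appended and lists the workstations that made them. It assumes Squid's native access.log layout (client in the third field, URL in the seventh); the log lines and addresses are constructed, and `find_suspect_clients` is a hypothetical name.

```python
import re
from collections import defaultdict

# Request to a bare IPv4 host with /search?q=<digits>, the shape the post
# describes. A hostname such as www.google.com does not match.
SUSPECT_URL = re.compile(
    r"^http://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/search\?q=\d+", re.I)

# Constructed sample lines (assumed Squid native access.log layout):
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1262304000.101     45 10.0.0.23 TCP_MISS/200 512 GET http://203.0.113.45/search?q=0 - DIRECT/203.0.113.45 text/html
1262304003.412     80 10.0.0.41 TCP_MISS/200 9120 GET http://www.google.com/search?q=timetable - DIRECT/192.0.2.10 text/html
1262304007.900     51 10.0.0.23 TCP_MISS/404 310 GET http://198.51.100.7/search?q=12 - DIRECT/198.51.100.7 text/html
1262304010.015     12 10.0.0.57 TCP_DENIED/403 1400 GET http://203.0.113.45/search?q=3 - NONE/- text/html
1262304011.500     30 10.0.0.41 TCP_MISS/200 2200 GET http://192.0.2.80/intranet/index.html - DIRECT/192.0.2.80 text/html
garbled line that should be skipped
"""


def find_suspect_clients(log_text):
    """Map client IP -> sorted list of IP-literal hosts it sent search?q=N to."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed entry
        client, url = fields[2], fields[6]
        match = SUSPECT_URL.match(url)
        if match:
            hits[client].add(match.group(1))
    return {client: sorted(dests) for client, dests in hits.items()}


if __name__ == "__main__":
    for client, dests in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(f"{client}: check this workstation, contacted {', '.join(dests)}")
```

Requests the proxy already denied still count as hits, since the client that sent them is the machine to disinfect.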
As far as I understand it MSE is for home use only, not schools. So be careful where you use it.
Originally Posted by m0nty
Looks like you're trying to unmap a drive which isn't currently mapped.
Originally Posted by neon
The "tidy" way to fix that is to enumerate network drives and only unmap if they're not already mapped. The way to get it working now is to stick "on error resume next" before the unmap section - the error will happen but no-one will see and this buys you time to fix things properly.
The other thing to do is to make sure your login scripts run with cscript (rather than wscript, which is what you are using).
The benefit of this is that error messages etc. are not done in message boxes (which confuse users and need "OK" clicking) but just written to the console (where users will ignore them but everything will just work :-))
There are lots of Conficker threads on this site already - worth your time checking.
We got hit with it Jan '09 - took down everything, e.g. because of its constant attacks on the administrator account, eventually everyone's accounts got disabled automatically by the AD.
Besides all of the problems it causes, the single all-conquering best thing to do is to update your images and implement a mass reimaging plan. We had our staff told that the internet would be out of use for a couple of weeks, ofc this is in the most dire of situations.
If you can catch it in isolated areas, then disconnect those machines, sort them out while Windows updating all the non-infected. This whole experience has caused me to use WSUS much more regularly!
We haven't had a take down of any sorts for over a year now :) Good luck.