eggedd2k
We've just taken over the IT support of a new client. The previous IT
company didn't look after the server or workstations very well.
One of the problems they left was a Conficker virus infection. I know
their server is infected and I'm visiting site to check the
workstations, some of which I expect to be infected.
Their server, SBS 2003, had not had any Windows updates installed since
around 2008 - when I ran Windows Update the other day there were
hundreds of updates installed. Similarly, the workstations only have XP
SP2 as the last update. Workstations are running AVG Home Edition,
server is running AVG SBS, out of date as of May.
I want to remove Conficker from the server first.
So far I've done the following on the server:
1. Managed to access Windows Update and installed every update
available - including the Conficker patch.
2. Ran the MS Malicious Software Removal Tool. This identifies 3
Conficker infections and indicates it has removed them.
3. Disabled autorun via Group Policy as per Microsoft instructions.
4. Rebooted the server.
However, upon reboot the server clearly gets reinfected, as the Windows
Update site becomes inaccessible, the related services are disabled
and the malicious software tool indicates it has found a Conficker
infection again.
Can anyone tell me how best to prevent reinfection? I was under the
impression that having all patches installed and autorun disabled via
group policy would prevent reinfection.
Thanks in advance.