Cannot get rid of Conficker on company network

[corp_jones]

Hi Guys

We got a network of about 30 PC's most on XP SP2, 1 win2k and couple of win2k servers, all patched MS08-67 and all running trend officescan, we've also got a SBS 2003 server again patched, the problem is trend officescan keeps sending us alerts on different machines saying downadup detected cannot clean so it quarantines it.
I cant put SP3 on the machines as the IT manager doesn't want any big changes as in service packs yet.

The SBS server also keeps getting alerts once every couple of days, the virus is normally found in "temporary internet files", I dont understand how its getting thru as its patched now and also no weak passwords, we've ran several tools including symentec which scans the system and confirms the virus has been removed and no infections but then it comes back from somewhere which trend detects again and removes, trend doesnt display the source IP address unfortunately!

I'm at a bit of a loss, any ideas appreciated!

[Agent]

Probably an obvious one, but did you turn off system restore when doing this? All sorts of nastys can hide there

[smargh]

A system won't be magically permanently cleaned because of one detected infected file being deleted and the infection vector (MS08-067) being disabed.

Check scheduled tasks.
Check the "at" command via the command prompt.
Check for processes started via rundll32.exe.

Even if, for example, PC2 is 100% patched, if the user of PC1 can run to the c$ share of PC2 and copy a file, then PC2 will get a Conficker binary and several scheduled tasks to run the copied .exe at a later time. This gets MUCH worse if a domain admin or server becomes infected....

My sledgehamemer solution: deny all incoming network connections via GPO (local security policy->user rights assignment->access this computer from the network->add "Everyone" to it)

To see which PCs are trying to log on multiple times, enable audit logging on one PC and watch a few hundred attempts from infected PCs to log on with various common administrator accounts. Sometimes it just tries to log on a few times with the currently logged on user of the currently infected PC.

[synaesthesia]

Since its only 30 odd machines, schedule a day's downtime (or half if you're feeling nippy).

Download a couple of items:

1. Sophos's Conficker Cleaner tool ( http://www.sophos.com/support/cleaners/scct_10_sfx.exe )
2. Malwarebytes Anti Malware package ( http://www.malwarebytes.org/ )

Copy them to each machine locally over the network (or use a USB pen you can destroy/disinfect later)

Disconnect the network. Everything.

Starting from the server, manually run the above two tools and disinfect the lot as you see fit (one at a time, multiple machines at a time). If one or both tools refuse to run or strangely don't start as a result of the infection, just rename the tool (i.e. if you cant install Malwarebytes, rename mbamsetup.exe or whatever its called to fluffy.exe. Install, and after installation go into the program files folder and rename mbam.exe to whatever.exe too. Hey presto, it'll run)
Malwarebytes is capable of removing conficker entirely on it's own, however I'd suggest playing safe and running the Sophos removal tool first, then Malwarebytes as a "mop up" afterwards.

Find a standalone machine (laptop is ideal) that you wont mind losing the data from. Get EVERYONE's USB pen, stick it in, copy the docs to the machine and format (fully) the pen. Copy docs back over to pen, hand back to owner.

Only when you're absolutely sure everything is clean, you should be good to go. Use a standalone machine to clean and format the original USB pen use then blat the standalone.

Long old process but preventing re-infection will be just as important as disinfection in the first place. Thankfully I've only had a couple of large sites (200-300 PC's) to unburden this infection from and the rest have been entirely isolatable due to security restrictions in place stopping the infection from actually doing anything other than being present.

[lodore]

also try drweb cure it
and superantispyware

[Singh400]

Disconnect every machine from the network. Isolate every machine from one another. Then disinfect one by one.

[corp_jones]

Thanks guys, I had a feeling I would have to do manual scans on each PC and was trying to avoid it, but has to be done.