Conficker infection on network - advice wanted on removal/protection
I've just taken on a new client whose network has been left in pretty bad shape by their previous IT support provider. They have approximately 11 XP workstations and 1 SBS 2003 DC.
To sum up the state they're in:
- No server or workstation Windows Updates installed for a very long time (still on XP SP2)
- AVG Personal Edition on all workstations, AVG SBS on the server but expired May 2010.
- No logon passwords needed/very poor passwords on workstations
- Conficker virus infection on all computers.
The previous IT firm seemed to give up on the client once they knew they had a Conficker infection.
I want to rid them of the Conficker virus first of all. My plan of attack is as follows:
One workstation at a time:
1. Format the workstation. Reinstall Windows.
2. Install all available Windows Updates.
3. Install business class anti-virus software
4. Implement additional protection to prevent reinfection (see below)
5. Ensure complex logon password
6. Join the workstation back into the domain and configure for the user.
By doing this I'm hoping to gradually, one workstation at a time, eradicate the virus from the network and prevent reinfection once the workstation is re-introduced to the network. Additionally, doing one at a time prevents mass downtime.
The advice I would appreciate from you guys is:
1. I want to prevent re-infection. This is crucial. As well as updates and AV software I plan on doing the following:
- Secure the Admin$ share
- Block Autorun
Is there anything else I can do on the workstation before reintroducing it to the network to PREVENT reinfection?
2. Is this the most effective method of removing the virus from the whole network?
Thanks in advance.
Re: Conficker infection on network - advice wanted on removal/protection
Download all the relevant updates first (especially the Conficker one, although preferably all of them) and an AV, and stick it all on a clean USB pen (not via one of the infected machines!), then install them offline before putting them back on to your infected network. At least this way you won't get an infection as soon as Windows boots up the first time...
Re: Conficker infection on network - advice wanted on removal/protection
Obviously you'll want to have a good look through the Group Policies before rejoining machines to the domain, and with regards to preventing the spread: http://wmug.co.uk/blogs/scambler/arc...up-policy.aspx
Re: Conficker infection on network - advice wanted on removal/protection
A few rules of Conficker:
1. Turn off all PCs. Any infected PC left on can re-infect others.
2. Windows updates prevent (re)infection.
3. MS Malicious Software removal tool removes existing infection from each workstation.
4. Then worry about antivirus.
The first 3 are the only way to clean a Conficker network - antivirus can't prevent (re)infection on its own and as such it's less important.
First thing you need to do is disconnect all the clients and get the server clean.
1. Get some long network cables if necessary and re-plug the server so that you have just the server connected to the internet.
2. Run the MS hotfix (MS08-067) that deals specifically with Conficker.
3. Run MS Malicious Software removal tool.
4. After it's clean, download all Windows Updates.
5. Run MS Malicious Software removal tool again to make sure.
6. Install corporate antivirus, update virus definitions and run a full scan.
Now your server is clean hopefully, all you need to do is fix your workstations. You can of course go ahead and format them all but that's a lot of work. You should be able to eradicate Conficker from each workstation using the method above, though if they are all in a truly poor state they may have much more than just Conficker on them, so format may be the only option.
Whatever you do, make sure you run MS Malicious Software removal tool at the end on all workstations and the server to make 100% sure everything's clean. Bear in mind a formatted workstation can become re-infected before it has a chance to get all the Windows Updates on.
Butuz
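As an added example, not written by any poster in this thread, here is a PowerShell 2.0 check that could be run on a rebuilt XP workstation before it is plugged back in, covering the OP's hardening points (Admin$ share, Autorun) and Butuz's MS08-067 step. The KB958644 number (the XP build of MS08-067), the registry locations and the service names are my assumptions, not details from the thread.

```powershell
# Added example: pre-reintroduction hardening audit for a rebuilt XP workstation.
# Assumes PowerShell 2.0 and that MS08-067 ships as KB958644 on Windows XP.
$results = @()

function Add-Check($name, $ok, $detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $name; Pass = [bool]$ok; Detail = "$detail"
    }
}

# 1. MS08-067 (the Server service hole Conficker spreads through) must be present.
$fix = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
$detail = 'missing'
if ($fix) { $detail = "installed $($fix.InstalledOn)" }
Add-Check 'MS08-067 (KB958644) installed' ($fix -ne $null) $detail

# 2. Autorun blocked for every drive type: NoDriveTypeAutoRun = 0xFF under the
#    Explorer policy key (assumed location of the policy setting).
$polKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Check 'Autorun disabled (NoDriveTypeAutoRun = 0xFF)' ($autorun -eq 0xFF) $autorun

# 3. Admin$ / C$ not auto-created: AutoShareWks = 0 on a workstation
#    (AutoShareServer is the equivalent value on the server).
$lanman    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$autoShare = (Get-ItemProperty -Path $lanman -Name AutoShareWks `
              -ErrorAction SilentlyContinue).AutoShareWks
Add-Check 'Admin shares disabled (AutoShareWks = 0)' ($autoShare -eq 0) $autoShare

# 4. Conficker disables Windows Update and BITS; a clean build must have them
#    enabled or the box will never pull the patches it needs.
foreach ($svcName in 'wuauserv', 'BITS') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
    $ok  = ($svc -ne $null) -and ($svc.StartMode -ne 'Disabled')
    Add-Check "Service $svcName not disabled" $ok $(if ($svc) { $svc.StartMode } else { 'absent' })
}

$results | Format-Table Check, Pass, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) failed - do not rejoin this machine to the network yet."
}
```

Run it from an elevated prompt on the freshly built machine while it is still off the network; any failed row is a reason to finish the hardening before the cable goes back in.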
Re: Conficker infection on network - advice wanted on removal/protection
Ditch AVG like a hot rock and get a Commercial Kaspersky licence :)
As you can tell I'm not a very big fan of AVG anymore.