Question : How to completely remove conficker

Folks,my DC is affected with the Conficker virus.accounts keep getting locked out.Can't  even edit the registry now.
How would we I  completely remove conficker from my dc & other servers & desktop on the network.

Please help.

Answer : How to completely remove conficker

Hi,

This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

so, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contains one name/ip per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IP's and save the results as a text file (http://www.softperfect.com/products/networkscanner/)

Another important points:

1) Review the current Passwords policy, you can configure a Windows GPO that will require a complex password, with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/), and scan all machines using this plugin ID (34476) to check if they have MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this just an example)

Important Note: Please check the batch file before you run it on "Production Servers", becuase it will disable some features in Windows to prevent Conficker infection.

A Symantec Certified Specialist @ your service

1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203:

@echo off color 0A ECHO. *********************************************************************************************** ECHO. ExtremeSecurity.blogspot.com - Do It Securely or Not At All ECHO. Multi OS W32.Downadup Cleaner v2.0 ECHO. *********************************************************************************************** ver | find "2003" > nul if %ERRORLEVEL% == 0 goto ver_2003 ver | find "XP" > nul if %ERRORLEVEL% == 0 goto ver_xp ver | find "2000" > nul if %ERRORLEVEL% == 0 goto ver_2000 ver | find "Version 6.0.6000" > nul if %ERRORLEVEL% == 0 goto ver_vista-sp0 ver | find "Version 6.0.6001" > nul if %ERRORLEVEL% == 0 goto ver_vista-sp1 goto exit :ver_2003 echo Enabling BITs ... sc config bits start= auto echo Starting BITs ... net start "Background Intelligent Transfer Service" echo Enabling Automatic Updates ... sc config Wuauserv start= auto echo Starting Automatic Updates ... net start "Windows Automatic Update Service" echo Enabling Windows Error Reporting Service (ERSvc) ... sc config ERSvc start= auto echo Starting Windows Error Reporting ... net start ERSvc echo Enabling Windows Error Reporting Service (WerSvc) ... sc config WerSvc start= auto echo Starting Windows Error Reporting ... net start WerSvc echo Checking MS WSUS for any missing updates ... wuauclt.exe /detectnow REM echo Removing all AT created scheduled tasks ... REM AT /Delete /Yes REM echo Stopping & Disabling Schedule service... REM sc.exe stop schedule REM sc.exe config schedule start= disabled echo Fixing Downadup infection (Silent mode - Check log file in C:\)... \\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt echo Patching MS08-067 ... \\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart echo Rebooting System ... shutdown -r -f -c "Rebooting system" goto exit :ver_xp echo Enabling BITs ... sc config bits start= auto echo Starting BITs ... net start "Background Intelligent Transfer Service" echo Enabling Automatic Updates ... sc config Wuauserv start= auto echo Starting Automatic Updates ... net start "Windows Automatic Update Service" echo Checking MS WSUS for any missing updates ... wuauclt.exe /detectnow echo Enabling Windows Security Center Service (wscsvc) ... sc config wscsvc start= auto echo Starting Windows Security Center ... net start wscsvc echo Enabling Windows Error Reporting Service (ERSvc) ... sc config ERSvc start= auto echo Starting Windows Error Reporting ... net start ERSvc echo Removing all AT created scheduled tasks ... AT /Delete /Yes echo Stopping & Disabling Schedule service... sc.exe stop schedule sc.exe config schedule start= disabled echo Disabling "AutoPlay" ... reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f echo Fixing Downadup infection (Silent mode - Check log file in C:\)... \\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt echo Patching MS08-067 ... \\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart echo Rebooting System ... shutdown -r -f -c "Rebooting system" goto exit :ver_2000 echo Enabling BITs ... sc config bits start= auto echo Starting BITs ... net start "Background Intelligent Transfer Service" echo Enabling Automatic Updates ... sc config Wuauserv start= auto echo Starting Automatic Updates ... net start "Windows Automatic Update Service" echo Checking MS WSUS for any missing updates ... wuauclt.exe /detectnow echo Removing all AT created scheduled tasks ... AT /Delete /Yes echo Fixing Downadup infection (Silent mode - Check log file in C:\)... \\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt echo Patching MS08-067 ... \\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart echo Rebooting System ... shutdown -r -f -c "Rebooting system" goto exit :ver_vista-sp0 echo Enabling BITs ... sc config bits start= auto echo Starting BITs ... net start "Background Intelligent Transfer Service" echo Enabling Automatic Updates ... sc config Wuauserv start= auto echo Starting Automatic Updates ... net start "wuauserv" echo Checking MS WSUS for any missing updates ... wuauclt.exe /detectnow echo Enabling Windows Security Center Service (wscsvc) ... sc config wscsvc start= auto echo Starting Windows Security Center ... net start wscsvc echo Enabling Windows Defender Service (WinDefend) ... sc config WinDefend start= auto echo Starting Windows Defender ... net start WinDefend echo Enabling Windows Error Reporting Service (WerSvc) ... sc config WerSvc start= auto echo Starting Windows Error Reporting ... net start WerSvc echo Removing all AT created scheduled tasks ... AT /Delete /Yes echo Stopping & Disabling Schedule service... sc.exe stop schedule reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f echo Disabling "AutoPlay" ... reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f echo Restoring Windows Defender startup key ... reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f echo Enabling TCP Receive Window Auto-tuning ... netsh interface tcp set global autotuning=normal echo Fixing Downadup infection (Silent mode - Check log file in C:\)... \\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt echo Patching MS08-067 ... \\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart echo Rebooting System ... shutdown /r /f /c "Rebooting system" goto exit :ver_vista-sp1 echo Enabling BITs ... sc config bits start= auto echo Starting BITs ... net start "Background Intelligent Transfer Service" echo Enabling Automatic Updates ... sc config Wuauserv start= auto echo Starting Automatic Updates ... net start "Windows Automatic Update Service" echo Checking MS WSUS for any missing updates ... wuauclt.exe /detectnow echo Enabling Windows Security Center Service (wscsvc) ... sc config wscsvc start= auto echo Starting Windows Security Center ... net start wscsvc echo Enabling Windows Defender Service (WinDefend) ... sc config WinDefend start= auto echo Starting Windows Defender ... net start WinDefend echo Enabling Windows Error Reporting Service (WerSvc) ... sc config WerSvc start= auto echo Starting Windows Error Reporting ... net start WerSvc echo Removing all AT created scheduled tasks ... AT /Delete /Yes echo Stopping & Disabling Schedule service... sc.exe stop schedule reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f echo Disabling "AutoPlay" ... reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f echo Restoring Windows Defender startup key ... reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f echo Enabling TCP Receive Window Auto-tuning ... netsh interface tcp set global autotuning=normal echo Fixing Downadup infection (Silent mode - Check log file in C:\)... \\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt echo Patching MS08-067 ... \\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart echo Rebooting System ... shutdown /r /f /c "Rebooting system" goto exit :exit

Open in New Window Select All