Home / server / Questions / 34116
Accepted
smackaysmith
Asked: 2009-07-01 13:41:40 +0800 CST

An effective method to clean XP, Win2k and Windows 2003 after Conflicker

  • 772

Conflicker has been beating us down all week. We think a server or workstation is clean, but it comes back.

Windows Updates are up-to-date and everyone runs Trend or NOD32.

It would be great to use an effective tool to help us clean the computers. We are still experiencing workstation and/or server services shutting down, random tasks are added to the Scheduler, failing Automatic Update service, and DNS poisoning (I think that's what it's called when you suddenly can't get to microsoft.com and its related update sites).

So far we have used Windows Malicious Software Removal Tool (6/2009), and BitDefender Removal Tool. Neither seems terribly effective.

windows windows-server-2003 windows-xp

5 Answers

  1. There is only one effective method to clean a compromised workstation\server\network, and that is to wipe the machine(s), reinstall Windows and restore your data. Any other method, and you will never be sure that someone else doesn't own your network.

    Once you're back up and running, the most effective ways to protect your network are, in order of importance/effectiveness:

    1. Not giving users local administrator rights on their Workstations.
    2. Enforce a strong password policy
    3. Use Group Policy to manage Internet Explorer and XP Firewall on Workstations.
    4. WSUS for updates for Servers and Workstations
    5. Anti-Virus
    • 13
  2. Best Answer

    The issue seems to be not that the things you have tried haven't worked, it seems more likely that, after you have cleaned one machine, another infected machine on the network will infect the machine you have just cleaned. You need to do a complete clean of all systems on the network. During that time, you will have to keep the machines from re-infecting one another.

    Microsoft does have a knowledge base about this, Here. If the things there don't work, you will have disconnect every machine from the network, disinfect every machine, and then hook everything back up again. Good luck.

    • 3

  3. The reason it spreads is because you have not yet set the group policy as specified here. Then you can clean the machines using the Malicious Software Removal tool. While many times you do need to wipe the machine, this is not one of them (as long as this is the only issue you have). Hopefully you have also initiated some sort of WSUS or another mandatory patch management solution.

    • 1

  4. Symantec offers a removal tool along with instructions on how to quarantine while disinfecting. McAfee does also, but they call it S.T.I.N.G.E.R.
    Take down the network while cleaning if you can, that will keep computers from getting re-infected.

    • 0

  5. There's the Confickr working group and the Unfickr project. I pretty much guess you'll find all infos there. I would recommend to go through propper Nmap checks at first on the whole available subnet.

    System hardening, working in user mode, using app policies - priceless nowadays.

    • 0