How to remove Conficker from Network?

By Snuffy09
(Windows XP/7 network)

Our domain administrator accounts were being locked at first, then user accounts were being locked out at random.

We started scanning the network with Retina scanner and found infected computers. We patched these computers, but we are still getting locked out. Retina returns values of computers being patched.

We are currently running a scheduled task to unlock accounts.
Our antivirus program is finding 100's of downadup hits on machines that are patched and running Trend Micro OfficeScan v 10.5.1799.

Are there any other ways of tracing down or isolating this virus?

Thank You

All Answers

Offline, one client at a time, probably.

by seanferd In reply to How to remove Conficker f ...

No one likes it, but that's pretty much how you have to do it.

Conficker does patch the vulnerability it exploits, so infected machines may show up as patched. The big question: Why weren't these patched already? :0

Response To Answer

by brian In reply to Offline, one client at a ...

This is the only way we were able to remove it from our network: pull a system offline, scan it, patch it. After pulling all offline and patching/scanning, plug 'em all back in...


by acerosalez In reply to How to remove Conficker f ...

I suggest reformatting your computer and putting some antivirus on it in order to remove the "conficker" virus.

Find the Host

by TheChas In reply to How to remove Conficker f ...

Somewhere on your network is a computer that is acting as the local host for the conficker worm. Eliminate the host, and you can then finally clean off client computers.

For removal, we are scanning with the Microsoft Malicious Software Removal Tool. You need to run a full scan to remove all the files that conficker places on a system.

Both Trend and Symantec often require the user to reboot after a conficker infection is found. Any delay in rebooting to clear the infected files means that the computer is still actively spreading the worm.

The Microsoft virus database also has information on manual removal of conficker.

Depending on how widespread the infection is, you may have to take the full nuclear option and shut down the entire network.
Then, manually scan each computer and only allow those that are clean to connect.

While the normal route of infection for conficker is over a network, make sure that any and all removable storage is scanned and checked. If users ever remote or VPN into the network, make sure those systems they use are also cleaned.
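
For the tracing question that opens this thread and the "find the host" advice above, one approach is to tally account-lockout events by the machine that caused them. The following is an added example, not part of any post in this thread; it assumes a domain controller running Windows Server 2008 or later (lockout event ID 4740) and a CSV export whose column names and sample rows are constructed here.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: lockout events (ID 4740) exported from a DC's Security log.
# Column names are assumptions of this example, not a fixed export format.
SAMPLE_CSV = """TimeCreated,EventID,TargetUserName,CallerComputerName
2012-03-01T08:00:05,4740,administrator,WS-ACCT-07
2012-03-01T08:00:09,4740,jsmith,WS-ACCT-07
2012-03-01T08:00:14,4740,mbrown,WS-ACCT-07
2012-03-01T08:02:40,4740,kjones,WS-FRONT-02
2012-03-01T08:03:11,4740,administrator,WS-LAB-11
2012-03-01T08:03:15,4740,jsmith,WS-LAB-11
2012-03-01T08:05:00,4624,jsmith,WS-FRONT-02
2012-03-01T08:09:31,4740,kjones,WS-FRONT-02
2012-03-01T08:10:02,4740,tlee,WS-ACCT-07
"""

LOCKOUT_EVENT_ID = "4740"  # "A user account was locked out"


def lockouts_by_source(csv_text):
    """Map each caller computer to (set of accounts it locked out, event count)."""
    accounts = defaultdict(set)
    events = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"].strip() != LOCKOUT_EVENT_ID:
            continue  # ignore logons and other event types in the export
        host = row["CallerComputerName"].strip().upper() or "(UNKNOWN)"
        accounts[host].add(row["TargetUserName"].strip().lower())
        events[host] += 1
    return {h: (accounts[h], events[h]) for h in accounts}


def suspect_hosts(csv_text, min_accounts=2):
    """Hosts that locked out several different accounts, worst first.

    One user with a stale password locks out one account repeatedly;
    a worm guessing passwords locks out many different accounts.
    """
    stats = lockouts_by_source(csv_text)
    hits = [(h, len(a), n) for h, (a, n) in stats.items() if len(a) >= min_accounts]
    return sorted(hits, key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    for host, n_accounts, n_events in suspect_hosts(SAMPLE_CSV):
        print(f"{host}: {n_accounts} accounts locked out in {n_events} events")
```

Machines at the top of the list are the first candidates to pull offline and scan, as the replies above describe.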

