I posted a few weeks ago but have done some further work/consideration
about this issue.
I've just taken on a new client whose network has been left in pretty
bad shape by their previous IT support provider. They have
approximately 11 XP workstations and 1 SBS 2003 DC.
To sum up the state they're in:
- No server or workstation Windows Updates installed for a very long
time (still on XP SP2)
- AVG Personal Edition on all workstations, AVG SBS on the server but
expired May 2010.
- No logon passwords needed/very poor passwords on workstations
- Conficker virus infection on all computers.
The previous IT firm seemed to give up on the client once they knew
they had a Conficker infection.
I want to rid them of the Conficker virus first of all. My plan of
attack is as follows:
One workstation at a time:
1. Format the workstation. Reinstall Windows.
2. Install all available Windows Updates.
3. Install business class anti-virus software.
4. Implement additional protection to prevent reinfection (see below).
5. Ensure complex logon password.
6. Join the workstation back into the domain and configure for the
user.
By doing this I'm hoping to gradually, one workstation at a time,
eradicate the virus from the network and prevent reinfection once the
workstation is re-introduced to the network. Additionally, doing one at
a time prevents mass downtime.
The advice I would appreciate from you guys is:
1. I want to PREVENT re-infection. This is crucial. As well as updates
and AV software I plan on doing the following:
- Complex local admin password
- Block Autorun
Is there anything else I can do on the workstation before
reintroducing it to the network to PREVENT reinfection?
2. Is this the most effective method of removing the virus from the
whole network?
Thanks in advance.
| eggedd2k | 9/9/2010 5:10:20 PM |
Part of the problem here is that by doing one at a time...when you reintroduce it to the network..it risks reinfection by another workstation
Is the server infected?
You should go here http://support.microsoft.com/kb/962007 and follow the instructions
It may not be required to format each machine unless you think there is more going on.
After you've taken all the steps in the KB...run Malwarebytes at Malwarebytes.org and find out what else you've got to deal with
I'm not a big fan of expecting the virus to be dealt with once it gets into the network...I'd much rather it be dealt with by blocking it from ever getting to the network. A good UTM Firewall will do this...think of it as the Moat around the Castle
Then consider ForeFront Client Security on the workstations...can be updated by Windows Update or WSUS
-- 
Cris Hanna [SBS - MVP] (since 1997)
Co-Contributor, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
Owner, CPU Services, Belleville, IL
A Microsoft Registered Partner
------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.
"eggedd2k" <eggedd2k@gmail.com> wrote in message news:162fae21-bed4-4d67-93ff-b58a85e7e1af@k9g2000vbo.googlegroups.com...
| Cris | 9/9/2010 6:03:46 PM |
Thanks for your response on this.
Yes the server is infected.
Having thought this through it's clear that by doing one system at a
time there is a risk of reinfection when the cleaned workstation is
joined back into the network.
The Microsoft link you posted is of great help and this is clearly the
path to go down:
1. Stop Conficker from spreading via group policy.
2. Clean each system with AV/Malwarebytes/Malicious Software Removal
tool
Thanks again for your help on this!
| eggedd2k | 9/10/2010 8:06:23 AM |
Especially with the server also infected how will you be sure that all
infections are totally removed without also reformatting the server and
reinstalling SBS?
"eggedd2k" <eggedd2k@gmail.com> wrote in message
news:329012f9-8a3b-4baa-b2f4-a1c338ea06ec@t7g2000vbj.googlegroups.com...
| SteveB | 9/10/2010 3:24:37 PM |
I have to agree. If server and workstations are infected...I'd flatten everything and start over...or you risk just reinfecting all over again
-- 
Cris Hanna [SBS - MVP] (since 1997)
Co-Contributor, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
Owner, CPU Services, Belleville, IL
A Microsoft Registered Partner
------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.
"SteveB" <newsgroup@public.lan> wrote in message news:%232lZJxPULHA.784@TK2MSFTNGP02.phx.gbl...
| Cris | 9/10/2010 3:52:03 PM |
On 9/9/2010 10:10 AM, eggedd2k wrote:
Call Microsoft security at 1-800-Microsoft and ask for their CSS
security team for Conficker and they will help you with what to do.
Apologies for this... but please repost to www.sbsforum.info this
newsgroup is closing tomorrow.
| Susan | 9/12/2010 1:30:11 AM |
On Sat, 11 Sep 2010 18:30:11 -0700, Susan Bradley
<sbradcpa@pacbell.net> wrote:
snip
>Apologies for this... but please repost to www.sbsforum.info this
>newsgroup is closing tomorrow.
While some servers may drop the newsgroup (you didn't identify which
of the three you meant), it will have no affect on the other servers
that carry it.
--
Remove del for email
| Barry | 9/12/2010 7:06:21 PM |
On 9/12/2010 12:06 PM, Barry Schwarz wrote:
> While some servers may drop the newsgroup (you didn't identify which
> of the three you meant), it will have no affect on the other servers
> that carry it.
>
The reality is that many of us will not find another nntp server, so if
you want the largest pool of helpers, this is the reality.
| Susan | 9/12/2010 9:48:46 PM |
Susan Bradley wrote:
> The reality is that many of us will not find another nntp server, so if
> you want the largest pool of helpers, this is the reality.
http://www.aioe.org/
nntp.aioe.org is available, with no registration required.
You can start using it immediately.
I'm posting from it right now.
The reason the owner can afford to do it, is his NNTP server
does not support binaries or movie downloads.
Paul
| Paul | 9/12/2010 10:35:56 PM |
On Sun, 12 Sep 2010 14:48:46 -0700, Susan Bradley
<sbradcpa@pacbell.net> wrote:
> The reality is that many of us will not find another nntp server, so if
> you want the largest pool of helpers, this is the reality.
If you are using a newsreader (as opposed to a web browser), there are
several servers that are either free or have one time fees of less
than US $10.
--
Remove del for email
| Barry | 9/12/2010 11:13:21 PM |
Sure we could switch to something else but why bother? As Susan points out
you will receive only very limited responses to questions and most of the
pool of well qualified respondents such as SBS MVPs and Microsoft personnel
will all be using the new forum. That forum is also easily accessed by an
NNTP reader using the community bridge.
Steve
"Barry Schwarz" <schwarzb@dqel.com> wrote in message
news:95nq86pcau0vhf2446881lpokrk690fcu1@4ax.com...
| SteveB | 9/13/2010 2:52:56 AM |
In article <162fae21-bed4-4d67-93ff-b58a85e7e1af@k9g2000vbo.googlegroups.com>, eggedd2k@gmail.com says...
You can't do this one at a time, you need to down all workstations, keep
them off the network, and then do as follows:
Download the Avira Antivir Server product, it will run for 30 days,
install it on the server, reboot, make sure it updated, run a full scan.
Download Avira Antivir and put it on a USB stick, download the manual
updates.
Now, take one of the XP workstations, assuming the company was smart
enough to purchase all the same systems around the same time - wipe it,
reinstall from scratch, install Avira Antivir, connect to the network,
do all the updates, DO NOT JOIN THE DOMAIN YET. Now, SYSPREP the
computer making it ready to clone to the other computers...
http://support.microsoft.com/kb/302577
Now, clone the computer's HD to the other machines that are the same
type/model.
Bring them all online, rejoin them to the domain, install an Enterprise
type AV solution that is managed by the server, don't make local
workstation users LOCAL ADMINISTRATORS.
Next, get them a firewall appliance that can inspect email and HTTP
traffic and remove malware - like the www.watchguard.com units.
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)
| Leythos | 9/13/2010 2:58:11 AM |
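The following is an added example, not code from any poster in this thread. It turns the controls called for above into a check a technician can run on a rebuilt XP workstation before rejoining it to the domain: the original post's Windows Updates and blocked Autorun, and Leythos's rule that workstation users must not be local Administrators. It assumes PowerShell 2.0 is installed on the XP machine and the script runs in an administrator session; the function names and the AllowedAdmins default are this example's own. KB958644 is Microsoft's MS08-067 update, the hole Conficker uses to spread across the network, and KB967715 is the XP update required before the NoDriveTypeAutoRun registry value is honored for all drive types (neither KB number appears in the thread; both are Microsoft's, not constructed).

```powershell
# Added example, not from the thread: verify a rebuilt XP workstation against
# the controls named in this thread before it goes back on the network.
# Assumes PowerShell 2.0 on the workstation and an administrator session.

function Test-AutorunBlocked {
    # Block Autorun: NoDriveTypeAutoRun = 0xFF disables Autorun on every drive type.
    # On XP the value is only honored for all drives once update KB967715 is installed.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -eq $null -or $item.NoDriveTypeAutoRun -eq $null) { return $false }
    return (($item.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)
}

function Test-HotfixInstalled {
    param([string]$KbId)
    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID values look like "KB958644".
    $hits = @(Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KbId })
    return ($hits.Count -gt 0)
}

function Get-LocalAdministrators {
    # ADSI WinNT provider: works on XP without extra modules, yields member names.
    $group = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.psbase.Invoke('Members'))
    foreach ($m in $members) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

function Test-WorkstationReady {
    # $AllowedAdmins is this example's own list: the built-in account plus the
    # domain group that manages the machine; any other member is a finding.
    param([string[]]$AllowedAdmins = @('Administrator', 'Domain Admins'))

    $extraAdmins = @(Get-LocalAdministrators | Where-Object { $AllowedAdmins -notcontains $_ })
    $checks = @(
        @{ Name = 'Autorun blocked (NoDriveTypeAutoRun=0xFF)'; Pass = (Test-AutorunBlocked) },
        @{ Name = 'Autorun fix KB967715 installed';           Pass = (Test-HotfixInstalled 'KB967715') },
        @{ Name = 'MS08-067 update KB958644 installed';       Pass = (Test-HotfixInstalled 'KB958644') },
        @{ Name = 'No extra local Administrators';             Pass = ($extraAdmins.Count -eq 0) }
    )

    $ready = $true
    foreach ($c in $checks) {
        $state = 'PASS'
        if (-not $c.Pass) { $state = 'FAIL'; $ready = $false }
        Write-Host ('{0,-45} {1}' -f $c.Name, $state)
    }
    if ($extraAdmins.Count -gt 0) {
        Write-Host ('  unexpected local Administrators: ' + ($extraAdmins -join ', '))
    }
    return $ready
}

# Usage: run on the rebuilt workstation before rejoining it to the domain.
if (Test-WorkstationReady) { Write-Host 'Workstation passes all checks.' }
else { Write-Host 'Fix the FAIL items before reconnecting.' }
```

The hotfix checks cover only the two updates the Conficker controls depend on; "install all available Windows Updates" still means running Windows Update (or WSUS) to completion, and this script is a gate on the result, not a substitute for it.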
In article <uvD9HRsULHA.4132@TK2MSFTNGP04.phx.gbl>, sbradcpa@pacbell.net
says...
> The reality is that many of us will not find another nntp server, so if
> you want the largest pool of helpers, this is the reality.
I think the reality is that Usenet was around long before MS even
learned about email or the Internet and will be around long after it.
The forums are a bad way and cumbersome.
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam999free@rrohio.com (remove 999 for proper email address)
| Leythos | 9/13/2010 2:59:42 AM |
12 Replies | 348 Views