Conficker is still out there.
Yesterday our network got infected and we worked till dawn to remove it. It spread again today.
So a warning to you all out there; it still exists and it can affect Win7 and Server 2008. You'd think a good firewall + up to date anti-virus on every machine/server + good password practices would prevent this but it doesn't.
I sincerely hope whoever created this thing gets tortured everyday for the rest of his/her life. It has been 5 damn years and it is still around.
Didn't MS release a patch to combat it? Is this a new variant? It has evolved quite a lot since 2008 so I wouldn't be surprised if the creator or whoever is now modifying it has found a workaround for the patch. MS's malicious software removal tool is a joke.
Seems like we killed it *knocks on wood*
Trying to remove malicious software from actively used test, development and application servers is not fun :) So is going from desk to desk and ensuring every employee runs the removal tool :)
Moral of the story: bug your bosses to buy a network-controlled antivirus that's worth a damn.
First off, review your MS server edition. Conficker uses an exploit in the system to infect the system and downloads payloads from specific servers. I would suggest using Wireshark on the network from a clean PC or a Linux PC (Kali Linux) and watching all traffic from and into your network; you may find the IP that it is coming from, or at least which PC is allowing it to enter, although if it has returned all PCs could be allowing it.
If you use a centralized network try scanning via the main terminal; I would follow my standard virus plan.
Use a variant of Linux (Fedora, Kali) and scan it and see if ClamAV can do anything.
Also, if you attempt to use standard security, which all should have definitions for, use Malwarebytes Chameleon first. It will attempt to install Malwarebytes by fooling the threat into thinking it's installing more security issues, then attempt the Malwarebytes install and scan.
Jumpshot is also a pain alternative but I don't know how well it can combat such threats.
If you are on a P2P network or a home network style setup the only option is to do the steps on each PC; slow, but it has to be done.
Check your firewall and general security. Passwords won't stop Conficker; more than likely the programmer has evolved it and a simple Windows password won't last 2 mins against it. All it needs is admin rights.
Also try using Nmap and find where it could be coming from via traffic watching; you may be able to stop its installs.
Do not attempt rollbacks or anything; it already has beaten you to it, and will just reinstall that way.
Good luck!
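One way to do the traffic watching the post above recommends, as an added example rather than anything the poster ran: it reduces a captured connection log to per-host fan-out on TCP/445 (the SMB port Conficker spreads over, an assumption taken from public write-ups, not from this thread) and reports the hosts contacting unusually many peers. The log format, addresses and threshold are all constructed for the illustration.

```python
"""Flag hosts that fan out to many peers on the SMB port in a connection log.
Added illustration, not from the thread. Assumes worm traffic shows up as one
host opening TCP/445 to many distinct addresses; log format is constructed."""
from collections import defaultdict

# Constructed sample: "timestamp src dst dport" per line, as a firewall or
# Wireshark export might be reduced to. Host 10.0.0.23 is the noisy one;
# 10.0.0.50 is a file server that many hosts legitimately talk to.
SAMPLE_LOG = """\
09:00:01 10.0.0.23 10.0.0.1 445
09:00:01 10.0.0.23 10.0.0.2 445
09:00:01 10.0.0.23 10.0.0.3 445
09:00:02 10.0.0.23 10.0.0.4 445
09:00:02 10.0.0.23 10.0.0.5 445
09:00:03 10.0.0.7 10.0.0.50 445
09:00:03 10.0.0.7 10.0.0.50 445
09:00:04 10.0.0.8 10.0.0.50 80
09:00:05 10.0.0.23 10.0.0.7 445
"""

def parse_log(text):
    """Yield (src, dst, dport) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])

def smb_fanout(text, port=445):
    """Map each source host to the set of distinct peers it hit on `port`."""
    peers = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport == port:
            peers[src].add(dst)
    return peers

def suspected_scanners(text, threshold=5, port=445):
    """Sources contacting at least `threshold` distinct peers on `port`,
    most prolific first. A server is contacted BY many hosts, but few
    hosts legitimately contact many peers, so fan-out is the signal."""
    fan = smb_fanout(text, port)
    hits = [(src, len(dsts)) for src, dsts in fan.items() if len(dsts) >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for src, count in suspected_scanners(SAMPLE_LOG):
        print(f"{src}: {count} distinct SMB peers, isolate and scan it")
```

The threshold needs tuning per network; the point is to rank internal hosts by SMB fan-out and pull the top one off the wire first, which is how the original poster found their host PC.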
That's what we did. Scanned from the main terminal again and found the host PC. Isolated and cleaned it. Cleaned the rest of the network.
Couldn't find the source, though. Probably a tunnel to a client or some flash drive plugged into an employee PC.
Really disappointed in AVG enterprise edition.
Use Nmap and read what it says; it could identify what happened. Also try Belarc Advisor if you have a small amount of PCs, although using a central network I doubt you do.
Also I would suggest getting rid of AVG; the engine is absolute crap. Try ESET Endpoint. I personally would use F-Secure; I love their products and recommend them.
Did you also try the Fedora Security spin? Scan it all without PCs being on; it makes it easier to remove stuff, and is always good as a first sweep, then move onto Windows apps. Also, although it may already have been done, restrict USB drives until you're 100% sure your system is clean. The only problem is if an employee has the infection at home, you can't really contain it.