wantabe2 asked on

Virus Infection

I run Sophos on over 2000 workstations. Over the weekend we've had a virus outbreak with Troj/Clomp-B & Troj/Clomp-C. I've worked with Sophos all morning because this Trojan uses port 80 to propagate & eats up so much bandwidth we are crawling. I sent Sophos several files earlier today & am expecting to get some results later this evening. My question is, is anyone else seeing this on their network? It seems that the fix Sophos has is not working.
Tags: Anti-Virus Apps, Anti-Spyware

Last comment: xmachine, 8/22/2022 - Mon

ASKER CERTIFIED SOLUTION: Dhiraj Mutha

dmarinenko

I haven't seen this. My SOP for infections is this.

#1 Remove the network cable (when you remove one trojan, say the "B" one, the "C" one sometimes will just re-download and install it; then, removing the "C", the "B" does the same. Having the network cable plugged in is sometimes a never-ending battle.)
#2 Insert a Kaspersky bootable CD (you can download and make one from their site). This will take a while to run a virus check, but since it is its own OS it gets rid of junk more easily.
#3 Boot into safe mode and go through the starting processes in the registry (either regedit or HijackThis); remove junk and anything unknown, and google the name.
#4 Run Malwarebytes on the infected system.
#5 Run whatever is installed.
#6 Plug the network cable back in and try running Trend HouseCall as a final check.

Running multiple anti-virus and anti-spyware checkers is always a good idea when removing junk (not running multiple in the background, of course).
Mohammed Hamada

Hello wantabe2

After reading the reference for the file on the Sophos website
http://www.sophos.com/security/analyses/viruses-and-spyware/trojclompb.html?_log_from=rss

I have created a batch file and a registry file that will remove all the Troj/Clomp-B files and registry values from the locations in the Sophos article...

Note that by default there are no exe files located in the %userprofile%\Application Data folder,
and the registry file will remove all the values from the locations that were mentioned too.

Open Notepad and copy the following into it

@Echo off
cls
REM Change into the current user's Application Data folder (/d also switches drive; quotes handle the space in the path)
cd /d "%userprofile%\Application Data"
REM Delete the files the Sophos article lists as dropped by Troj/Clomp-B
Del /f svchosts.exe
Del /f taskmon.exe
Del /f rundll.exe
Del /f service.exe
Del /f sound.exe
Del /f upnpsvc.exe
Del /f lsas.exe
Del /f logon.exe
Del /f helper.exe
Del /f event.exe
Del /f dumpreport.exe
Del /f msiexeca.exe

cd /d C:\
REM /s imports the .reg file silently (no confirmation prompt); the file is saved to C:\ below
regedit.exe /s C:\RemovingValues.reg


Now click File and save the file as Removingfiles.bat to the C:\ drive.

Then copy the code snippet below into a new Notepad window and save the file as RemovingValues.reg to the C:\ drive too.

Test this on one PC to see whether you are able to get rid of the trojan; if it doesn't work you will need to apply the removal in safe mode.

Hope this helps


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchosts"=-
"TaskMon"=-
"RunDll"=-
"System"=-
"Sound"=-
"UPNP"=-
"lsass"=-
"Init"=-
"Windows"=-
"EventLog"=-
"CrashDump"=-
"Setup"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings]
"GID"=-
"GatesList"=-
"KeyM"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
"9593275321"=-

xmachine

Hi,

You can use the PsExec tool to copy/run the batch remotely on your infected computers

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

A Symantec Certified Specialist @ your service
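As an added example (not code from Mohammed Hamada's or xmachine's posts), the PowerShell script below audits a workstation for the same Troj/Clomp-B indicators that the batch and .reg files above target: the dropped file names in %APPDATA% and the registry values in the .reg file. By default it only reports and logs what it finds (with a SHA-256 of each file so you have a record of what was removed); it deletes only when run with -Remove. The log path, the script name and the -Remove switch are my assumptions, not something from the thread.

```powershell
# Added example: audit, and optionally remove, the Troj/Clomp-B indicators listed in the thread.
# Run it without -Remove first to see what matches on a given workstation.
[CmdletBinding()]
param(
    [switch]$Remove,                          # without this switch the script only reports
    [string]$LogPath = "C:\clomp-audit.log"   # assumed log location; change to suit
)

# File names the Sophos article (as quoted in the batch file above) says are dropped into
# the per-user Application Data folder; $env:APPDATA resolves to that folder.
$dropNames = @('svchosts.exe','taskmon.exe','rundll.exe','service.exe','sound.exe',
               'upnpsvc.exe','lsas.exe','logon.exe','helper.exe','event.exe',
               'dumpreport.exe','msiexeca.exe')

# Run-key value names and the other registry values from the .reg file above.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('svchosts','TaskMon','RunDll','System','Sound','UPNP','lsass',
               'Init','Windows','EventLog','CrashDump','Setup')
$otherValues = @{
    'HKCU:\Software\Microsoft\Internet Explorer\Settings' = @('GID','GatesList','KeyM')
    'HKLM:\SOFTWARE\Microsoft'                            = @('9593275321')
}

$findings = New-Object System.Collections.Generic.List[string]

# Append one timestamped line to the log, the console and the in-memory list.
function Write-Finding([string]$Text) {
    $line = "{0} {1} {2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $env:COMPUTERNAME, $Text
    $findings.Add($line)
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# Check one registry value; delete it only when -Remove was given.
function Test-RegistryIndicator([string]$Key, [string]$Value) {
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    Write-Finding ("REGVALUE {0}\{1} = {2}" -f $Key, $Value, $item.$Value)
    if ($Remove) {
        Remove-ItemProperty -Path $Key -Name $Value -ErrorAction Continue
        Write-Finding "REMOVED $Key\$Value"
    }
}

# 1. Dropped files in the current user's Application Data folder.
foreach ($name in $dropNames) {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $path) {
        # Hash before deleting so the log keeps a record of the exact sample (Get-FileHash needs PowerShell 4+).
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Finding "FILE $path sha256=$hash"
        if ($Remove) {
            # A dropper that is still running will refuse deletion; the thread's advice
            # (unplug the network, use safe mode) applies here as well.
            Remove-Item -LiteralPath $path -Force -ErrorAction Continue
            Write-Finding "REMOVED $path"
        }
    }
}

# 2. Persistence values in HKCU\...\Run.
foreach ($value in $runValues) { Test-RegistryIndicator -Key $runKey -Value $value }

# 3. The remaining values from the .reg file.
foreach ($key in $otherValues.Keys) {
    foreach ($value in $otherValues[$key]) { Test-RegistryIndicator -Key $key -Value $value }
}

if ($findings.Count -eq 0) { Write-Output "No Troj/Clomp-B indicators found on $env:COMPUTERNAME" }
```

One caveat that applies equally to the batch file when it is pushed out with PsExec: the indicators live under HKEY_CURRENT_USER and in %userprofile%, so the script only sees the profile of the account it runs as. Running it remotely as SYSTEM (psexec -s) would inspect SYSTEM's hive and profile, not the logged-on user's; run it with the infected user's credentials (psexec -u) or have it run in that user's session.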