Avatar of wantabe2
Flag for United States of America asked on

Virus Infection

I run Sophos on over 2000 workstations. Over the weekend we've had a virus outbreak with Troj/Clomp-B & Troj/Clomp-C. I've worked with Sophos all morning because this Trojan uses port 80 to propagate & eats up so much bandwidth we are crawling. I sent Sophos several files earlier today & am expecting to get some results later this evening. My question is, is anyone else seeing this on their network? It seems that the fix Sophos has is not working.
Anti-Virus AppsAnti-Spyware

Avatar of undefined
Last Comment

8/22/2022 - Mon
Dhiraj Mutha

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

I haven't seen this.  My SOP for infexctions is this.

#1 remove network cable (when you remove one trojan, say the "b" one then the "c" one sometimes will just re-download and install.  then removing the "C", the "B" does the same.  Having the network cable plugged in is sometimes a never ending battle)
#2 Insert kaspersky bootable CD (you can download and make one from there site) this will take awhile to run a virus check,but since it is it's own OS it gets rid of junk easier.
#3 boot into safe mode and go through starting processes in registry (either regedit or hijack this) remove junk and anything unkown google the name
#4 run malware bytes on infected system
#5 run whatever is installed
#6 replug in network cable and try running trend house call as a final check.

Running multiple anti-virus and anti-spyware checkers is always a good idea (not running multiple in background of course) when removing junk.
Mohammed Hamada

Hello wantabe2

After reading the reference of the file from Sophos website

I have created a batch file and a registry that will remove all the Troj/Clomp-B instances of files and registry from the locations in the sophos article...

Note that by default there are no exe files located in the %userprofile%\application data folder..
and the registry will remove all the values from the locations that was mentioned too..

Open notepad and copy the following in it

@Echo off
cd %userprofile%\Application Data
Del /f svchosts.exe
Del /f taskmon.exe
Del /f rundll.exe
Del /f service.exe
Del /f sound.exe
Del /f upnpsvc.exe
Del /f lsas.exe
Del /f logon.exe
Del /f helper.exe
Del /f event.exe
Del /f dumpreport.exe
Del /f msiexeca.exe
Del /f upnpsvc.exe

regedit.exe RemovingValues.reg

Now click File and save file as Removingfiles.bat to C:\ drive

And copy the code snippet below to new notepad and save the file as removingvalues.reg to C:\ drive too

Test this on one PC and if you were able to get rid of trojan, if it didn't work you will need to apply the removal in safe mode.

Hope this helps

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Open in new window



You can use Psexec tool to copy/run the batch remotely on your infected computers


A Symantec Certified Specialist @ your service
Your help has saved me hundreds of hours of internet surfing.