  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 480

Got infected by Conficker-A

I need your help to figure out what to do. I just installed Sophos Endpoint on my 25 computers, and what a surprise, all my computers are infected by Conficker-A. I followed the Sophos removal procedure, then I waited one day to see if that was working, and when I came in this morning the two PCs had the virus back.

What can I do? Do I have to reformat every PC?
Asked by GCI_SUPPORT
 
axyr commented:
I would run ComboFix on the computers and then post the log here. Also check to make sure none of your flash drives are the source of your reinfection.
 
TimAllan commented:
As axyr says, use ComboFix: combofix.org
Download and run.
 
GCI_SUPPORT (Author) commented:
Can this virus cause my network to be slow???
 
GCI_SUPPORT (Author) commented:
My Sophos rejects the software.
 
TimAllan commented:
Yep, I wouldn't use Sophos. I would use AVG Free as a better alternative for removing this virus: http://free.avg.com/au-en/homepage
 
GCI_SUPPORT (Author) commented:
But my network is protected by Sophos.
 
TimAllan commented:
You can install AVG Free; just disable Sophos for the time being, as two virus scanners working side by side won't play nicely. Use AVG to remove the virus, reboot, then remove AVG once it's gone.
 
GCI_SUPPORT (Author) commented:
Do you know how to turn off Sophos protection when it is controlled by Sophos Control Center?
 
TimAllan commented:
You could always just uninstall it if you have administrator access to do so, or disable the Sophos service from Services.
 
GCI_SUPPORT (Author) commented:
OK, I'll try this.
 
GCI_SUPPORT (Author) commented:
Can this virus cause my network to be slow???
 
TimAllan commented:
Depending on the type of virus you have, yes, it can slow down your network.
 
GCI_SUPPORT (Author) commented:
OK, I did what you said: all Sophos services were stopped, after that AVG was installed and updated, and it found nothing. But the thing is, Sophos found a file and deleted it this morning, and the file was in the system32 directory.

I think the worm always comes back.
 
TimAllan commented:
Try also turning off System Restore in Windows, just so it's not keeping a backup of the virus.
 
optoma commented:
Firstly, if using ComboFix, download it from here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Secondly, no need to turn off System Restore yet!

Try HitmanPro on all the machines. It installs and scans very quickly :)
http://www.surfright.nl/en/hitmanpro
 
optoma commented:
HitmanPro will run alongside Sophos, so no need to uninstall anything.
 
GCI_SUPPORT (Author) commented:
I found this on my network with a packet analyser. It appears a lot of times in the packet analyser, and I think it is what is causing my network to be slow.

 192.168.1.100 52396 172.16.1.1 139 TCP X0 X1 152 0
 192.168.1.100 52398 172.16.1.1 445 TCP X0 X1 152 0

How can I know what causes that?
 
garethclarified commented:
OK, so what you are seeing here is Conficker brute-forcing usernames and passwords against your machines.

If you look in the Security log in the event log on your domain controllers, you will see lots of logon failures.

So there are a few things to take into consideration:

1) The Windows machines need patching with KB958644.
2) Ensure that any unrecognised scheduled tasks have been removed.
3) Run the latest Microsoft Malicious Software Removal Tool and reboot when complete.
4) Ensure that Sophos (whilst your network is still infected) has on-access scanning enabled for both Read and Write.
5) Do a full scan with Sophos.

Unfortunately there isn't a fast one-click way of getting rid of this. I also noted that many strange and unrelated issues were caused by having a Conficker infection. My advice would be to tackle the Conficker infection first.

Hope this helps.
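A small detection script for the two indicators garethclarified points to: the SMB fan-out visible in GCI_SUPPORT's packet-analyser rows, and the logon failures piling up on the domain controller. This is an added example, not code from anyone in the thread; the capture rows follow the thread's column layout, and the security-log lines are a constructed, simplified format rather than real Windows event text.

```python
# Detect the pattern garethclarified describes: one host fanning out to SMB
# ports 139/445 on many peers and, on the domain controller, racking up
# logon failures for many accounts. Added example; sample data is constructed.
from collections import defaultdict

SMB_PORTS = {139, 445}

# Constructed capture rows in the thread's column layout:
# src sport dst dport proto X0 X1 length flags
CAPTURE = """\
192.168.1.100 52396 172.16.1.1 139 TCP X0 X1 152 0
192.168.1.100 52398 172.16.1.1 445 TCP X0 X1 152 0
192.168.1.100 52401 172.16.1.2 445 TCP X0 X1 152 0
192.168.1.100 52402 172.16.1.3 445 TCP X0 X1 152 0
192.168.1.7 1043 172.16.1.1 445 TCP X0 X1 152 0
192.168.1.7 1044 172.16.1.1 80 TCP X0 X1 152 0
"""

# Constructed, simplified security-log lines (time, result, account, source)
SECURITY_LOG = """\
09:01:02 Logon Failure user=administrator from=192.168.1.100
09:01:02 Logon Failure user=admin from=192.168.1.100
09:01:03 Logon Failure user=backup from=192.168.1.100
09:05:10 Logon Failure user=jsmith from=192.168.1.7
09:05:40 Successful Logon user=jsmith from=192.168.1.7
"""

def smb_fanout(capture, min_targets=3):
    """Sources that hit 139/445 on at least min_targets distinct hosts.
    A worm probes many peers; a user's PC talks to one or two servers."""
    targets = defaultdict(set)
    for line in capture.splitlines():
        f = line.split()
        if len(f) >= 4 and int(f[3]) in SMB_PORTS:
            targets[f[0]].add(f[2])
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}

def failed_logon_sources(log, min_accounts=3):
    """Sources with failures for at least min_accounts distinct accounts:
    one host cycling through usernames is the brute-force signature."""
    accounts = defaultdict(set)
    for line in log.splitlines():
        if "Logon Failure" in line:
            kv = dict(p.split("=", 1) for p in line.split() if "=" in p)
            accounts[kv["from"]].add(kv["user"])
    return {h: len(a) for h, a in accounts.items() if len(a) >= min_accounts}

def suspects(capture=CAPTURE, log=SECURITY_LOG):
    """Hosts flagged by both indicators: isolate and clean these first."""
    return sorted(set(smb_fanout(capture)) & set(failed_logon_sources(log)))
```

Run against the constructed data, only 192.168.1.100 trips both thresholds; the ordinary user PC at 192.168.1.7, which talks to a single server and fails one logon, does not.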
 
axyr commented:
It would still be nice to see that ComboFix log. Disable Sophos or even uninstall it so ComboFix can run.
 
garethclarified commented:
I don't wish to step on anyone's toes here, but removing AV is a bad idea.

The link for the Microsoft Malicious Software Removal Tool is http://www.microsoft.com/security/malwareremove/default.aspx

This appears to be the Microsoft equivalent of ComboFix and will not clash with Sophos.