
Solved

got infected by conficker-a

Posted on 2010-09-02
475 Views
Last Modified: 2013-11-22
I need your help to figure out what to do. I just installed Sophos Endpoint on my 25 computers and, what a surprise, all my computers are infected by Conficker-A. I followed the Sophos removal procedure, then waited one day to see if it was working, and when I came in this morning two PCs had the virus back.

What can I do? Do I have to reformat every PC?
0
Question by:GCI_SUPPORT
20 Comments
 

Expert Comment

by:axyr
ID: 33585927
I would run ComboFix on the computers and then post the log here. Also check to make sure none of your flash drives are the source of your reinfection.
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33585997
As axyr says, use ComboFix: combofix.org
Download and run.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586050
Can this virus cause my network to be slow?
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586197
My Sophos rejects the software.
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33586226
Yep, I wouldn't use Sophos. I would use AVG Free as a better alternative for removing this virus: http://free.avg.com/au-en/homepage
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586259
But my network is protected by Sophos.
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33586313
You can install AVG Free; just disable Sophos for the time being, as two virus scanners working side by side won't play nicely. Use AVG to remove the virus, reboot, then remove AVG once it's gone.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586412
Do you know how to turn off Sophos protection when it is controlled by Sophos Control Center?
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33586472
You could always just uninstall it if you have administrator access to do so, or disable the Sophos service from Services.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586519
OK, I'll try this.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586640
Can this virus cause my network to be slow?
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33586726
Depending on the type of virus you have, yes, it can slow down your network.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33587054
OK, I did what you said. All Sophos services were stopped, after that AVG was installed and updated and found nothing. But the thing is, Sophos found a file and deleted it this morning, and the file was in the system32 directory.

I think the worm always comes back.
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33587154
Try also turning off System Restore in Windows, just so it's not keeping a backup of the virus.
0
 
LVL 22

Expert Comment

by:optoma
ID: 33587969
Firstly, if using ComboFix, download it from here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Secondly, no need to turn off System Restore yet!

Try HitmanPro on all the machines. It installs and scans very quickly :)
http://www.surfright.nl/en/hitmanpro
0
 
LVL 22

Expert Comment

by:optoma
ID: 33587975
HitmanPro will run alongside Sophos, so no need to uninstall anything.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33588743
I found this on my network with a packet analyser. It appears many times in the packet analyser, and I think it is what is causing my network to be slow:

 192.168.1.100 52396 172.16.1.1 139 TCP X0 X1 152 0  
 192.168.1.100 52398 172.16.1.1 445 TCP X0 X1 152 0  

How can I know what is causing that?

0
 
LVL 2

Expert Comment

by:garethclarified
ID: 33594877
OK, so what you are seeing here is Conficker brute-forcing usernames and passwords against your machines.

If you look in the Security log in the event log on your domain controllers you will see lots of logon failures.

So there are a few things to take into consideration.

1) The Windows machines need patching with KB958644.
2) Ensure that any unrecognised scheduled tasks have been removed.
3) Run the latest Microsoft Malicious Software Removal Tool and reboot when complete.
4) Ensure that Sophos (whilst your network is still infected) has on-access scanning enabled on both Read and Write.
5) Do a full scan with Sophos.

Unfortunately there isn't a fast one-click way of getting rid of this. I also noted that many strange and unrelated issues were caused by having a Conficker infection. My advice would be to tackle the Conficker infection first.

Hope this helps.

0
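The two capture lines the asker posted and the explanation above (one source host hammering ports 139 and 445 on other machines) are the pattern a quick triage script can pick out of a capture export. The following is an added example, not code from the thread or from any of the tools named in it. It reads lines in the same column layout as the asker's capture (source, source port, destination, destination port, protocol, then analyser-specific columns it ignores), groups SMB connection attempts by source, and flags sources that touch more distinct hosts on 139/445 than a normal workstation would. The sample capture, the addresses in it, the threshold of three targets, and the allow-list entry for a management server are all constructed assumptions; adjust them to your own network.

```python
"""Flag hosts fanning out over SMB (TCP 139/445) in a packet-analyser export.

Added example; not part of the original thread. A normal workstation talks
SMB to a handful of file servers and DCs. A host that opens SMB connections
to many distinct peers is either a legitimate management server (deploying
agents, pushing policy) or something scanning/brute-forcing the network.
"""
from collections import defaultdict, namedtuple

# Constructed sample in the same column order as the capture quoted in the
# thread: src sport dst dport proto <analyser columns we ignore>
# 192.168.1.100 is the suspect host; 192.168.1.50 is an assumed management
# server that legitimately contacts every endpoint on 445.
SAMPLE_CAPTURE = """\
Source SPort Destination DPort Proto F0 F1 Len Seq
192.168.1.100 52396 172.16.1.1 139 TCP X0 X1 152 0
192.168.1.100 52398 172.16.1.1 445 TCP X0 X1 152 0
192.168.1.100 52402 172.16.1.2 445 TCP X0 X1 152 0
192.168.1.100 52405 172.16.1.3 445 TCP X0 X1 152 0
192.168.1.100 52409 172.16.1.4 445 TCP X0 X1 152 0
192.168.1.50 49200 192.168.1.10 445 TCP X0 X1 152 0
192.168.1.50 49201 192.168.1.11 445 TCP X0 X1 152 0
192.168.1.50 49202 192.168.1.12 445 TCP X0 X1 152 0
192.168.1.7 50010 192.168.1.5 445 TCP X0 X1 152 0
192.168.1.7 50011 192.168.1.5 80 TCP X0 X1 60 0
192.168.1.7 137 192.168.1.255 137 UDP X0 X1 92 0
192.168.1.8 50300 192.168.1.5 445 TCP X0 X1 152 0
192.168.1.8 50301 192.168.1.5 445 TCP X0 X1 152 0
"""

SMB_PORTS = frozenset({139, 445})

# Assumed: hosts allowed to fan out over SMB (AV/management consoles, backup).
KNOWN_MANAGEMENT_HOSTS = frozenset({"192.168.1.50"})

Flow = namedtuple("Flow", "src sport dst dport")


def parse_capture(text):
    """Parse analyser lines into Flow tuples, keeping TCP rows only.

    Header lines, blank lines and non-TCP rows (UDP NetBIOS name
    broadcasts, ICMP) are skipped rather than raising.
    """
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[4].upper() != "TCP":
            continue
        if not (parts[1].isdigit() and parts[3].isdigit()):
            continue
        flows.append(Flow(parts[0], int(parts[1]), parts[2], int(parts[3])))
    return flows


def smb_fanout(flows):
    """Map each source host to the set of distinct hosts it tried on 139/445."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in SMB_PORTS:
            targets[f.src].add(f.dst)
    return dict(targets)


def suspect_scanners(flows, min_targets=3, allow=KNOWN_MANAGEMENT_HOSTS):
    """Return {source: [sorted targets]} for hosts that hit at least
    `min_targets` distinct SMB peers and are not on the allow-list."""
    suspects = {}
    for src, dsts in smb_fanout(flows).items():
        if src in allow or len(dsts) < min_targets:
            continue
        suspects[src] = sorted(dsts)
    return suspects


def report(flows, **kwargs):
    """Human-readable summary lines, one per suspect source."""
    lines = []
    for src, dsts in sorted(suspect_scanners(flows, **kwargs).items()):
        lines.append("%s -> %d SMB targets: %s" % (src, len(dsts), ", ".join(dsts)))
    return lines


if __name__ == "__main__":
    for line in report(parse_capture(SAMPLE_CAPTURE)):
        print(line)
```

Run against a real export, swap `SAMPLE_CAPTURE` for the file contents and put your AV console, backup server and any vulnerability scanner in `KNOWN_MANAGEMENT_HOSTS` first, otherwise the Sophos management server will be the first host flagged. Whatever this lists is the machine to pull off the network and clean before anything else; it is also the workstation name you should expect to see in the logon-failure events on the domain controllers.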
 

Expert Comment

by:axyr
ID: 33595456
It would still be nice to see that ComboFix log. Disable Sophos or even uninstall it so ComboFix can run.
0
 
LVL 2

Accepted Solution

by:garethclarified (earned 2000 total points)
ID: 33595925
I don't wish to step on anyone's toes here, but removing AV is a bad idea.

The link for the Microsoft Malicious Software Removal Tool is http://www.microsoft.com/security/malwareremove/default.aspx

This appears to be the Microsoft equivalent of ComboFix and will not clash with Sophos.
0
