Solved

got infected by conficker-a

Posted on 2010-09-02
461 Views
Last Modified: 2013-11-22
I need your help to help me figure out what to do. I just installed Sophos Endpoint on my 25 computers, and what a surprise, all my computers are infected by Conficker-A. I followed the Sophos removal procedure. Then I waited 1 day to see if that was working, and when I came in this morning two PCs had the virus back.

What can I do? Do I have to reformat every PC?
Question by:GCI_SUPPORT
20 Comments
 

Expert Comment

by:axyr
ID: 33585927
I would run ComboFix on the computers and then post the log here. Also check to make sure none of your flash drives are the source of your reinfection.
LVL 5

Expert Comment

by:TimAllan
ID: 33585997
As axyr says, use ComboFix: combofix.org
Download and run.

Author Comment

by:GCI_SUPPORT
ID: 33586050
Can this virus cause my network to be slow???

Author Comment

by:GCI_SUPPORT
ID: 33586197
My Sophos rejects the software.
LVL 5

Expert Comment

by:TimAllan
ID: 33586226
Yep, I wouldn't use Sophos. I would use AVG Free as a better alternative for removing this virus: http://free.avg.com/au-en/homepage

Author Comment

by:GCI_SUPPORT
ID: 33586259
But my network is protected by Sophos.
LVL 5

Expert Comment

by:TimAllan
ID: 33586313
You can install AVG Free; just disable Sophos for the time being, as two virus scanners working side by side won't play nicely. Use AVG to remove the virus, reboot, then remove AVG once it's gone.

Author Comment

by:GCI_SUPPORT
ID: 33586412
Do you know how to turn off Sophos protection when it is controlled by Sophos Control Center?
LVL 5

Expert Comment

by:TimAllan
ID: 33586472
You could always just uninstall it if you have administrator access to do so, or disable the Sophos service from Services.

Author Comment

by:GCI_SUPPORT
ID: 33586519
OK, I'll try this.

Author Comment

by:GCI_SUPPORT
ID: 33586640
Can this virus cause my network to be slow???
LVL 5

Expert Comment

by:TimAllan
ID: 33586726
Depending on the type of virus you have, yes, it can slow down your network.

Author Comment

by:GCI_SUPPORT
ID: 33587054
OK, I did what you said. All Sophos services were stopped; after that AVG was installed and updated and it found nothing. But the thing is, Sophos found a file and deleted it this morning, and the file was in the system32 directory.

I think the worm always comes back.
LVL 5

Expert Comment

by:TimAllan
ID: 33587154
Try also turning off System Restore in Windows... just so it's not keeping a backup of the virus.
LVL 22

Expert Comment

by:optoma
ID: 33587969
Firstly, if using ComboFix, download it from here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Secondly, no need to turn off System Restore yet!

Try HitmanPro on all the machines. It installs and scans very quickly :)
http://www.surfright.nl/en/hitmanpro
LVL 22

Expert Comment

by:optoma
ID: 33587975
HitmanPro will run alongside Sophos, so no need to uninstall anything.

Author Comment

by:GCI_SUPPORT
ID: 33588743
I found this on my network with a packet analyser.
This appears a lot of times in the packet analyser,
and I think that is what is causing my network to be slow.

 192.168.1.100 52396 172.16.1.1 139 TCP X0 X1 152 0  
 192.168.1.100 52398 172.16.1.1 445 TCP X0 X1 152 0  

How can I know what causes that?

LVL 2

Expert Comment

by:garethclarified
ID: 33594877
OK, so what you are seeing here is Conficker brute-forcing usernames and passwords against your machines.

If you look in the event log on your domain controllers in the security log you will see lots of Log-on Failures.

So there are a few things to take into consideration.

1) The windows machines need patching with KB958644
2) Ensure that any unrecognised scheduled tasks have been removed.
3) Run the latest Microsoft Malicious Software Removal Tool and reboot when complete
4) Ensure that Sophos (whilst your network is still infected) has on access scanning enabled on both Read & Write
5) Do a full scan with Sophos.

Unfortunately there isn't a fast one-click way of getting rid of this. Also, I noted that many strange and unrelated issues were caused by having a Conficker infection. My advice would be to tackle the Conficker infection first.

Hope this helps

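The two indicators named above (one workstation repeatedly opening TCP 139/445 sessions, and the packet-analyser lines the asker posted) can be checked mechanically. The following is an added example, not code from the thread or from any of the tools mentioned: it parses lines in the asker's analyser format (src, sport, dst, dport, proto, ...) and flags sources that contact several distinct hosts over SMB. The sample capture and the peer threshold are constructed assumptions.

```python
"""Flag hosts that open SMB sessions (TCP 139/445) to many peers.

Input lines follow the analyser format shown in the thread:
  src_ip src_port dst_ip dst_port proto ...
A workstation that keeps connecting to 139/445 on many other machines
matches the credential-guessing pattern described above; a file server
receives such traffic but rarely originates it. Threshold is an assumption.
"""
from collections import defaultdict

SMB_PORTS = {139, 445}


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for one TCP analyser line, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[4].upper() != "TCP":
        return None
    try:
        return fields[0], fields[2], int(fields[3])
    except ValueError:
        return None


def smb_fanout(lines):
    """Map each source IP to the set of distinct peers it contacted on 139/445."""
    peers = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in SMB_PORTS:
            peers[parsed[0]].add(parsed[1])
    return peers


def suspicious_sources(lines, min_peers=3):
    """Sources that contacted at least min_peers distinct hosts over SMB."""
    return sorted(src for src, dst in smb_fanout(lines).items() if len(dst) >= min_peers)


# Constructed capture: .100 sweeps four hosts over SMB; .101 only uses one file server.
SAMPLE_CAPTURE = """\
192.168.1.100 52396 172.16.1.1 139 TCP X0 X1 152 0
192.168.1.100 52398 172.16.1.1 445 TCP X0 X1 152 0
192.168.1.100 52401 172.16.1.2 445 TCP X0 X1 152 0
192.168.1.100 52405 172.16.1.3 445 TCP X0 X1 152 0
192.168.1.100 52410 172.16.1.4 139 TCP X0 X1 152 0
192.168.1.101 50001 172.16.1.1 445 TCP X0 X1 152 0
192.168.1.101 50002 172.16.1.1 445 TCP X0 X1 152 0
192.168.1.101 50003 10.0.0.5 80 TCP X0 X1 600 0
malformed line
""".splitlines()

if __name__ == "__main__":
    for src in suspicious_sources(SAMPLE_CAPTURE):
        print(src, "contacted", len(smb_fanout(SAMPLE_CAPTURE)[src]), "hosts over SMB")
```

Run it against a real export from the analyser and cross-check any flagged source against the domain controllers' logon-failure entries mentioned above before cleaning that machine first.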

Expert Comment

by:axyr
ID: 33595456
It would still be nice to see that ComboFix log. Disable Sophos or even uninstall it so ComboFix can run.
LVL 2

Accepted Solution

by:garethclarified (earned 500 total points)
ID: 33595925
I don't wish to step on anyone's toes here, but removing AV is a bad idea.

The link for the Microsoft Malicious Software Removal Tool is http://www.microsoft.com/security/malwareremove/default.aspx

This appears to be the Microsoft equivalent of ComboFix and will not clash with Sophos.