• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 482

got infected by conficker-a

I need your help to figure out what to do. I just installed Sophos Endpoint on my 25 computers, and what a surprise, all my computers are infected by Conficker-A. I followed Sophos's removal procedure, then waited one day to see if that was working, and when I came in this morning two PCs had the virus back.

What can I do? Do I have to reformat every PC?
1 Solution
 
axyr Commented:
I would run combofix on the computers and then post the log here. Also check to make sure none of your flash drives are the source of your reinfection.
0
 
TimAllan Commented:
As axyr says, use ComboFix: combofix.org
Download and run.
0
 
GCI_SUPPORT Author Commented:
Can this virus cause my network to be slow???
0
 
GCI_SUPPORT Author Commented:
My Sophos rejects the software.
0
 
TimAllan Commented:
Yep, I wouldn't use Sophos. I would use AVG Free as a better alternative for removing this virus: http://free.avg.com/au-en/homepage
0
 
GCI_SUPPORT Author Commented:
But my network is protected by Sophos.
0
 
TimAllan Commented:
You can install AVG Free; just disable Sophos for the time being, as two virus scanners working side by side won't play nicely. Use AVG to remove the virus, reboot, then remove AVG once it's gone.
0
 
GCI_SUPPORT Author Commented:
Do you know how to turn off Sophos protection when it is controlled by Sophos Control Center?
0
 
TimAllan Commented:
You could always just uninstall it if you have administrator access to do so, or disable the Sophos service from Services.
0
 
GCI_SUPPORT Author Commented:
OK, I'll try this.
0
 
GCI_SUPPORT Author Commented:
Can this virus cause my network to be slow???
0
 
TimAllan Commented:
Depending on the type of virus you have, yes, it can slow down your network.
0
 
GCI_SUPPORT Author Commented:
OK, I did what you said. All Sophos services were stopped; after that AVG was installed and updated and it found nothing. But the thing is, Sophos found a file and deleted it this morning, and the file was in the system32 directory.

I think the worm always comes back.
0
 
TimAllan Commented:
Try also turning off System Restore in Windows, just so it's not keeping a backup of the virus.
0
 
optoma Commented:
Firstly, if using ComboFix, download it from here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Secondly, no need to turn off System Restore yet!

Try HitmanPro on all the machines. It installs and scans very quickly :)
http://www.surfright.nl/en/hitmanpro
0
 
optoma Commented:
HitmanPro will run alongside Sophos, so there is no need to uninstall anything.
0
 
GCI_SUPPORT Author Commented:
I found this on my network with a packet analyser.
This appears many times in the packet analyser,
and I think that is what is causing my network to be slow.

 192.168.1.100 52396 172.16.1.1 139 TCP X0 X1 152 0  
 192.168.1.100 52398 172.16.1.1 445 TCP X0 X1 152 0  

How can I know what causes that?

0
 
garethclarified Commented:
OK, so what you are seeing here is Conficker brute-forcing usernames and passwords against your machines.

If you look in the event log on your domain controllers, in the security log you will see lots of logon failures.

So there are a few things to take into consideration.

1) The Windows machines need patching with KB958644.
2) Ensure that any unrecognised scheduled tasks have been removed.
3) Run the latest Microsoft Malicious Software Removal Tool and reboot when complete.
4) Ensure that Sophos (whilst your network is still infected) has on-access scanning enabled on both Read & Write.
5) Do a full scan with Sophos.

Unfortunately there isn't a fast one-click way of getting rid of this. Also, I noted that many strange and unrelated issues were caused by having a Conficker infection. My advice would be to tackle the Conficker infection first.

Hope this helps.

0
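The packet-analyser lines above show one internal host repeatedly opening TCP 139/445 connections to other machines, which is the traffic pattern gareth attributes to Conficker's credential brute-forcing. The script below is an added example, not from this thread or any of the tools it names: it reads lines in the same column layout (src, sport, dst, dport, proto, then analyser-specific columns) over a constructed sample capture and reports the sources that fan SMB connections out across many hosts, so the infected machines can be isolated and scanned first.

```python
# Added example (not from the thread): flag hosts that fan SMB (TCP 139/445)
# connections out across many machines, the pattern Conficker's credential
# brute-forcing produces. Input lines use the same column layout as the packet
# analyser output posted above: src sport dst dport proto <analyser columns>.
from collections import defaultdict

SMB_PORTS = {139, 445}

# Constructed sample capture: 192.168.1.100 touches four hosts on 139/445,
# while 192.168.1.20 makes one ordinary file-share connection and one HTTP one.
SAMPLE_CAPTURE = """\
192.168.1.100 52396 172.16.1.1 139 TCP X0 X1 152 0
192.168.1.100 52398 172.16.1.1 445 TCP X0 X1 152 0
192.168.1.100 52401 172.16.1.2 445 TCP X0 X1 152 0
192.168.1.100 52403 172.16.1.3 445 TCP X0 X1 152 0
192.168.1.100 52405 172.16.1.4 139 TCP X0 X1 152 0
192.168.1.20 50011 172.16.1.1 445 TCP X0 X1 152 0
192.168.1.20 50012 172.16.1.9 80 TCP X0 X1 152 0
"""

def parse_line(line):
    """Return (src, dst, dport, proto), or None if the line does not fit the layout."""
    fields = line.split()
    if len(fields) < 5:
        return None
    try:
        return fields[0], fields[2], int(fields[3]), fields[4].upper()
    except ValueError:
        return None

def smb_fanout(capture_text):
    """Map each source IP to the set of distinct hosts it reached on TCP 139/445."""
    targets = defaultdict(set)
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, proto = parsed
        if proto == "TCP" and dport in SMB_PORTS:
            targets[src].add(dst)
    return targets

def suspicious_sources(capture_text, min_hosts=3):
    """Sources that reached at least min_hosts distinct hosts on SMB ports;
    these are the machines to isolate and scan first."""
    fanout = smb_fanout(capture_text)
    return sorted(src for src, hosts in fanout.items() if len(hosts) >= min_hosts)
```

A legitimate file server or a backup job can also touch many hosts on 445, so treat a flagged source as a lead to confirm against the logon failures on the domain controllers rather than as proof on its own.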
 
axyr Commented:
It would still be nice to see that ComboFix log. Disable Sophos, or even uninstall it, so ComboFix can run.
0
 
garethclarified Commented:
I don't wish to step on anyone's toes here, but removing AV is a bad idea.

The link for the Microsoft Malicious Software Removal Tool is http://www.microsoft.com/security/malwareremove/default.aspx

This appears to be the Microsoft equivalent of ComboFix and will not clash with Sophos.
0