Solved

Got infected by Conficker-A

Posted on 2010-09-02
469 Views
Last Modified: 2013-11-22
I need your help to figure out what to do. I just installed Sophos Endpoint on my 25 computers and, what a surprise, all my computers are infected by Conficker-A. I followed the Sophos removal procedure, then waited 1 day to see if that was working, and when I came in this morning two PCs had the virus back.

What can I do? Do I have to reformat every PC?
0
Question by:GCI_SUPPORT
20 Comments
 

Expert Comment

by:axyr
ID: 33585927
I would run ComboFix on the computers and then post the log here. Also check to make sure none of your flash drives are the source of your reinfection.
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33585997
As axyr says, use ComboFix: combofix.org
Download and run.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586050
Can this virus cause my network to be slow?
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586197
My Sophos rejects the software.
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33586226
Yep, I wouldn't use Sophos. I would use AVG Free as a better alternative for removing this virus: http://free.avg.com/au-en/homepage
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586259
But my network is protected by Sophos.
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33586313
You can install AVG Free, just disable Sophos for the time being, as two virus scanners working side by side won't play nicely. Use AVG to remove the virus, reboot, then remove AVG once it's gone.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586412
Do you know how to turn off Sophos protection when it is controlled by Sophos Control Center?
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33586472
You could always just uninstall it if you have administrator access to do so, or disable the Sophos service from Services.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586519
OK, I'll try this.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33586640
Can this virus cause my network to be slow?
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33586726
Depending on the type of virus you have, yes, it can slow down your network.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33587054
OK, I did what you said: all Sophos services were stopped, after that AVG was installed and updated, and it found nothing. But the thing is, Sophos found a file and deleted it this morning, and the file was in the system32 directory.

I think the worm always comes back.
0
 
LVL 5

Expert Comment

by:TimAllan
ID: 33587154
Try also turning off System Restore in Windows... just so it's not keeping a backup of the virus.
0
 
LVL 22

Expert Comment

by:optoma
ID: 33587969
Firstly, if using ComboFix, download it from here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Secondly, no need to turn off System Restore yet!

Try HitmanPro on all the machines. It installs and scans very quickly :)
http://www.surfright.nl/en/hitmanpro
0
 
LVL 22

Expert Comment

by:optoma
ID: 33587975
HitmanPro will run alongside Sophos, so no need to uninstall anything.
0
 

Author Comment

by:GCI_SUPPORT
ID: 33588743
I found this on my network with a packet analyser.
This appears many times in the packet analyser,
and I think that is what is causing my network to be slow.

 192.168.1.100 52396 172.16.1.1 139 TCP X0 X1 152 0  
 192.168.1.100 52398 172.16.1.1 445 TCP X0 X1 152 0  

How can I know what causes that?

0
 
LVL 2

Expert Comment

by:garethclarified
ID: 33594877
OK, so what you are seeing here is Conficker brute-forcing usernames and passwords against your machines.

If you look in the Security log on your domain controllers you will see lots of logon failures.

So there are a few things to take into consideration.

1) The Windows machines need patching with KB958644
2) Ensure that any unrecognised scheduled tasks have been removed.
3) Run the latest Microsoft Malicious Software Removal Tool and reboot when complete
4) Ensure that Sophos (whilst your network is still infected) has on-access scanning enabled on both Read & Write
5) Do a full scan with Sophos.

Unfortunately there isn't a fast one-click way of getting rid of this. Also I noted that many strange and unrelated issues were caused by having a Conficker infection. My advice would be to tackle the Conficker infection first.

Hope this helps

0
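The two indicators garethclarified points to (one source hammering ports 139/445 on many hosts, and bursts of failed logons on the domain controllers) are easy to pull out of exported logs. The script below is an added example, not code from the thread or from Sophos/Microsoft; it runs over constructed sample records in the same column layout as the poster's packet-analyser lines plus a constructed "event_id,account,workstation" export of the DC Security log. The thresholds (5 distinct SMB targets, 5 failed logons) and the event IDs used (529 for Windows 2003/XP, 4625 for Windows 2008 and later) are assumptions you should tune to your own environment.

```python
"""Added example (not from the original thread): score hosts for the two
Conficker indicators discussed above, using constructed sample data.

1. Worm scanning: one source opening TCP connections to ports 139/445 (SMB)
   on many different destinations.
2. Password brute force: bursts of failed logons on the domain controllers'
   Security log (event 529 on Windows 2003/XP, 4625 on Windows 2008+),
   grouped by the workstation the attempts came from.
"""
from collections import defaultdict

SMB_PORTS = {139, 445}
FAILED_LOGON_IDS = {529, 4625}   # assumption: adjust to your DC's OS version

# Constructed sample in the column layout the poster pasted:
# src_ip src_port dst_ip dst_port proto ...
PACKET_LINES = [
    "192.168.1.100 52396 172.16.1.1 139 TCP X0 X1 152 0",
    "192.168.1.100 52398 172.16.1.1 445 TCP X0 X1 152 0",
    "192.168.1.100 52400 172.16.1.2 445 TCP X0 X1 152 0",
    "192.168.1.100 52402 172.16.1.3 445 TCP X0 X1 152 0",
    "192.168.1.100 52404 172.16.1.4 445 TCP X0 X1 152 0",
    "192.168.1.100 52406 172.16.1.5 445 TCP X0 X1 152 0",
    "192.168.1.100 52408 172.16.1.6 139 TCP X0 X1 152 0",
    # a normal workstation talking to its one file server
    "192.168.1.57 51000 172.16.1.1 445 TCP X0 X1 152 0",
    "192.168.1.57 51002 172.16.1.1 445 TCP X0 X1 152 0",
    # non-SMB traffic is ignored by the detector
    "192.168.1.100 52410 172.16.1.7 80 TCP X0 X1 152 0",
]


def smb_targets(lines):
    """Map each source IP to the set of distinct hosts it contacted on 139/445."""
    targets = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[4] != "TCP":
            continue
        src, dst, dport = fields[0], fields[2], int(fields[3])
        if dport in SMB_PORTS:
            targets[src].add(dst)
    return targets


def smb_scanners(lines, min_targets=5):
    """Sources that touched at least min_targets distinct SMB hosts.

    A workstation normally talks to a handful of servers; a worm sweeps the
    subnet. The threshold is a tuning knob (assumed here), not a signature.
    """
    return {src: sorted(dsts) for src, dsts in smb_targets(lines).items()
            if len(dsts) >= min_targets}


# Constructed failed-logon records as "event_id,account,workstation": the
# three fields you would keep from a DC Security log export.
EVENT_LINES = [
    "529,administrator,PC-07",
    "529,administrator,PC-07",
    "529,administrator,PC-07",
    "529,admin,PC-07",
    "529,admin,PC-07",
    "529,guest,PC-07",
    "4625,administrator,PC-07",
    "529,jsmith,PC-12",   # a single mistyped password, not an attack
    "528,jsmith,PC-12",   # successful logon, ignored
]


def failed_logons_by_workstation(lines):
    """Count failed-logon events per originating workstation."""
    counts = defaultdict(int)
    for line in lines:
        parts = line.split(",")
        if len(parts) != 3:
            continue
        event_id, _account, workstation = parts
        if int(event_id) in FAILED_LOGON_IDS:
            counts[workstation.strip()] += 1
    return dict(counts)


def brute_force_sources(lines, threshold=5):
    """Workstations that generated at least threshold failed logons."""
    return {ws: n for ws, n in failed_logons_by_workstation(lines).items()
            if n >= threshold}


if __name__ == "__main__":
    for src, hosts in smb_scanners(PACKET_LINES).items():
        print(f"{src} probed SMB on {len(hosts)} hosts: {', '.join(hosts)}")
    for ws, n in brute_force_sources(EVENT_LINES).items():
        print(f"{ws}: {n} failed logons recorded on the DC")
```

Feed it the real capture and export instead of the constructed lists and the hosts it names are the ones to isolate from the network first; on the sample data it flags 192.168.1.100 as the scanner and PC-07 as the source of the password guessing, while the workstation that only talks to its file server and the user with one mistyped password are left alone.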
 

Expert Comment

by:axyr
ID: 33595456
It would still be nice to see that ComboFix log. Disable Sophos or even uninstall it so ComboFix can run.
0
 
LVL 2

Accepted Solution

by:garethclarified (earned 500 total points)
ID: 33595925
I don't wish to step on anyone's toes here, but removing AV is a bad idea.

The link for the Microsoft Malicious Software Removal Tool is http://www.microsoft.com/security/malwareremove/default.aspx

This appears to be the Microsoft equivalent of ComboFix and will not clash with Sophos.
0
