Web broswer probs... not looking forward to work tomorrow :(

[jahilton2002]

OK i think this is my first post and i have dyslexia so please forgive any errors. i find it hard to get my point across sometimes but here goes....

oh and sorry for the long post;

i think we have some big probs at oursite..... and i think this might just be the tip of the iceberg!

for a few weeks now, the internet access drops for approx 3mins at 3 set times during the day. I've checked update/backup schedules and almost every bit of software installed in our site to see if something is floodin' the net. i couldn't see anything amiss.

it happened today, so i check the firewall log to see if anything popped up in there..... i have reports saying computer X @ 10.15.x.x has exceded http requests and might be infected.blah blah blah..... at first i thought, cable, nic faulty. but the list of machines is as long as my arm......

so i think oh dear... we have a virus...... so i asked when the last sophos update was done and what the report reads... and 45% of the networks pcs are infected with;

troj/userin-a

vbs/autom-b

vbs/malnir-a

...... now i'm very new to domains and large networks at a whole... so please forgive me if some of my wording is off.

the sophos version we WERE on was 4.5 sophos console and endpoint 9.5 (i think might have that the wrong way around)

with it being a virus issue i asked my boss if there was a newer version of sophos.... to which we found console 5 and endpoint 10.....

both of which are NOW installed and fully updated.....after doing a scan on all the computers infected. the virus "SEEMS" to of been removed.

however.... all the web broswers on all the computers on the network are now crashing ..... servers/clients on both domains the lot. Firefox/ie/safari .

this didn't happen stright away some 3hrs after the sophos update...... it might just be coincidence that this is happening after a sophs update. but i really dont know where to start.....


i tested all the broswers. firefox just crashes and gives a "oops error", ie just drops to the desktop, safari locks ups and google also gives the "oops" error.

i thought sophos must be blocking something, so i disabled it breifly... but the same thing happened...... i had to use the 3g dongle to get online.... which worked fine on all broswers..... i even checked on a "suspected" infected pc. works fine.

done a scan on all the servers all clean....... my head hurts now..... and im not looking forwards to tomorrow....

any ideas? thx in advance.

[garethedmondson]

As a test how about building a totally fresh machine from CD. Download all the updates using WSUSOffline and burn them to CD or USB stick (at home maybe?) - this will let you setup a machine without connecting to the internet. Try and get an AV on there before connecting it to the network.

Then connect it to the network and see what happens - does it still crash? Any virus shouldn't hit the machine as you are fully updated.

Gareth

[teejay]

Try getting What is Windows Defender Offline Beta&#63 and booting off this and re-checking the machine. Also check the machine with the free version of Malwarebytes : Free anti-malware, anti-virus and spyware removal download
Try reinstalling Firefox, try Chrome. Test booting off a Linux Live CD such as Ubuntu and see if you get the problem.

[Dos_Box]

It's not uncommon that when a virus is removed from an infected system that infected system files are also removed or damaged and the only recourse you have is to re-image the machine. Judgign by the fact that various browsers are malfunctioning you may have goosed a system file.
It'll just be quicker to re-image and ensure the new image updates Sophos correctly than worry about what was damged/removed as there will probably be very little you could do anyway.

[jahilton2002]

It's not uncommon that when a virus is removed from an infected system that infected system files are also removed or damaged and the only recourse you have is to re-image the machine. Judgign by the fact that various browsers are malfunctioning you may have goosed a system file.
It'll just be quicker to re-image and ensure the new image updates Sophos correctly than worry about what was damged/removed as there will probably be very little you could do anyway.

yeah i could just re-image a machine first thing tomorrow.... we use fog so thats not much of an issue.... prob is.... i know before i put fog inplace the computers were build 1 by 1 ! and some of the hardware doesn't have an image........

45% of the site is about 240 pcs!

still...... i was really hopin' i would never have to use "i told you so" in my place of work..... leason learnt...... could of been alit worse!


thanks for all the help guys...... i reimage a infected suite tomorrow and report back! thx again

[jahilton2002]

just an update......

after restoring a pc in one of the suites.. it worked fine... did all the updates still fine..... updated to endpoint 10 and it started again...... removed it, was fine again...... reinstalled 9.5 works fine..... removed 9.5 and installed 10. and it stopped working again......

put 9.5 back on and its fine again!

so looks to be sophos!

still running the lastest console also......

[jahilton2002]

think we've cracked this now..... now using latest console and endpoint 10

we called sophos support who checked a few settings. we had download scanning off! once enabled it worked fine....

sophos V10-policy setting.JPG