Windows Thread, Annoying Virus (confick-E) in Technical
  1. #76
    mullet_man
    This b*****d of a virus made a comeback today, think we found a few machines that Sophos hasn't been updating recently.

    Hopefully we should be ok, been a crappy few day today.

  2. #77

    tmcd35
    This virus has made the local news here in Norfolk!

    EDP24 - Norfolk schools hit by computer virus

    Five secondary schools and the PDC hit! The main secondary school mentioned in the article, Thorpe St Andrew, was my old place. I've been back over the past week to help them eradicate it.

    It's quite a vicious virus. Once it's in, it's there to stay.

  3. #78
    mullet_man
    Originally posted by tmcd35:
        It's quite a vicious virus. Once it's in, it's there to stay.

    Tell me about it, thought I got rid of it last week.

    How have you been hitting it??

  4. #79
    mossj
    How do you put the tool in the start up script?

    We run batch files on startup so I assumed it would be easy, but I found some code and it doesn't seem to be working

    Code:
    ' Startup script: copies the F-Secure removal tool (fsmrt.exe) to the
    ' workstation, runs it, logs the outcome to a share, then reboots or
    ' shuts down depending on the tool's exit code.
    On Error Resume Next

    Dim StrServer
    Dim StrShare
    Dim StrComputer
    Dim objFSO
    Dim objLogFile
    Dim objFSO2
    Dim objLogFile2
    Dim objFSO3
    Dim WshNetwork
    Dim WshShell
    Dim WshEnv
    Dim objSystemInfo
    Dim OpSysSet
    Dim OpSys
    Dim objExec
    Dim Return

    ' Server and share that hold fsmrt.exe and receive the log files
    StrServer = "10.177.0.15"
    StrShare = "downanup"

    Set WshNetwork = CreateObject("WScript.Network")
    StrComputer = WshNetwork.ComputerName
    Set WshNetwork = Nothing

    ' Per-machine log, opened for appending (8) and created if missing
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objLogFile = objFSO.OpenTextFile("\\" & StrServer & "\" & StrShare & "\" & StrComputer & ".txt", 8, True)
    objLogFile.WriteLine "F-Secure Trojan/Worm Scan started at " & Now() & " "

    ' Copy the tool to the local disk unless it is already there
    Set objFSO3 = CreateObject("Scripting.FileSystemObject")
    If objFSO3.FileExists("c:\fsmrt.exe") Then
        objLogFile.WriteLine "Application File already in place"
    Else
        objLogFile.WriteLine "Copying FSMRT File to " & StrComputer
        objFSO3.CopyFile "\\" & StrServer & "\" & StrShare & "\fsmrt.exe", "c:\"
    End If

    Set WshShell = WScript.CreateObject("WScript.Shell")
    Set WshEnv = WshShell.Environment("PROCESS")

    ' Suppress the "Open File - Security Warning" prompt for this process
    WshEnv("SEE_MASK_NOZONECHECKS") = 1

    ' WshShell.Run does not go through cmd.exe, so ">>" would be handed to
    ' fsmrt.exe as an argument instead of redirecting its output. Use Exec,
    ' copy the tool's output into the per-machine log and read its exit code.
    Set objExec = WshShell.Exec("c:\fsmrt.exe")
    If IsObject(objExec) Then
        objLogFile.Write objExec.StdOut.ReadAll
        Do While objExec.Status = 0
            WScript.Sleep 100
        Loop
        Return = objExec.ExitCode
    End If

    WshEnv.Remove("SEE_MASK_NOZONECHECKS")

    Set objSystemInfo = CreateObject("ADSystemInfo")
    ' The Shutdown privilege is required for Reboot() and Win32Shutdown()
    Set OpSysSet = GetObject("winmgmts:{(Shutdown)}//" & StrComputer & "/root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")

    For Each OpSys In OpSysSet

        If Return = 10 Or Return = 1 Then
            ' Found and cleaned: record it in Cleared.txt and reboot
            Set objFSO2 = CreateObject("Scripting.FileSystemObject")
            Set objLogFile2 = objFSO2.OpenTextFile("\\" & StrServer & "\" & StrShare & "\Cleared.txt", 8, True)
            objLogFile2.WriteLine "Trojan/Worm Found ... Item cleaned " & StrComputer & " rebooted at " & Now() & " "
            objLogFile.WriteLine "Trojan/Worm Found ... Item cleaned " & StrComputer & " rebooted at " & Now() & " "
            OpSys.Reboot()

        ElseIf Return = 2 Then
            ' Found but not cleaned: record it in Infected.txt and force a shutdown (5)
            Set objFSO2 = CreateObject("Scripting.FileSystemObject")
            Set objLogFile2 = objFSO2.OpenTextFile("\\" & StrServer & "\" & StrShare & "\Infected.txt", 8, True)
            objLogFile2.WriteLine "Trojan/Worm Found ... Cannot clean " & StrComputer & " Shutdown at " & Now() & " "
            objLogFile.WriteLine "Trojan/Worm Found ... Cannot clean " & StrComputer & " Shutdown at " & Now() & " "
            OpSys.Win32Shutdown(5)

        Else
            ' Any other exit code: record the machine in Clean.txt
            Set objFSO2 = CreateObject("Scripting.FileSystemObject")
            Set objLogFile2 = objFSO2.OpenTextFile("\\" & StrServer & "\" & StrShare & "\Clean.txt", 8, True)
            objLogFile2.WriteLine "Nothing found on " & StrComputer & " ... Ending Scan at " & Now() & " "
            objLogFile.WriteLine "Nothing found on " & StrComputer & " ... Ending Scan at " & Now() & " "

        End If

    Next

    Set objLogFile2 = Nothing
    Set objLogFile = Nothing
    Set objFSO3 = Nothing
    Set objFSO2 = Nothing
    Set objFSO = Nothing
    Set WshShell = Nothing

    Also, does it slow boot up? How much by?

  5. #80
    mossj
    Bump I need the solution urgently

  6. #81

    Originally posted by mossj:
        Bump I need the solution urgently

    Ok, I think this would be the right method. If anyone notices a mistake, then please correct me. Copy the contents of the quoted text, and paste into Notepad. Save the Notepad document as "MyScript.vbs". The speech marks are important, as they stop Notepad appending .txt to the end.

    On your domain controller, if you have the Group Policy Management Console installed, click Start, Run and enter gpmc.msc. This launches the management tool. All your workstations should be contained in an organisational unit, such as 'workstations', or possibly a bunch of OUs, such as 'Room1', 'Room2'. Locate the correct organisational unit, and right click on it, and select 'Create and Link a GPO Here'. This creates a new group policy object, linked to the stations in that OU. Give that group policy object a descriptive name.

    Now you need to configure the GPO. In the right hand side, the new GPO should appear. Right click on this, and click Edit. Expand the Computer Configuration node, followed by Windows Settings, and click on 'Scripts'. In the right hand pane, double click on 'Startup'. A properties box should appear. On here there will be a button labelled 'Show Files'. Click on this, and Windows Explorer will open, at the location where you need to place your startup script. Copy the .vbs file into here, and close the window. Next, click on the 'Add' button on the startup properties sheet. Either type in the name of the script, or browse to it using the browse button. Close all open windows, and click Start, Run and type gpupdate. This will update the group policies. Your clients should then run the script on startup.

    However, before doing all this, test the script works OK in your environment. Log on to a workstation, get the script, and double click it to run it, and observe that it doesn't break anything. If everything seems OK, try a couple more, and when you feel sure enough, set it with group policy.

    Best of luck

    Maria

  7. #82
    Maz
    Just a heads up to anyone who has / had the virus, check your scheduled tasks - it seems to create files named "At1" "At2" etc. Simply deleting these files does the trick, we also disabled the Task Scheduler service as well.

    Also could anyone else tell me if their virus has created new services. I've seen a few new ones popping up and can't seem to get rid of them. A few keywords that they use are 'Network', 'Security', 'Center Time', and 'System'.

    These services also steal a random description from one of the other legitimate services that are running, it's pathetic when you realise a name you haven't seen - look at the description and it has nothing to do with the service name.

    Service Name: "Center Time"
    Description: Provides automatic IPv6 connectivity over an IPv4 network. If this service is stopped, the machine will only have IPv6 connectivity if it is connected to a native IPv6 network.

    Oh rly?
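
    The two checks described in the post above (leftover "At" job files, and services whose description was copied from another service), written as a PowerShell triage script. This is an added example, not part of the original post; the function names, the `%windir%\Tasks` location for AT job files and the sample service entries other than 'Center Time' are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the suspect machine.

function Find-AtJobFile {
    # Assumption: AT-scheduled jobs are stored as At<N>.job under %windir%\Tasks.
    param([string]$TaskDir = (Join-Path $env:windir 'Tasks'))
    Get-ChildItem -Path $TaskDir -Filter 'At*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^At\d+(\.job)?$' } |
        Select-Object Name, CreationTime, LastWriteTime
}

function Find-SharedServiceDescription {
    # Returns every service whose description text is also used by another
    # service. A shared description is a lead for manual review, not proof.
    param([object[]]$Service = (Get-CimInstance -ClassName Win32_Service))
    $Service |
        Where-Object { $_.Description } |
        Group-Object -Property Description |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group } |
        Sort-Object Description, Name |
        Select-Object Name, DisplayName, StartMode, PathName, Description
}

# Constructed sample: 'Center Time' and the description text come from the post;
# 'ExampleIPv6Svc', 'ExampleOther' and all paths are hypothetical placeholders.
$ipv6Text = 'Provides automatic IPv6 connectivity over an IPv4 network.'
$sample = @(
    [pscustomobject]@{ Name = 'ExampleIPv6Svc'; DisplayName = 'Example IPv6 service'
                       StartMode = 'Auto'; PathName = 'C:\example\legit.exe'
                       Description = $ipv6Text }
    [pscustomobject]@{ Name = 'Center Time'; DisplayName = 'Center Time'
                       StartMode = 'Auto'; PathName = 'C:\example\unknown.dll'
                       Description = $ipv6Text }
    [pscustomobject]@{ Name = 'ExampleOther'; DisplayName = 'Example other service'
                       StartMode = 'Manual'; PathName = 'C:\example\other.exe'
                       Description = 'An unrelated, unique description.' }
)

'--- constructed sample: both services sharing the IPv6 text are listed ---'
Find-SharedServiceDescription -Service $sample | Format-Table Name, PathName -AutoSize

'--- this machine ---'
Find-AtJobFile | Format-Table -AutoSize
Find-SharedServiceDescription | Format-List
```

    On the sample data the script lists 'Center Time' next to the service it copied its description from; comparing the two PathName values is the quickest way to tell which one does not belong.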

  8. #83
    meastaugh1
    Originally posted by Maz:
        Also could anyone else tell me if their virus has created new services. I've seen a few new ones popping up and can't seem to get rid of them. A few keywords that they use are 'Network', 'Security', 'Center Time', and 'System'.

    Yeah, this was mentioned a couple of pages back in this post. If the service isn't removed I'm fairly confident that the scheduled tasks will get recreated when you enable the Task Scheduler service again.

    I'd recommend the MS article for further advice on this.

  9. #84


    Also have it.

    We have this virus also, but got 6 pages to read through now on how to remove it, cheers guys :P We're thinking of holding out till the Easter break before removal, just because they cannot do without the network for a day.

  10. #85
    AyatollahPies
    Originally posted by xeroxxe:
        We have this virus also, but got 6 pages to read through now on how to remove it, cheers guys :P We're thinking of holding out till the Easter break before removal, just because they cannot do without the network for a day.

    Are you not getting annoyed by the locked out user accounts, or have you not suffered that yet?

  11. #86
    mullet_man
    Originally posted by xeroxxe:
        We have this virus also, but got 6 pages to read through now on how to remove it, cheers guys :P We're thinking of holding out till the Easter break before removal, just because they cannot do without the network for a day.

    I managed to get rid of it without bringing the network down.

    Send out the patch, firstly patch the servers, and make sure everyone has up to date virus, send down Microsoft Malicious Software remover as a startup script. (slows down logging in, but required)

    Also I used Wireshark to watch for dodgy packets around the network, this helped me track down a couple of machines that were unpatched.

    Also make sure you do not log in as administrator in any machines you think are infected; this will allow it to spread again.

  12. #87
    mullet_man
    Originally posted by Ayatollah Pies:
        Are you not getting annoyed by the locked out user accounts, or have you not suffered that yet?

    The lockouts were a PITA, luckily it only got on our admin network so locked out around 80 accounts.

    Would have locked out 700 on the pupil.

  13. #88


    No we have not

    No we have not yet had accounts locked up, we have however had a significantly slower network last few working days due to the virus. It congests the network horribly, to be honest at the moment getting the pens sorted would be a good start, I mean I have seen a few teachers now bring it in on their pen drive and a couple of them were admin :S

  14. #89
    meastaugh1
    I'd personally be nervous about leaving it until Easter with 1 April coming up.

    If you follow the MS article you should be able to contain it from spreading further, patch it, then remove it. I'm not yet convinced that it is absolutely necessary to shut down to cleanse yourself of the infection.

    As AP suggests, it can bring unpatched computers to a stop as I'm pretty sure we've seen it stop more than just the update service.
    Last edited by meastaugh1; 23rd March 2009 at 01:41 PM. Reason: typo

  15. #90

    To those getting page not found for some Sophos tools etc., the virus actively blocks anti-virus sites so you cannot download these cleanup tools etc.
