I appear to have picked up the W32/Confick-E virus. Not entirely sure where from as the servers were all bang up to date with Windows Updates and Sophos Anti-Virus.
The Sophos website says to install the MS08-067 hotfix from Microsoft (which, when I checked, was actually installed on my machines last year). It then says to use Sophos to clean the virus.
Now, I've tried doing this: I do a full Sophos scan, it picks the virus up, I perform a clean and it says the clean was successful. At this point a few services (such as the Server service) are turned off (presumably to allow a proper clean), so I have to reboot. Upon reboot I run another scan and the virus is still there.
Is it possible that some of my desktop machines have the virus and are transmitting it back to the server when the server reboots and reconnects to the network?
If this is the case it looks like I may have to go round every PC and ensure they're all up to date with Updates and do a virus scan on them all.
Has anyone any experiences with this virus or have any suggestions?
Yes. Along with the exploit referenced in MS08-067, Confick also spreads via UNC network shares, mapped drives and USB storage devices. I suggest you shut down your network and bring up machines one by one while isolated to perform a full cleanup. You also have to round up everyone's USB storage devices (pen drives, music players, phones, etc.) and inspect and clean those.
Also, if you can, try and identify the original source of the infection. As you say you have kept up with patching on your servers, it's likely that a USB flash drive is the cause. You may wish to review your procedures and policies to prevent similar infections in future.
Most virus removal tools cannot get rid of the virus from some machines. We have Kaspersky on our network, which picked up hacking attempts from machines which our AV and the removal tool showed as being clean. I came across these removal instructions online, which have now eradicated the virus. You need to ensure that the random name in step 3 is definitely the virus. I would recommend Googling it before you delete it.
We had a similar problem when I was relatively new to the education environment, and the USB sticks were the hardest part to stop, so we simply stopped AutoRun on everything and also put in software restrictions to stop the virus being run. Another good idea for the future is to always make sure you have decent permissions set on each share area. For example, within our environment we have a common area which only admins can write directly into, which stops it spreading from other accounts.
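The AutoRun change described above, as an added example that is not from anyone in this thread: a PowerShell script for an administrator to run on each workstation that disables AutoRun for every drive type (so an autorun.inf on a USB stick is never honoured), checks whether the MS08-067 update is installed, and reports the state of the Server service that the cleanup keeps stopping. The registry keys are the standard Windows policy locations; the hotfix id KB958644 is my assumption for MS08-067 (the thread itself never names a KB number), so confirm it against your own patch records.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on each machine before reconnecting it to the network.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorunMapping = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$ms08067Kb      = 'KB958644'   # assumed id for the MS08-067 update; verify locally

function Disable-AutoRun {
    # 0xFF switches AutoRun off for all drive types, including removable media.
    if (-not (Test-Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # Belt and braces: map autorun.inf to a non-existent key so Explorer
    # ignores the file entirely, even on media with a crafted autorun.inf.
    if (-not (Test-Path $autorunMapping)) {
        New-Item -Path $autorunMapping -Force | Out-Null
    }
    Set-ItemProperty -Path $autorunMapping -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-Ms08067Installed {
    # Get-HotFix queries the same data as "wmic qfe"; returns $true if present.
    $hotfix = Get-HotFix -Id $ms08067Kb -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-CleanupStatus {
    # Collect the facts you would want written down for each machine.
    $autorun = Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    $server  = Get-Service -Name 'LanmanServer' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        NoDriveTypeAutoRun = if ($autorun) { '0x{0:X2}' -f $autorun.NoDriveTypeAutoRun } else { 'not set' }
        MS08067Installed  = Test-Ms08067Installed
        ServerService     = if ($server) { $server.Status } else { 'not found' }
        CheckedAt         = Get-Date -Format 's'
    }
}

Disable-AutoRun
$status = Get-CleanupStatus
$status | Format-List

if (-not $status.MS08067Installed) {
    Write-Warning "$($status.Computer): $ms08067Kb not found - install the MS08-067 update before reconnecting."
}
```

A reboot (or at least a log-off) is needed before the AutoRun policy takes effect for Explorer, so run this before the "bring each machine up in isolation" step rather than after. The status object can be piped to `Export-Csv` from each machine onto a clean USB stick to keep a record of which boxes have been done.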
Malwarebytes Anti Malware is a great little app that will entirely remove an infection from a machine, but if it's networked, as above you'll need to repeat the process on all machines. Install it, run it, job done.
Now, depending on the level of infection and the specific variation of that worm, you might not be able to run the installer let alone the program itself. Thankfully it's a bit "thick". Rename the mbam.exe installer file to "fluffy.exe"
Once installed, go to the installation folder (c:\program files\malwarebytes etc) and rename the EXE file to fluffy.exe. Update or make a new shortcut to that. It'll now run and you'll be able to murder the infection safely. You can of course choose any name you want, "fluffy" is just my preferred alternative name. Sometimes if it's a bad infection i like the name "moist.exe".
Again thanks to all who replied. I couldn't do this tonight as there was something very important on that needed to use the network. I'm going to tackle it tomorrow.
The servers are detecting the virus (even though they were right up to date with Windows updates and anti-virus). When I removed it with Sophos, the Server service was stopped. I ran another virus scan straight away and nothing was detected; I rebooted in safe mode and ran another scan and nothing was detected again, but as soon as I rebooted normally and was connected to the network it reappeared.
There's no way I'm flattening them, so need to remove.
Going to turn everything off tomorrow, go round each workstation and run the hotfix and a virus scan. Once I've done that I'll do the same on the servers and then re-connect everything.
I'll turn AutoRun off so USB sticks don't spread it, and then will insist any sticks get brought to me for a scan before use.
Is this Malwarebytes Anti Malware free? I've never heard of it, but I am willing to try anything that will make life easier.
Also, another suggestion: turn off the switches, just because there is always someone who either doesn't get the message that all the PCs need to be off because of the virus, or someone always turns theirs back on thinking "oh, I thought just this one wouldn't make a difference". I'm sure we have all seen it before.
And yes, Malwarebytes Anti-Malware is free. Really nice program.