Windows Thread: Annoying Virus (confick-E), in Technical
  1. #1, GrahamWibbly (joined Jan 2009)

    Annoying Virus (confick-E)

    Hi,

    I appear to have picked up the W32/Confick-E virus. Not entirely sure where from, as the servers were all bang up to date with Windows Updates and Sophos Anti-Virus.
    The Sophos website says to install the MS08-067 hotfix from Microsoft (which, when I checked, was actually installed on my machines last year). It then says to use Sophos to clean the virus.
    Now, I've tried doing this: I do a full Sophos scan, it picks the virus up, I perform a clean and it says the clean was successful. At this point a few services (such as the Server service) are turned off (presumably to allow a proper clean), so I have to reboot. Upon reboot I run another scan and the virus is still there.
    Is it possible that some of my desktop machines have the virus and are transmitting it back to the server when the server reboots and reconnects to the network?
    If this is the case it looks like I may have to go round every PC and ensure they're all up to date with Updates and do a virus scan on them all.
    Has anyone any experiences with this virus or have any suggestions?

    Many thanks.

  2. #2, Geoff (Fylde, Lancs, UK)

    Yes. Along with the exploit referenced in MS08-067, Confick also spreads via UNC network shares, mapped drives and USB storage devices. I suggest you shut down your network and bring up machines one by one while isolated to perform a full cleanup. You also have to round up everyone's USB storage devices (pen drives, music players, phones, etc.) and inspect and clean those.

  3. #3, AyatollahPies

    Further to everything Geoff has said, I'd recommend you download a tool specifically created to remove this worm, such as this one by F-Secure.

    ftp://ftp.f-secure.com/anti-virus/to...f-downadup.zip

    As many on here point out, Sophos can be a pain in the neck when it comes to actually removing anything it finds.

    Also turn off system restore on every workstation before scanning.

    Do you get paid for overtime?

  4. #4, GrahamWibbly

    Hi,

    Thanks for the prompt reply. Is it possible to get rid of this without shutting the network down (this isn't really an option at this moment in time)?

  5. #5, Geoff

    No, because as soon as you clean up one machine it'll be reinfected via the network.
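    The reinfection over the network that Geoff describes is visible from the server's side: both the MS08-067 exploit and the share-based spreading arrive over SMB (TCP 445/139), and an infected workstation hits the server far faster than a user opening a share ever would. The script below is an added example, not something from this thread: it reads a Windows Firewall log (pfirewall.log style; the '#Fields:' header drives the parser, so a real export parses the same way) and flags source hosts that make a burst of SMB connection attempts inside a short window. The log lines are constructed, and the 5-attempts-per-60-seconds threshold is an assumption to tune for your LAN. Run it offline on a copy of the log, not on the infected server.

```python
"""Spot LAN hosts hammering the server's SMB port in a Windows Firewall log.

Added example, not from the thread. SAMPLE_LOG is constructed in
pfirewall.log style; the threshold/window are assumed starting values."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {"445", "139"}  # MS08-067 exploit and share spreading both use SMB

# Constructed sample: 10.1.2.37 bursts eight SYNs in 14 s (worm behaviour),
# 10.1.2.91 connects every two minutes (a chatty but normal client),
# 10.1.2.80 opens one share and sends unrelated UDP/ICMP noise.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2009-01-20 18:00:00 DROP TCP 10.1.2.91 10.1.2.5 1101 445 48 S 100 0 65535 - - -
2009-01-20 18:02:00 DROP TCP 10.1.2.91 10.1.2.5 1102 445 48 S 101 0 65535 - - -
2009-01-20 18:02:11 DROP TCP 10.1.2.37 10.1.2.5 1045 445 48 S 200 0 65535 - - -
2009-01-20 18:02:13 DROP TCP 10.1.2.37 10.1.2.5 1046 445 48 S 201 0 65535 - - -
2009-01-20 18:02:15 DROP TCP 10.1.2.37 10.1.2.5 1047 445 48 S 202 0 65535 - - -
2009-01-20 18:02:17 DROP TCP 10.1.2.37 10.1.2.5 1048 445 48 S 203 0 65535 - - -
2009-01-20 18:02:19 DROP TCP 10.1.2.37 10.1.2.5 1049 445 48 S 204 0 65535 - - -
2009-01-20 18:02:21 DROP TCP 10.1.2.37 10.1.2.5 1050 445 48 S 205 0 65535 - - -
2009-01-20 18:02:23 DROP TCP 10.1.2.37 10.1.2.5 1051 445 48 S 206 0 65535 - - -
2009-01-20 18:02:25 DROP TCP 10.1.2.37 10.1.2.5 1052 445 48 S 207 0 65535 - - -
2009-01-20 18:03:00 DROP TCP 10.1.2.80 10.1.2.5 2001 445 48 S 300 0 65535 - - -
2009-01-20 18:03:01 DROP UDP 10.1.2.80 10.1.2.5 137 137 78 - - - - - - -
2009-01-20 18:03:05 DROP ICMP 10.1.2.80 10.1.2.5 - - 60 - - - - 8 0 -
2009-01-20 18:04:00 DROP TCP 10.1.2.91 10.1.2.5 1103 445 48 S 102 0 65535 - - -
2009-01-20 18:06:00 DROP TCP 10.1.2.91 10.1.2.5 1104 445 48 S 103 0 65535 - - -
2009-01-20 18:08:00 DROP TCP 10.1.2.91 10.1.2.5 1105 445 48 S 104 0 65535 - - -
2009-01-20 18:10:00 DROP TCP 10.1.2.91 10.1.2.5 1106 445 48 S 105 0 65535 - - -
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # the log is written live; skip a truncated tail line
        yield dict(zip(fields, parts))


def smb_scanners(text, threshold=5, window=timedelta(seconds=60)):
    """Return {src-ip: total_smb_attempts} for every source that made at
    least `threshold` TCP connection attempts to an SMB port within any
    `window`-long span. Sliding window over the sorted timestamps."""
    attempts = defaultdict(list)
    for rec in parse_firewall_log(text):
        if rec["protocol"] != "TCP" or rec["dst-port"] not in SMB_PORTS:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        attempts[rec["src-ip"]].append(ts)

    flagged = {}
    for src, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for src, count in sorted(smb_scanners(SAMPLE_LOG).items()):
        print(f"{src}: {count} SMB attempts, burst exceeds threshold; isolate and clean")
```

    Two caveats when pointing this at a real log. A file server accepts SMB, so client SYNs to 445 are successful connections, and XP/2003's firewall only writes those if "Log successful connections" is enabled (they appear as OPEN-INBOUND rather than DROP); otherwise read the switch or IDS logs instead. And the rate is the signal here only because one server's log sees a single destination; in a perimeter or netflow log the stronger indicator is a host touching many distinct addresses on 445.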

  6. #6, AyatollahPies

    Quote, originally posted by GrahamWibbly:
        Hi,
        Thanks for the prompt reply. Is it possible to get rid of this without shutting the network down (this isn't really an option at this moment in time)?

    If you want to rid your network of it, no.

    If the head kicks up a fuss, direct him towards the news stories about how many machines worldwide are affected, emphasizing the Sheffield teaching hospitals.

    Good luck.

  7. #7, Geoff

    Also, if you can, try and identify the original source of the infection. As you say you have kept up with patching on your servers, it's likely that a USB flash drive is the cause. You may wish to review your procedures and policies to prevent similar infections in future.

  8. #8, GrahamWibbly

    I get that. I was thinking more along the lines of doing it room by room, disconnecting each as I go. Then reconnecting them all at the end.

    What's pissing me off is where it's come from and why Sophos didn't pick it up.

    So my plan should basically be:

    1) Disconnect the servers from the network.
    2) Go round every PC and run the removal tool from above and also run Windows Update.

  9. #9, Trekmad (Hertfordshire)

    Most virus removal tools cannot get rid of the virus from some machines. We have Kaspersky on our network, which picked up hacking attempts from machines which our AV and the removal tool showed as being clean. I came across these removal instructions online, which have now eradicated the virus. You need to ensure that the random name in step 3 is definitely the virus. I would recommend googling it before you delete it.

    1. Install the Microsoft patch for MS08-067.

    2. Open Regedit and go to the following key:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost

    3. In the right-hand pane, double-click on "netsvcs" and scroll down to the bottom line. There will be a random name such as rbydwcit. Make a note of this random name and delete the line of text.

    4. Now go to

    HKLM\System\ControlSet001\Services\<virus name from step 3>\Parameters

    5. In the right-hand pane, make a note of the DLL which contains the virus.

    Now delete the "virus name" key from the left-hand pane.

    6. Reboot to safe mode.

    7. Delete the DLL from step 5 from c:\windows\system32\

  10. #10, GrahamWibbly

    Thanks for all the replies, I think Sophos does actually remove it, it's just as soon as it reconnects to the network it picks it back up again.

    I did try what Trekmad said above, but when I got to step 5 there wasn't actually a DLL named there.

    Looks like it could be a late night for me.
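    Posts #9 and #10 above walk the netsvcs group by hand, with the two outcomes a practitioner meets: a random entry whose Parameters key names a DLL in system32, and an entry whose key exists but names no DLL at all. The script below is an added example, not from this thread or from any vendor tool: it performs the same triage over values pulled out of a `reg export` of the SvcHost key and the Services tree, so it runs on a clean workstation rather than in Regedit on the infected server. The input data is constructed, the baseline list of legitimate netsvcs members is an assumption (it was trimmed from an XP SP3 box; compare it against a known-clean machine of your own build before trusting it), and the "random name" test is a coarse heuristic, which is exactly why Trekmad says to search for the name before deleting anything.

```python
"""Triage svchost's netsvcs group against the Services tree, offline.

Added example, not from the thread. KNOWN_NETSVCS and looks_random() are
assumptions/heuristics; the sample values below are constructed."""
import os

# Assumed baseline: netsvcs members on a clean XP SP3 machine. Verify it
# against a known-clean box of the same build before relying on it.
KNOWN_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer",
    "EventSystem", "HidServ", "Ias", "Iprip", "Irmon", "LanmanServer",
    "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc",
    "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman", "Remoteaccess",
    "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService", "Tapisrv",
    "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt",
    "wscsvc", "xmlprov", "BITS", "wuauserv", "ShellHWDetection", "helpsvc",
    "uploadmgr", "ERSvc", "napagent", "hkmsvc",
}

# Constructed sample: a trimmed netsvcs list with the worm's entry appended
# at the bottom, plus one legitimate third-party service and one entry whose
# Services key survived but whose ServiceDll value is gone (post #10's case).
SAMPLE_NETSVCS = ["6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc",
                  "LanmanServer", "Schedule", "wuauserv", "FooUpdater",
                  "rbydwcit", "xkqzwtrp"]
SAMPLE_SERVICES = {
    "AppMgmt": {"ServiceDll": r"%SystemRoot%\System32\appmgmts.dll"},
    "FooUpdater": {"ServiceDll": r"C:\Program Files\Foo\FooUpdater.dll"},
    "rbydwcit": {"ServiceDll": r"%SystemRoot%\System32\qlmjxw.dll"},
    "xkqzwtrp": {},  # Parameters key present, ServiceDll value missing
}


def looks_random(name):
    """Heuristic only: Conficker used random lowercase names for its service
    and DLL. All-letter names of 5+ characters with few vowels are flagged.
    Legitimate names can trip this too; confirm by hand before deleting."""
    stem = os.path.splitext(name)[0].lower()
    if len(stem) < 5 or not stem.isalpha():
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.25


def in_system32(path):
    """True for %SystemRoot%\\System32\\... or C:\\Windows\\System32\\..."""
    p = path.lower().replace("/", "\\")
    return "\\system32\\" in p and (p.startswith("%systemroot%") or p.startswith("c:\\windows"))


def triage_netsvcs(netsvcs, services):
    """netsvcs: names from SvcHost\\netsvcs, in REG_MULTI_SZ order.
    services: {name: {"ServiceDll": path}} read from
    SYSTEM\\ControlSet001\\Services\\<name>\\Parameters; an empty dict means
    the key exists but carries no ServiceDll value.
    Returns [(name, dll_or_None, reasons)] for entries outside the baseline."""
    findings = []
    for name in netsvcs:
        if name in KNOWN_NETSVCS:
            continue
        reasons = ["not in netsvcs baseline"]
        params = services.get(name)
        dll = params.get("ServiceDll") if params is not None else None
        if params is None:
            reasons.append("no Services key: stale entry, remove it from netsvcs")
        elif dll is None:
            reasons.append("Services key has no ServiceDll: the file may already "
                           "have been removed by AV; check ImagePath and re-scan "
                           "once the rest of the network is clean")
        else:
            if in_system32(dll):
                reasons.append("DLL lives in system32")
            if looks_random(os.path.basename(dll.replace("\\", "/"))):
                reasons.append("random-looking DLL name")
        if looks_random(name):
            reasons.append("random-looking service name")
        findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for name, dll, reasons in triage_netsvcs(SAMPLE_NETSVCS, SAMPLE_SERVICES):
        print(f"{name}: {dll or '<no ServiceDll>'}\n    " + "\n    ".join(reasons))
```

    The entry with no ServiceDll is the one to be careful with: it is still a finding (the service registration is the persistence point), but deleting the key without locating the payload leaves you guessing whether the file is gone or just registered elsewhere, so treat it as "re-scan after the network is isolated" rather than "clean".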

  11. #11 (Northamptonshire)

    Depending upon your network ....

    Disconnect all uplinks to your servers so they are on their own.

    Isolate the servers and run a scan across them; on any detection of infection my advice would be to flatten it and reinstall, restoring files from a known-good backup from before the infection.

    Reimage each room in turn if you can (ensuring they don't boot into Windows before booting from the imaging device (USB/CD-ROM/floppy etc.)). Once this is done, the room can be live.

    If you can't reimage for whatever reason then yes, isolate, scan, check, reconnect.

    I can't see which area you're in but it might be worth calling in some help from neighbouring schools, many hands make light work and all.

    Good luck.

  12. #12, Azhibberd (Newbury, Berkshire)

    We had a similar problem when I was relatively new to the education environment, and the USB sticks were the hardest part to stop, so we simply stopped autorun on everything and also put in software restrictions to stop the virus being run. Also a good idea for the future is to always make sure you have decent permissions set on each share area; for example, within our environment we have a common area which only admins can write directly into, which stops spreading from other accounts.
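    Azhibberd's two workstation controls, autorun off and software restriction policy, are both registry policy, and the autorun half is easy to get subtly wrong: NoDriveTypeAutoRun is a bitmask of drive types, the default leaves USB sticks and CDs enabled, and on XP/2003 the value is not reliably honoured for autorun.inf until the Autorun update from Microsoft KB 967715 is installed (that update writes HonorAutorunSetting). The script below is an added example, not from this thread: it reads a `reg export` of the two Explorer policy keys and reports which drive types would still autorun and whether the update marker is present. The .reg text is constructed; the 0x91 default and the meaning of HonorAutorunSetting are assumptions stated in the code.

```python
"""Audit Autorun policy from a 'reg export' of the Explorer policy keys.

Added example, not from the thread. SAMPLE_REG/HARDENED_REG are constructed;
the 0x91 default and the HonorAutorunSetting marker are assumptions."""
import re

# One bit per drive type; a SET bit DISABLES Autorun for that type.
DRIVE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved/unknown",
}
DISABLE_ALL = 0xFF
ASSUMED_DEFAULT = 0x91  # assumed XP default when the policy value is absent

POLICY_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
)

# Constructed "before": machine policy left at the default, user policy fixed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

# Constructed "after": all drive types disabled in both hives, update marker present.
HARDENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"HonorAutorunSetting"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""


def parse_reg_dwords(text):
    """Return {key_path_lowercased: {value_name: int}} for the dword values in
    a .reg export (reg export writes UTF-16; open real files with
    encoding='utf-16')."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_autorun(reg_text):
    """Return {policy_key: (drive_types_still_autorunning, warnings)}."""
    keys = parse_reg_dwords(reg_text)
    report = {}
    for path in POLICY_KEYS:
        values = keys.get(path.lower(), {})
        warnings = []
        mask = values.get("NoDriveTypeAutoRun")
        if mask is None:
            warnings.append("NoDriveTypeAutoRun not set; assuming the 0x91 default")
            mask = ASSUMED_DEFAULT
        enabled = [name for bit, name in DRIVE_BITS.items() if not mask & bit]
        # Assumption: the KB 967715 update writes HonorAutorunSetting=1 under the
        # HKLM policy key; without it the mask is not honoured for autorun.inf.
        if path.startswith("HKEY_LOCAL_MACHINE") and values.get("HonorAutorunSetting") != 1:
            warnings.append("HonorAutorunSetting missing or 0: KB 967715 Autorun update "
                            "not applied, NoDriveTypeAutoRun not reliably honoured")
        report[path] = (enabled, warnings)
    return report


if __name__ == "__main__":
    for path, (enabled, warnings) in audit_autorun(SAMPLE_REG).items():
        print(path)
        print("  still autoruns:", ", ".join(enabled) or "nothing")
        for w in warnings:
            print("  WARNING:", w)
```

    Check both hives rather than one: the value can be set per user as well as per machine, and a clean machine policy with a stale per-user value (or the reverse) is the usual reason a stick still autoruns after "we turned it off". Export the keys with `reg export` from a few workstations and run the audit over each file.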

  13. #13, synaesthesia (Northamptonshire)

    Malwarebytes Anti Malware is a great little app that will entirely remove an infection from a machine, but if it's networked, as above you'll need to repeat the process on all machines. Install it, run it, job done.

    Now, depending on the level of infection and the specific variation of that worm, you might not be able to run the installer, let alone the program itself. Thankfully it's a bit "thick". Rename the mbam.exe installer file to "fluffy.exe".

    Install.

    Once installed, go to the installation folder (c:\program files\malwarebytes etc) and rename the EXE file to fluffy.exe. Update or make a new shortcut to that. It'll now run and you'll be able to murder the infection safely. You can of course choose any name you want, "fluffy" is just my preferred alternative name. Sometimes if it's a bad infection i like the name "moist.exe".

    No reason.

  14. #14, GrahamWibbly

    Again thanks to all who replied. I couldn't do this tonight as there was something very important on that needed to use the network. I'm going to tackle it tomorrow.

    The servers are detecting the virus (even though they were right up to date with Windows updates and anti-virus). When I removed it with Sophos, the Server service was stopped; I ran another virus scan straight away and nothing was detected, I rebooted into safe mode and ran another scan and nothing was detected again, but as soon as I rebooted normally and was connected to the network it reappeared.
    There's no way I'm flattening them, so I need to remove it.
    Going to turn everything off tomorrow, go round each workstation and run the hotfix and a virus scan. Once I've done that I'll do the same on the servers and then reconnect everything.
    I'll turn autorun off so USB sticks don't spread it, and then will insist any sticks get brought to me for a scan before use.

    Is this Malwarebytes Anti-Malware free? I've never heard of it, but I am willing to try anything that will make life easier.

    Thanks again for everyones help.

  15. #15, Azhibberd

    Also, another suggestion: turn off the switches, just because there is always someone who either doesn't get the message that all the PCs need to be off because of the virus, or who turns them back on thinking, "oh, I thought just this one wouldn't make a difference". I'm sure we have all seen it before.

    And yes, Malwarebytes Anti-Malware is free; really nice program.
