To the OP, yes Malwarebytes Anti-Malware is free (though paid-for versions are available) and should be a firm part of your arsenal. It's got me out of quite a few sticky issues.
and probably anyone who typos his name :rolleyes: *freud
If you were to packet-sniff your connection as you join the network, it might be possible to see where the infection is coming from. Of course, it could be all over the place....
Yeah it's free in its basic "run and disinfect" form - there is a paid version which runs in the background keeping a constant eye, but the former will be sufficient for your needs.
I tend to be very wary of most anti-spyware programs, especially if it's one I've not heard of, as there's a stupid amount of fake ones out there which are malware in their own right. Did one infection of Conficker yesterday which the laptop's owner decided to try and correct himself by downloading something called XoftSpySE, which is malicious software itself, more than doubling the original problem :)
Ah, edit : looks like a few people pipped me to the post on that one. But to expand on browolf's point about packet sniffing, Ethereal is a great app for that.
It's called Wireshark now.
That's the jobby, shows how much I use it ;)
The removal tool that was mentioned (from F-Secure) works well to detect and remove this thing... however, be really careful about running it on the servers. We used it on a server hoping it would disinfect -> reboot -> done..... well, we rebooted the server and it didn't come back up. Seems this tool sometimes corrupts the boot record and other Windows essentials. Haven't had any issues with desktop removals though....
Would be worth checking, but I doubt that's the fault of the tool; more likely that an "important" file(s) was infected and the tool wiped it to clean. Restore the pre-infection files from backup, or repair the installation yourself, and it should work.
Mind you, once infected, I'd never trust a device again until it's been formatted.
I'm not the only paranoid one then, thank god for that! :D
On the positive side, real viruses are very rare these days; I've not had a viral infection to deal with in years - it's mostly all worms, spy/adware. Conficker is definitely the worst infection of its type for a long time, and I've certainly had to deal with more infections of that than Sasser a few years ago. Trouble is, with this one it's leaving entire networks wide open for abuse, and there's a niggling doubt that once an infection's taken hold it'd be near impossible to entirely get rid of without an entire network rebuild. I'm just thankful the only one I've had to deal with in a school was a standalone machine.
I'll second the thought of turning switches off.
At my old school we had a virus (can't remember its name) that spread via UNC, so the moment any PC came online it was infected again. We asked for all machines to stay off and then found one teacher 'had' to get those documents from the shared area.
Get all tools needed onto a USB stick or external HDD, down the switches, then work round the rooms. And don't be tempted once a room is clean to turn that switch back on; it only needs one USB stick to re-infect and start from scratch. Once EVERY machine is clean, then get the switches online, preferably leaving half an hour between turning on each to check that nothing is resurfacing.
Good luck with this, I feel your pain!
Had this last week at one site.
You must shut down the network - no arguments, everything.
The servers that are infected simply shutdown services and are useless anyway, so turn them off or unplug them until cleaned.
Patch them first, run the MSRT to isolate/clean the infection.
Make sure you have a working and updated AV solution.
If you are using Sophos - (there is nothing wrong with it; if it's not working for you, then look in the mirror and blame the first person you see!) make sure your servers are set for on-access scanning read/write.
Set the Default Domain Policy to disable Autorun on all drives!!!
Run a full scan on your server and keep the on-access scanning turned on for a week at least!
Then start on all of your administrative level access systems.
Technician accounts, workstations that run with local administrator or power user rights... Patches, MSRT, AV updates.
If you run WSUS and have a healthy AV system, the chances are the impact will be minimal, but with USB device usage in schools so liberally policed, the risk of infection is high.
In my case the culprit was a workstation used by the Network Administrator, logged in as himself, a user with Full Admin Rights!
His own PC was out of date with its patches and the AV was not configured to clean an infection, not that it would have helped much as that was out of date too! - AVG Pro!!
He had foolishly used his administrative workstation to inspect a suspected defective USB stick; it must have had at least 18 - 24 hrs head start to get a hold on the network.
11 Hrs from 1st detection to site cleaned.
I know that other schools in the same LEA that refuse to shutdown were still trying to clean it 4 days later!
Same old dog, with new tricks. Clever Conficker!
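Two of the steps in the post above (patch first, and push "disable Autorun on all drives" through the Default Domain Policy) can be checked on a client before the switches go back on. This is an added example, not from the thread or from any vendor; it assumes an elevated PowerShell prompt, uses the documented NoDriveTypeAutoRun policy value (0xFF = Autorun off for every drive type) behind the Autoplay policy, and assumes KB958644 (the MS08-067 hotfix Conficker exploits the absence of) as the patch to look for.

```powershell
# Added example: audit the Autorun policy and the MS08-067 patch on the local machine.
# Assumptions: run elevated; KB958644 is the MS08-067 update id (not stated in the thread).

function Get-AutorunPolicyState {
    # The policy can live in the machine hive (Default Domain Policy lands here) or the user hive.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $value = $null
        if (Test-Path $p) {
            $value = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        [pscustomobject]@{
            Hive      = $p.Split(':')[0]
            Value     = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
            # 0xFF covers every drive type; anything else still leaves some media able to autorun.
            Compliant = ($value -eq 0xFF)
        }
    }
}

function Set-AutorunDisabled {
    # Local enforcement for a machine that is not yet receiving the domain policy.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Test-Ms08067Installed {
    # Get-HotFix queries the installed-updates list; absence means the box is still exposed.
    [bool](Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)
}

Get-AutorunPolicyState | Format-Table -AutoSize
"MS08-067 (KB958644) installed: $(Test-Ms08067Installed)"
```

Run the audit before and after the domain policy refresh (`gpupdate /force`) so you can see the HKLM entry appear; Set-AutorunDisabled is only for machines that cannot yet reach a domain controller.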
Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker
Our main file server has reported one file as infected with this virus, and when I check the McAfee ePO server, it has two reports of the virus.
One on the main file server, and one on the workstation that had the USB disk with the virus on.... not sure how it managed to move to the file server... as it was deleted on both.
I like this.. Virus found, Virus deleted... it's like the Advert. :cool:
We got pounded by this today. Spent all day with everything off cleaning everything. Continuing tomorrow and banning the use of USB pen drives unless they're scanned by us first.
Harsh but seemingly required, especially as was mentioned earlier with the spate of them being given out free.
I'd be tempted to disable USB ports altogether (unless required on specific machines), either through BIOS or via software/AD permissions. If infections like this, which can spread throughout a network that is heavily protected already, continue to gain in popularity, I'd be fairly paranoid about security about now :/