I am IT admin for a local private school and we are experiencing major issues with a W32.Xpaj.B infection. I am not sure if anyone else has run into this, but it is difficult to remove and spreads quickly over the network. It affects several system files, including dll and exe files. We have been working with TrendMicro (which is running on all machines), Symantec and AVG, and none of them have a sufficient cleaning or prevention solution. We have had these problems for two weeks and cannot resolve them. Students are on spring break this week but will return on Monday. If anyone has seen this particular infection before and has any insight, please help. Even when we wipe and rebuild machines, the infection continues to return. Note, there is also a variant W32.Xpaj.A that some of you may have come across. Note - just for context, our staff includes 2 CCNA, 2 MCSA and 1 Server 2008 certified professionals. Thanks for your help.
18 Servers & 350 PC's Infected With W32.Xpaj.B
#2
Posted 31 March 2011 - 08:42 AM
Are you restoring these machines from backups?
My work schedule is as follows: Mon and Tues 1800 to 0600, Friday - Sunday 1800EST to 0600, and Wednesday to Thursday 1800est to 0600. So if I do not respond right away I am at work.
----------------
If I am helping you, then Please Send Me a Message! with your thread link in it. This is only if I haven't replied back to you within 24 to 48 hours.
----------------
My Main Site || My Backup Site || steam://friends/add/cryptodan Add me to your Steam Friends.
#3
Posted 31 March 2011 - 08:48 AM
Not at this time, just rebuilding the desktops. We are not sure if the servers backup files are infected so we are waiting on that. We really want to try to clean the servers but at this point nothing works to actually clean.
#4
Posted 31 March 2011 - 09:04 AM
I would scan any software that you are using on a known clean computer, and see about making sure that your router or switches are not infected, and I would recommend doing one machine at a time.
#5
Posted 31 March 2011 - 10:14 AM
Thanks. We have done all standard practices. We have been working with major AV vendors Symantec, TrendMicro and AVG and they have no solution either.
#6
Posted 31 March 2011 - 02:30 PM
You are reinfecting yourself via the installation medium, or via the backed up files.
#8
Posted 31 March 2011 - 03:20 PM
Hi,
have you checked that all external devices connected to the PCs are clean? The infection spreads through removable devices and therefore one overlooked infected flash drive could reinfect the entire network.
Also take into consideration that any executable on a flash drive inserted while the PCs were infected has likely also been compromised.
I'd advise to either a) ban all flash drives from the network for troubleshooting, or b) disinfect all flash drives and use a utility like flash_disinfector (only works on XP) or Panda Vaccine (only works if the flash drives aren't connected to Mac/Linux PCs) to vaccinate the flash drives and prevent them from automatically reinfecting the PCs.
Also disable file sharing unless it's absolutely needed.
Could you elaborate on how you cleaned the PCs? You'd need to clean them all at once and keep the clean ones disconnected from the infected ones to avoid reinfection from the rest of the network. I'd definitely recommend a reformat and reinstall as "cleaning procedure". Anything else is likely to lead to reinfection due to one overlooked/undetected file.
regards myrti
This post has been edited by myrti: 31 March 2011 - 03:20 PM
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!
Please don't send help request via PM, unless I am already helping you. Use the forums!
I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein
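Myrti's advice rests on one practical check: after a rebuild, and before any flash drive or share is reconnected, you need a way to tell whether executables have been altered again. A file infector like the one in this thread changes the bytes of existing .exe and .dll files, so a hash baseline taken from a known-clean image, compared later against the same machine or drive, shows reinfection directly rather than relying on a scanner signature. The script below is an added illustration written for this thread, not a tool from any poster or vendor; it assumes Python 3 on the cleaning workstation, and the directory, file names and byte contents in `demo()` are constructed stand-ins for a real drive root such as a mounted flash drive or a share.

```python
"""
Baseline-and-verify integrity check for executable files on a drive or share.

Workflow: build_baseline() on a freshly rebuilt machine or freshly formatted
flash drive and save the manifest somewhere an infected host cannot rewrite it
(read-only media, or a share the endpoints cannot write to). Later, verify()
reports executables whose bytes changed, executables that appeared, and an
autorun.inf sitting in the drive root, which is the usual removable-media
spreading mechanism myrti's vaccination tools guard against.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# File types that file-infecting malware typically modifies; extend as needed.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".ocx"}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every executable-type file under root (relative POSIX-style path) to its SHA-256."""
    baseline = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in EXEC_SUFFIXES and path.is_file():
                baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def save_baseline(baseline: dict, manifest: Path) -> None:
    """Write the manifest as JSON (store it off the machine being checked)."""
    manifest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest: Path) -> dict:
    return json.loads(manifest.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current state of root with the baseline.

    'modified' is the key list for a file infector: a known executable whose bytes
    changed although no patch or install was applied. 'new' catches dropped
    binaries; 'autorun_inf' flags an autorun.inf in the root of removable media.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
        "autorun_inf": (root / "autorun.inf").exists(),
    }


def demo() -> dict:
    """Constructed sample: baseline a fake 'drive' in a temp dir, alter it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        # Constructed stand-ins for executables; a real run points root at the drive.
        (root / "tools" / "setup.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "tools" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "readme.txt").write_text("not an executable, ignored by the baseline")

        save_baseline(build_baseline(root), root / "baseline.json")

        # Simulate what a file infector leaves behind: one executable altered,
        # one new binary dropped, and an autorun.inf placed in the drive root.
        (root / "tools" / "setup.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"\xcc" * 16)
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x02" * 32)
        (root / "autorun.inf").write_text("[autorun]\n")

        return verify(root, load_baseline(root / "baseline.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline from the clean workstation against each flash drive and each rebuilt PC's system directories before they rejoin the network, and repeat after a day of use; any entry under `modified` on a machine that received no updates is the reinfection path you are looking for, and the name of the changed file (and the drive it was on) tells you which medium carried it.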