
Sophos Conficker Clean-up Tool (network version)

As described in Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker, Conficker is a worm that spreads across a network through Windows shared folders (including shares guarded only by weak passwords), through infected removable drives such as USB storage devices, and by exploiting an unpatched Windows vulnerability (the one closed by Microsoft Security Bulletin MS08-067, which is why the patching step below matters).

The Sophos Conficker Cleanup Tool (network version) detects, isolates and removes Conficker from the computers on your network.

Note: If you need to remove Conficker from computers that are not in a network, use the Sophos Conficker Cleanup Tool (standalone version).

If you are running Sophos Anti-Virus you do not need to disable HIPS while you are using the Sophos Conficker Cleanup Tool. The tool should not conflict with other anti-virus products, but because of what it does (stopping processes, deleting files and scheduled jobs, and forcing a reboot) it may be blocked by behaviour-based (HIPS) functionality in non-Sophos anti-virus solutions. If the tool stops without producing a log on such a computer, check that product's HIPS log first.

Operating systems affected
Windows 2000
Windows XP and Vista
Windows Server 2003 and 2008

Note: Infected files may also be found on computers running other operating systems. Conficker cannot infect those systems, so you can simply delete any infected files found on them. If you run the Sophos Conficker Cleanup Tool on a computer running Windows 95, 98 or NT, you may see an error message (shown in the 'Windows NT and Windows 98 error message' section below) or the tool will simply stop; the error can be safely ignored.

Known issue

If the 'AdminCheck' option is enabled (it is on by default) and the tool is run on some non-English versions of Windows, you will get an error. The script checks for membership of a group named 'Administrators', but on a localised Windows installation the built-in administrators group has a localised name: on a German installation, for example, it is 'Administratoren'.
To fix this:

  1. Open the SCCT.vbs file that comes in the download in a text editor (right-click it and click Edit; do not double-click it, which would run it). Scroll down to line 89, which reads
    For Each AdminMember In GetObject("WinNT://" & ComputerName & "/Administrators").Members
  2. Edit this line. Replace the word Administrators with the Windows default name for the administrators group in your language, which in the German example above would be Administratoren.
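The manual edit above has to be repeated for every language in use. A locale-independent alternative, written here as an added example (it is not part of the Sophos tool), is to resolve the built-in administrators group from its well-known SID S-1-5-32-544, which is identical on every language version of Windows, and only then use the WinNT provider as line 89 does. It assumes that WMI's Win32_Group class exposes the SID property on the target (Windows XP / Server 2003 and later); on Windows 2000 keep the manual edit.

```vbscript
' Added example, not Sophos code: locale-independent replacement for the
' AdminCheck block around line 89 of SCCT.vbs.
' Assumption: Win32_Group.SID is available (Windows XP / Server 2003 or later).
Option Explicit

' Name of the built-in administrators group on this computer, whatever the
' Windows language ("Administrators", "Administratoren", "Administrateurs", ...).
Function LocalAdminGroupName()
  Dim wmi, grp
  Set wmi = GetObject("winmgmts:\\.\root\cimv2")
  LocalAdminGroupName = ""
  For Each grp In wmi.ExecQuery("SELECT Name FROM Win32_Group " & _
      "WHERE LocalAccount = TRUE AND SID = 'S-1-5-32-544'")
    LocalAdminGroupName = grp.Name
  Next
End Function

' True if UserName is a direct member of the local administrators group.
' This is the same WinNT provider call as the original line 89; only the
' group name is no longer hard-coded.
Function IsLocalAdmin(ComputerName, UserName)
  Dim groupName, adminMember
  IsLocalAdmin = False
  groupName = LocalAdminGroupName()
  If groupName = "" Then Exit Function   ' could not resolve the group: fail closed
  For Each adminMember In GetObject("WinNT://" & ComputerName & "/" & groupName & ",group").Members
    If LCase(adminMember.Name) = LCase(UserName) Then IsLocalAdmin = True
  Next
End Function

' Usage: run this check where SCCT.vbs performs its AdminCheck.
Dim net
Set net = CreateObject("WScript.Network")
If Not IsLocalAdmin(net.ComputerName, net.UserName) Then
  WScript.Echo "Run this tool as a member of the '" & LocalAdminGroupName() & "' group"
  WScript.Quit 1
End If
WScript.Echo "AdminCheck passed (group '" & LocalAdminGroupName() & "')"
```

One caveat that also applies to the original line 89: .Members lists direct members only, so a domain user who is an administrator solely through a nested domain group (for example Domain Admins) is reported as not an administrator. For CD/DVD use, log on with a local administrator account or add the user directly to the group before running the tool.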

What to do

  1. If your anti-virus solution does not have an on-access scanner that can detect and block Conficker from executing, your computers can be infected, and reinfected, for as long as they remain connected to the network. Either:

    • disconnect the computers from the network, or
    • use a firewall product to block access to your shared network folders.

    Once you have done this, follow step 2 or 3, depending on whether you use Active Directory on your network.

  2. If you have a firewall product that is blocking access to your shared network folders, and you use Active Directory on your network, download the Sophos Conficker Cleanup Tool, configure it and then deploy it to your computers as a startup script using Active Directory Group Policy. Follow the instructions in these sections:

    a. Download the Sophos Conficker Cleanup Tool
    b. Edit the SCCT.vbs file to configure it for your network settings
    c. Deploy the files to your computers using Active Directory Group Policy

  3. If you have disconnected your computers from the network, or you do not use Active Directory on your network, download the Sophos Conficker Cleanup Tool and configure it, then burn it to CD or DVD. You will then have to go to each infected computer, load the CD/DVD and run the Sophos Conficker Cleanup Tool. Note: Conficker can infect removable drives, so do not use a USB pen drive to carry or run the tool.
    Follow the instructions in these sections:

    a. Download the Sophos Conficker Cleanup Tool
    b. Edit the SCCT.vbs file to configure it to use from a CD
    c. Create a CD or DVD to be used on each infected computer

    Other sections of this article:
    Configuration Options
    Scheduled Tasks
    The scct10 folder contents
    Temp directory
    Windows NT and Windows 98 error message

    Download the Sophos Conficker Cleanup Tool

    1. Use an uninfected computer that has access to the internet and either:
      • has a CD or DVD writer and CD/DVD burning software (for running the Sophos Conficker Cleanup Tool from CD or DVD on each computer), or
      • is a Domain Controller (for deploying the Sophos Conficker Cleanup Tool through Active Directory Group Policy).

    2. Navigate to the following location to download the tool: http://www.sophos.com/products/free-tools/conficker-removal-tool-network/download

    3. Save the file and double-click it to extract its contents. If you accept the defaults, the extractor creates a folder named scct10 (by default %TEMP%\scct10) containing the tool's files.

    Edit the SCCT.vbs file to configure it for your network

    1. Open the scct10 folder.

    2. Right-click the SCCT.vbs file and click Edit to change its configuration, as described below (see the Configuration Options section below for more details about these settings):

      Using a CD/DVD to run the tool on each computer

      These are the recommended options:
      CopyFiles=0
      Reboot=1
      PromptBeforeReboot=1
      AdminCheck=1

      Using Active Directory to deploy the tool via Group Policy

      These are the recommended options:
      CopyFiles=1
      Reboot=0
      PromptBeforeReboot=0
      RunOnce=1
      AdminCheck=0
      CopyFrom=\\SERVER\SHARE\FOLDER

    3. Save your changes and close the SCCT.vbs file

    Create a CD or DVD to be used on each infected computer

    1. Once you have configured the SCCT.vbs file, write the scct10 folder to a CD or DVD.

    2. At the first infected computer, open the CD or DVD in Windows Explorer and double-click the 'SCCT.vbs' file to start the scan.

    3. When the scan completes, the tool prompts the user to save their work before the computer restarts (if you have set PromptBeforeReboot=1 in the SCCT.vbs file). When the computer restarts, the Sophos Conficker Cleanup Tool deletes the infected files.

    4. Once the reboot is complete, you can remove the CD or DVD from the drive and go to the next computer.

    5. To prevent re-infecting the computers that have been cleaned up, network connections should only be resumed once:

      • every infected computer in the network is scanned and cleaned up,

      • the necessary Microsoft patches are applied,

      • the anti-virus software on every computer on the network is up to date.

    Creating a script to be used in Active Directory Group Policy

    Note: as part of this configuration you will need to set the 'Maximum wait time for group policy scripts' policy. Test the tool on one of your typical computers first so that you can choose a value that covers a full scan.

    If you cannot test the tool before configuring it, set three hours for computers with a typical number of files and up to six hours for computers with a very large number of files. Do not use zero (wait indefinitely): if the scan hangs because of an error, startup will wait forever and nothing will tell you that anything is wrong.

    Ensure that the Server service is running on the clients before attempting this procedure.

    If you run a NAC agent or a client firewall, ensure that they do not prevent the tool copying files from the server.

    Sophos recommends deploying the tool to a small pilot group first, to confirm that the configuration is correct and that nothing is blocking the cleanup tool.

    Copy and set up the files

    1. Copy the files from the scct10 folder to a shared folder on the server (or create a new shared folder).

    2. Give 'Authenticated Users' Read permission on both the share and the folder's NTFS security settings. Startup scripts run under the computer's LocalSystem account and reach the share as the computer account (DOMAIN\COMPUTER$), which is itself an authenticated user, so the permissions of the logged-on user do not matter here.

    3. Check that none of the files in the folder has the 'Read only' attribute set. If any do, clear the Read-only check box in the file's Properties.

    Set up the Group Policy

    1. On the Domain Controller, click 'Administrative Tools'.

    2. Open 'Active Directory Users and Computers'.

    3. In the Directory tree, right-click the organisation unit containing the computers on which you want to run the tool and select 'Properties'.

    4. Click the Group Policy tab.

    5. Click ‘New’, type a policy name and click OK.

    6. Select the policy from the list and click ‘Edit’.

    7. In the Group Policy Object Editor, browse to Computer Configuration|Windows Settings|Scripts.

    8. Double-click 'Startup'.

    9. In the 'Startup Properties' dialog box, click the 'Show Files' button.

    10. Browse to the scct10 folder and copy the SCCT.vbs file into the Group Policy folder. Close the scct10 folder.

    11. In the Startup Properties dialog box, click 'Add'.

    12. In the 'Add a Script' dialog box, click 'Browse'.

    13. Select the file ‘SCCT.vbs’ and click 'Open'.

    14. Click OK and then OK.

    15. Browse to Computer Configuration|Administrative Templates|System|Scripts.

    16. Double-click ‘Maximum wait time for group policy scripts’.

    17. Select 'Enabled' and enter a value between 7200 seconds (2 hours) and 32000 seconds (just under 9 hours) in the 'Seconds' box.
      This is the amount of time allowed for the tool to scan the infected computer; see the note at the start of this section for choosing a value.

    18. Click ‘OK’.

    19. Close the Group Policy Object Editor.

    20. Click ‘Close'.

    What will happen next

    • The computers in the group will synchronise with their Group Policy the next time the computer starts up.

    • The scan will load and run in the background.

    • When the scan is completed, it will list the files to be deleted in the scan log.

    • At the next restart, the Sophos Conficker Cleanup Tool will delete the infected files.

    • As the interval between finding the files and deleting the files could be long, it is essential that you use an anti-virus program with on-access scanning to block and/or delete all new instances of Conficker from re-infecting your computers.

    • When the infected files have been deleted from your network, be sure to remove the Sophos Conficker Cleanup Tool from your Group Policy settings.
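Before widening the rollout beyond the pilot group, it is worth checking on one client of the target OU the three things that most often stop a startup-script deployment: the script wait time, access to the CopyFrom share, and Read-only attributes on the files in it. The script below is an added example (not Sophos code) that does exactly that and also shows where the tool's working folder ends up when the script runs as a startup script. It assumes, which the page does not state, that the 'Maximum wait time for group policy scripts' policy is stored as the REG_DWORD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MaxGPOScriptWait (600 seconds by default when unset), and it uses \\SERVER\SHARE\FOLDER as a stand-in for your real CopyFrom value.

```vbscript
' Added example, not Sophos code: pilot-client checks for the Group Policy
' deployment of SCCT.vbs.
' Assumptions: MaxGPOScriptWait is the registry value behind the policy
' (default 600 s when unset); CopyFrom below matches the value in SCCT.vbs.
Option Explicit
Const CopyFrom = "\\SERVER\SHARE\FOLDER"
Const ReadOnlyAttr = 1              ' FileSystemObject attribute bit for Read-only
Dim shell, fso, problems
Set shell = CreateObject("WScript.Shell")
Set fso   = CreateObject("Scripting.FileSystemObject")
problems  = 0

Sub Report(msg)
  WScript.Echo "PROBLEM: " & msg
  problems = problems + 1
End Sub

' 1. Script wait time (steps 15-17 above). 0 means wait forever.
Dim waitSecs
On Error Resume Next
waitSecs = shell.RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MaxGPOScriptWait")
If Err.Number <> 0 Then
  Err.Clear
  Report "MaxGPOScriptWait not set (policy not applied?); the 600 s default is too short for a scan"
ElseIf waitSecs = 0 Then
  Report "MaxGPOScriptWait is 0: a hung scan blocks startup indefinitely"
ElseIf waitSecs < 7200 Then
  Report "MaxGPOScriptWait is " & waitSecs & " s; 7200-32000 s is recommended"
Else
  WScript.Echo "MaxGPOScriptWait = " & waitSecs & " s"
End If
On Error GoTo 0

' 2. The share must be reachable and readable, and no file may carry the
'    Read-only attribute (see 'Copy and set up the files').
Dim required, name, f
required = Array("SCCT.vbs", "conficker.ide", "sarcli.exe", "helper.exe", "findsvc.exe")
If Not fso.FolderExists(CopyFrom) Then
  Report "cannot open " & CopyFrom & " (share permissions, NAC agent or client firewall?)"
Else
  For Each name In required
    If Not fso.FileExists(CopyFrom & "\" & name) Then
      Report name & " is missing from " & CopyFrom
    ElseIf (fso.GetFile(CopyFrom & "\" & name).Attributes And ReadOnlyAttr) <> 0 Then
      Report name & " has the Read-only attribute set"
    End If
  Next
End If

' 3. Working folder. As a startup script the tool runs as LocalSystem, whose
'    %TEMP% is normally %SystemRoot%\Temp, so that is where the
'    SophosConfickerTool folder and the log (which RunOnce checks for) live.
Dim workDir
workDir = shell.ExpandEnvironmentStrings("%SystemRoot%") & "\Temp\SophosConfickerTool"
If fso.FolderExists(workDir) Then
  WScript.Echo "Tool has already run here; files in " & workDir & ":"
  For Each f In fso.GetFolder(workDir).Files
    WScript.Echo "  " & f.Name & "  " & f.Size & " bytes  " & f.DateLastModified
  Next
Else
  WScript.Echo workDir & " not present: the tool has not run on this client yet"
End If

WScript.Echo problems & " problem(s) found"
WScript.Quit problems
```

Run it interactively first for a quick look, but note that the share check then uses the logged-on user's credentials, not the computer account that the real startup script will use. To test the path that matters, run it as LocalSystem (for example as a temporary startup script in the pilot GPO, or with a tool that launches a process as SYSTEM) and read its output from the event of that run.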

    Configuration options

    When you open the SCCT.vbs file, you will find a section near the top named Configuration where you must set your required options. 

    To set an option use:
    0 = Off
    1 = On

    Option / Description

    CopyFiles

    Determines whether the files are copied to a subdirectory of the local %TEMP% folder before being run.

    (Recommended for Active Directory Group Policy rollout.)

    Reboot

    Determines whether the script should initiate a reboot at the end. A reboot is required to complete the cleaning. If Conficker is not detected the computer will not be rebooted. If this option is set, the computer reboots without prompting the user unless PromptBeforeReboot is also set.

    (Recommended for using the Sophos Conficker Cleanup Tool on CD/DVD.)

    PromptBeforeReboot

    Determines whether a message is displayed before rebooting, giving the user an opportunity to save their work before the reboot is initiated. This option does not work with Active Directory scripts.

    (Recommended for using the Sophos Conficker Cleanup Tool on CD/DVD.)

    RunOnce

    Determines whether the script should only run once. This is determined by checking for the existence of the tool's log file.

    (Recommended for Active Directory Group Policy rollout.)

    CopyFrom

    Specifies the shared folder that the computer will copy the files from.

    (For use with Active Directory Group Policy rollout only.)

    DeleteFiles

    If the 'CopyFiles' option is set, this option deletes the local copy of the files after the tool has run. The log files created during the scan and the subdirectory in %TEMP% will not be deleted.

    AdminCheck

    Checks that the user running the script is a member of the administrators group. See the Known issue section above if you run non-English versions of Windows.

    (Recommended for using the Sophos Conficker Cleanup Tool on CD/DVD only.)

    RunVisible

    Allows the tool to be run in the foreground on the PC, so you will see the scan commands and file names updating as they change.

    DeleteScheduledJobs

    Deletes all of the scheduled jobs created by the AT (at.exe) scheduler, and therefore may delete scheduled jobs other than those created by Conficker. Jobs created using the Task Scheduler (schtasks.exe) will not be deleted. This option is off by default.

    Scheduled Tasks

    As part of its attack, Conficker configures some scheduled tasks on the infected computer:

    • A scheduled task, called AT*.job (where * is a sequential number), is created to run some randomly named .dll files using a rundll32.exe process.
    • There will be one rundll32.exe process running for every scheduled task that has been created.

    The Sophos Conficker Cleanup Tool can remove these scheduled tasks if you set the appropriate option in the SCCT.vbs file.
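Because DeleteScheduledJobs=1 removes every AT job, not only Conficker's, it pays to record what is there first. The script below is an added example (not Sophos code) that lists the AT jobs through WMI's Win32_ScheduledJob class (which covers exactly the at.exe jobs the option deletes; schtasks.exe tasks are not in that class and are left alone), lists the rundll32.exe processes those jobs start, and provides a selective delete for when other AT jobs must survive. It assumes it is run as an administrator on the suspect computer and that Win32_Process.CommandLine is available (Windows XP / Server 2003 or later; it is empty on Windows 2000).

```vbscript
' Added example, not Sophos code: triage of AT jobs and rundll32 processes
' before running SCCT.vbs with DeleteScheduledJobs=1.
' Assumptions: run as an administrator; Win32_Process.CommandLine needs XP/2003+.
Option Explicit
Dim wmi, job, proc, jobCount, rundllCount
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' 1. AT jobs: these are the AT*.job files in %SystemRoot%\Tasks.
jobCount = 0
For Each job In wmi.ExecQuery("SELECT * FROM Win32_ScheduledJob")
  jobCount = jobCount + 1
  WScript.Echo "AT job " & job.JobId & "  owner=" & job.Owner & _
               "  command=" & job.Command
Next
WScript.Echo jobCount & " AT job(s); DeleteScheduledJobs=1 would remove all of them"

' 2. rundll32.exe processes. Conficker starts one per AT job with a randomly
'    named .dll on the command line; legitimate rundll32 use (printer drivers,
'    control panel applets) shows up here too, so read the DLL name rather
'    than acting on the process name alone.
rundllCount = 0
For Each proc In wmi.ExecQuery("SELECT ProcessId, ParentProcessId, CommandLine " & _
                               "FROM Win32_Process WHERE Name = 'rundll32.exe'")
  rundllCount = rundllCount + 1
  WScript.Echo "rundll32 pid=" & proc.ProcessId & " ppid=" & proc.ParentProcessId & _
               "  cmd=" & proc.CommandLine
Next
WScript.Echo rundllCount & " rundll32.exe process(es)"
If jobCount > 0 And rundllCount >= jobCount Then
  WScript.Echo "At least one rundll32 process per AT job: consistent with the pattern above"
End If

' 3. Selective removal of a single AT job you have confirmed is Conficker's,
'    for computers where other AT jobs must be kept. Equivalent to: at <id> /delete
Sub DeleteATJob(jobId)
  Dim j
  Set j = wmi.Get("Win32_ScheduledJob.JobId=" & jobId)
  j.Delete
  WScript.Echo "Deleted AT job " & jobId
End Sub
```

Save the listing with the rest of the incident record; after the cleanup tool has run and the computer has rebooted, run the first two loops again and confirm that both counts are zero (or back to the legitimate jobs you then re-create). Call DeleteATJob with the job number from the listing, for example DeleteATJob 3, only for jobs whose command you have checked.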

    The scct10 folder contents

    The Sophos Conficker Cleanup Tool, downloaded from Sophos, contains the following files:

    • conficker.ide
    • SCCT.vbs
    • findsvc.exe
    • helper.exe
    • MEMSWEEP.sys
    • sar1.dll
    • sar2.dll
    • sar3.dll
    • sar4.dll
    • sar5.dll
    • sar6.dll
    • sarcli.exe 
    • sarkboottasks.sys
    • scctreadme.txt
    • EULA (20-Jan-09).txt

    Temp directory

    The SCCT creates a subdirectory of the %TEMP% folder called 'SophosConfickerTool' for its files and logs.

    Windows NT and Windows 98 error message

    If you try running the Sophos Conficker Cleanup Tool on a computer running Windows NT or Windows 98, you may see the following error, which can be safely ignored:

    "Windows Script Host"
    Script C:\Winnt\Profile\support\Desktop\ConfickerTool.vbs
    Line: 81
    Char: 1
    Error: Invalid Syntax
    Code: 800401E4
    Source: (null)

    Refer also to: Current major threats: Conficker, Virtumundo

    If you need more information or guidance, then please contact technical support.
