I'm looking for a little help here. I have a Windows 2003 server (W2K3 SP1 with all hotfixes and patches). It has Sophos AV installed and up to date. It is one of 24.
One day Sophos starts going nuts telling me about Mal/GenericA and Basine/C. This nasty little blighter comes in the form of 3 files: copy.exe, host.exe and autorun.inf (all HSR bits set).
It couldn't clean them up, so I removed the network cable, dropped the server down to command-line safe mode and ran a full system scan with the latest defs using sav32cli.
So it found and removed these infections. I started it up without the network cable in, and it was all fine, all gone, or so I thought.
I put the network cable in and went home. Overnight the virus came back and was deleted 300 times (I kid you not!). I am not sure where this infection comes from (this machine sits on a 100-user domain). I have tried a bit of rudimentary security, i.e. removing the Everyone group from the shares etc., but I can't go too far because it runs an exceptionally custom piece of software that I really, really can't risk breaking.
It has also managed to infect an NT4 BDC. This is just as bad, but NT4 is now retired and support for it is non-existent. I also have Sophos on this machine.
Now, Sophos tech support have been about as useful as a chocolate teapot. Any suggestions? No other machines (except these two) on the network seem to have it, according to the Sophos EM console, but the laptops (30-40 of them on top of the domain setup) do not have reporting capability.
So what I really need to do is first find the source of the infection (but how?), and secondly, any ideas on securing this machine so it's at least a little virus-resistant.
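A small hunting script for the dropper described in this post, added here as an example; it is not the poster's code or anything from Sophos. It assumes only what the post states: three files named copy.exe, host.exe and autorun.inf with the Hidden, System and Read-only attributes set. The autorun.inf contents it parses are a constructed sample, since the post does not show the real file. The script walks a directory tree (a share root, for instance), flags files by name or by the HSR attribute combination, and reports which executables each autorun.inf would launch, so the same copy can be checked on every machine that hosts a share:

```python
"""Hunt for an autorun-style dropper (copy.exe / host.exe / autorun.inf)
and report what each autorun.inf would launch.  Stdlib only."""
import os
import tempfile
import shutil

# Windows file-attribute bits (values from the Win32 API).
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
HSR_MASK = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY

# File names reported in the post.  Matching is case-insensitive.
SUSPECT_NAMES = {"copy.exe", "host.exe", "autorun.inf"}
# autorun.inf keys that cause code to run when the volume or share is opened.
LAUNCH_KEYS = ("open", "shellexecute")


def is_hsr(attrs):
    """True when Hidden, System and Read-only are all set (the 'HSR' combination)."""
    return attrs & HSR_MASK == HSR_MASK


def parse_autorun(text):
    """Return {key: value} for the launch entries of the [autorun] section,
    keys lower-cased.  Tolerates comments, blank lines and
    shell\\<verb>\\command entries, which also launch an executable."""
    section = None
    launches = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches[key] = value.strip()
    return launches


def file_attributes(path):
    """Win32 attribute bits for path; 0 on platforms that do not expose them."""
    return getattr(os.stat(path), "st_file_attributes", 0)


def scan(root):
    """Walk root and return findings: suspect names, HSR-flagged files,
    and the launch targets of every autorun.inf encountered."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hit = {
                "path": path,
                "name_match": name.lower() in SUSPECT_NAMES,
                "hsr": is_hsr(file_attributes(path)),
            }
            if name.lower() == "autorun.inf":
                with open(path, "r", errors="replace") as fh:
                    hit["launches"] = parse_autorun(fh.read())
            if hit["name_match"] or hit["hsr"] or hit.get("launches"):
                findings.append(hit)
    return findings


# Constructed sample autorun.inf for the demo; not taken from the post.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    ";comment line\r\n"
    "open=copy.exe\r\n"
    "shell\\open\\Command=host.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)


def demo():
    """Build a throw-away share tree with the three files plus a benign one,
    scan it, and return the findings with paths relative to the tree root."""
    root = tempfile.mkdtemp(prefix="share_")
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        for name in ("copy.exe", "host.exe", "readme.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"MZ" if name.endswith(".exe") else b"hello")
        results = scan(root)
        for r in results:
            r["path"] = os.path.relpath(r["path"], root)
        return sorted(results, key=lambda r: r["path"])
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `scan()` at each share root (or a drive root) rather than the demo tree to check a real machine; the attribute test only works on Windows, the name and autorun.inf checks work anywhere. This tells you where the files land and what they run, not which client writes them: for that, the usual approach is to enable object-access auditing on the share folder and read the resulting Security-log entries.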