Endpoint Protection

  • 1.  Some workstations on my network are infected and others are not with Conficker

    Posted Feb 23, 2010 11:27 AM

    I have 1200 workstations connected on my network.  There are at least 100 workstations that have not been patched with MS08-067.  Out of these, only 5 of the workstations keep getting reinfected with the Conficker virus after using the Norton removal tool.  Software that is in use on these machines will not work if MS08-067 is installed.  They are all WinXP machines.  What I would like to know is why only these 5 keep getting reinfected and not the rest of the unpatched workstations.  They all share the same network access.



  • 2.  RE: Some workstations on my network are infected and others are not with Conficker

    Posted Feb 23, 2010 11:47 AM
    Once infected, it might have dropped a backdoor or rootkits on your system that remain undetected and keep re-infecting your system.

    This is a very critical patch; make sure your systems are up to date with at least Windows security patches.

    Once a computer is compromised it cannot be trusted, because you never know what files the threat left behind for opening the backdoor.


  • 3.  RE: Some workstations on my network are infected and others are not with Conficker

    Posted Feb 23, 2010 03:59 PM
    I agree with Vikram. My guess is that it is not necessarily something to do with the network at all, but instead a rootkit or something else that is infecting these machines again and again. If I were you I would pull these 5 off the network, clean them, and then see if they get infected again. This would tell you that it is not another computer on the network. Also, it could be spreading via USB, so make sure one user isn't infecting just these 5 with a bad USB key.

    Cheers
    Grant


  • 4.  RE: Some workstations on my network are infected and others are not with Conficker

    Posted Feb 24, 2010 12:52 AM
    Try scanning all these PCs in safe mode at one time. Also keep System Restore off. You can also use the Downadup removal tool for scanning.


  • 5.  RE: Some workstations on my network are infected and others are not with Conficker

    Posted Feb 25, 2010 12:16 PM
    Did you look to see if MS08-067 did install on those PCs?
    Any errors come up when you installed MS08-067?


  • 6.  RE: Some workstations on my network are infected and others are not with Conficker

    Posted Feb 25, 2010 12:58 PM
    1. Check for antivirus.
    2. Install SEP.
    3. Use a complex password for Windows login.
    4. Delete or disable local admin accounts if not required or do keep weak passwords.
    5. Patch the system with MS08-067.
    6. Use the fixdowna.exe tool to remove the Downadup virus.
    7. Stop all open sharing.

    This will stop it from infecting again & again.


    Regards...
    Ramji Iyyer