Persistent Worm, Server 2003 R2

WARNING: The below registry patch is only for Bowlersaid. It is not a generic fix to use for everyone.

Copy the bold text below to notepad. Save it as fixNetSVC.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• C:\MGlogs.zip

Now do not power down or reboot your PC!!!! Wait until you hear back from me on what to do next.

 

Just an FYI for Kestrel13! and others. You cannot search the registry for the below strings because they do not exist in plain ASCII like this:

nncrbg
jiqmcnw
zdxtjms
ofjqdedr
zzqncjk
inifhzbk
vyykoylm
gespfbyx

They are in the registry in hexidecimal format and have additional embedded 00 after each character since they are in dword format. They look like the below in the registry ( which you can see in the attachment obtained from from doing the export on the registry key, the colon is just a character separator ):

6e:00:6e:00:63:00:72:00:62:00:67:00:00:00:
6a:00:69:00:71:00:6d:00:63:00:6e:00:77:00:00:00:
7a:00:64:00:78:00:74:00:6a:00:6d:00:73:00:00:00:
6f:00:66:00:6a:00:71:00:64:00:65:00:64:00:72:00:00:00:
7a:00:7a:00:71:00:6e:00:63:00:6a:00:6b:00:00:00:
69:00:6e:00:69:00:66:00:68:00:7a:00:62:00:6b:00:00:00:
76:00:79:00:79:00:6b:00:6f:00:79:00:6c:00:6d:00:00:00:
67:00:65:00:73:00:70:00:66:00:62:00:79:00:78:00:00:00

 

You're welcome. Okay that appears to have removed the leftovers from Confiker but I need to make a new registry patch since the last one did not format the NetSvcs registry key value properly. I had a feeling that would happen which is why I said not to reboot or power down. Hangon while I work up another fix.

 

Okay lets make a new registry patch that we will name as fixNetSvcs2.reg

Copy the bold text below to notepad. Save it as fixNetSvcs2.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Code:

[COLOR=black][B][COLOR=black]REGEDIT4[/COLOR][/B][/COLOR]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):41,65,4c,6f,6f,6b,75,70,53,76,63,00,41,70,70,4d,67,6d,74,00,\
  41,75,64,69,6f,53,72,76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,\
  00,44,4d,53,65,72,76,65,72,00,45,76,65,6e,74,53,79,73,74,65,6d,00,48,69,64,\
  53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,49,72,6d,6f,6e,00,4c,61,6e,6d,\
  61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,57,6f,72,6b,73,74,61,74,69,6f,\
  6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,6d,61,6e,00,4e,6c,61,00,4e,74,\
  6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,61,74,69,6f,6e,00,4e,77,73,61,\
  70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,52,61,73,6d,61,6e,00,52,65,6d,\
  6f,74,65,61,63,63,65,73,73,00,53,61,63,73,76,72,00,53,63,68,65,64,75,6c,65,\
  00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,63,63,65,\
  73,73,00,54,68,65,6d,65,73,00,54,72,6b,57,6b,73,00,54,72,6b,53,76,72,00,57,\
  5a,43,53,56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,\
  74,00,78,6d,6c,70,72,6f,76,00,42,49,54,53,00,77,75,61,75,73,65,72,76,00,53,\
  68,65,6c,6c,48,57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,76,63,00,57,\
  6d,64,6d,50,6d,53,4e,00,00

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

Now do not power down or reboot your PC!!!! Wait until you hear back from me on what to do next!

 

Okay that looks better. How are things working right now?

Reboot your PC and make sure all is good.

 

I suggest that you re-run GMER and attach a new log before we do final steps.

 

Yes now that we actually removed the infection, MSRT finally woke up. It likely only detected what we removed and quarantined or just some minor inactive leftovers.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

So glad you're sorted. I knew Chas would work his magic

 

Were these items actually removed now by MBAM. The one with the .vir extension was just a renamed file ( quarantined ) from running previous fixes. Previous attempts were always failing since the NetSvcs entries were not fixed at the time. After we fixed the NetSvcs entries ( and assuming the services entries had not returned ) these should have been easily deleted. If not, it could be that the infection had returned before rebooting the server. It is important when fixing infections like this that rebooting after the fixes occur immediately. The server really should be taken offline while doing fixes since it could spread the infection to clients.

What driver exactly? Did you look at event viewer to see? It could be one of the drivers from Conficker that is failing to load and that would mean there is a left over registry entry.

Could have been part of your infection. Are they still occurring?

 

Let's run a few scans.


Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.


Now run the scan with DDS given in the below link and attach the two requested logs:

Scanning with DDS


Now download MGtools and run a new scan. Attach the new MGlogs.zip file.

 

That is what I was guessing but I had never tried it on Win Server 2003. I knew ComboFix and Avenger would not work but was hoping DDS would.

Okay one new NetSvcs process showed up from Conficker. This one is named nkmxpsz and it was not there before. I'm not sure if this occurred due to not rebooting immediately after previous fixes or if another PC accessing this server is causing reinfection. Is this server fully up to date with ALL Microsoft Updates? Are other PCs on the network also fully up to date and have they been scanned to check for Conficker?

We need to check to see if any services were added before making a new fix, please run the below and attach the GMER log

GMER - running with a random name

 

Then what are all of the many many admin logins for. Your logs show the below:

Code:

Users on this computer:
Is Admin? | Username
------------------
   Yes    | Administrator
          | Guest (Disabled)
   Yes    | localsm
          | office
   Yes    | RCSSupport
   Yes    | remotesm
   Yes    | Robot
          | SBS
   Yes    | SCOT
   Yes    | SNSupport
          | SUPPORT_388945a0 (Disabled)
   Yes    | WRKSTN01
   Yes    | WRKSTN02
   Yes    | WRKSTN03
   Yes    | WRKSTN04
   Yes    | WRKSTN05
   Yes    | WRKSTN06
   Yes    | WRKSTN07
   Yes    | WRKSTN08
   Yes    | WRKSTN09
................ many many more

Run Registrar Lite and paste the below into the address bar and click the green Go button.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

You will now see two entries titled netsvcs. The first is a folder ( yellow icon ) the second is a normal entry. Double click on this normal entry and the Data Editor should come up. Scroll down to the bottom of the list and you should set nkmxpsz listed. Highlight this text name with your mouse and right click on it and select delete. Okay the delete. Then close the Data Editor. Now click View and then Refresh in the main Registrar Lite window. Double check to make sure the aboe entry from Conficker is gone. Let me know. We will then start the next part of the fix once this has been completed.

Do you still have OTM and OTL on this PC? If not please download them again. See Kestrel13!'s earlier messages.

 

I did not want you to reboot. Double check to make sure the entry has not returned. If it has then remove it again and do not reboot. Just continue on with the below.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:services
nkmxpsz  
 
:reg
[-HKLM\SYSTEM\CurrentControlSet\Services\nkmxpsz]
[-HKLM\SYSTEM\ControlSet002\Services\nkmxpsz]
 
:files
C:\WINDOWS\system32\zfyspqu.dll
C:\WINDOWS\system32\zfyspqu.u
C:\32788R22FWJFW
 
:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.
Make sure your PC has been rebooted after the above.

See if the C:\WINDOWS\system32\zfyspqu.dll file exist or not?
Rerun GMER and attach a new log.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip

 

Looks good now. I suggest that you do the below to cleanup all of what we put on the PC and remove the quarantines and other files and then afterwards ( not before final steps ) run a full scan with AVG. If all still looks good, you can then put it back online. If it gets reinfected again, it likely means that something else on your network ( or a device like a USB drive plugged in ) that is connecting to it is infected.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Re: Update ---

Was it connected to the network?

Quickly run C:\MGtools\GetLogs.bat and attach the new MGlogs.zip

Also run GMER and attach the log.

I expect a new NetSvcs/driver infection.

 

Then it is very possible that any or all of these are infected. You now have a new Conficker rootkit driver infection. The driver is now named cyqlb

It may be a waste of time to continue cleaning this PC as it will continue to get reinfected when you connect these other devices to it if they are infected. You need to fix them all or you need to fix this server and then DO NOT connect it to the network or anything else for awhile to prove that it remains clean while not connected to anything else.

 

We can try cleaning the server and not connecting anything to it all and just let it sit with the cable to the network physically unplugged. ( Not sure how long you can leave it offline but not sure you have any choice. ) It did not take too long last time before you saw reinfection. If you give it a number of hours or even overnight and it does not have the infection return then you can be pretty sure the reinfection is coming from the other devices. You should also disable autoruns on the server an perhaps this may help keep the infection from reoccuring due to other devices being plugged in ( like USB drives ). Try running the below right now while a prepare a fix based on your last logs. Then UNPLUGGED the ethernet cable to this server can keep the USB drive you have been using unplugged.

Autorun Eater

Also download and save the below to your Desktop but do not run it yet:

http://majorgeeks.com/McAfee_AVERT_Stinger_Conficker_d5985.html

You may also want to see the below which could be useful for other systems too:

http://www.mcafee.com/us/enterprise/confickertest.html

 

Then next fix for the server.


Run Registrar Lite and paste the below into the address bar and click the green Go button.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

You will now see two entries titled netsvcs. The first is a folder ( yellow icon ) the second is a normal entry. Double click on this normal entry and the Data Editor should come up. Scroll down to the bottom of the list and you should set cyqlb listed. Highlight this text name with your mouse and right click on it and select delete. Okay the delete. Then close the Data Editor. Now click View and then Refresh in the main Registrar Lite window. Double check to make sure the aboe entry from Conficker is gone. Let me know. We will then start the next part of the fix once this has been completed.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:services
cyqlb 
 
:reg
[-HKLM\SYSTEM\CurrentControlSet\Services\cyqlb]
[-HKLM\SYSTEM\ControlSet002\Services\cyqlb]
 
:files
C:\WINDOWS\system32\zfyspqu.dll
C:\WINDOWS\system32\zfyspqu.u
:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

Make sure your PC has been rebooted after the above.

Now run the McAfee Stinger Conficker program. And if it finds anything, fix it, reboot, and run it again until clean. Once it does not detect anything, wait a number of hours or until tomorrow to see if it remains clean ( ie. AVG does not popup and run Stinger again still finds nothing.

 

Hmmm! Looks like McAfee took it offline. Not sure exactly why but probably because it did not work too well from what I had see in the past. It never removed everything which is why we use manual steps. But sometime it helped located leftovers.

Download the Symantec tool ( D.EXE ) from the below and use it instead. Run it in safe mode if it seems to have any problem removing any part of the infection ( they also suggest this in the link ).

http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

You may also want to check out the below tools from BitDefender since they also have one to run on a network:

http://www.bdtools.net/

 

Okay but the server itself should have the cable unplugged. You do not want anyone/thing being able to connect to it remotely which is what a conficker infection will also do.

 

I assume you meant Symantec?

 

Obviously not a problem.

Make sure that you do have this patch installed.

Let me know the result.

 

If all is still clean, only just connect to the network first and wait a bit to see if it stays clean just being connected. Do not connect the passport drive yet. However with all updates installed and with AutoRun Eater in place, I'm hoping it will block issues with the passport if there are any.

 

Previously you said the PC was updated. I checked your logs and see that the KB958644 patch is installed. Thus you should have it. See:http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

 

I don't know for sure but I guess it is possible that these systems use an autorun.inf file. If so it is a major security risk as you can see from conficker and it is only one on many many forms of autorun infections. You could try disabling autorun eater, but if the server gets infected..... you then know you have a problem that begins with the registers that you will have to fix.

 

Okay if things continue to remain clean thru the day, you can then try reconnecting your passport drive to see what happens.

By the way, if these registers are Windows based, you need to make sure they have the MS08-067 patch ( and all other patches ) too.

 

Yes it needs to be scanned right away and don't run programs or open any files on it until fully scanned. Hopefully Autorun Eater will block any autorun.inf files from running that may be on the drive.

Yes it would be best to have just one admin account. You may need to clean these "registers" manually with similar procedures used on the server. Many times the Conficker removal tools do not get everything.

You also have to understand, that any remote PCs that have been accessing the server or registers may also be infected and could even be the source of the infection.