Persistent Worm, Server 2003 R2

Are you saying that when you re-scan with Malware Bytes it returns?

I am seeing the below installed, what products are you currently using from norton/symantec?

• LiveReg (Symantec Corporation)
• LiveUpdate 3.2 (Symantec Corporation)

 

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :filefind
  zfyspqu.u

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Are you able to do this?

Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.

Run a full scan with AVG and let me know the results.

 

The logs were not showing it before. Now let's try again to attack it!

We need to run an OTL Fix

• Right-click OTL.exe And select " Run as administrator " to run it. If Windows UAC prompts you, please allow it.
• Copy and Paste the following code into the Image textbox. Do not include the word Code

Code:

Code:

:otl
@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34   
   
:files
C:\WINDOWS\System32\zfyspqu.dll   
  
:commands
[EMPTYTEMP]
[REBOOT]

• Then click the Run Fix button at the top.
• Click Image.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :filefind
  zfyspqu.dll

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.

 

Queen of the clouds stands before him and shakes her head. "That file does not exist any longer by the looks, but before we get excited, just navigate to the system32 folder and seek out the be-devilled DLL. Let me know if it exists or not."

 

Wait a minute, something else I want to add... still look for that DLL, let me know.

 

I see some services that could be connected to it and still running. The file does not appear to exist but we will include it anyway for redundancy into the script.

Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:files
C:\WINDOWS\System32\zfyspqu.dll  

:services
zdxtjms
ofjqdedr
nncrbg
jiqmcnw

:Commands
[emptytemp]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Queen of clouds welcomes you back from your short journey and smiles. "You did well, seeker of shadows... but another return trip awaits you! Take the quickest clearest path towards your destination and slay that evil! Be sure to show no mercy..."

• C:\WINDOWS\system32\zfyspqu.u

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Ha ha! That's AWESOME! LOL I love the way you write.

...Accepts the map that the hero is handing me and holds it tightly in my hand. Drifts off into the kitchen to go boil the kettle for tea and opens my mouth to speak whilst looking over my shoulder, "Reboot the machine and once again navigate through the valley of the system32 and check for the presence of any of those shadow beasts while I engage in refreshments, just to be sure they didn't survive the attacks... Once I have my tea I shall study the latest map and let you know if anything else that shouldn't be there needs dealing with"

 

Okay... you rebooted, and navigated back to sys32 to check for those files. Are they gone still?

Having so many users with admin priviledges is a bad idea.

C:\GROCERY\SM2EJ.EXE <--- What is this? Something benign?

WinPcap 4.0.2 <--- Uninstall this double edged sword if you did not install it yourself. If you installed it purposely then that is fine.

Do you recognise any of these tasks?

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix exit HJT.

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :filefind
  scspkg.exe
  prcebook.exe
  scsbook.exe
  scspkg25.exe

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Dammit. I had a feeling it would resurface. We will continue on, and I have some questions to ask of my colleagues about something I am seeing in one of those logs. Rest and sleep, as will I soon and we'll battle forth when time allows, and once I have found answers.

 

Also do this as well as my previous instructions:

Using BitDefender Online Scan

Post the bdscan.txt file as an attachment.

See how you get on with this

Running GMER to detect rootkits

 

Because this is Windows 2003, I am not able to utilise some of the tools that would better attack this infection, but one way or another we will resolve it I hope.

Let's do this for now whilst I seek out advice from colleagues.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:services
zzqncjk
inifhzbk   
  
:reg
[-HKLM\SYSTEM\CurrentControlSet\Services\inifhzbk]                                                     
[-HKLM\SYSTEM\CurrentControlSet\Services\zzqncjk]                                                    
[-HKLM\SYSTEM\ControlSet002\Services\zzqncjk]   

:files
C:\WINDOWS\system32\zfyspqu.dll
C:\WINDOWS\system32\zfyspqu.u

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

Now navigate to the system32 folder again and see if those files exist, and take a look in the registry to see if those keys are present now.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Halooween party tonight where I work so it's going to be a late one. I'll get back to you on Sunday.

 

Hi there, sorry for the long wait, work was very busy indeed this weekend. Okay we need to continue on, and as much as I love the way we have been creative with our words, we need to stick to being down to earth now, especially since I may need help from my colleagues and I want it to be clear and easy to read.

Delete this

C:\WINDOWS\Tasks\At1.job

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:services
jiqmcnw
zdxtjms
ofjqdedr
fepzj
zzqncjk
inifhzbk
dydyet 
  
:Commands
[emptytemp]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

Do these files still exist?

C:\WINDOWS\system32\zfyspqu.dll
C:\WINDOWS\system32zfyspqu.u

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

You're very welcome!!

Now hang in there again whilst I am away (I return tomorrow night)

 

Good evening! You have a conficker infection.

Okay let's get back to it, sorry for the delay in a reply.

I need you to download and install Registrar Lite (Screenshot included of how we want to go about this)

Now using the program navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

In the right pane, if you see any of the following keys you will need to right click and delete them:

• nncrbg
• zdxtjms
• ofjqdedr
• jiqmcnw
• fepzj
• zzqncjk
• inifhzbk
• dydyet

Let me know how you get on. Then:

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Repeat the step but with this key:

If you found anything and successfully deleted it, then run the C:\MGTools\GetLogs.bat and attach the C:\MGlogs.zip Otherwise.. let me know.

 

Jeez... Let's try this!

Open up RegLite and click on the "search" Search Registry as shown in screenshot for each of the following: (and press enter)

• nncrbg
• jiqmcnw
• zdxtjms
• ofjqdedr
• zzqncjk
• inifhzbk
• vyykoylm
• gespfbyx

Let me know the results

 

Then very carefully delete all those bad values.

Again, very carefully delete any bad values and keys that you see relating to the ones I listed.

Delete that too afterwards!

Yes but now we are making some real progress I think

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Please try this. In the mean time please bear with me whilst I have a think about how to proceed.

Now download Registry Search (see the link titled RegSearch Download Link)

• Extract the files from Regsearch.zip into a folder.
• Doubleclick regsearch.exe to start the program.
• In the top 3 boxes under the Enter search strings case independen) and click Ok... option, enter the below string (use copy and paste)

• Then click "OK".
• Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
• Attach this RegSearch.txt file.

 

Run this ConfickerRemover Let me know the results.

 

• Click the Start menu and click Run.
• Type "regedit" and click OK.
• Navigate to this key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
• Click Registry in the Registry Editor toolbar.
• Or File > Click Export Registry File.
• Select the directory for the exported file and type a file name. Use a specific name so that you can identify the file easily
• Click OK to export the Registry file.

Zip it up and attach it here for our reviewal.

 

@Kes: Here is the link for Registrar Lite. ( The old version. )

 

Thanks Tim, but I have the link to it already. I did not instruct the OP to use this older version because for me, when I installed it and tried to use it, it would not open up this key for me, I clicked on it and nothing....

Few other keys showed as "restricted" too. This is on my win7 laptop... does it work smoothly for you Tim?

 

Bowlersmaid... also do this:

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :regfind
  nncrbg*
  jiqmcnw*
  zdxtjms*
  ofjqdedr*
  zzqncjk*
  inifhzbk*
  vyykoylm*
  gespfbyx*
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Sigh, I feel just rotten that I haven't been able to get to the heart of this infection and solve it for you within good time. However, I am going to persevere until I run out of ideas. Chaslang is away at the moment for a few days, but rest assured, if I cannot rid you of this infection, Chaslang will.

Let's rewind back a bit, because SystemLook found nothing and after reviewing the reg key nothing was revealed to help me to help you.

Open up RegLite and click on the "search" Search Registry for the following: (and press enter)

• nncrbg

You said:

So, once the list has populised after you made your search query for just nncrbg, I want you to screenshot the full results for me. One step at a time, I am so hoping to solve this for you.

 

My apologies for my typo!

 

EDIT: removed post

 

Bowlersaid, I am going to leave your thread open and when Chaslang returns I will seek his advice and get back to you ASAP, or he will.