Solved

Problem in account lockout for domain users

Posted on 2009-04-13
1,266 Views
Last Modified: 2013-12-19
Hi Everyone,

We have a problem in our company where a virus called Conficker hit our system. Symantec calls it Dwndp.B. We are still trying to recover from it. I followed many instructions from the internet on how to remove this virus, but it is still not completely resolved.

Another issue (my main problem), which seems to be related to this virus, is that the accounts in our domain keep locking out every minute (ALL USERS). So we decided to stop the account lockout policy in group policy until we can completely resolve the virus issue.

However, the accounts are still being locked out. Is there any Windows registry setting or some other technique this virus may have used that lets this account lockout still happen although we have changed the group policy?

Please assist me with this. Also, if you know any perfect way to defeat this virus, I will appreciate that a lot. LOCKOUT + VIRUS = NIGHTMARE FOR IT ...... we are getting calls from staff every 10 seconds >>>> :(
Question by:fireline1082

16 Comments
LVL 47

Expert Comment

by:dstewartjr
Start with the Network tool here
 
http://www.bdtools.net/
0
 
LVL 3

Author Comment

by:fireline1082
Thank you,

I tried this tool and others. It seems my PC is clean, but since the virus is still in the network, it keeps hitting my PC and others as well. Accounts are locked out frequently.
0
 
LVL 47

Expert Comment

by:dstewartjr
0
 
LVL 3

Author Comment

by:fireline1082
Thankx dstewartjr,

This is a commercial product and I am sure it will not be better than Symantec Endpoint Protection, which we already have in the company.

The most important issue is to resolve the account lockout problem. The virus is almost contained, but of course it is still popping up in the network since not all PCs are healed.

Thank you all for your support. LOCKOUT is hell
0
 
LVL 47

Expert Comment

by:dstewartjr
Until you fully get rid of the virus you are going to experience lockouts; this is one of its symptoms.
0
 
LVL 20

Expert Comment

by:MightySW
I have SEP and I can tell you RIGHT NOW that it will NOT protect or use its heuristics to rid the Conficker worm. You must take steps on each computer. Remember, this worm will not sit on wires, just computers. Keep it contained, and get all nodes isolated per network switch.

Again, SEP WILL NOT fix your problem. Conficker is a worm/malware that physically changes your registry to think that your computers are patched and there are no viruses on your machine. It uses RSA signatures to update the files on the computers (like 564 something bit encryption). This is a VERY sophisticated worm and you should treat it as such. Isolation is the key, as version C will update all computers to zombies if they are version B or A.

HTH
0
 
LVL 3

Author Comment

by:fireline1082
Thank you all for your help,

HELP !! Any expert in Active Directory and Windows registries?

Forget the virus issue for a moment. Let's say my PC is clean, updated and with virus protection active and fine.

Usually these kinds of worms try to access the PC using the user account, which can lock out the account if the group policy for account lockout is enabled. This is the case in our company.

Therefore, we decided to remove the account lockout policy from the group policy for a while. However, the accounts still get locked out. There is no reason for this account lockout since the policy has been changed. I confirmed my PC is getting the modified policy with rsop.msc, but still my account and others are locked. I suspect the virus may have changed some registry setting that causes this account lockout again.

Any idea, help please
0
 
LVL 47

Accepted Solution

by:dstewartjr earned 125 total points
You seem to be missing the point. Conficker is notorious for causing account lockouts.
See if this will help you out with lockouts, but until the virus is completely remedied it won't make a difference.

Implementing and Troubleshooting Account Lockout

Help with Conficker here:

http://www.experts-exchange.com/Microsoft/Applications/Q_24233568.html
0
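The lockout guide linked above tells you to start from the domain controller's lockout events, because each one records the computer whose failed logons tripped the threshold. This added example (not from the thread or from any product named in it) parses a constructed export of those events (ID 4740 on Windows 2008 and later, 644 on Windows 2003) and flags callers that lock several distinct accounts within minutes, which is the signature of a host guessing passwords rather than a user mistyping one; the sample rows, host names and thresholds are constructed.

```python
"""Rank domain lockouts by the computer that caused them (added example).
Lockout events on the DC (ID 4740 on Windows 2008+, 644 on Windows 2003)
record the locked account and the caller computer whose bad logons tripped
the threshold. A worm guessing passwords locks many different accounts from
one host within minutes; ranking callers by distinct accounts exposes it."""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: time, event id, locked account, caller computer
SAMPLE_EVENTS = """\
2009-04-13 09:00:05,4740,jsmith,WS-ACCT-07
2009-04-13 09:00:09,4740,mjones,WS-ACCT-07
2009-04-13 09:00:14,4740,akhan,WS-ACCT-07
2009-04-13 09:01:02,644,jsmith,LAB-PC-12
2009-04-13 09:01:30,4740,tlee,WS-ACCT-07
2009-04-13 09:05:00,4740,rgarcia,HELPDESK-01
2009-04-13 09:07:00,4624,rgarcia,HELPDESK-01
"""
LOCKOUT_EVENT_IDS = {"4740", "644"}

def parse_lockouts(text):
    """Return (timestamp, account, caller) for lockout events; skip other IDs."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, caller = (f.strip() for f in line.split(","))
        if event_id in LOCKOUT_EVENT_IDS:
            rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                         account.lower(), caller.upper()))
    return rows

def accounts_by_caller(rows):
    """Map caller computer -> sorted distinct accounts it locked out."""
    by_caller = defaultdict(set)
    for _, account, caller in rows:
        by_caller[caller].add(account)
    return {c: sorted(a) for c, a in by_caller.items()}

def suspected_sources(rows, min_accounts=3, window_seconds=300):
    """Callers that locked >= min_accounts distinct accounts inside one window;
    one mistyped password locks one account, a guessing host locks several."""
    events = defaultdict(list)
    for ts, account, caller in rows:
        events[caller].append((ts, account))
    flagged = {}
    for caller, evs in events.items():
        evs.sort()  # chronological, so each start opens a sliding window
        for i, (start, _) in enumerate(evs):
            hits = {a for t, a in evs[i:]
                    if (t - start).total_seconds() <= window_seconds}
            if len(hits) >= min_accounts:
                flagged[caller] = len(hits)
                break
    return flagged

if __name__ == "__main__":
    rows = parse_lockouts(SAMPLE_EVENTS)
    print("accounts locked per caller:", accounts_by_caller(rows))
    print("suspected infected hosts:", suspected_sources(rows))
```

A caller that is itself a domain controller or a terminal server usually means the real source sits behind it, so check that host's own logon failures next.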
 
LVL 15

Expert Comment

by:xmachine
@MightySW: SEP has two ways to prevent/clean Conficker (Downadup):

A) Antivirus engine will detect the virus using 4 signatures:

W32.Downadup (Released: Nov 21, 2008)
W32.Downadup.B (Released: Feb 20, 2009)
W32.Downadup.C (Released: Mar 6, 2009)
W32.Downadup.E (Released: April 9, 2009)

B) Network Threat Protection (IPS) will prevent the infection attempt using 2 signatures:

MSRPC Server Service BO
MSRPC Server Service BO2

0
 
LVL 15

Expert Comment

by:xmachine
This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) Then you can use PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to read a text file that lists the infected machines and run the batch file on them using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

So, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use NetScan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/).

Other important points:

1) Review the current password policy; you can configure a Windows GPO that requires a complex password with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/) and scan all machines with plugin ID 34476 to check whether they have the MS08-067 patch installed. (BTW, you can use a different tool to check for the installed patch; this is just an example.)
 

A Symantec Certified Specialist @ your service


@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All
ECHO.                                Multi OS W32.Downadup Cleaner v2.0
ECHO. ***********************************************************************************************

REM Select the branch for the local OS from the output of "ver".
ver | find "2003" > nul
if %ERRORLEVEL% == 0 goto ver_2003
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp0
ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp1
goto exit

:ver_2003
REM Re-enable the services the worm disables, run the Symantec fix tool, patch MS08-067, reboot.
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
REM echo Removing all AT created scheduled tasks ...
REM AT /Delete /Yes
REM echo Stopping & Disabling Schedule service...
REM sc.exe stop schedule
REM sc.exe config schedule start= disabled
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_xp
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
REM The worm re-launches itself through AT jobs: remove them and stop the Task Scheduler.
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
sc.exe config schedule start= disabled
REM 0xff disables autorun on every drive type so removable media cannot re-infect the host.
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_2000
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_vista-sp0
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
REM Start=4 is SERVICE_DISABLED for the Schedule service.
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...
shutdown /r /f /c "Rebooting system"
goto exit

:ver_vista-sp1
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...
shutdown /r /f /c "Rebooting system"
goto exit

:exit

0
 
LVL 47

Expert Comment

by:dstewartjr
Xmachine, I had already pointed the author towards your solution
http://www.experts-exchange.com/Database/LDAP/Q_24317359.html?cid=238#a24135063
0
 
LVL 20

Expert Comment

by:MightySW
SEP will NOT stop conficker from infecting other computers.  Granted that if IPS is installed and working then it will not BECOME infected.  However, if already infected, then the AV will NOT effectively remove the worm.
0
 
LVL 3

Author Closing Comment

by:fireline1082
Thanx dstewartjr,

I set the account lockout settings to NOT CONFIGURED, which I guess keeps the old setting in effect. I changed it to ZERO and the account lockout is not active any more --- PERFECT for now

0
 
LVL 15

Expert Comment

by:xmachine
@MightySW: Have you faced a case where SEP didn't clean the virus? I have some customers who had another AV product which, unfortunately, didn't catch/clean Conficker. They installed SEP and got their networks clean, and happy management as well.

0
 
LVL 20

Expert Comment

by:MightySW
Again, you had them install it after the fact. I said that if it is installed it will NOT catch it.

This is not a virus; it is a worm that utilizes about 10,000,000 zombies in a very complicated and diverse botnet with masters, RSA-signed updates, and the ability to generate 500,000 domain names that are for 'future' use. Symantec can only keep up with the DNS servers that are tracked. They cannot keep up with the different variants of the worm. They have explained this. Removing the infection is one thing, but keeping it from spreading across a network is another. The point here is to clean all infected machines.

And yes, I have run into two cases where an up-to-date SEP honeypot did not clear it of the virus. I was still able to monitor the code by looking at the assembly language jumps. This is something most likely beyond this thread, but its sophistication is not. I have even tried to maximize SEP ID and IP specifically to the dll file that it exploits; however, nothing changed.

If you say that it can then I believe you, but in my case, I say that it only works with existing cases with a new deployment of SEP.

Thanks for the info.  I will post if I find anything else out there.
0
