Solved

Problem in account lockout for domain users

Posted on 2009-04-13
Last Modified: 2013-12-19
Hi Everyone,

We have a problem in our company where a virus called Conficker hit our systems. Symantec calls it dwndp.B. We are still trying to recover from it. I followed many instructions on the internet on how to remove this virus, but it is still not completely resolved.

Another issue (my main problem), which seems to be related to this virus, is that the accounts in our domain keep locking out every minute (ALL USERS). So we decided to disable the account lockout policy in Group Policy until we can completely resolve the virus issue.

However, the accounts are still locking out. Is there any Windows registry setting or other technique this virus may have used that lets these account lockouts keep happening, even though we have changed the Group Policy?

Please assist me with this. Also, if you know any perfect way to defeat this virus, I would appreciate that a lot.   LOCKOUT + VIRUS = NIGHTMARE FOR IT ...... we are getting calls from staff every 10 seconds >>>> :(
Question by:fireline1082
16 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24130501
Start with the Network tool here
 
http://www.bdtools.net/ 
 
LVL 3

Author Comment

by:fireline1082
ID: 24132088
Thank you,

I tried this tool and others. It seems my PC is clean, but since the virus is still in the network it keeps hitting my PC and others as well. Accounts are locked out frequently.
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24132383
 
LVL 3

Author Comment

by:fireline1082
ID: 24132886
Thanks dstewartjr,

This is a commercial product and I am sure it will not be better than Symantec Endpoint Protection, which we already have in the company.

The most important issue is to resolve the account lockout problem. The virus is almost contained, but of course it still pops up in the network since not all PCs are healed yet.

Thank you all for your support.  LOCKOUT is hell
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24132922
Until you fully get rid of the virus you are gonna experience lockouts; this is one of its symptoms.
 
LVL 20

Expert Comment

by:MightySW
ID: 24132966
I have SEP and I can tell you RIGHT NOW that it will NOT protect or use its heuristics to rid the Conficker worm.  You must take steps on each computer. Remember, this worm will not sit on wires, just computers.  Keep it contained, and get all nodes isolated per network switch.

Again, SEP WILL NOT fix your problem.  Conficker is a worm/malware that physically changes your registry to make your computers think they are patched and there are no viruses on your machine.  It uses RSA signatures to update the files on the computers (like 564 something bit encryption).  This is a VERY sophisticated worm and you should treat it as such.  Isolation is the key, as version C will update all computers to zombies if they are version B or A.

HTH
 
LVL 3

Author Comment

by:fireline1082
ID: 24134909
Thank you all for your help,

HELP !! Any expert in Active Directory and Windows registries?

Forget the virus issue for a moment. Let's say my PC is clean, updated and with virus protection active and fine.

Usually this kind of worm tries to access the PC using the user account, which can lock out the account if the group policy for account lockout is enabled. This is the case in our company.

Therefore, we decided to remove the account lockout policy from the group policy for a while. However, the accounts still get locked out. There is no reason for this account lockout since the policy has been changed. I confirmed my PC is getting the modified policy with rsop.msc, but still my account and others are locked out. I suspect the virus may have changed some registry setting that causes this account lockout again.

Any idea, help please
 
LVL 47

Accepted Solution

by:Donald Stewart (earned 125 total points)
ID: 24135063
You seem to be missing the point. Conficker is notorious for causing account lockouts.
See if this will help you out with lockouts, but until the virus is completely remedied it won't make a difference.

Implementing and Troubleshooting Account Lockout

Help with Conficker here:

http://www.experts-exchange.com/Microsoft/Applications/Q_24233568.html
 
LVL 15

Expert Comment

by:xmachine
ID: 24135234
@MightySW: SEP has two ways to prevent/clean Conficker (Downadup):

A) Antivirus engine will detect the virus using 4 signatures:

W32.Downadup (Released: Nov 21, 2008)
W32.Downadup.B (Released: Feb 20, 2009)
W32.Downadup.C (Released: Mar 6, 2009)
W32.Downadup.E (Released: April 9, 2009)

B) Network Threat Protection (IPS) will prevent the infection attempt using 2 signatures:

MSRPC Server Service BO
MSRPC Server Service BO2

 
LVL 15

Expert Comment

by:xmachine
ID: 24135237
This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE 

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe 

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe 

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu 

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

2) Create a shared folder on some server to contain the downloaded files (apply read-only permission for all users).

3) Then you can use PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) with a text file that lists the infected machines, running the batch file on them with a privileged account such as a Windows domain admin.

4) In the batch file, replace the server name and shared folder name with your own.

So, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/).

Other important points:

1) Review the current password policy; you can configure a Windows GPO that requires a complex password with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/) and scan all machines with plugin ID 34476 to check whether they have the MS08-067 patch installed. (BTW, you can use a different tool to check for the installed patch; this is just an example.)
 

A Symantec Certified Specialist @ your service


@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All 
ECHO.                                Multi OS W32.Downadup Cleaner v2.0
ECHO. ***********************************************************************************************
 
 
REM Server 2003's ver output is "Microsoft Windows [Version 5.2.xxxx]" and never contains "2003"
ver | find "Version 5.2" > nul
if %ERRORLEVEL% == 0 goto ver_2003
 
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
 
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
 
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp0
 
ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp1
 
 
goto exit
 
:ver_2003
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
REM start by service name; the display name "Windows Automatic Update Service" does not exist
net start wuauserv
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
REM echo Removing all AT created scheduled tasks ...
REM AT /Delete /Yes
REM echo Stopping & Disabling Schedule service...
REM sc.exe stop schedule
REM sc.exe config schedule start= disabled
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
REM %computername% needs both percent signs or the log lands in a file literally named computername_...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_xp
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
REM & must be escaped or cmd treats "Disabling Schedule service..." as a second command
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
sc.exe config schedule start= disabled
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_2000
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_vista-sp0
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "wuauserv"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...  
shutdown /r /f /c "Rebooting system"
goto exit
 
:ver_vista-sp1
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...  
shutdown /r /f /c "Rebooting system"
goto exit
 
:exit

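An added example, not code from the thread: the lockout side of the problem. A host guessing domain passwords shows up on the domain controller's Security log as lockout events (644 on Windows 2000/2003 DCs, 4740 on 2008 and later) whose caller machine field names the host doing the guessing. This Python parser reads a constructed text export of such events and ranks machines by how many distinct accounts they locked out, which gives the hostnames to put in xmachine's infected.txt. The sample's event layout is simplified and its hosts and users are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a 'wevtutil qe Security /f:text' dump,
# cut down to the fields this parser needs; hosts and users are made up.
SAMPLE_LOG = """\
Event[0]:
  Event ID: 644
  Description: User Account Locked Out:
    Target Account Name: jsmith
    Caller Machine Name: WKS-017
Event[1]:
  Event ID: 4740
  Description: A user account was locked out.
    Subject:
      Account Name: DC01$
    Account That Was Locked Out:
      Account Name: aperez
    Caller Computer Name: WKS-017
Event[2]:
  Event ID: 644
  Description: User Account Locked Out:
    Target Account Name: bchen
    Caller Machine Name: LAB-PC3
"""

LOCKOUT_EVENT_IDS = {"644", "4740"}  # 2000/2003 DCs log 644, 2008+ DCs log 4740
EVENT_ID_RE = re.compile(r"^\s*Event ID:\s*(\d+)", re.MULTILINE)
FIELD_RE = re.compile(r"^\s*(Target Account Name|Account Name|Caller Machine Name"
                      r"|Caller Computer Name):\s*(\S+)", re.MULTILINE)


def parse_lockouts(text):
    """Return one {'event_id', 'account', 'caller'} dict per lockout event."""
    records = []
    for block in re.split(r"^Event\[\d+\]:", text, flags=re.MULTILINE):
        m = EVENT_ID_RE.search(block)
        if not m or m.group(1) not in LOCKOUT_EVENT_IDS:
            continue  # failed logons (529/4625) and other events are not lockouts
        account = caller = None
        for name, value in FIELD_RE.findall(block):
            if name.endswith("Account Name"):
                account = value  # 4740 lists the Subject first, the victim last
            else:
                caller = value.strip("\\").upper()
        if account and caller:
            records.append({"event_id": m.group(1), "account": account, "caller": caller})
    return records


def suspect_machines(records, min_accounts=2):
    """Rank caller machines by distinct accounts locked out, most first.
    One host locking out many users is the spreading pattern in the thread."""
    per_machine = defaultdict(set)
    for r in records:
        per_machine[r["caller"]].add(r["account"])
    ranked = sorted(per_machine.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(m, len(accts)) for m, accts in ranked if len(accts) >= min_accounts]
```

Writing the ranked hostnames one per line produces the infected.txt that the psexec command above consumes; a single account locked out from one machine is more likely a mistyped password than a worm, hence the min_accounts threshold.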
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24138007
Xmachine, I had already pointed the author towards your solution
http://www.experts-exchange.com/Database/LDAP/Q_24317359.html?cid=238#a24135063 
 
LVL 20

Expert Comment

by:MightySW
ID: 24139246
SEP will NOT stop conficker from infecting other computers.  Granted that if IPS is installed and working then it will not BECOME infected.  However, if already infected, then the AV will NOT effectively remove the worm.
 
LVL 3

Author Closing Comment

by:fireline1082
ID: 31569527
Thanks dstewartjr,

I set the account lockout settings to NOT CONFIGURED, which I guess kept applying the old setting. I changed it to ZERO and the account lockout is not active any more --- PERFECT for now
 
LVL 15

Expert Comment

by:xmachine
ID: 24146894
@MightySW: Have you faced a case where SEP didn't clean the virus? I have some customers who had another AV product which, unfortunately, didn't catch/clean Conficker. They installed SEP and got their networks clean, and happy management as well.
 
LVL 20

Expert Comment

by:MightySW
ID: 24148528
Again, you had them install it after the fact.  I said that if it is installed it will NOT catch it.

This is not a virus, it is a worm that utilizes about 10,000,000 zombies in a very complicated and diverse botnet with masters, RSA signed updates, and the ability to generate 500,000 domain names that are for 'future' use.  Symantec can only keep up with the DNS servers that are tracked.  They cannot keep up with the different variants of the worm.  They have explained this.  Removing the infection is one thing, but keeping it from spreading across a network is another.  The point here is to clean all infected machines.  

And yes, I have run into two cases where an up to date SEP honeypot did not clear it of the virus.  I was still able to monitor the code by looking at the assembly language jumps.  This is something most likely beyond this thread, but its sophistication is not.  I have even tried to maximize SEP ID and IP specifically to the dll file that it exploits, however nothing changed.  

If you say that it can then I believe you, but in my case, I say that it only works with existing cases with a new deployment of SEP.

Thanks for the info.  I will post if I find anything else out there.
