Solved

Cleaning up the last of Conficker

Posted on 2009-04-23
Last Modified: 2013-12-04
I had a system on the network get Conficker.B.  The machines that were patched and had virus software didn't catch the virus, but the infected machine was logged in with a domain admin account before anyone knew it was infected, and that enabled it to add a bunch of crap on other machines on the network.

Norton deleted all of the c:\windows\randomfilename.ext as they were put on, but the virus also added over 1000 entries to c:\windows\tasks telling it to run rundll32.exe randomfilename.ext dsfhds

These would run every hour, on the hour.  20-50 each time.

Rundll32 would not exit on its own, so it consumed resources and slowed down the machines.

Now, I deleted all of those entries in that folder, and all computers except mine have stopped.

But I still get 30+ rundll32.exe every hour on the hour.

I've run HouseCall, Norton's Conficker cleaner, Malwarebytes, Spybot, Ad-Aware and ComboFix.  They all say I'm clean.

HouseCall actually told me to delete those scheduled tasks, so I let it... but it's still happening.
Anywhere else I can look for launched tasks?

BTW, Vista Ultimate, 4GB mem
Question by:bennybutler
 

Expert Comment

by:ComputerTechie
ID: 24217298
I would run ComboFix again and make a CFScript and see if that fixes the problem.
Make sure you run it in Safe Mode and disable Norton, and after rebooting go into Safe Mode again to finish.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_23196589.html

CT
 

Expert Comment

by:Waynejci
ID: 24219286
I would also disable System Restore, boot into Safe Mode and run Norton and Malwarebytes again.
 

Author Comment

by:bennybutler
ID: 24219316
Here's my latest ComboFix...

This is driving me nuts.  I think something other than taskeng is launching it because they're happening more than every hour, maybe every 15... then I have to spend a few minutes killing them all.

I'm trying to avoid reinstalling windows, I hate trying to round up all those serial numbers again.
 

Expert Comment

by:Gregg DesElms
ID: 24227828
Ohgod... just reading this thread gave me heartburn.  I feel your pain, bennybutler.  Yikes!

I saw an article a couple of days ago which said that the accumulated cost of Conficker, to date, is estimated to be $9.1 billion.

     http://www.tgdaily.com/content/view/42101/108/

If you're like me, you'd probably gladly pony-up that kinda' cash outta' your pocket right about now (that is, if you had it) just to be out of this mess, eh?  Been there.  Done that.  Bought the t-shirt.  [shakes head]

You wrote "[h]ere's my latest ComboFix..." but I don't see an attachment.  Did it fail when you posted?

It would be interesting to see a HijackThis log for the troubled machine, too.

And by the phrase "and all computers except mine have stopped," do I understand you to mean that your computer is the only one, at this point, with a problem?  All others are now okay?

Also, I know it's thought of by many as lame, but have you tried Microsoft's own "Malicious Software Removal Tool" utility?  One wouldn't think that it would be useful, but Microsoft got real serious about this Conficker thing... and so the last two versions of the MSRT actually do a fair job of at least detecting (and also removing... or at least coming darned close) Conficker.  It's worth a try, at least, it would seem to me.

     http://www.microsoft.com/security/malwareremove/default.mspx

Also, open your mind to the possibility that there may be more than Conficker at work here... just generally.  Just sayin'.

I'm concerned about the closing line in your last post... that you're trying to round up all those serial numbers.  Do you mean Windows numbers for multiple machines?  Or do you just mean the Windows serial for your machine, and then the serials for everything else that's installed thereon?  (Again, I'm trying to figure out if your machine is the only one still in trouble, or if it's still LAN-wide.)
 

Expert Comment

by:warturtle
ID: 24230130
I suggest that you have a quick read of the below; it has lots of useful information (don't forget to read xmachine's post, that is really good advice and might be very helpful in your current situation):

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24268820.html

Hope it helps.
 

Expert Comment

by:xmachine
ID: 24258778
Hi,

This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE 

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe 

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe 

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu 

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) You can use PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

so, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use NetScan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/)

Other important points:

1) Review the current password policy; you can configure a Windows GPO that will require a complex password with a minimum number of characters.


2) Use Nessus (http://www.nessus.org/download/), and scan all machines using plugin ID 34476 to check whether they have the MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this is just an example)
 

A Symantec Certified Specialist @ your service



@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All 
ECHO.                                Multi OS W32.Downadup Cleaner 
ECHO. ***********************************************************************************************

REM Replace ServerName and ShareName with the read-only share that holds the
REM patches and FixDownadup.exe before running this.
REM Run it through PsExec with explicit credentials (-u DOMAIN\admin -p ...):
REM without -u the remote process gets no network token and cannot read
REM \\ServerName\ShareName, so every step below that touches the share fails.
REM sc.exe and shutdown.exe are not part of a stock Windows 2000 install (they
REM come from the Resource Kit), so stage them alongside the patches for 2000 hosts.

REM Pick the per-OS branch from the "ver" banner. Server 2003 prints
REM "Microsoft Windows [Version 5.2.3790]" with no "2003" in it, so it has to be
REM detected by its 5.2 kernel version (XP x64 reports 5.2 too; neither branch
REM ships an x64 patch, so those hosts need handling by hand).
ver | find "5.2." > nul
if %ERRORLEVEL% == 0 goto ver_2003
 
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
 
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
 
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp0
 
ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp1
 
echo Unsupported Windows version, nothing done.
goto exit
 
:ver_2003
REM Downadup sets these services to Disabled; put them back to Automatic and start them.
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
REM (WerSvc only exists on Vista and later; 2003 uses ERSvc.)
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Fixing Downadup infection ...
REM Log locally first, then copy the log to the share for central review.
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System in one minute ...  
REM -t is in seconds; -t 1024 would give users 17 minutes, not the one the message promises.
shutdown -r -f -t 60 -c "Rebooting system, you have 1 minute to save your work"
goto exit
 
:ver_xp
REM Downadup sets these services to Disabled; put them back to Automatic and start them.
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Fixing Downadup infection ...
REM Log locally first, then copy the log to the share for central review.
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System in one minute ...  
REM -t is in seconds; -t 1024 would give users 17 minutes, not the one the message promises.
shutdown -r -f -t 60 -c "Rebooting system, you have 1 minute to save your work"
goto exit
 
:ver_2000
REM Downadup sets these services to Disabled; put them back to Automatic and start them.
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Fixing Downadup infection ...
REM Log locally first, then copy the log to the share for central review.
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System in one minute ...  
REM -t is in seconds; -t 1024 would give users 17 minutes, not the one the message promises.
shutdown -r -f -t 60 -c "Rebooting system, you have 1 minute to save your work"
goto exit
 
:ver_vista-sp0
REM Downadup sets these services to Disabled; put them back to Automatic and start them.
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Fixing Downadup infection ...
REM Log locally first, then copy the log to the share for central review.
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
REM .msu packages are installed by wusa.exe; invoking the file directly does not pass the switches through.
wusa.exe \\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System in one minute ...  
REM Vista's shutdown uses /t for the delay; without it the default is 30 seconds.
shutdown /r /f /t 60 /c "Rebooting system, you have 1 minute to save your work"
goto exit
 
:ver_vista-sp1
REM Downadup sets these services to Disabled; put them back to Automatic and start them.
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Fixing Downadup infection ...
REM Log locally first, then copy the log to the share for central review.
\\ServerName\ShareName\FixDownadup.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
REM .msu packages are installed by wusa.exe; invoking the file directly does not pass the switches through.
wusa.exe \\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System in one minute ...  
REM Vista's shutdown uses /t for the delay; without it the default is 30 seconds.
shutdown /r /f /t 60 /c "Rebooting system, you have 1 minute to save your work"
goto exit
 
:exit

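As an added example (not part of xmachine's post or the batch file above), the following PowerShell script does the "different tool" check he mentions from the admin workstation: for every host in the same one-per-line infected.txt list, it asks WMI whether KB958644 (MS08-067) is listed as installed and whether the services Conficker disables are back to Automatic and Running, then writes the hosts still missing the KB to a file that can be fed straight back into psexec. It assumes PowerShell 2.0, WMI over DCOM reachable on the targets (the Windows Firewall remote-administration exception), a domain-admin credential, and the file name needs-ms08-067.txt; all of those are my choices, not the thread's.

```powershell
# Added example, not from the thread. Checks KB958644 presence and the state
# of the services W32.Downadup disables on each host in infected.txt.
param(
    [string]$HostFile = 'infected.txt',                                   # assumed file name
    [System.Management.Automation.PSCredential]$Credential                # domain admin for remote WMI
)

$kb = 'KB958644'   # MS08-067
# Services Conficker sets to Disabled; ERSvc is XP/2003, WerSvc and WinDefend are Vista+.
$watched = 'wuauserv', 'BITS', 'wscsvc', 'WinDefend', 'ERSvc', 'WerSvc'

function Get-HostStatus([string]$computer) {
    $wmi = @{ ComputerName = $computer; ErrorAction = 'Stop' }
    if ($Credential) { $wmi.Credential = $Credential }
    try {
        $hotfix = Get-WmiObject @wmi -Class Win32_QuickFixEngineering |
                  Where-Object { $_.HotFixID -eq $kb }
        $svcs = Get-WmiObject @wmi -Class Win32_Service |
                Where-Object { $watched -contains $_.Name }
        # Any watched service that exists but is not Auto/Running is reported by name.
        $bad = @($svcs |
                 Where-Object { $_.StartMode -ne 'Auto' -or $_.State -ne 'Running' } |
                 ForEach-Object { '{0}({1}/{2})' -f $_.Name, $_.StartMode, $_.State })
        New-Object PSObject -Property @{
            Host        = $computer
            KB958644    = [bool]$hotfix
            BadServices = ($bad -join ', ')
            Error       = ''
        }
    } catch {
        # Unreachable host, RPC blocked, or bad credentials: record it rather than skip it.
        New-Object PSObject -Property @{
            Host = $computer; KB958644 = $null; BadServices = ''; Error = $_.Exception.Message
        }
    }
}

$hosts   = Get-Content $HostFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$results = $hosts | ForEach-Object { Get-HostStatus $_ }
$results | Format-Table Host, KB958644, BadServices, Error -AutoSize

# Hosts that answered but do not list the KB: a new target list for the psexec run.
$results | Where-Object { $_.KB958644 -eq $false } |
    ForEach-Object { $_.Host } | Set-Content 'needs-ms08-067.txt'
```

Win32_QuickFixEngineering only lists updates installed as discrete packages, so a host that received the MS08-067 fix inside a later service pack will show KB958644 as False; treat that column as "verify", not "vulnerable", and cross-check with the Nessus plugin xmachine mentions. A host with an Error entry is not known to be clean either; it simply could not be queried and needs a second look.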
 

Author Comment

by:bennybutler
ID: 24260484
OK guys, thanks for the help, but by the time I got to here, I had removed the virus itself; the only thing that was left was some Windows settings that it had created telling it to launch itself on a schedule.  Apparently it only does it THIS way in Vista, and I have the only Vista machine; that's why the others were done with fewer steps than mine.

The launchers were set up 2 ways.
The easy way to find/fix, and which HouseCall found, was about 1000 entries in c:\windows\tasks.

The others were all in Task Scheduler.  The Vista version of this is MUCH more complicated than what XP uses... and I was unfamiliar with it.

The steps:
start
"Task Scheduler"
Pick it from the list when it shows up.
Click "Task Scheduler Library" (Don't do like I did, and expand TSL and go digging through the subfolders.  I came back to Task Scheduler a dozen times before I accidentally clicked on the TSL folder, instead of expanding it)
Delete all of the At1, At2, At3... commands that are constantly running "rundll32.exe randomcrap.ran random"

So, the problem was not that I HAD Conficker any longer, but that Conficker had set up all these tasks to run, 40+ at a time, every 30 minutes or so.  The file that it was trying to launch didn't exist, so rundll32 just launched and stayed there... 40 of them, each trying to do something, slowing the computer down to the point where it was almost unusable.

Thanks



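As an added example, not code from bennybutler's post: the cleanup he describes doing by hand in the Task Scheduler GUI, scripted with schtasks.exe. It lists every task, flags the ones named At<N> or whose command runs rundll32.exe against a DLL that no longer exists (exactly the state he found: the payload already removed, its launchers not), and deletes them only when run with -Delete, so the first run is a report you can read before anything is touched. Assumptions: PowerShell 2.0 or later, an elevated prompt, and the XP/Vista schtasks CSV layout; the script layout, the -Delete switch and the temp file name are mine.

```powershell
# Added example, not from the thread. Finds Conficker-style At<N> tasks and
# orphaned rundll32 launchers; report-only unless -Delete is given.
param([switch]$Delete)

# schtasks /v CSV output repeats its header line once per task folder on Vista,
# so rows whose TaskName is literally "TaskName" are dropped.
$csvPath = Join-Path $env:TEMP 'schtasks-triage.csv'      # assumed temp file name
schtasks /query /fo CSV /v | Out-File -FilePath $csvPath
$tasks = @(Import-Csv $csvPath | Where-Object { $_.TaskName -ne 'TaskName' })

function Resolve-RundllTarget([string]$command, [string]$startIn) {
    # Pull the DLL argument out of "rundll32.exe <dll>,<export> [args]".
    if ($command -notmatch '(?i)rundll32(\.exe)?\s+"?([^",]+)') { return $null }
    $dll = [Environment]::ExpandEnvironmentVariables($matches[2].Trim())
    if ([System.IO.Path]::IsPathRooted($dll)) { return $dll }
    # Bare file name: look where the loader would, plus the task's Start In dir,
    # so legitimate tasks that call a shipped DLL (shell32.dll etc.) are not flagged.
    foreach ($dir in @($startIn, "$env:SystemRoot\System32", $env:SystemRoot)) {
        if ($dir -and (Test-Path -LiteralPath (Join-Path $dir $dll))) { return (Join-Path $dir $dll) }
    }
    return (Join-Path $env:SystemRoot $dll)   # not found anywhere; the caller's Test-Path will fail
}

$suspects = @()
foreach ($t in $tasks) {
    $name    = $t.TaskName                       # "\At1" on Vista, "At1" on XP
    $cmd     = $t.'Task To Run'
    $isAtJob = $name -match '^\\?At\d+$'
    $target  = Resolve-RundllTarget $cmd $t.'Start In'
    $orphan  = ($target -ne $null) -and -not (Test-Path -LiteralPath $target)
    if ($isAtJob -or $orphan) {
        $suspects += New-Object PSObject -Property @{
            TaskName = $name; Command = $cmd; DllPresent = (-not $orphan) }
    }
}

'{0} tasks total, {1} suspect' -f $tasks.Count, $suspects.Count
$suspects | Format-Table TaskName, DllPresent, Command -AutoSize

if ($Delete) {
    foreach ($s in $suspects) {
        $tn = $s.TaskName
        schtasks /delete /tn $tn /f              # /f skips the per-task confirmation prompt
    }
    # The legacy At*.job files under %SystemRoot%\Tasks should go with the tasks;
    # whatever is left here is what the GUI deletion missed.
    $leftover = @(Get-ChildItem "$env:SystemRoot\Tasks" -Filter 'At*.job' -ErrorAction SilentlyContinue)
    '{0} At*.job files remain in {1}\Tasks' -f $leftover.Count, $env:SystemRoot
}
```

Run it once without -Delete and read the table: anything flagged with DllPresent True is an At<N> job whose DLL still exists, which means the payload is still on disk and the host is not as clean as the scanners said. Conficker's own tasks all resolve to DllPresent False once Norton has removed the random-named file, which is the "rundll32 hangs around doing nothing" symptom in the question.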
 

Expert Comment

by:warturtle
ID: 24262143
Good, good - so the problem has been resolved now, after deleting the scheduled tasks from the scheduler?
 

Expert Comment

by:xmachine
ID: 24507078
Any update on the status?
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 24734380
Question PAQ'd, 250 points refunded, and stored in the solution database.