W32.Downadup.B Virus on SBS2003

Security Risk Found!Threat: W32.Downadup.B in File: C:\WINDOWS\System32\ukzwgbt.ttl by: Auto-Protect scan.  Action: Clean failed : Quarantine failed : Delete succeeded : Access denied.  Action Description: The file was deleted successfully.

About every 5 minutes in Event Viewer.
I have Symantec Endpoint Protection.
It finds it, deletes it, then it's straight back.
Tried the Symantec Removal tool (No Issues Found).
Malwarebytes (Clean), HijackThis (Clean).
It appears to lock out some users (like it's guessing passwords).
logicalstepcomp Asked:
xmachine Commented:
Hi,

SEP fights W32.Downadup in two ways:

1) Antivirus Engine: SEP has all signatures to detect and clean all versions of Downadup (A/B/C/E).

2) Network Threat Protection (IPS): SEP has IPS signatures to block the exploitation attempt before a successful infection.


Also, SEP detection and eraser engines have been re-engineered from scratch to clean the latest types of viruses.

See the following solution on how to clean Downadup infection in your network:

---------------------------------------------------------------------------------------------------------

This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE 

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe 

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe 

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu 

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/D.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

So, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/)

Other important points:

1) Review the current password policy; you can configure a Windows GPO that will require a complex password with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/), and scan all machines using this plugin ID (34476) to check if they have the MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this is just an example)

3) Enable "Threat Tracer" to detect the source of infection. Follow these steps:

A) In the Symantec System Center console, right-click the server group that you want to configure, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.

B) In the Auto-Protect Advanced Options dialog box, verify that the options under Threat Tracer are checked.

C) Click Ok

4) Run Windows Patch (MS08-067) + Symantec FixDownadup tool on those infected machines that were discovered by the "Threat Tracer"

5) Read this KB article about "Threat Tracer" Logs:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/f37e368c1f18a3b388256e29007bd7ac?OpenDocument
 
@echo off 
color 0A 
ECHO. *********************************************************************************************** 
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All  
ECHO.                                Multi OS W32.Downadup Cleaner v2.0 
ECHO. *********************************************************************************************** 
  
  
REM Server 2003 reports "Microsoft Windows [Version 5.2.3790]" with no "2003" in the
REM ver output, so match on the version number rather than the product name. 
ver | find "Version 5.2" > nul 
if %ERRORLEVEL% == 0 goto ver_2003 
  
ver | find "XP" > nul 
if %ERRORLEVEL% == 0 goto ver_xp 
  
ver | find "2000" > nul 
if %ERRORLEVEL% == 0 goto ver_2000 
  
ver | find "Version 6.0.6000" > nul 
if %ERRORLEVEL% == 0 goto ver_vista-sp0 
  
ver | find "Version 6.0.6001" > nul 
if %ERRORLEVEL% == 0 goto ver_vista-sp1 
  
  
goto exit 
  
:ver_2003 
echo Enabling BITs ... 
sc config bits start= auto 
echo Starting BITs ... 
net start "Background Intelligent Transfer Service" 
echo Enabling Automatic Updates ... 
sc config Wuauserv start= auto 
echo Starting Automatic Updates ... 
REM The display name is "Automatic Updates" (Vista: "Windows Update"), so use the short service name. 
net start wuauserv 
echo Enabling Windows Error Reporting Service (ERSvc) ... 
sc config ERSvc start= auto 
echo Starting Windows Error Reporting ... 
net start ERSvc 
echo Enabling Windows Error Reporting Service (WerSvc) ... 
sc config WerSvc start= auto 
echo Starting Windows Error Reporting ... 
net start WerSvc 
echo Checking MS WSUS for any missing updates ...  
wuauclt.exe /detectnow 
REM echo Removing all AT created scheduled tasks ... 
REM AT /Delete /Yes 
REM echo Stopping & Disabling Schedule service... 
REM sc.exe stop schedule 
REM sc.exe config schedule start= disabled 
echo Fixing Downadup infection (Silent mode - Check log file in C:\)... 
REM Both variables must be wrapped in %...% or the log path is written as literal text. 
\\ServerName\ShareName\D.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt 
echo Patching MS08-067 ... 
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart 
echo Rebooting System ...   
shutdown -r -f -t 120 -c "Rebooting system" 
goto exit 
  
:ver_xp 
echo Enabling BITs ... 
sc config bits start= auto 
echo Starting BITs ... 
net start "Background Intelligent Transfer Service" 
echo Enabling Automatic Updates ... 
sc config Wuauserv start= auto 
echo Starting Automatic Updates ... 
net start wuauserv 
echo Checking MS WSUS for any missing updates ...  
wuauclt.exe /detectnow 
echo Enabling Windows Security Center Service (wscsvc) ... 
sc config wscsvc start= auto 
echo Starting Windows Security Center ... 
net start wscsvc 
echo Enabling Windows Error Reporting Service (ERSvc) ... 
sc config ERSvc start= auto 
echo Starting Windows Error Reporting ... 
net start ERSvc 
echo Removing all AT created scheduled tasks ... 
AT /Delete /Yes 
echo Stopping & Disabling Schedule service... 
sc.exe stop schedule 
sc.exe config schedule start= disabled 
echo Disabling "AutoPlay" ... 
REM The policy value is NoDriveTypeAutoRun; 0xff disables AutoRun on every drive type. 
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f 
echo Fixing Downadup infection (Silent mode - Check log file in C:\)... 
\\ServerName\ShareName\D.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt 
echo Patching MS08-067 ... 
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart 
echo Rebooting System ...   
shutdown -r -f -t 120 -c "Rebooting system" 
goto exit 
  
:ver_2000 
echo Enabling BITs ... 
sc config bits start= auto 
echo Starting BITs ... 
net start "Background Intelligent Transfer Service" 
echo Enabling Automatic Updates ... 
sc config Wuauserv start= auto 
echo Starting Automatic Updates ... 
net start wuauserv 
echo Checking MS WSUS for any missing updates ...  
wuauclt.exe /detectnow 
echo Removing all AT created scheduled tasks ... 
AT /Delete /Yes 
echo Fixing Downadup infection (Silent mode - Check log file in C:\)... 
\\ServerName\ShareName\D.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt 
echo Patching MS08-067 ... 
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart 
echo Rebooting System ...   
shutdown -r -f -t 120 -c "Rebooting system" 
goto exit 
  
:ver_vista-sp0 
echo Enabling BITs ... 
sc config bits start= auto 
echo Starting BITs ... 
net start "Background Intelligent Transfer Service" 
echo Enabling Automatic Updates ... 
sc config Wuauserv start= auto 
echo Starting Automatic Updates ... 
net start "wuauserv" 
echo Checking MS WSUS for any missing updates ...  
wuauclt.exe /detectnow 
echo Enabling Windows Security Center Service (wscsvc) ... 
sc config wscsvc start= auto 
echo Starting Windows Security Center ... 
net start wscsvc 
echo Enabling Windows Defender Service (WinDefend) ... 
sc config WinDefend start= auto 
echo Starting Windows Defender ... 
net start WinDefend 
echo Enabling Windows Error Reporting Service (WerSvc) ... 
sc config WerSvc start= auto 
echo Starting Windows Error Reporting ... 
net start WerSvc 
echo Removing all AT created scheduled tasks ... 
AT /Delete /Yes 
echo Stopping & Disabling Schedule service... 
sc.exe stop schedule 
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f 
echo Disabling "AutoPlay" ... 
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f 
echo Restoring Windows Defender startup key ... 
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f 
echo Enabling TCP Receive Window Auto-tuning ... 
netsh interface tcp set global autotuning=normal 
echo Fixing Downadup infection (Silent mode - Check log file in C:\)... 
\\ServerName\ShareName\D.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt 
echo Patching MS08-067 ... 
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart 
echo Rebooting System ...   
shutdown /r /f /t 120 /c "Rebooting system" 
goto exit 
  
:ver_vista-sp1 
echo Enabling BITs ... 
sc config bits start= auto 
echo Starting BITs ... 
net start "Background Intelligent Transfer Service" 
echo Enabling Automatic Updates ... 
sc config Wuauserv start= auto 
echo Starting Automatic Updates ... 
net start wuauserv 
echo Checking MS WSUS for any missing updates ...  
wuauclt.exe /detectnow 
echo Enabling Windows Security Center Service (wscsvc) ... 
sc config wscsvc start= auto 
echo Starting Windows Security Center ... 
net start wscsvc 
echo Enabling Windows Defender Service (WinDefend) ... 
sc config WinDefend start= auto 
echo Starting Windows Defender ... 
net start WinDefend 
echo Enabling Windows Error Reporting Service (WerSvc) ... 
sc config WerSvc start= auto 
echo Starting Windows Error Reporting ... 
net start WerSvc 
echo Removing all AT created scheduled tasks ... 
AT /Delete /Yes 
echo Stopping & Disabling Schedule service... 
sc.exe stop schedule 
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f 
echo Disabling "AutoPlay" ... 
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f 
echo Restoring Windows Defender startup key ... 
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f 
echo Enabling TCP Receive Window Auto-tuning ... 
netsh interface tcp set global autotuning=normal 
echo Fixing Downadup infection (Silent mode - Check log file in C:\)... 
\\ServerName\ShareName\D.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt 
echo Patching MS08-067 ... 
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart 
echo Rebooting System ...   
shutdown /r /f /t 120 /c "Rebooting system" 
goto exit 
  
:exit
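As an added example (not part of this thread, and not Symantec's tooling): a small Python script that parses Auto-Protect event lines of the exact form quoted in the question and flags hosts where the same threat is re-detected several times in a short window. That is the "deletes it, then straight back" pattern, and it means the host is still being reinfected (an unpatched MS08-067 neighbour or a surviving scheduled task), not that the cleanup failed. The tab-separated export layout, event id 51, the host names and the random file names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the Auto-Protect event text quoted in the question.
EVENT_RE = re.compile(
    r"Security Risk Found!\s*Threat: (?P<threat>\S+) in File: (?P<path>.+?) by: "
    r"(?P<scanner>.+?)\.\s+Action: (?P<action>.+?)\.\s+Action Description"
)

def parse_events(lines):
    """Yield (time, host, threat, path, action) per matching line; lines are
    assumed tab-separated: time, host, event id, message."""
    for line in lines:
        ts_str, host, _event_id, text = line.split("\t", 3)
        m = EVENT_RE.search(text)
        if m:
            yield (datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"), host,
                   m.group("threat"), m.group("path"), m.group("action"))

def find_reinfections(lines, window_minutes=15, min_hits=3):
    """Flag hosts with >= min_hits detections of one threat inside any
    window_minutes span; grouped per host, as Downadup randomises file names."""
    by_key = defaultdict(list)
    for ts, host, threat, path, _action in parse_events(lines):
        by_key[(host, threat)].append((ts, path))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for (host, threat), events in by_key.items():
        events.sort()
        for i in range(len(events) - min_hits + 1):
            if events[i + min_hits - 1][0] - events[i][0] <= window:
                flagged[host] = {"threat": threat, "count": len(events),
                                 "paths": sorted({p for _, p in events})}
                break
    return flagged

def _event(ts, host, name):
    """Constructed sample line in the format of the question's event text."""
    return (f"{ts}\t{host}\t51\tSecurity Risk Found!Threat: W32.Downadup.B in "
            f"File: C:\\WINDOWS\\System32\\{name} by: Auto-Protect scan.  Action: "
            "Clean failed : Quarantine failed : Delete succeeded : Access denied.  Action Description: The file was deleted successfully.")

# Constructed sample: SBS01 is hit every 5 minutes, WS02 only once.
SAMPLE_EVENTS = [
    _event("2009-02-10 09:00:00", "SBS01", "ukzwgbt.ttl"),
    _event("2009-02-10 09:05:00", "SBS01", "qpzvhlk.dll"),
    _event("2009-02-10 09:10:00", "SBS01", "ukzwgbt.ttl"),
    _event("2009-02-10 09:00:00", "WS02", "xmrpqoa.dll"),
]
```

Feed it the Application log exported as tab-separated text; hosts it returns are the ones to put in infected.txt and check first with Threat Tracer.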

logicalstepcomp Author Commented:
All cleaned up.
Thank you.
xmachine Commented:
Glad to hear it worked for you, and thanks for the points :)