Tr.gootkit + Proc.svchost

[mist63]

Hello,
I just cannot get rid of Tr.gootkit and Proc.svchost on a customer's server. I have been working on it for weeks. Roguekiller removes it fine, but after a couple of hours it is already back and detected again. 
- Server Windows 2003 + SP2 with Terminal Services installed.
- Symantec Endpoint Protection v12 installed as a client. A full scan does not detect anything wrong (fileless infection).
- attached: roguekiller last reports (this morning and last friday)

I tried to follow these instructions:
http://malwaretips.com/blogs/svchost-exe-virus-removal/
- Eset find and removes the infection, but it keeps on coming back (same as roguekiller)
- MalwareBytes hangs during pre-scan ("SDKDatabaseLoadDefaults failed with code: 2")

There are actually about 15 users working daily on this server, so re-installing the OS would be my last choice indeed.
Is there anything I can do to prevent this infection from coming back, and finaly solve this problem?
Please let me know if you need any futrher information.

Thanks for your help

[Curson]

Hi mist63,

Please follow the following process as close as possible.

1. Suspicious files uploading

Could you please upload the following files on a cloud (Google Drive, Dropbox, ...)

C:\windows\reboot1.bat
C:\windows\reboot2.bat
C:\windows\reboot3.bat
C:\windows\reboot4.bat
C:\windows\reboot5.bat
C:\WINDOWS\DelTemp.bat

Make sure it's public and paste the link in your next reply.

2. TDSSKiller

• Please download TDSSKiller and save it to your Desktop.
  
• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
  
  
• Check Loaded Modules and Detect TDLFS file system. 
  
• If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
  
  
  
  
• Click Start Scan and allow the scan process to run.
  If threats are detected select Skip for all of them unless I instruct you otherwise.
  
• Click Continue
  
  
  
  
• Click Reboot computer
  

Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.

Regards.

[mist63]

Hi Curson,

Thanks for your reply.
1. These 6 bat files were all created by myself...
- reboot1.bat to reboot5.bat are running NTBackup.exe in order to backup the server datas every day (from monday to friday).
- deltemp.bat runs icsweep utility in order to clean the users TEMP and temporary internet files folders every night.
I use these 6 files as scheduled tasks. Is there still any need to upload them?

2. TDSSKILLER
I ran it and followed your process but it did not find any threat.
Please find attached the log file.

Best regards

[Curson]

Hi mist63,

No, since you created them yourself, you don't have to upload the scripts.
Could you please download RogueKiller latest version (currently 10.5.0), scan the server with option -nokill and copy/paste the report obtained in your next reply ?

EDIT : Is the OS up-to-date ?

Best regards.

[mist63]

Hi Curson,

Yes the OS is Up to Date, I checked Microsoft Update this morning.

Please find attached the last RK 10.5 report. It seems fine to me, what do you think?
Except Symantec false positive submitted already. But no more traces of tr.gootkit or proc.svchost... I hope it will not come back.

Regards

[Curson]

Hi mist63,

Indeed, the infection seems to be no longer present on your system.
I suggest you to wait some days to see if the infection is present again.

Regards.

[mist63]

Hi Curson,

FYI I had a look this morning and ran a roguekiller -nokill scan: it is still clean.
I will wait some days as you say to make sure it does not come back.

Thanks a lot for your help
Have a nice day

[Curson]

Hi mist63,

I'm glad to hear this good new. 
Keep me informed.

Regards.

[mist63]

Hello,

I'm afraid it's back again. The customer told me this morning they have some trouble for a few days. They just "forgot" to tell me about it...

I ran roguekiller and eset poweliks: still the same problem. When  I run TDSSkiller with "loaded modules" option checked, I have to restart the server. Once it's restarted I got the attached message at startup when I log in.
Tried that this morning, seemed fine for a moment, but it was back in the afternoon. 

Any clue to get rid of this for good?
Thanks

[Curson]

Hi mist63,

TDSSKiller didn't detect anything.
Gootkit propagation is made possible by interaction with Exploit Kits. I believe there is an out-of-date software running on the server which is used to reinstall the infection as soon we remove it.

Moreover, Windows firewall is disabled which render useless any network monitoring.

08:30:19.0609 0x1484  Win FW state via NFM: disabled

I suggest you to disconnect the server off the network, remove the infection with RogueKiller and review all the softwares installed on the server to found the culprit.
Another way is to install and configure Enhanced Mitigation Experience Toolkit (EMET) and hope it helps mitigating the vulnerability used to infect the server again and again.

Please keep me informed.

Regards.

[mist63]

Hi Curson,

Thanks for your help and sorry not coming back to you earlier. I was stuck with other matters.
I'm afraid the problem is still there. I could not find the culprit, neither could I disconnect the server off the network, because I'm not at the place where the server is (remote connexion).
I tried to install EMET, but it asks me for .NET Framework 4.0 and I cannot download it (white screen in IE or Firefox when I try). I cannot run Microsoft Update either: white screen.

Maybe Windows 2003 IS the culprit? 
Probably the best solution would be to reinstall this server, though I have no time for this at the moment.

I'll have another try and I'll let you know.

Regards

[mist63]

I ran roguekiller without "nokill" option, and then I could use Windows update again. I installed .net Framework 4.0 whitout any trouble. Then it found and installed 27 updates... Maybe this will be helpful to prevent the virus coming back? I'll let you know... need to restart the server 1st.

[Curson]

Hi mist63,

Could you please download RogueKiller latest version and do a fresh scan ?
Anyway, since Windows Server 2003 EOL date is July 14, 2015, I suggests you to take time to plan a migration to a more recent of Windows as early as possible. 

Regards.