
Malware Conhost.exe Windows 2008 R2 SP1


My problem is identical to the one reported in https://forums.malwarebytes.com/topic/237542-malware-conhostexe-windows-2008-r2-sp1/

The following items will be removed, and reappear after a reboot:

* Task scheduler items (Mysa* etc.)

* c:\windows\temp\conhost.exe

* stuff in C:\windows\debug

* reset of the primary DNS record of the network

* network services disabled

and who knows what else

The output of FRST64.exe is attached.  Note the following:

FRST.txt:HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{d1fdaa9a-d087-4b06-8225-4d0f7c8f299a} <==== ATTENTION (Restriction - IP)
Addition.txt:WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"*****youmm4\"",Filter="__EventFilter.Name=\"*****youmm3\": <==== ATTENTION
Addition.txt:WMI:subscription\__TimerInstruction->*****youmm2_itimer: <==== ATTENTION
Addition.txt:WMI:subscription\__IntervalTimerInstruction->*****youmm2_itimer: <==== ATTENTION
Addition.txt:WMI:subscription\__EventFilter->*****youmm3: <==== ATTENTION
Addition.txt:WMI:subscription\CommandLineEventConsumer->*****youmm4: <==== ATTENTION
Addition.txt:ATTENTION: System Restore is disabled

Please help.  I _really_ don't want to reinstall this server.





It would be a much easier sell to management if I knew this one was on your radar.  Just responding with "BUY OUR STUFF" isn't very helpful.

Yesterday I broke down and did a reinstall.  Guess what: it survived the reinstall.  This is getting annoying.


35 minutes ago, LDTate said:

Reset the router and make sure the default password is changed on the router.


This machine is in a data center.  I've been on with their tech support.  We're on the 2nd reinstall of Windows on this machine.  My suspicion is that TeamViewer 14 is vulnerable and is the vector through which the virus is being installed.  But that is just a hunch.  That's the only thing other than IIS that has any open ports on the box.


For the sake of searches, the only other information on the internet with similar signatures I can find is on one Russian website: https://virusinfo.info/showthread.php?t=221283

5 tasks show up in the Task Scheduler immediately after a fresh Windows install + Team Viewer:

  • mysa{,1,2,3}
  • a task named "ok"

If you examine them, they include binary data run in PowerShell, which does a bunch of nasty stuff.  Once you see these things, the server appears to be toast.


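The two posts above (the FRST findings in the first post and the scheduled tasks in this one) describe three places the infection re-establishes itself after a reboot: WMI event subscriptions in root\subscription, scheduled tasks, and the local IPsec policy key. The script below is an added example, not code from the original thread, from Malwarebytes or from FRST. It is read-only: it lists those three locations and marks entries whose names match the indicators quoted in the thread. It uses only cmdlets and tools available on Windows Server 2008 R2 with PowerShell 2.0 (Get-WmiObject and schtasks.exe); the function names, output fields and the "Suspect" matching logic are this example's own, and the indicator patterns are the task and WMI names reported above.

```powershell
# Added example, not code from the original thread or from Malwarebytes/FRST.
# Read-only audit of WMI event subscriptions, scheduled tasks and the local
# IPsec policy key. Run from an elevated PowerShell prompt on the affected host.

$TaskIndicators = @('^Mysa', '^ok$')  # task names reported earlier in the thread
$WmiIndicator   = 'youmm'            # name fragment shared by the WMI objects FRST flagged

function Get-SubscriptionObjects {
    param([string]$Class)
    # Permanent WMI subscriptions are stored in the root\subscription namespace.
    Get-WmiObject -Namespace 'root\subscription' -Class $Class -ErrorAction SilentlyContinue
}

function New-Row {
    param([string]$Kind, [string]$Name, [string]$Detail)
    # Plain PSObject rather than [PSCustomObject] to stay PowerShell 2.0 compatible.
    New-Object PSObject -Property @{
        Kind    = $Kind
        Name    = $Name
        Detail  = $Detail
        Suspect = (("$Name $Detail") -match $WmiIndicator)
    }
}

function Get-WmiPersistence {
    # A working subscription needs a filter (trigger), a consumer (action) and a
    # binding that joins them; interval timers are a common trigger source.
    foreach ($f in (Get-SubscriptionObjects '__EventFilter')) {
        New-Row 'Filter' $f.Name $f.Query
    }
    foreach ($c in (Get-SubscriptionObjects 'CommandLineEventConsumer')) {
        New-Row 'Consumer' $c.Name $c.CommandLineTemplate
    }
    foreach ($b in (Get-SubscriptionObjects '__FilterToConsumerBinding')) {
        # Filter and Consumer are object paths such as __EventFilter.Name="..."
        New-Row 'Binding' $b.Filter $b.Consumer
    }
    foreach ($t in (Get-SubscriptionObjects '__IntervalTimerInstruction')) {
        New-Row 'Timer' $t.TimerId "fires every $($t.IntervalBetweenEvents) ms"
    }
}

function Get-ScheduledTaskRows {
    # Get-ScheduledTask only exists on Server 2012+, so parse schtasks.exe CSV.
    # schtasks repeats its header per folder; real rows have a TaskName starting with '\'.
    $rows = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
            Where-Object { $_.TaskName -like '\*' }
    foreach ($r in $rows) {
        $leaf = Split-Path -Leaf $r.TaskName
        $hit  = $false
        foreach ($pattern in $TaskIndicators) { if ($leaf -match $pattern) { $hit = $true } }
        New-Object PSObject -Property @{
            Path    = $r.TaskName
            Author  = $r.Author
            Action  = $r.'Task To Run'
            Suspect = $hit
        }
    }
}

function Get-LocalIpsecPolicy {
    # FRST flagged an ActivePolicy value under this key ("Restriction - IP").
    # A policy assigned here filters traffic on the host; if nobody on your
    # side created one, it belongs on the list of things to investigate.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
    if (Test-Path $key) { (Get-ItemProperty -Path $key).ActivePolicy }
}

Write-Host '== WMI event subscriptions (root\subscription) =='
Get-WmiPersistence | Format-Table Kind, Suspect, Name, Detail -AutoSize -Wrap

Write-Host '== Scheduled tasks (Suspect = name matches the thread indicators) =='
Get-ScheduledTaskRows | Sort-Object Suspect -Descending |
    Format-Table Suspect, Path, Author, Action -AutoSize -Wrap

Write-Host '== Active local IPsec policy (blank = none assigned) =='
Get-LocalIpsecPolicy
```

Run it once before the fixlist, once after, and once more after the reboot that the first post says brings everything back; a clean result on the third run is the evidence that the persistence is actually gone. Pipe any of the three functions to Export-Csv if you want a record to attach to the thread. On a host you administer, every CommandLineEventConsumer and every unfamiliar task author is worth a second look, whether or not its name matches the patterns seen here.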

  • Root Admin

Hello @davidd and :welcome:

Give me a few and I'll review your logs and get back with you. On another note, very curious why someone would be using a Server to browse the web and install Chrome on it. I've managed hundreds of servers in my career and have never allowed users to logon and use a server like a desktop.





  • Root Admin

Your Event Logs show that your controller board needs a battery replaced

Error: (01/07/2019 06:19:57 PM) (Source: Server Administrator) (EventID: 2169) (User: )
Description: The controller battery needs to be replaced.:  Battery 0 Controller 0

Nothing wrong with it, as long as you're aware and you're the one that set it up, but you have an IPSEC policy in place according to the logs.




  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.






 I've managed hundreds of servers in my career and have never allowed users to logon and use a server like a desktop.

This is a web & database server.  I'm not sure what gave you that impression.  I have RDP access to maintain it.

I'll have a look at the fix you sent.  Thank you for your time.


  • Root Admin

Google Chrome on a Windows Server is rare, that's all. Hosting websites does not require browsing them on the server. Getting this type of infection can come via a browser, via email, and via RDP.

I would highly recommend you review all security settings for RDP, as there are remote attacks for that, assuming you're very certain the infection did not come from browsing the web or using a mail client on the server.


How to protect your RDP access from ransomware attacks

Securing Remote Desktop (RDP) for System Administrators

Protect Remote Desktop credentials with Windows Defender Remote Credential Guard

Are My RDP Connections Really Secured by a Certificate?

Don’t Become a Ransomware Target – Secure Your RDP Access Responsibly

Securing RDP with IPSec

Oregon FBI Tech Tuesday: Building a Digital Defense Against Remote Desktop Protocol Threats




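The post above asks the server owner to review the RDP security settings and links to several guides. The script below is an added example, not code from the original thread or from any of the linked articles. It is a read-only check of the RDP listener using the registry values and the Win32_TSGeneralSetting WMI class that exist on Windows Server 2008 R2, plus the local account lockout threshold and the members of the Remote Desktop Users group. The thresholds it reports on (NLA required, TLS security layer, a non-zero lockout threshold) are common hardening guidance rather than anything the thread states; the function names and the wording of the findings are this example's own.

```powershell
# Added example, not from the original thread or the linked articles.
# Read-only review of the RDP listener on Windows Server 2008 R2.
# Run from an elevated PowerShell prompt.

function Get-RdpListenerSettings {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"
    $ts  = Get-ItemProperty -Path $tsKey
    $tcp = Get-ItemProperty -Path $tcpKey
    # The TerminalServices WMI namespace requires packet-privacy authentication on 2008 R2.
    $gen = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
           -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        RdpEnabled     = ($ts.fDenyTSConnections -eq 0)
        NlaRequired    = ($tcp.UserAuthentication -eq 1)
        SecurityLayer  = $tcp.SecurityLayer       # 0 = RDP, 1 = negotiate, 2 = TLS (SSL)
        Port           = $tcp.PortNumber          # 3389 by default
        CertThumbprint = $(if ($gen) { $gen.SSLCertificateSHA1Hash } else { $null })
    }
}

function Get-LockoutThreshold {
    # "net accounts" prints "Lockout threshold:  Never" or a number (English locale assumed).
    $line = net accounts | Where-Object { $_ -match '^Lockout threshold' }
    if (-not $line) { return $null }
    $value = ($line -split ':', 2)[1].Trim()
    if ($value -eq 'Never') { 0 } else { [int]$value }
}

function Get-RemoteDesktopUsers {
    # Local group membership via ADSI; works without the 2012+ LocalAccounts module.
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-RdpFindings {
    $s = Get-RdpListenerSettings
    if (-not $s.RdpEnabled) { return @('RDP is disabled on this host; nothing further to check.') }
    $findings = @()
    if (-not $s.NlaRequired) {
        $findings += 'NLA is off: require Network Level Authentication so credentials are checked before a session is created.'
    }
    if ($s.SecurityLayer -ne 2) {
        $findings += "SecurityLayer is $($s.SecurityLayer): set it to 2 so the listener only accepts TLS."
    }
    if ((Get-LockoutThreshold) -eq 0) {
        $findings += 'Account lockout threshold is Never: set one (net accounts /lockoutthreshold:N) to slow password guessing.'
    }
    $findings
}

Get-RdpListenerSettings | Format-List
Write-Host "Remote Desktop Users: $((Get-RemoteDesktopUsers) -join ', ')"
Write-Host '== Findings =='
$findings = @(Get-RdpFindings)
if ($findings.Count -eq 0) { Write-Host ' - No findings against the checks above.' }
$findings | ForEach-Object { Write-Host " - $_" }
```

The thumbprint is printed so it can be compared with what a client sees when it connects (the certificate article linked above covers why that matters); on a default install it is a self-signed certificate. The lockout check reads the effective policy, so on a domain-joined server it reflects domain policy. None of this touches TeamViewer, which the thread's author also suspects; that is a separate review.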

  • 5 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.



