jimt@
Guest
Originally posted by smerkel
Greetings:
We are having good luck cleaning things up, and I thought it may be useful to some of you out there if I went ahead and posted our complete process. Your mileage may vary as there may be a couple variants out there (based on the slight differences in files that I’m seeing people post.)
Additionally, those that asked for a link where SWSoft posted the MailEnable issue should refer to here: http://forums.swsoft.com/showthread.php?s=&threadid=40792
1. Boot Windows CD and enter Recovery Console.
2. Ensured the rdriv service was present and its start type was set to Manual.
3. Ran disable rdriv, and verified that the service was set to Disabled.
4. Renamed (or deleted) the following files:
* c:\windows\system32\a.exe
* c:\windows\system32\bot.exe
* c:\windows\system32\bw.exe
* c:\windows\system32\gethashes.exe
* c:\windows\system32\getsyskey.exe
* c:\windows\system32\nc.exe
* c:\windows\system32\rdriv.sys
* c:\windows\system32\start.bat
I would recommend looking at all executables in windows\system32, windows\system, and windows\. I would consider any file with a timestamp identical to rdriv.sys as suspect.
5. Rebooted the server into Windows (minus a network connection).
6. Within Registry Editor, removed all references to rdriv.sys, and start.bat. There were several keys referencing the rdriv.sys file. The only reference to start.bat that we came across was in a couple of MUICache folders. We did not come across any references to any of the other files listed above.
7. We patched MailEnable with the latest hotfix at http://www.mailenable.com/hotfix/. (Copy this to a CD, or download it from a network segment that does not allow inbound TCP 110 connections.)
8. Rebooted the server several times to ensure re-infection did not occur. (Note: If you do not delete start.bat, you will likely be re-infected.)
9. Ran the local security policy editor, and looked at the "Access this computer from the network". I added the psacln group to the policy, however, I'm not sure this is required - other PSA winboxes we have do not have this group applied to the policy. They all do have the IUSR and IWAM objects applied, so I ensured these were present as well. (I'll check the psacln requirement on the next cleanup I do and report back.)
10. I ran the Plesk Reconfigurator -> Repair Plesk Installation -> Check Plesk Server Accounts and Plesk Virtual Hosts Security.
Most of this will be applicable to PSA 8.1 and PSA 7.6. The only part I cannot confirm for now is the process of repairing all of the permissions so sites do not prompt for credentials. I will report on that when I clean a 7.6 box shortly.
Good hunting.
Regards,
Steve
The only thing I would add to the above is the removal of the "MailEnable SMTP Relay Service".
Jim
Bocacom
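As an added example for defenders following the steps above (this is not code from either poster, and nothing in the thread describes a script), here is a read-only PowerShell triage script that enumerates the indicators the post lists so they can be reviewed before anything is renamed or deleted: the named files in the three directories (step 4), other executables sharing rdriv.sys's timestamp (the heuristic after step 4), the rdriv service start type together with any MailEnable services (steps 2 and 3 and Jim's note about the SMTP Relay Service), and registry values that reference the file names (step 6). The scan directories, the two-second timestamp tolerance, the choice of registry hives and the MUICache path under HKCU are my assumptions, not something the post states. Run it after the offline reboot in step 5 and read the output by hand; it changes nothing on the box.

```powershell
# Read-only triage for the indicators described in the thread. Assumed defaults; adjust per host.
param(
    [string]$ReferenceFile = "$env:SystemRoot\System32\rdriv.sys",   # timestamp pivot named in the post
    [string[]]$KnownNames  = @('a.exe','bot.exe','bw.exe','gethashes.exe','getsyskey.exe',
                               'nc.exe','rdriv.sys','start.bat'),    # file names listed in step 4
    [string[]]$ScanDirs    = @("$env:SystemRoot", "$env:SystemRoot\System", "$env:SystemRoot\System32"),
    [int]$ToleranceSeconds = 2                                        # assumed slack for FAT/NTFS rounding
)

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding { param($Kind, $Detail) $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail }) }

# 1. Exact file names from the post, in each directory the post says to inspect.
foreach ($dir in $ScanDirs) {
    foreach ($name in $KnownNames) {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { Add-Finding 'KnownName' $p }
    }
}

# 2. Executables whose LastWriteTime matches rdriv.sys. Files dropped together usually share a
#    timestamp, so this is a cheap pivot for variants that use different names.
if (Test-Path -LiteralPath $ReferenceFile) {
    $refItem = Get-Item -LiteralPath $ReferenceFile
    $ref = $refItem.LastWriteTimeUtc
    foreach ($dir in $ScanDirs) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe','.dll','.sys','.bat','.cmd' } |
            Where-Object { $_.FullName -ne $refItem.FullName } |
            Where-Object { [math]::Abs(($_.LastWriteTimeUtc - $ref).TotalSeconds) -le $ToleranceSeconds } |
            ForEach-Object { Add-Finding 'SameTimestamp' $_.FullName }
    }
} else {
    Add-Finding 'Info' "Reference file not present: $ReferenceFile (already renamed, or a variant with a different name)"
}

# 3. Service state: the rdriv service from steps 2-3, plus every MailEnable service so the
#    SMTP Relay Service Jim mentions shows up alongside the legitimate ones.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq 'rdriv' -or $_.DisplayName -like 'MailEnable*' } |
    ForEach-Object {
        Add-Finding 'Service' ('{0} ({1}): state={2} startmode={3} path={4}' -f
            $_.DisplayName, $_.Name, $_.State, $_.StartMode, $_.PathName)
    }

# 4. Registry values mentioning any of the file names. Walking all of HKLM/HKU is slow, so this
#    covers the service entries, Run/RunOnce, and MUICache (assumed XP/2003 location under HKCU).
$hives = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
)
$pattern = ($KnownNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
foreach ($hive in $hives) {
    if (-not (Test-Path -Path $hive)) { continue }
    $keys = @(Get-Item -Path $hive) + @(Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($vn in $key.GetValueNames()) {
            $v = [string]$key.GetValue($vn)      # multi-string values are joined with spaces
            if ($v -match $pattern -or $vn -match $pattern) {
                Add-Finding 'Registry' ('{0}\{1} = {2}' -f $key.Name, $vn, $v)
            }
        }
    }
}

# Report. Nothing above modifies the system; act on the list only after reviewing each line.
if ($findings.Count -eq 0) { 'No indicators found in the scanned locations.' }
else { $findings | Sort-Object Kind | Format-Table -AutoSize -Wrap }
```

Save it as, for instance, triage.ps1 and run it from an elevated prompt. A hit under SameTimestamp is a lead, not proof: legitimate files updated by the same hotfix can share a timestamp too, so compare the publisher and hash of each hit before touching it, and keep the output with the incident notes.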