#1
DHCP Client Service cannot start after conficker invaded

Thank you for your help in advance. I have some servers with static IP assigned and have been running fine until the moment they got the "conficker" infected. Now the servers are clean, and they can go to "mcafee.com" and "microsoft.com". But they could not start the DHCP client service. I know it is not important at this point as the servers are running on static IP. But I just want to look into the solution. Thank you very much for your help.

Bobson

#2
The DHCP client service IS important to update DNS records, even when using fixed IP addresses. What error message do you get when you try to start it?

To me an infected server is a compromised server. I would either restore it completely from a clean backup or rebuild it. The risk of using it, even when "cleaned", is far too great.

I would like to ask... you mentioned that DHCP Client service could not start would affect the DNS... may you tell me a little more specific details like what would happen if the DHCP client service could not start?

Check this article, don't take care about the title, just control the steps: http://support.microsoft.com/default...b;en-us;895149

And if the problems go on better think about reinstalling if the server was infected from a backup prior to it.

Best regards

#3
Re: DHCP Client Service cannot start after conficker invaded

Hi Meinolf,

Thank you for your prompt response. The "warning" I got is: Event ID 1004, Source DHCP. It said The DHCP Client Service is shutting down. The following error occurred: Access is Denied.

I did some research and found a couple of articles to fix the similar error by adding "network services" group to something in the registry. But it could not fix the problem. When I start the service, it would tell me it won't start and access denied. Hope the info helps.

#4
Re: DHCP Client Service cannot start after conficker invaded

Hi Pegasus,

Yep I totally agreed with you at some point. But we have 40 servers right here that might have the same problem. I would rather try other solutions first and will put this as a last resort. I have completely wiped out two of them and they started up right now compared to the others. Thank you for your help!

#5
Solved: DHCP Client Service cannot start after conficker invaded

Hi Meinolf,

My apology!! As mentioned, I followed one of the articles before (you also sent me the same one). I claimed that it could not resolve the problem... I was wrong!! Once the server rebooted after changing registry, the DHCP clients can start again! I should have done so earlier. Thank you very much for all your help (everyone's) !!

#6
RE: Solved: DHCP Client Service cannot start after conficker invaded

Just as an FYI. These are the only permissions needed to fix this problem. This is what a default out of box install does:

Modify the permissions of this registry key: HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters

- Add this builtin group -- access: Network Service -- Full Control
- Add this builtin group -- access: Network Configuration Operators -- Read
- Have these permissions applied down the hive from the Parameters key -- Check "Replace permission entries on all child objects." Under advanced.

We ran into the same problem and fixed it on all computers with a GPO.

#7
RE: Solved: DHCP Client Service cannot start after conficker invad

Hi Troy,

I was about to reply to Meinolf that the fix still did not work. And I just called Microsoft but our free tickets were used up. And I found your response as my bright light!!! It definitely works. And you calm me down now !!! I really appreciate your help! This is the same to all of the others' help and responses!!

Bobson

#8
I just registered to thank you and to let you know the above fixed the issue in our servers. Another solution is to install SP2 - this fixes the problem as well, but your solution is by far the best practice. Let me tell you this solution is not provided by Microsoft in any KB... I spent hours and hours in the internet, forums, friends, colleagues, etc and the only fix was the SP2. But this post saved my day. I added the permissions and the DHCP client service is now working in a sec... nice!!!

FYI I fixed with this 10 servers running from DC, DNS, DHCP, Exchange, SQL, BES, etc in VMware !!! cool! Thanks to you I finished my maintenance very quickly today, Saturday!

Bobson... No matter if your servers already have the SP2... Re-installing SP2 is another fix for this as well..... From 15 servers I fixed a couple with the SP2 reinstall and the remaining with your solution... :) Thanks Troy for sharing the solution! Very nice.

Thanks for asking. We stopped the conficker virus (all the versions) with McAfee 8.5 with the last signature, the required patches / updates from Microsoft and MRT (last version). MRT has been a very good resource to stop the worm. CSA Cisco has been important to keep the network secured with zero hour viruses but we do not have CSA in all servers. We even had servers without AV (Exchange, SQL and backup server) but conficker has just demonstrated you need to protect ALL servers. At this time all our servers are running an AV package.

We have very good security (IDS, Forescout, ASA, GPOs, auditing, etc) but all this is not always enough. Working well with shares, strong passwords, user permissions and a central AV policy is highly important. Of high importance is to keep servers and workstations with the last service pack and critical updates from MS. Having a network with multiple offices is always a problem to stop this kind of viruses... you always need advanced tools to track and determine and close the perimeter of the attack.

Our security guy was working hard to stop this. Now we have tighter security in place, we were able to stop the virus but the worm made some damage at a certain point (like this DHCP service issue) and the worm disabled the McAfee AV as well in some servers. In this last case, the MRT works great and we were able to clean the infected machine or server. A snapshot comparison shows this "compromised" server does not need to be re-installed because the MRT was able to clean the server 100% and actually the risk is inexistent. I added new rules to our Adaptive Security Appliance and we are monitoring traffic at layer 2/3 with the Forescout. We have extra backups and new VMware snapshots just to be protected if new variants appear on the globe.... :)

__________________ MCP, MCSA, MCSE, MCTS A+, CST, HPSAN, HPCZ

#9
Re: DHCP Client Service cannot start after conficker invaded

Hi Cubanomx,

In fact, all of our servers already have SP2 installed and the damage is true. Unless you have the image back for those servers (which someone mentioned in this post)... I would have no choice to wipe it out to redo those. The fix really worked for me and I am so~~~ happy at this point as well :) hope things will go thru smooth to you. Again, thank you for all the responses and the solution here!!

#10
Re: DHCP Client Service cannot start after conficker invaded

Hi Cubanomx,

Thank you again for the info! May you mind if we could keep in touch? I can also write you what we had here with the conficker... In fact some of the "ways" you mentioned did not work for us though... My personal email is ultrabobson@hotmail.com. For sure my machine which will be used to email you is clean and do not worry about "infection"...at this point :)

Troy here was the person to tell me the solution. He is great!! Take care. Thank you.

#11
RE: Solved: DHCP Client Service cannot start after conficker invad

Sorry for the delay in response. I didn't have it set to Notify me of replies....didn't think I would get any.

We ended up not going with the GPO fix. We wanted the fix to be more permanent and to only fix the computers that were affected. I created two scripts to fix all the computers. The first script scans a list of computer names and creates a log for you to double check. This log tells you if the computer is on, if the permissions are right, if the service is started and the Product name of the OS. Remove the lines of the computers you don't want to change...(I could have combined the two scripts but I like to double and triple check things like this...a little OCD, I guess). Then run the second script against your modified log.

Windows 2000 computers are not affected. The DHCP Client service starts as the Local System account...not the Network Service account. After you run the second script you can rerun the first to rescan and double check to make sure everything is good. Your computer list input file should not include the "\\". I'm sure this little window I am typing in will really mess up the formatting too. As always, test first...And I am not responsible if anything bad happens. I ran it in my environment and it worked great....ENJOY!

----------------------------------snipit-------------------------------------
```bat
@echo off
echo +==========================================================+
echo +                                                          +
echo +      Check DHCP Client Service Registry Permissions      +
echo +                                                          +
echo +  Enter the file to read from:                            +
set list=
set /p list=%list%
set output=ScanOutput.log
rem CSV header for the scan log
echo Servername,Power,RegistryPerms,Service State,ProductName>%output%
for /f "tokens=*" %%a in (%list%) do call :isitup %%a
If exist templog del templog
echo +==========================================================+
:end
exit /b

:isitup
rem Defaults written to the log when the host does not answer
set power=Off
set regperms=DoubleCheck
set PName=NA
Set scstate=NA
rem "Request" in the ping output ("Request timed out", "Ping request could not find host") means no reply
ping -n 1 %1|find /i "Request">nul 2>nul
if %errorlevel%==1 set power=On
If %power%==On goto check
If %power%==Off goto output
exit /b

:check
Echo Checking: %1
rem State of the DHCP Client service on the remote host
for /f "tokens=4" %%b in ('sc \\%1 query "DHCP" ^|find /i "state"') do set scstate=%%b
rem Remove the previous host's ACL dump so a failed subinacl run is not read as "Good"
If exist templog del templog
subinacl /nostatistic /noverbose /outputlog=templog /keyreg \\%1\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dhcp\Parameters /display
for /f "tokens=* skip=2" %%z in ('reg query "\\%1\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName') do set PName=%%z
rem Strip the "ProductName REG_SZ" prefix from the reg query line
set PName=%PName:~25%
rem Any ACE mentioning "network" counts as Good
type templog |find /i "network" >nul 2>nul
If %errorlevel%==0 Set regperms=Good
If "%PName%"=="Microsoft Windows 2000" set regperms=NA

:output
echo %1,%power%,%regperms%,%scstate%,%PName% >>%output%
```
----------------------------------snipit-------------------------------------

#12
Sorry...Forgot to tell you that you need the Server 2003 resource kit for the SC utility and to download an updated version of the SUBINACL utility....I put the download URL below.. http://www.microsoft.com/downloads/d...displaylang=en

I called Microsoft for this problem, apparently their KB article is missing one more Reg. Key that needs to be modified, here is what you need to do to fix the problem per Microsoft support (and it did fix all my servers)

1. We went to H_K_L_M\System\CurrentControlSet\Services\DHCP. We went to Permissions. We added "Network Service" and gave it Full Control.
2. We went to H_K_L_M\System\CurrentControlSet\Services\Tcpip. We went to Permissions. We added "Network Service" and gave it Full Control.
3. We went to H_K_L_M\System\CurrentControlSet\Services\DHCP\Parameters. We went to Permissions. We added "Network Service" and gave it Full Control.

This resolved this issue.

What was the original KB article # you are referring to?

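A read-only check of the registry keys and accounts named in posts #6 and #12, as an added example that is not from any poster in this thread or from Microsoft. The function name `Test-ServiceKeyAcl` and the Status values are hypothetical; the script is meant to be run on the server itself, changes nothing, and only evaluates ACEs granted directly to each SID (access inherited through group membership is not considered).

```powershell
# Added example: read-only audit of the ACLs described in this thread.
# Well-known SIDs are used instead of account names so the check also works
# on localized systems.
$checks = @(
    @{ Key = 'Dhcp';            Sid = 'S-1-5-20';     Rights = 'FullControl' }  # Network Service
    @{ Key = 'Dhcp\Parameters'; Sid = 'S-1-5-20';     Rights = 'FullControl' }  # Network Service
    @{ Key = 'Dhcp\Parameters'; Sid = 'S-1-5-32-556'; Rights = 'ReadKey' }      # Network Configuration Operators
    @{ Key = 'Tcpip';           Sid = 'S-1-5-20';     Rights = 'FullControl' }  # Network Service
)

function Test-ServiceKeyAcl {   # hypothetical helper name
    param([string]$Key, [string]$Sid, [string]$Rights)

    $path   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Key"
    $want   = [int][System.Security.AccessControl.RegistryRights]$Rights
    $result = New-Object PSObject -Property @{ Key = $Key; Sid = $Sid; Wanted = $Rights; Status = '' }

    try   { $acl = Get-Acl -Path $path -ErrorAction Stop }
    catch { $result.Status = "UNREADABLE: $($_.Exception.Message)"; return $result }

    $allow = 0; $deny = 0
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne $Sid) { continue }
        # Inherit-only ACEs apply to subkeys, not to this key itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.RegistryRights }
        else                                    { $deny  = $deny  -bor [int]$ace.RegistryRights }
    }

    # A Deny ACE overrides any Allow ACE for the same rights.
    $effective = $allow -band (-bnot $deny)
    if     (($deny -band $want) -ne 0)           { $result.Status = 'DENY ACE PRESENT' }
    elseif (($effective -band $want) -eq $want)  { $result.Status = 'OK' }
    else                                         { $result.Status = 'MISSING' }
    return $result
}

$report = foreach ($c in $checks) { Test-ServiceKeyAcl @c }
$report | Select-Object Key, Sid, Wanted, Status | Format-Table -AutoSize
```

A `MISSING` or `DENY ACE PRESENT` row on a key matches the "Access is Denied" symptom described in post #3; an `OK` row on every key means the service account already holds the rights the thread lists.
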
#13
Re: DHCP Client Service cannot start after conficker invaded

Friend, you saved me not to format. Thanks

#14
Re: DHCP Client Service cannot start after conficker invaded

The article I am referring to is KB 895149 and here is the link to it: http://support.microsoft.com/kb/895149

#15
Re: DHCP Client Service cannot start after conficker invaded

Thank you very much for posting the link. Hopefully it will help others if they find this thread searching the Internet.