What's s2prcuen.zd3.vbs?

Calby

Active Member
Joined
Mar 27, 2017
Hi,
I did take a look at my firewall log at Kaspersky and I did see that a file s2prcuen.zd3.vbs had showed up.
When I google on the file I can't find anything about the file.

I did also look after the file but it's gone, I have also been looking at my backups for 21:00 and 00:00 at the same day but the file are not there, according to Kaspersky firewall the file did try to access out from the network at 22:47.
So what's is this file? IS it something to worry about? Should I re-install my server?
I'm running Windows Server 2016 at this machine.

According to picture no2 Kaspersky did put it in the Trusted section due the analysis of the digital signature.

I think that I have my server pritty secure, it's behind a Router Firewall, Windows Firewall is enabled, Kaspersky Office security for server (Firewall and Anti-Virus and malmware) and I also use Windows defender.
I only use the server for SMB share internaly and as Plex server.
I have disabled SMB v1.

152z6kh.png


nnm71s.png


m8zbwl.png


When I take a look at the Event log I can find this things:

Code:
2017-07-16 22:47:45
The Background Intelligent Transfer Service service entered the stopped state.

2017-07-16 22:47:45
The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.

2017-07-16 22:46:57
The Windows Insider Service service entered the stopped state.

2017-07-16 22:46:28
A scheduled backup has been configured for this computer.

2017-07-16 22:46:02
Installation Successful: Windows successfully installed the following update: Definition Update for Windows Defender - KB2267602 (Definition 1.247.957.0)
 
Last edited:
Based on the location it was trying to run from, I'd say it is malicious. Did your AV quarantine it if so can you zip and upload it? You can also try Recuva Recuva - Restore deleted files, even if you've emptied the Recycle bin! - Piriform. I'd be interested in examining the file.

Side Note - some malware have a self destruct behavior if some condition is met (anti-forensics/analysis). A likely scenario, because it could not beacon home the script deleted itself to avoid analysis.
 
Based on the location it was trying to run from, I'd say it is malicious. Did your AV quarantine it if so can you zip and upload it? You can also try Recuva Recuva - Restore deleted files, even if you've emptied the Recycle bin! - Piriform. I'd be interested in examining the file.

Side Note - some malware have a self destruct behavior if some condition is met (anti-forensics/analysis). A likely scenario, because it could not beacon home the script deleted itself to avoid analysis.

No, Kaspersky did not quarantine it - that's the strange thing at first Kaspersky Firewall notice it and it was not trusted but then directly after as you can see on the pictures above Kaspersky did put it on Trusted due to digital signature.
I'm downloading Recuva now, I'll replay back soon.
 
Recuva are running a deep scan because it could not find the file on the "light" scan, It 'll take about 20mins.

Do you think that I need to re-install my server?
Or do you think it safe?
 
You may want to run a couple extra scans in safe mode, but you're probably ok.

I would run malwarebytes and spybot.
 
You may want to run a couple extra scans in safe mode, but you're probably ok.

I would run malwarebytes and spybot.

Ok, So run Malmwarebytes, Kaspersky, Windows defender and Spybot in safe mode.
So that is what you should have done if you were me? No re-installing the server?

I'll get back as soon as I have the file, if I can recreate it.
 
Well it doesn't sound like whatever the scripts intent was that it was able to accomplish it, so I would run the extra scans and call it good.
 
You may want to run a couple extra scans in safe mode, but you're probably ok.

I would run malwarebytes and spybot.

It could not recreate the file sadly, I have download Malmwarebytes now and I'm running it
Well it doesn't sound like whatever the scripts intent was that it was able to accomplish it, so I would run the extra scans and call it good.

I could not recreate the script sadly.

I have been running Malmwarebytes and Kaspersky on fullscan's and deep scan's nothing is found.
I did also run Windows defender and nothing is found here either.

I guess I'm good then, Malmwarebytes is it the same to run Home Pro on the server? It was no free trial of the business version.
I'm running a home server, but I'll buy Malmwarebytes in the end of the month if it's something that you recommend?
 
If you have Kaspersky there's no reason to buy another malware suite.

Ok, so then I call it good now then I guess.
Nothing can find anything wrong and I have manuelly blocked the script if it should somehow re-create it self.
 
A couple of thoughts for you; you mention that you are running BOTH Kaspersky & Windows Defender (WD) concurrently on your Server2016. This is not possible; as you can only be running 1 AV program at a time. If you are running Kaspersky, then you need to go into your System Tray or the WD app itself and disable Real-time Protection and Firewall, in order to let Kaspersky be the primary.

I have several issues with Kaspersky with my Customer-base, and have mentioned it several times here and on other forums. Most of the techs here don't have problems with it. In the interest of troubleshooting, our Admins usually recommended temporarily disabling your Kaspersky, and making sure to enable only WD, and rescan for viruses. Continue to run MALWAREBYTES are recommended by Neemo, make sure you download the v3.x version which is the newest and only available for 14-day trial.

If you are running the Server2016 product for a business, and are testing it for deployment at your home, you have a lot more control over what products you run, and to my knowledge, there are no Fortune500 companies currently running it. There are many reasons for this, but, here is one possible reason; see this link: Senate Gets Ready to Ban Kaspersky Products as FBI Interviews Company's US Employees

You may wish to stick with WD as your Server-side AV, but personally I still recommend a 3rd party AV or AV-suite such as EMSIsoft, Avast, Norton, or TrendMicro. By the way, the file you have appears to be a script-virus, which usually comes in via E-mail via a MS OFFICE attachment such as Word, Excel, or PowerPoint. You should also carefully check your E-mail client settings, especially if you are running Exchange Server on your Server2016 PC, as well as your router settings for incoming TCP/UDP traffic. Don't know who your ISP is either, but you should be aware that several of them, including Spectrum and Comcast do not allow for fully secured encryption over their lines; specifically SSLx protocols. If you are running Exchange Server on the same PC as your Server2016, this is no Bueno! No large businesses ever do this due to the issues of non-separation and single-point of failure. If your main Server goes down, so does your E-mail server!! Most companies can't afford to do this. This happened to Microsoft in 1998 with the I LOVE YOU VIRUS, and their E-mail went down for 4 days for 95,000 employees and lost millions of $$.

If you've contracted a script-virus on your Server, you have to look at the full security picture of your network environment. If you DO plan on deploying this server into a business environment, you should look at purchasing an enterprise-wide security appliance, such as from Symantec, CA, or Cisco. We used to use a Cisco PIX firewall appliance on the TDC of our corporate network, and it did a pretty good job.

Food for thought.
Best of luck,:encouragement:
<<BIGBEARJEDI>>
 
A couple of thoughts for you; you mention that you are running BOTH Kaspersky & Windows Defender (WD) concurrently on your Server2016. This is not possible; as you can only be running 1 AV program at a time. If you are running Kaspersky, then you need to go into your System Tray or the WD app itself and disable Real-time Protection and Firewall, in order to let Kaspersky be the primary.

I have several issues with Kaspersky with my Customer-base, and have mentioned it several times here and on other forums. Most of the techs here don't have problems with it. In the interest of troubleshooting, our Admins usually recommended temporarily disabling your Kaspersky, and making sure to enable only WD, and rescan for viruses. Continue to run MALWAREBYTES are recommended by Neemo, make sure you download the v3.x version which is the newest and only available for 14-day trial.

If you are running the Server2016 product for a business, and are testing it for deployment at your home, you have a lot more control over what products you run, and to my knowledge, there are no Fortune500 companies currently running it. There are many reasons for this, but, here is one possible reason; see this link: Senate Gets Ready to Ban Kaspersky Products as FBI Interviews Company's US Employees

You may wish to stick with WD as your Server-side AV, but personally I still recommend a 3rd party AV or AV-suite such as EMSIsoft, Avast, Norton, or TrendMicro. By the way, the file you have appears to be a script-virus, which usually comes in via E-mail via a MS OFFICE attachment such as Word, Excel, or PowerPoint. You should also carefully check your E-mail client settings, especially if you are running Exchange Server on your Server2016 PC, as well as your router settings for incoming TCP/UDP traffic. Don't know who your ISP is either, but you should be aware that several of them, including Spectrum and Comcast do not allow for fully secured encryption over their lines; specifically SSLx protocols. If you are running Exchange Server on the same PC as your Server2016, this is no Bueno! No large businesses ever do this due to the issues of non-separation and single-point of failure. If your main Server goes down, so does your E-mail server!! Most companies can't afford to do this. This happened to Microsoft in 1998 with the I LOVE YOU VIRUS, and their E-mail went down for 4 days for 95,000 employees and lost millions of $$.

If you've contracted a script-virus on your Server, you have to look at the full security picture of your network environment. If you DO plan on deploying this server into a business environment, you should look at purchasing an enterprise-wide security appliance, such as from Symantec, CA, or Cisco. We used to use a Cisco PIX firewall appliance on the TDC of our corporate network, and it did a pretty good job.

Food for thought.
Best of luck,:encouragement:
<<BIGBEARJEDI>>

Strange I don't have a email server or email client on the server.

I don't know what the virus have or should have done what I have done is that I did roll back to the date where the virus was not on my server.

I'll disable WD tonight on the server and only run Kaspersky.
I don't know how WD can bee active at the same time as Kaspersky.

I have recently paid good money for the Kaspersky so for now I'll stick with it.

My isp have full encryption on there lines they even have free vpn and they are fighting for the customers privacy etc they are big in Sweden because of that.

Edit:
I did notice that on the clients Kaspersky or if it's Windows are deactivating WD by default when I install Kaspersky - but on Windows Server you need to deactivate WD by your self - don't know why it is like this but it is.
So I have deactivated WD for now.
 
Last edited:
A little explanation of Windows Defender and what happens (usually) when you install a 3rd party AV.

  1. Windows Defender is the only AV on the system (it stays enabled and protects your system)
  2. You install a 3rd party AV suite, the AV suite will call some code to register to WSC (windows security center)
  3. WD sees this registration and disables it's real time protection
    • If the 3rd party AV doesn't register with WSC, WD will remain active
While it's not recommended to run multiple AV products many 3rd party suites will run in tandem without any issues.
 
Back
Top Bottom