MrMintanet
asked on
URGENT: Is Conficker blocking Windows Update?
Or is Windows Update getting slammed by downloaders scrambling to get the patch? Is conficker causing users to slam the Windows Update site?
I can't get these links to show anything:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://update.microsoft.com/microsoftupdate
I can't get these links to show anything:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://update.microsoft.com/microsoftupdate
ASKER
Thanks for the canned answer. Please read my question now.
Both links work just fine here , could be a temporary down time as you say because of the 1st of April alert
can you get to the Microsoft Malicious software removal tool ?
http://www.microsoft.com/security/malwareremove/default.mspx
also in order for windows update to function properly the BITS service which is affected by Conficker infection needs to be repaired
start>run>services.msc
look for the service named "Background Intelligent Transfer Service", make sure it is running , running under Local system Account & that the path to executable is set to "C:\WINDOWS\system32\svchos
also you may want to confirm that there is no DNS / Hosts file hijack , please take a look at HOSTS file on the impacted machine to confirm it does not contain any rogue entries related to windows update
start>run>notepad
notepad c:\WINDOWS\system32\driver
the last line there should be 127.0.0.1 localhost
hope this helps.
can you get to the Microsoft Malicious software removal tool ?
http://www.microsoft.com/security/malwareremove/default.mspx
also in order for windows update to function properly the BITS service which is affected by Conficker infection needs to be repaired
start>run>services.msc
look for the service named "Background Intelligent Transfer Service", make sure it is running , running under Local system Account & that the path to executable is set to "C:\WINDOWS\system32\svchos
also you may want to confirm that there is no DNS / Hosts file hijack , please take a look at HOSTS file on the impacted machine to confirm it does not contain any rogue entries related to windows update
start>run>notepad
notepad c:\WINDOWS\system32\driver
the last line there should be 127.0.0.1 localhost
hope this helps.
If the problem persists, please psot a hijack this log, this may assist in revealing any remaining infectiosn that could be denying you access to windows update website
Yes, a HijackThis log would help. You may need to download it on another PC and transfer it over on a flash drive, ect....
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Can anyone else that is in the US tell me if they are able to connect with Microsoft Updates site? I am thinking that they are getting hit hard by update seekers. Please confirm. That's all I am asking.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I work for Microsoft and am politely trying to tell you that one of the variants of the Conflicker worm DOES AFFECT YOUR ABILITY to view our update site amoung other update sites including AV programs. Would you please look thoroughly at the links I have sent you and READ them, thank you.
ASKER
Michael, thanks for the feedback.
More details:
Site actually tries to load and takes aproximately 1-2 minutes to load. Symantec and Spybot found nothing. I actually went to Symantec and Spybot's website and downloaded "trial" packages just to test the ability to connect. The problem is only with MS website.
More details:
Site actually tries to load and takes aproximately 1-2 minutes to load. Symantec and Spybot found nothing. I actually went to Symantec and Spybot's website and downloaded "trial" packages just to test the ability to connect. The problem is only with MS website.
Run this scan tool"Trend Micro HijackThis 2.0.2" and Copy/paste the list here.
Trend Micro HijackThis 2.0.2 Download:
http://www.softpedia.com/progDownload/Trend-Micro-HijackThis-Download-69011.html
Trend Micro HijackThis 2.0.2
Will scan the registry and will produce a detailed list of your system for me to analyze.
A logfile is not so easy to analyze. Even for an advanced computer user. With the help of this automatic analyzer you are able to get some additional support. Just paste your complete logfile into the textbox at the bottom of this page.
But
MrMintanet said:
"most would be happy for you not to solve their questions"
Trend Micro HijackThis 2.0.2 Download:
http://www.softpedia.com/progDownload/Trend-Micro-HijackThis-Download-69011.html
Trend Micro HijackThis 2.0.2
Will scan the registry and will produce a detailed list of your system for me to analyze.
A logfile is not so easy to analyze. Even for an advanced computer user. With the help of this automatic analyzer you are able to get some additional support. Just paste your complete logfile into the textbox at the bottom of this page.
But
MrMintanet said:
"most would be happy for you not to solve their questions"
FREE COMPUTER REPAIR
http://onecare.live.com/site/en-us/default.htm
And run the: "FULL SERVICE SCAN" it will cleanup & speedup your computer, if it won't run then:
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
If on a network, I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
Also see:
Bit Defender:
http://anti-virus-software-review.toptenreviews.com/
This is free:
http://www.pctools.com/free-antivirus/
(Regards from Michael Best: I troubleshoot: both, English OS & Japanese OS)
http://onecare.live.com/site/en-us/default.htm
And run the: "FULL SERVICE SCAN" it will cleanup & speedup your computer, if it won't run then:
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
If on a network, I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
Also see:
Bit Defender:
http://anti-virus-software-review.toptenreviews.com/
This is free:
http://www.pctools.com/free-antivirus/
(Regards from Michael Best: I troubleshoot: both, English OS & Japanese OS)
ASKER
Again, Michael Best, please do not give me these copy/paste answers. Please take the time to read what has already been established since my initial question. Furthermore, I have no intention of using an automated "clean up tool" on a server. I also have no intention of posting a hijack this log.
As Michael MCDST says. This solution works for me.
This is my working cure for Conficker infections.
1) To start working, first you need to download the required patches + fix tool:
Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE
Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe
Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe
Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu
Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe
2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).
3) And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.
4) In the batch file, you should replace the server name and shared folder name.
so, for example (run this as domain administrator):
c:\psexec @infected.txt -d -c Clean-Downadup.bat
infected.txt should contains one name/ip per line, like:
...
192.168.1.2
192.168.1.3
192.168.1.4
...
Use netscan to ping a range of IP's and save the results as a text file (http://www.softperfect.com/products/networkscanner/)
Another important points:
1) Review the current Passwords policy, you can configure a Windows GPO that will require a complex password, with a minimum number of characters.
http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm
2) Use Nessus (http://www.nessus.org/download/), and scan all machines using this plugin ID (34476) to check if they have MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this just an example)
A Symantec Certified Specialist @ your service
Open in new window