Solved

URGENT: Is Conficker blocking Windows Update?

Posted on 2009-04-01
Last Modified: 2013-12-06
Or is Windows Update getting slammed by downloaders scrambling to get the patch? Is Conficker causing users to slam the Windows Update site?

I can't get these links to show anything:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://update.microsoft.com/microsoftupdate
Question by:MrMintanet
 
LVL 15

Expert Comment

by:xmachine
Hi,

This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) You can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

So, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/).

Other important points:

1) Review the current password policy; you can configure a Windows GPO that will require a complex password with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/), and scan all machines using this plugin ID (34476) to check if they have the MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this is just an example.)
 

A Symantec Certified Specialist @ your service

@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All
ECHO.                                Multi OS W32.Downadup Cleaner v2.0
ECHO. ***********************************************************************************************

REM Pick the OS branch from the "ver" banner. Server 2003 prints
REM "Microsoft Windows [Version 5.2.3790]" (the text "2003" never appears),
REM so it is matched on its kernel version instead.
ver | find "Version 5.2" > nul
if %ERRORLEVEL% == 0 goto ver_2003

ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp

ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000

ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp0

ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp1

echo Unsupported Windows version, nothing done.
goto exit

:ver_2003
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
REM The display name of this service differs between OS versions; the short name does not.
net start wuauserv
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
REM The AT cleanup is commented out in this branch; uncomment it if you also
REM want it on servers (it deletes every AT job, legitimate ones included).
REM echo Removing all AT created scheduled tasks ...
REM AT /Delete /Yes
REM echo Stopping ^& Disabling Schedule service...
REM sc.exe stop schedule
REM sc.exe config schedule start= disabled
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_xp
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
REM "&" must be escaped inside echo, or cmd treats the rest of the line as a command.
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
sc.exe config schedule start= disabled
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_2000
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_vista-sp0
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
REM On Vista the Schedule service is protected from "sc config", so set Start=4 (disabled) in the registry.
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...
shutdown /r /f /c "Rebooting system"
goto exit

:ver_vista-sp1
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...
shutdown /r /f /c "Rebooting system"
goto exit

:exit

 
LVL 8

Author Comment

by:MrMintanet
Thanks for the canned answer.  Please read my question now.
 
LVL 23

Expert Comment

by:Admin3k
Both links work just fine here; it could be a temporary downtime, as you say, because of the 1st of April alert.
Can you get to the Microsoft Malicious Software Removal Tool?
http://www.microsoft.com/security/malwareremove/default.mspx
Also, in order for Windows Update to function properly, the BITS service, which is affected by Conficker infection, needs to be repaired:
Start > Run > services.msc
Look for the service named "Background Intelligent Transfer Service"; make sure it is running, running under the Local System account, and that the path to executable is set to "C:\WINDOWS\system32\svchost.exe -k netsvcs".

Also, you may want to confirm that there is no DNS / Hosts file hijack; please take a look at the HOSTS file on the impacted machine to confirm it does not contain any rogue entries related to Windows Update:
Start > Run > notepad
notepad c:\WINDOWS\system32\drivers\etc\hosts

The last line there should be 127.0.0.1      localhost
Hope this helps.

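The two checks in the comment above (BITS service configuration and rogue HOSTS entries) scripted for the local machine, added here as an example that is not part of the original thread. It assumes an elevated PowerShell session on the affected host; the watch-list substrings are constructed from names that appear in this thread and are not a complete list.

```powershell
# Added example, not from the original thread: verify the BITS service and the
# HOSTS file the way the comment above describes. Run elevated on the affected host.

# BITS as it should look according to the comment above
$expectedBitsPath    = '*\system32\svchost.exe -k netsvcs'
$expectedBitsAccount = 'LocalSystem'

$bits = Get-WmiObject -Class Win32_Service -Filter "Name='BITS'"
if ($null -eq $bits) {
    Write-Warning 'BITS service is not registered at all'
} else {
    'BITS: state={0} startmode={1} account={2}' -f $bits.State, $bits.StartMode, $bits.StartName
    'BITS: path={0}' -f $bits.PathName
    if ($bits.StartMode -eq 'Disabled') { Write-Warning 'BITS is disabled; Windows Update cannot download' }
    if ($bits.StartName -ne $expectedBitsAccount) { Write-Warning "BITS runs as '$($bits.StartName)', expected $expectedBitsAccount" }
    if ($bits.PathName -notlike $expectedBitsPath) { Write-Warning 'BITS path to executable is not the svchost netsvcs group' }
}

# HOSTS file: flag any active mapping whose hostname contains a watched substring.
# Constructed watch list (names mentioned in this thread); extend it for your environment.
$hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
$watch = @('microsoft', 'windowsupdate', 'symantec', 'spybot', 'trendmicro')
$rogue = @()
$entries = 0
foreach ($line in Get-Content $hostsPath) {
    $entry = ($line -split '#', 2)[0].Trim()    # drop comments and surrounding whitespace
    if ($entry -eq '') { continue }
    $fields = $entry -split '\s+'
    if ($fields.Count -lt 2) { continue }       # malformed line with no hostname
    $entries++
    $ip = $fields[0]
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        foreach ($w in $watch) {
            if ($name -like "*$w*") { $rogue += ('{0,-16} {1}' -f $ip, $name); break }
        }
    }
}
'HOSTS: {0} active entries, {1} suspicious' -f $entries, $rogue.Count
$rogue | ForEach-Object { Write-Warning "Suspicious HOSTS entry: $_" }
# A clean HOSTS file holds only comments plus "127.0.0.1 localhost" (and "::1 localhost"
# on Vista), so anything beyond a couple of active entries deserves a look.
```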
 
LVL 23

Expert Comment

by:Admin3k
If the problem persists, please post a HijackThis log; this may assist in revealing any remaining infections that could be denying you access to the Windows Update website.
 
LVL 20

Expert Comment

by:IndiGenus
Yes, a HijackThis log would help. You may need to download it on another PC and transfer it over on a flash drive, etc.
 
LVL 10

Accepted Solution

by:
Michael_MCDST earned 250 total points
Yes, there is a variant of the worm that blocks AV programs and the Windows Update website, but please see the following below for direct and complete info regarding the 4 actual types of the worm and a description of their effects.
Centralized Information About The Conficker Worm
http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx
 
MSRT Released Today Addressing Conficker and Banload
http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx
 
More MS08-067 Exploits
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
 
Just in time for New Year's....
http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx
 
Worm:Win32/Conficker.D
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.D
 
Worm:Win32/Conficker.C
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.C
 
LVL 8

Author Comment

by:MrMintanet
Can anyone else that is in the US tell me if they are able to connect with Microsoft Updates site?  I am thinking that they are getting hit hard by update seekers.  Please confirm.  That's all I am asking.
 
LVL 20

Assisted Solution

by:IndiGenus
IndiGenus earned 250 total points
Yes, I'm in the US and can get to MS update sites with no problem. It sounds like you are infected with something. What? We don't know. A HijackThis log would be a good place to start as advised.
 
LVL 10

Expert Comment

by:Michael_MCDST
I work for Microsoft and am politely trying to tell you that one of the variants of the Conficker worm DOES AFFECT YOUR ABILITY to view our update site, among other update sites including AV programs. Would you please look thoroughly at the links I have sent you and READ them, thank you.
 
LVL 8

Author Comment

by:MrMintanet
Michael, thanks for the feedback.

More details:

The site actually tries to load and takes approximately 1-2 minutes to load. Symantec and Spybot found nothing. I actually went to Symantec's and Spybot's websites and downloaded "trial" packages just to test the ability to connect. The problem is only with the MS website.
 
LVL 34

Expert Comment

by:Michael-Best
Run this scan tool "Trend Micro HijackThis 2.0.2" and copy/paste the list here.
Trend Micro HijackThis 2.0.2 Download:
http://www.softpedia.com/progDownload/Trend-Micro-HijackThis-Download-69011.html
Trend Micro HijackThis 2.0.2
It will scan the registry and will produce a detailed list of your system for me to analyze.
A logfile is not so easy to analyze. Even for an advanced computer user. With the help of this automatic analyzer you are able to get some additional support. Just paste your complete logfile into the textbox at the bottom of this page.
But
MrMintanet said:
"most would be happy for you not to solve their questions"
 
LVL 34

Expert Comment

by:Michael-Best
FREE COMPUTER REPAIR
http://onecare.live.com/site/en-us/default.htm
And run the "FULL SERVICE SCAN"; it will clean up & speed up your computer. If it won't run, then:
You may have been infected with Worm:Win32/Conficker.B.
To protect from Conficker, apply an emergency patch that Microsoft issued in October, ahead of Conficker's arrival, for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there.
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
If on a network, I recommend disabling the "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
Also see:
Bit Defender:
http://anti-virus-software-review.toptenreviews.com/
This is free:
http://www.pctools.com/free-antivirus/
(Regards from Michael Best: I troubleshoot: both, English OS & Japanese OS)
 
LVL 8

Author Comment

by:MrMintanet
Again, Michael Best, please do not give me these copy/paste answers. Please take the time to read what has already been established since my initial question. Furthermore, I have no intention of using an automated "clean up tool" on a server. I also have no intention of posting a HijackThis log.
 
LVL 1

Expert Comment

by:mbrenes
As Michael MCDST says, this solution works for me.
