5

I used various tools to remove Conficker, and I pretty much succeeded, but I've had recurring problems afterward.

  • It won't update anymore (with the following error message: 0x800706B5)

I tried everything I found on Google, such as forcing re-installation of the update utility and what-not. Funnily enough, it works on the same user via RDP, but after downloading the updates it fails to install. I've had to download each update manually and update it myself.

  • Keep finding these weird infections

[Screenshot: Quarantined files]

  • Keep receiving incoming connection from all over the globe

[Screenshot: Connection Log]

  • Machine became a little sluggish

Can anyone help me out here?

user164144
  • Conficker has been around for more than 3 years (More than 4?) and it exploits a very old and patched vulnerability (MS08-067). I'm highly interested in the subject, may I ask how you got infected? – Adi Mar 12 '13 at 15:01
  • Multiple users, lack of update. Simple as that. – user164144 Mar 12 '13 at 15:01
  • Is this machine used as a server? – Adi Mar 12 '13 at 15:03
  • Conficker loves to spread like wildfire, so I also suggest doing a full scan of your network with nmap http://www.sans.org/security-resources/idfaq/detecting-conficker-nmap.php When my org got infected, I made a toolkit to help facilitate removal, but it's long gone. There should be plenty of resources available online to help. IIRC there are some scheduled tasks that need to be deleted, as well as registry entries. – g3k Mar 12 '13 at 15:33

5 Answers

12

Your server has been infected with a virus. Stop trying to hunt down the problem and just nuke it from orbit. Do a full reinstall of your system and restore from a known safe backup point.

4

To add a little to what Terry Chia said, it sounds like your machine has been thoroughly compromised. It has already demonstrated that it is resisting removal. You could continue to try and find all the hooks and remove them, but since it is clearly trying to remain, you can never know if you got all of them. It could come back or remain partially resident in ways that could leave you compromised.

It simply isn't worth the effort required or the risk that remains, thus the best option is to rebuild the server to make sure that all traces are wiped out. It takes less time and is more secure.

AJ Henderson
3

Imagine that your machine caught fire and was reduced to a pile of ash. What would you do then? Well, then do that now. You will never be able to trust this machine again, regardless of what you do. This unabatable source of anxiety would wear you down, destroying your health and ultimately costing much more to your company than the price of a new server and reinstall. If you are a cheapskate you may content yourself with a full software reinstall, boldly ignoring any risk of compromise of the BIOS or any other reflashable firmware.

(You don't have to burn the old server, but if you value the confidentiality of your data, then don't put the old disk on eBay. You may want to study the contents of that disk, in some forensics lab, in order to understand how that virus could enter your server.)

Tom Leek
1

1. Do what Terry said, nuke it from orbit. Not possible?

2. Do your best and make it possible. Nuke it from orbit. Not possible at all?

This question would likely be closed as too localized. But I've been in your shoes; I was in the exact same situation. So I'll do my best to help you. So, option 3:

3. Removal: This is difficult and will not guarantee anything. You can never be sure that the malware has been completely removed. (The following steps are to be tried at your own risk. I usually advise against downloading files that a random guy on the Internet tells you to. But well, if you don't want to nuke it from orbit or consult professional help, this is basically your only option)

  1. Disconnect from the network. Shutdown.

  2. Using a different (clean) machine, download the following tools: Yaman General Removal, Yaman Conficker Removal, AVG Conficker Removal Tool, Kaspersky KidoKiller, Norton Power Eraser, EMeb Remover.

  3. Put them on a USB stick.

  4. Boot the infected machine in safe mode.

  5. Run the tools in the order I posted (I don't think it really matters, but it's good to leave the heavy tools till the end). Note: When running Yaman General Removal, make sure to check "Auto Fix Registry Problems".

  6. Whenever requested by the tools to reboot, please do so. Make sure you always boot in safe mode.

  7. After you finish, boot normally. Install the MS08-067 patch.

  8. Update your antivirus and your antivirus database. Run a full-system scan.

  9. Run Windows Update.

Adi
  • This procedure can be improved by using a Linux Live CD instead of Safe mode. Safe mode can easily be compromised by a virus. A LiveCD is a far more surefire way to avoid both rootkits and other viruses that are still active in safe mode. – AJ Henderson Mar 12 '13 at 17:13
  • @AJHenderson, while I agree with you, many of the mentioned tools will not work in WINE. – Adi Mar 12 '13 at 17:20
  • Think we're missing points 0, and 0.1 through 0.9 - Nuke it from orbit... – Deer Hunter Mar 12 '13 at 19:25
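A post-cleanup check for steps 7 to 9 above, written here as an added example; it is not Adi's script and not part of the original thread. It assumes the MS08-067 fix is the hotfix KB958644 and that the service names listed are the ones Conficker disables; the task and Run-key patterns are heuristics, so each finding still needs a human look.

```powershell
# Added example (not from the original thread): verify that a cleaned host has
# the MS08-067 patch, its update/security services back, and no obvious leftovers.
# Run from an elevated PowerShell prompt after booting normally.

$Ms08067Kb = 'KB958644'   # assumed: hotfix ID carrying the MS08-067 fix
# Services commonly reported as stopped/disabled by Conficker (assumed list)
$Services  = 'wuauserv', 'BITS', 'WinDefend', 'wscsvc', 'ERSvc'
$Findings  = @()

# 1. Is the MS08-067 patch actually installed?
$hotfix = Get-HotFix -ErrorAction SilentlyContinue |
          Where-Object { $_.HotFixID -eq $Ms08067Kb }
if (-not $hotfix) { $Findings += "Hotfix $Ms08067Kb (MS08-067) not found" }

# 2. Are Windows Update and the security services running and not disabled?
#    (wuauserv being stopped/disabled is one reason updates fail to install.)
foreach ($name in $Services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # service does not exist on this OS version
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc.Status -ne 'Running' -or $wmi.StartMode -eq 'Disabled') {
        $Findings += "Service $name is $($svc.Status) (start mode $($wmi.StartMode))"
    }
}

# 3. Scheduled tasks whose action runs from temp/profile paths or via rundll32
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.'Task To Run' -match 'rundll32|\\Temp\\|\\AppData\\|RECYCLER') {
        $Findings += "Suspicious task $($t.TaskName): $($t.'Task To Run')"
    }
}

# 4. Run-key autostarts that load a DLL through rundll32 (heuristic pattern)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -match 'rundll32.*\.dll') {
            $Findings += "Run entry $($p.Name) = $($p.Value)"
        }
    }
}

if ($Findings.Count -eq 0) { 'No leftover indicators found' } else { $Findings }
```

A clean result here does not prove the machine is clean (the answers above explain why); it only tells you whether the visible symptoms from the question have been addressed.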
0

Although everyone here is correctly suggesting that you nuke it and get a new server (or at least a full OS install with full disk format), I still remember I once got the same problem on one of my laptop machines. The system was Windows 7 but I got this same update error code (0x800706B5). That was because of a rootkit called TDS on the machine and I removed it through Kaspersky TDSKiller. Just give it a try. If it is indeed TDS that the system is infected with, Kaspersky TDSKiller will detect and remove it. Then you will be able to install the updates. The first thing then is to install the patch of MS08-067.

void_in