Security Center in Windows Cannot Start

The service might be missing. Throw the following in an elevated command prompt:

sc create wscsvc type= share start= delayed-auto error= normal binPath= "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" depend= RpcSs/WinMgmt obj= "NT AUTHORITY\LocalService" DisplayName= "Security Center"

sc sdset wscsvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCRP;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
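The two commands above recreate the service blindly. Here is an added example batch script (not from the original post) that first checks whether wscsvc is really missing, only then recreates it with the same configuration the post gives, and afterwards verifies the pieces the service needs to actually start. It assumes the Windows 7-era svchost group and security descriptor quoted above; on another Windows version, compare against `sc qc wscsvc` and `sc sdshow wscsvc` on a healthy machine before running it.

```batch
@echo off
rem Added example, not part of the original post.
rem Recreate the Security Center service (wscsvc) only if it is missing,
rem then verify it can start. Run from an elevated command prompt.
rem Assumes the Windows 7-era configuration quoted in the post.

rem sc.exe exits with the Win32 error code; 1060 = ERROR_SERVICE_DOES_NOT_EXIST
sc query wscsvc >nul 2>&1
if %errorlevel% equ 1060 goto create

echo wscsvc already exists. Compare this with a clean machine before changing anything:
sc qc wscsvc
sc sdshow wscsvc
goto :eof

:create
echo wscsvc is missing, recreating it...
sc create wscsvc type= share start= delayed-auto error= normal binPath= "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" depend= RpcSs/WinMgmt obj= "NT AUTHORITY\LocalService" DisplayName= "Security Center"
if errorlevel 1 echo sc create failed & exit /b 1

sc sdset wscsvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCRP;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
if errorlevel 1 echo sc sdset failed & exit /b 1

rem sc create registers the service but does not restore the ServiceDll value
rem that svchost.exe needs to load wscsvc.dll; check that it is still there.
reg query HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters /v ServiceDll
if errorlevel 1 echo ServiceDll value is missing under wscsvc\Parameters; restore it from a healthy machine of the same Windows version.

sc start wscsvc
sc query wscsvc | findstr /i "STATE"
```

If the last line does not report RUNNING, the usual suspects are a missing or wrong ServiceDll value, a missing wscsvc.dll in System32, or a dependency (RpcSs, WinMgmt) that is itself not running; a service that went missing on its own is also a reason to scan the machine rather than just re-registering it.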

Epic Virus Battle

First time (in a long time) coming across a machine infected so badly that it took several hours to repair. The usual routine is: download your favourite antivirus, update, scan, done. Then Windows Update, done.

It wasn’t so easy in this case. All antivirus websites were blocked. I checked the obvious: hosts file, proxy, TCP/IP DNS settings, network protocols, nothing. Still could not get to any antivirus website. Every one of them blocked, no man left behind.

To add to the fun, the computer was randomly locking up. Windows would freeze, but the mouse and keyboard would continue to function. At first I thought it was the CPU overheating. The CPU heatsink was clogged with crap from here to China, and the owner was obviously a very heavy smoker. Cleaned the heatsink, slapped on some Arctic MX-2, reinstalled it, and now I was ready to continue the battle.

After I don’t know how many hours I decided maybe I should stop trying to get past the DNS issue and focus on the real issue. Then I got the idea to test for rootkits. Downloaded Rootkit Revealer; it showed a few things, among which was UACd.sys. From the name it sounded fishy, and when I looked it up, it was none other than a rootkit.

After a bit of googling, Combofix to the rescue. It detected the rootkit and claimed to have cleaned it after several reboots. Opened Firefox, same thing. Cannot hit any of the antivirus websites. Checked with Rootkit Revealer; at least the UACd trojan was gone.

I decided I needed to get around this DNS issue, and I recalled the name of McAfee's standalone scanner: McAfee Stinger. Googled it, found the file on a mirror not blocked by the virus, download, run. Within a few seconds, this pops up: Conficker.c!mem detected. It didn’t take much googling after that to find out this PC had all the symptoms mentioned in the Conficker advisory articles. Now I needed to get rid of it. Remember I couldn’t access any AV sites or Microsoft’s website among others, so this wasn’t going to be easy.

I found a few Conficker removal tools, all were useless. My guess is because of all the versions that exist of this virus: Conficker.A, Conficker.B, Conficker.C, and Conficker.D. Finally I found one on Symantec’s website, Symantec's Conficker Removal Tool, D.exe (for some reason, they refer to the virus as W32.Downadup). Except I was viewing the article using Google’s cache, and the download link still resided on Symantec’s website.

I found a website called Megashare which actually let me upload from a URL. I gave it the URL to Symantec's tool and uploaded it to their servers. Had to wait 10 seconds for “free” access, and finally was able to download the file. When it ran, it had a simple interface with no information at all. I clicked scan and it began scanning every file on the PC.

As the tool was running, I kept clicking through some of the search results and came across one genius who had suggested that there is a way around the blocked DNS requests. The command was net stop dnscache. Conficker infected the dnscache service; by shutting it down you force every request to come directly from the DNS server, bypassing the dnscache layer. Lo and behold, sophos.com was accessible, along with microsoft.com and every other antivirus website.
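A quick way to see whether the blocking sits in the local resolver path, before touching any services, is to compare the two lookup paths Windows gives you. This is an added example (not from the original post), and the host list is a constructed sample: nslookup talks to the DNS server directly and skips the DNS Client service (dnscache), while ping resolves through the normal Windows resolver. A host that resolves directly but not through the resolver points at something on the box, which is exactly what the post's net stop dnscache workaround sidesteps.

```batch
@echo off
rem Added example, not part of the original post.
rem Compare direct DNS queries (nslookup, bypasses the DNS Client service)
rem with resolution through the Windows resolver (ping -n 1, uses it).
rem The host list below is a constructed sample.
setlocal EnableDelayedExpansion
set HOSTS=www.sophos.com www.microsoft.com www.mcafee.com update.symantec.com

for %%h in (%HOSTS%) do (
    set DIRECT=fail
    set RESOLVER=fail
    rem Windows nslookup prints a line starting with "Name:" only on success.
    nslookup %%h 2>nul | findstr /b /c:"Name:" >nul && set DIRECT=ok
    rem ping prints "could not find host" when the resolver fails.
    ping -n 1 -w 1000 %%h 2>nul | findstr /i /c:"could not find host" >nul || set RESOLVER=ok
    echo %%h   direct=!DIRECT!   resolver=!RESOLVER!
)
echo.
echo direct=ok with resolver=fail means the block is in the local resolver path.
echo The post's workaround: net stop dnscache, finish the cleanup, then net start dnscache.
endlocal
```

Run it before and after net stop dnscache: the resolver column flipping from fail to ok while the direct column never changed confirms the diagnosis the post arrived at. Start dnscache again once the cleanup is done; leaving it stopped only hides the symptom.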

Finally, when Symantec’s Conficker Removal Tool completed, it happily reported 11 infections cleaned successfully. Rebooted, and everything appeared to be working. I started doing the routine things, downloading/updating AV and installing Windows Updates. And by the way, it wasn’t the CPU overheating causing Windows to hang, it was the Conficker virus.

Many lessons learned. Including the fact that I can survive a 48 hour period with less than 4 hours of sleep.

One might ask the following obvious questions:
1. You freaking n00b. Why didn’t you just format?
- I wanted a challenge, I hadn’t had one in a while.
2. How much time did this consume?
- You don’t want to know.
3. Why didn’t you download the av files on a different PC, put them on a flash drive and run them on the infected PC?
- General rule is, when a PC is infected you don’t put rewritable storage on it because it can get infected too.
4. CD/DVD then?
- Too lazy to get up and grab my laptop.
5. Network share with readonly access?
- See response above.
6. Why not use a website like proxybrowsing.com?
- Similar to google cache. Usually they don’t let you download files through the proxy.
7. Is Conficker real?
- Some people say he hides in the shadows, others say he has eyes like Jay Leno. All we know is: he doesn’t like pandas.