Failed to open event cache file at C:\WINDOWS\SoftwareDistribution\EventCache

Reading Time: 2 minutes

1) Copy and paste the below into a notepad, rename to a .bat and run:

net stop wuauserv
regsvr32 /s wuapi.dll
regsvr32 /s wups.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wucltui.dll
regsvr32 /s wuweb.dll
regsvr32 /s wups2.dll
regsvr32 /s msxml3.dll
regsvr32 /s atl.dll
regsvr32 /s qmgrprxy.dll
regsvr32 /s wuanueng1.dll
regsvr32 /s atl.dll
regsvr32 /s msxml.dll
regsvr32 /s msxml2.dll
regsvr32 /s qmgr.dll

c:
cd %windir%\SoftwareDistribution
rd /s/q DataStore
mkdir DataStore
rd /s/q Download
mkdir Download
net start wuauserv
rem Fixes problem with client machines not showing up on the server
rem due to imaging method
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
cls
@echo Triggering detection after resetting WSUS client identify
net stop “Automatic Updates”
net start “Automatic Update”
wuauclt /resetauthorization /detectnow
echo susid set to unique>c:\wsusfix.txt

2) After running the above, do the same with the below:

@echo off
Echo This batch file will Force the Update Detection from the AU client:
Echo 1. Stops the Automatic Updates Service (wuauserv)
Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
Echo 3. Deletes the DetectionstartTime registry key (if it exists)
Echo 4. Deletes the NextDetectionTime registry key (if it exists)
Echo 5. Restart the Automatic Updates Service (wuauserv)
Echo 6. Force the detection
Pause
@echo on
net stop wuauserv
REG DELETE “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v LastWaitTimeout /f
REG DELETE “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v DetectionstartTime /f
REG DELETE “HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v NextDetectionTime /f
net start wuauserv
wuauclt /detectnow
@echo off
Echo This AU client will now check for the Updates on the Local WSUS Server.
Pause

And finally this:

@echo off
net stop wuauserv
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f 2>nul: 1>nul:
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f 2>nul: 1>nul:
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f 2>nul: 1>nul:
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientIdValidation /f 2>nul: 1>nul:
net start bits 2>nul: 1>nul:
net start wuauserv
wuauclt /resetauthorization /detectnow

Note: you may need to re enter the speech marks (“) after copying and pasting the above codes.

Duplicate computers appear within WSUS

Reading Time: < 1 minute

If you find duplicate computers appearing in wsus, you will need to recreate the susclientid on the duplicate computer. This happens when the same computer is cloned with the same name.

To resolve, copy the below code into a bat file and run.

@Echo off
if exist %systemdrive%\SUSClientID.log goto end
net stop wuauserv
net stop bits
reg delete “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\WindowsUpdate” /v PingID /f  > %systemdrive%\SUSClientID.log 2>&1
reg delete “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\WindowsUpdate” /v AccountDomainSid /f  >> %systemdrive%\SUSClientID.log 2>&1
reg delete “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\WindowsUpdate” /v SusClientId /f  >> %systemdrive%\SUSClientID.log 2>&1
net start wuauserv
wuauclt.exe /resetauthorization /detectnow         
:end
exit

Remove Conficker from network

Reading Time: 2 minutes

Conficker has affected millions of machines from around the world. See Three million hit by Windows worm. It has since affected over 9 millions machines and growing.

To remove Conficker from your network, first download Microsoft Patch here. (KB958644). Conficker will attack machines which do not have this patch installed. You can use a script to push out the update – click here. Or you could push out via WSUS. If you don’t have a WSUS server it’s worth installing one. Carry out tests on a few machines before rolling out to all machines on a network.

Stop the virus from spreading, by clicking here. The link will help you disable auto run and reduce permissions on scheduled tasks. Conficker will also create scheduled tasks and use them to spread. You may find that lots exist on your machines. Such as AT1, AT2, AT3 and if you check the properties of each one you will find that they point to files such as hjskja.dll xldddd.dll and other wierdly named file names. You could use a script to remove such tasks from your machines. See Delete scheduled task via script

Make sure you don’t have any easy to guess usernames and passwords on your network.

Ensure all your machines have AV installed. If you use Sophos AntiVirus and wish to automate the deployment of Sophos AntiVirus see Deploy Sophos AntiVirus via script  (Check machines with AV installed are up dating and reporting no errors.

Run scans on your server and ensure that they are patched with the latest Windows Security and critical updates.

If you rely on system restore on your machines, Conficker will also remove restore points on the machines it infects. To disable system restore via group policy see Disable System Restore via Group Policy

F-Secure have created a list of blacklisted domains which the virus uses which you may want to block – click here

Once you have locked down your network, download the Sophos Removal tool and deploy via group policy – See Sophos Removal Tool (This tool can also be used on non Sophos AV machines)

The standalone version of the Sophos Removal Tool for Conficker can be found at Stand alone Conficker Removal Tool (This tool can also be used on non Sophos AV machines)

Finally deploy http://support.microsoft.com/kb/891716

Note: Test before applying to a live enviroment

It’s not a easy process and will take time before it’s totally removed.

Some useful links below:

McAfee
MSDN