Enter your Keyword, Search here,

Manual Removal of W32/Conficker Worm

Manual Removal of W32/Conficker Worm
W32/Conficker is a worm. The worm will infect Windows systems.
This worm first appeared on March 26, 2009.
Other names of W32/Conficker Worm:
This Worm is also known as
Win32/Downadup, W32/Kido, W32/Conflicker and W32/Pakes
W32/Conficker worm has exploited most of the malware entry points available in the Operating System and exploited to its benefit. Once the computer infected by the worm enters, it alters all the pre-requisite registry location to spread through Network, removable drives (USB sticks). The Worm can enter user's system in multiple ways, it may be through network with Admin$ share (brute force dictionary attack), systems with unsecured shares, systems not patched with vulnerability or USB drive etc. Due to this even though user follows the safe computing practice, system may get infected.


The worm attempts to create a HTTP Server and open a random port between 1024 and 10000 in the victim computer. On successful creation of the HTTP Server, the worm downloads the copy of itself to the victim computer. The worm also resets the Restore point. Most of the Variants of the Conficker worm will trigger the payload on April 1. Though Security industries are conducting lot of research on the payload, the exact payload and the damage it can create on April 1st is still a mystery.

Infection symptoms: 

  • Access to Admin shares are denied
  • Scheduled tasks are created
  • Acess to security related websites is denied
  • Access to Windows Updates site is denied
  • Network response will become considerably slow
  • Domain controllers respond slowly to client request
Damage Level : Medium/High
Distribution Level:
Medium
W32/Conficker Worm Manual Removal Instructions
Recommend Removal from Safe Mode:

How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • [ Kill the Process, Use Killbox if your Access Denied ]
Download W32/Conficker Worm Known File Removal Tool
[In Windows Vista Run As Administrator, After Execution System Will Restart]
  • %Windows\System\ [Random Name.dll ], [Random Name.tmp ]
  • %Programs Files\Internet Explorer\ [Random Name.dll ]
  • %Programs Files\Movie Maker\ [Random Name.dll ]
  • %All Users\Application Data\ [Random Name.dll ]
  • %Windows\Temp\ [Random Name.tmp ]
  • %Program Files\wizard.exe
    [ No Exact Information about Files, search above files in Program files Folder ]
    If you have any of these files in running process from task manger, end the process before removal.
    Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
    [ Right Click - Save Target As/Linked Content As ]
    Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.

W32/Conficker Worm Disabled Windows Services
  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Security Center
  • Windows Defender
  • Windows Error Reporting
W32/Conficker Worm also drops following files in the removable and mapped drives:

Folder - \RECYCLER\
root folder -\autorun.inf


The W32/Conficker Worm attaches itself to the following Windows processes:
  • svchost.exe
  • explorer.exe
  • services.exe
W32/Conficker Worm Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, [ Right Click - Save Target As/Linked Content As ]
    and then continue with the removal. Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The W32/Conficker Worm modifies registry at the following locations to ensure its automatic execution at every system startup:

Delete The Entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Delete file entry from right side
Search Registry For W32/Conficker Worm File Names listed above to remove completely,
Edit Menu - Find
, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)

2 comments :

  1. ironically, even if someone used Conficker to steal my credit card info, there wouldn't be any credit there for them to exploit or spend

    ReplyDelete
  2. Yes but may be a chances there... Thanks 4 commenting Coffee fan

    ReplyDelete

Comment on this Post!!

More Posts that you may be interested...