Manual Removal of W32/Conficker Worm
W32/Conficker is a worm. The worm will infect Windows systems.
This worm first appeared on March 26, 2009.
Other names of W32/Conficker Worm:
This Worm is also known as Win32/Downadup, W32/Kido, W32/Conflicker and W32/Pakes
W32/Conficker worm has exploited most of the malware entry points available in the Operating System and exploited to its benefit. Once the computer infected by the worm enters, it alters all the pre-requisite registry location to spread through Network, removable drives (USB sticks). The Worm can enter user's system in multiple ways, it may be through network with Admin$ share (brute force dictionary attack), systems with unsecured shares, systems not patched with vulnerability or USB drive etc. Due to this even though user follows the safe computing practice, system may get infected.
The worm attempts to create a HTTP Server and open a random port between 1024 and 10000 in the victim computer. On successful creation of the HTTP Server, the worm downloads the copy of itself to the victim computer. The worm also resets the Restore point. Most of the Variants of the Conficker worm will trigger the payload on April 1. Though Security industries are conducting lot of research on the payload, the exact payload and the damage it can create on April 1st is still a mystery.
Infection symptoms:
This worm first appeared on March 26, 2009.
Other names of W32/Conficker Worm:
This Worm is also known as Win32/Downadup, W32/Kido, W32/Conflicker and W32/Pakes
W32/Conficker worm has exploited most of the malware entry points available in the Operating System and exploited to its benefit. Once the computer infected by the worm enters, it alters all the pre-requisite registry location to spread through Network, removable drives (USB sticks). The Worm can enter user's system in multiple ways, it may be through network with Admin$ share (brute force dictionary attack), systems with unsecured shares, systems not patched with vulnerability or USB drive etc. Due to this even though user follows the safe computing practice, system may get infected.
The worm attempts to create a HTTP Server and open a random port between 1024 and 10000 in the victim computer. On successful creation of the HTTP Server, the worm downloads the copy of itself to the victim computer. The worm also resets the Restore point. Most of the Variants of the Conficker worm will trigger the payload on April 1. Though Security industries are conducting lot of research on the payload, the exact payload and the damage it can create on April 1st is still a mystery.
Infection symptoms:
- Access to Admin shares are denied
- Scheduled tasks are created
- Acess to security related websites is denied
- Access to Windows Updates site is denied
- Network response will become considerably slow
- Domain controllers respond slowly to client request
Damage Level : Medium/High
Distribution Level: Medium
Distribution Level: Medium
W32/Conficker Worm Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
End the Following Active Process Before Removal
- [ Kill the Process, Use Killbox if your Access Denied ]
Download W32/Conficker Worm Known File Removal Tool
- %Windows\System\ [Random Name.dll ], [Random Name.tmp ]
- %Programs Files\Internet Explorer\ [Random Name.dll ]
- %Programs Files\Movie Maker\ [Random Name.dll ]
- %All Users\Application Data\ [Random Name.dll ]
- %Windows\Temp\ [Random Name.tmp ]
- %Program Files\wizard.exe
[ No Exact Information about Files, search above files in Program files Folder ]
If you have any of these files in running process from task manger, end the process before removal.
Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg [ Right Click - Save Target As/Linked Content As ]
Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
W32/Conficker Worm Disabled Windows Services
Folder - \RECYCLER\
root folder -\autorun.inf
The W32/Conficker Worm attaches itself to the following Windows processes:
- Windows Automatic Update Service (wuauserv)
- Background Intelligent Transfer Service (BITS)
- Windows Security Center
- Windows Defender
- Windows Error Reporting
Folder - \RECYCLER\
root folder -\autorun.inf
The W32/Conficker Worm attaches itself to the following Windows processes:
- svchost.exe
- explorer.exe
- services.exe
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
- Download this UnHookExec.inf, [ Right Click - Save Target As/Linked Content As ]
and then continue with the removal. Save it to your Windows desktop. Do not run it at this time, download it only. - After booting into the Safe Mode or VGA Mode
- Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The W32/Conficker Worm modifies registry at the following locations to ensure its automatic execution at every system startup:
Delete The Entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Delete file entry from right side
Delete The Entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Delete file entry from right side
Search Registry For W32/Conficker Worm File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.
Edit Menu - Find, enter Keyword and remove all value that find in search.
Exit the Registry Editor,
Restart your Computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
ironically, even if someone used Conficker to steal my credit card info, there wouldn't be any credit there for them to exploit or spend
ReplyDeleteYes but may be a chances there... Thanks 4 commenting Coffee fan
ReplyDelete