January 10, 2011

Conficker Worm Removal

Conficker is a worm that restricts how you can use your computer: it locks some folders and sub-folders, blocks your access to some security applications, stops Windows Automatic Updates and the Windows TCP/IP service, and, most importantly, deletes the restore points you have created, to prevent its detection. Here are the steps to remove it manually.

Step 1: In Internet Explorer, block the sites that the worm will access:
  • ajcminmqpeu.com
  • anosb.biz
  • aqgcurmt.net
  • bdfbobhuls.com
  • bjmqxoxbmyq.org
  • bszeu.info
  • cfcpreiwtgx.net
  • cpfgbuwqv.biz
  • Mostly, sites with a meaningless name ending in a domain such as .biz, .org or .info, for example ezhvnjlvuk.org
Step 2: Boot into Safe Mode with Networking.
Step 3: If you find any unknown services under the Processes tab in the MS Configuration utility, kill those processes. They generally have random numbers as a name and an .exe extension.
Step 4: Delete these entries in the registry:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random characters}
    ImagePath = %SystemRoot%\system32\svchost.exe -k
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random characters}\Parameters
    ServiceDll = %System%\{its file name}
    Windows NT\CurrentVersion\SvcHost\{random characters}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ filename = rundll32.exe (used to enable automatic execution)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    TcpNumConnections = 00FFFFFE

Step 5: These are the DLLs with which it will associate itself:
  • %System%\[Random].dll
  • %Program Files%\Internet Explorer\[Random number or name].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %All Users Application Data%\[Random].dll
  • %Temp%\[Random].dll
  • Go to the Program Files, Application Data and Temp folders and delete these files completely.
Step 6: Change the following registry values back to their default values.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS Start = 4 (default=2)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv Start = 4 (default=2)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL CheckedValue = 0 (default=1)
Step 7: Finally, delete the following from the system folder and the temp folder: %System%\[Random].tmp, %Temp%\[Random].tmp
Step 8: After that, update the definitions of the antivirus software you are using and perform a quick system scan.
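
A read-only way to check the values from Steps 4 and 6 before editing anything, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later in an elevated prompt; the variable names are illustrative, and the service listing is meant for manual comparison against a known-clean machine, not as a verdict.

```powershell
# Added example, not from the original post: read-only audit of the registry
# values named in Steps 4 and 6. Nothing is changed or deleted.
# "Bad" is the value the post lists; "Default" is the default it gives.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$checks = @(
    @{ Path = "$svcRoot\BITS";     Name = 'Start'; Bad = 4; Default = 2 },
    @{ Path = "$svcRoot\wuauserv"; Name = 'Start'; Bad = 4; Default = 2 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'CheckedValue'; Bad = 0; Default = 1 },
    # Step 4 lists this value for deletion; the post gives no default for it.
    @{ Path = "$svcRoot\Tcpip\Parameters"; Name = 'TcpNumConnections'; Bad = 0x00FFFFFE; Default = $null }
)

$report = foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }
    if     ($null -eq $value)                                { $state = 'not set' }
    elseif ($value -eq $c.Bad)                               { $state = 'value listed in post' }
    elseif ($null -ne $c.Default -and $value -eq $c.Default) { $state = 'default' }
    else                                                     { $state = 'other' }
    [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Data = $value; State = $state }
}

# Step 4: services hosted by "svchost.exe -k" that load a ServiceDll.
# Every such service is listed; unfamiliar or random-looking names are
# the ones to review by hand.
$services = Get-ChildItem $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $par = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if ($svc.ImagePath -match 'svchost\.exe\s+-k' -and $par.ServiceDll) {
        [pscustomobject]@{
            Service    = $_.PSChildName
            ImagePath  = $svc.ImagePath
            ServiceDll = $par.ServiceDll
        }
    }
}

$report   | Format-Table -AutoSize -Wrap
$services | Sort-Object Service | Format-Table -AutoSize -Wrap
```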

