Remove Conficker (Downup, Downadup or Kido)
About Conficker:
If you have ever heard of Microsoft (the maker of Windows and the full bundle of problems attached to it), and if you have already heard about Conficker, also called Downup, Downadup or Kido, I suppose you have already taken steps to protect yourself and your friends from this computer worm (or computer virus, as some may call it!).
I’m writing this urgent post to warn everyone and help my dear visitors protect themselves and repair their infected computers.
Please spread the word and get people to read this article so you can help and save them! (Immediately)
Conficker was born in October 2008 and targets Microsoft Windows operating systems, so if you run Windows on your computer, YOU ARE A TARGET FOR CONFICKER! So let’s get straight to the point: how to know whether you are already infected, how to remove the worm, and how to protect yourself from later infections.
Symptoms of infection, according to Wikipedia, are:
- Account lockout policies being reset automatically.
- Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
- Domain controllers respond slowly to client requests.
- The system’s network traffic gets unusually congested. This can be checked with the network traffic chart in Windows Task Manager.
- Websites related to antivirus software and Windows system updates cannot be accessed.
- The worm launches a brute-force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making the choice of sensible passwords advisable.
The worm spreads through removable drives (USB flash drives, memory cards, network drives, shared devices with storage memory) and through networks (the internet, your office’s LAN, your home’s network…). Conficker uses the Autorun feature (if you can call it a feature!!) of Windows and a specially crafted RPC query to spread itself. More information and advanced technical details on how the worm operates are available in my other post: Conficker Worm, Advanced Technical Details (Coming Soon)
On the next page(s) I’ll discuss the detailed solution to remove the Conficker virus and patch your computer…
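Of the symptoms listed above, the disabled services are the easiest one to check without guessing. The PowerShell script below is an added example, not code from the original post or from any of the vendors it links; the service names it looks for (wuauserv for Automatic Updates, BITS, WinDefend for Windows Defender, ERSvc for Error Reporting on XP and WerSvc on Vista and later) are assumptions about how those services are registered on a given Windows version.

```powershell
# Added example (not from the original post): report Windows services that Conficker
# is known to disable. Service names are assumptions for the Windows versions listed.
$watched = @{
    'wuauserv'  = 'Automatic Updates'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender'
    'ERSvc'     = 'Error Reporting Service (Windows XP)'
    'WerSvc'    = 'Windows Error Reporting (Vista and later)'
}

$findings = @()
foreach ($name in $watched.Keys) {
    # Skip services that simply do not exist on this Windows version
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }

    # The start mode is only exposed through WMI; a service that should start
    # automatically but is now "Disabled" matches the symptom described above
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($wmi.StartMode -eq 'Disabled') {
        $findings += ('{0} ({1}) is DISABLED, current status: {2}' -f $name, $watched[$name], $svc.Status)
    }
}

if ($findings.Count -eq 0) {
    'None of the watched services is disabled.'
} else {
    'Possible infection symptom, check the machine with a removal tool:'
    $findings
}
```

Run it from a normal PowerShell prompt; reading service state needs no elevation. A disabled Automatic Updates or BITS service is not proof of Conficker on its own (an administrator may have turned them off), so treat a hit as a reason to go through the removal steps below rather than as a diagnosis.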
Remove and Patch:
Here’s how I removed the virus for my friends and patched their computers so they won’t get infected again by this worm!
1 – First of all, you need to disable the Autorun “feature” of your computer so that it won’t run CDs, DVDs and USB drives automatically.
To do that, Microsoft provides a well-described article that you may read and apply for your version of Windows. Click: http://support.microsoft.com/kb/967715/ But if you’re already infected, you may not be able to access Microsoft’s download page to download the required files.
I provide you with another workaround, which was initially described on the US-CERT website:
First, download the autorun_patch.reg file and run it. This file contains the following code, which is applied to your Windows Registry:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
If you don’t want to download the file, you can import the above value into your registry yourself by performing the following steps:
- Copy the text above
- Paste the text into Windows Notepad
- Save the file as "autorun_patch.reg". Note: in certain circumstances, Notepad may automatically add a .txt extension to saved files. To ensure that the file is saved with the proper extension, select All Files in the “Save as type:” section of the “Save As” dialog.
- Navigate to the file location
- Double-click on the file to import it into the Windows registry
According to the US-CERT website, Microsoft Windows also caches the AutoRun information from mounted devices in the MountPoints2 registry key. It is recommended to restart Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated, because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. [ref: US-CERT]
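For anyone who would rather apply the two registry changes above from a script than import a .reg file, here is an added example in PowerShell. It is not from the original post or from US-CERT; it only reproduces the IniFileMapping entry and the MountPoints2 deletion described above and then reads the registry back to confirm. The script must be run from a PowerShell prompt started as Administrator, because the IniFileMapping key lives under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not from the original post or US-CERT): apply the Autorun.inf
# mitigation described above and verify it. Run from an elevated PowerShell prompt.

# 1. Map every Autorun.inf to a registry key that does not exist, so Windows
#    never parses the file (same value as in autorun_patch.reg above)
$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
if (-not (Test-Path $mapKey)) {
    New-Item -Path $mapKey -Force | Out-Null
}
Set-ItemProperty -Path $mapKey -Name '(default)' -Value '@SYS:DoesNotExist'

# 2. Drop the cached AutoRun data for drives this user has already mounted
#    (the MountPoints2 key named above); Windows rebuilds it on the next logon
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp2) {
    Remove-Item -Path $mp2 -Recurse -Force
}

# 3. Read back both changes so you can see the mitigation is really in place
$mapped = (Get-ItemProperty -Path $mapKey).'(default)'
if ($mapped -eq '@SYS:DoesNotExist') {
    'Autorun.inf mapping in place: Windows will ignore Autorun.inf files.'
} else {
    "Autorun.inf mapping NOT applied (value is '$mapped'); check that the prompt is elevated."
}
if (Test-Path $mp2) {
    'MountPoints2 still present: delete it or restart Windows to clear the cache.'
} else {
    'MountPoints2 cleared; restart Windows so every drive is re-read with Autorun.inf ignored.'
}
```

The MountPoints2 deletion only affects the user profile the script runs under, so on a shared computer run it once per account (or simply restart, as the text above recommends). The IniFileMapping entry is machine-wide and survives reboots, which is why the read-back check is worth keeping.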
2 – Disable System Restore:
Steps for Windows XP:
- Click Start.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives. If you do not see the System Restore tab, you are not logged on to Windows as an Administrator.
- Click Apply.
- When you see the confirmation message, click Yes.
- Click OK.
3 – Install Microsoft Security Update [KB958644] for your operating system:
Go to this page and download the right update based on your Windows operating system version: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
In case you cannot access the Microsoft website for any reason, I provide mirror downloads here on Gibni.com:
- For Windows XP SP2 and Windows XP SP3 (English): [Mirror on Gibni]
- For Windows Vista and Windows Vista SP1 (English): [Mirror on Gibni]
Once downloaded, open (double-click/run/execute) the file and proceed with the installation.
4 – Download the Conficker Removal Tool of your choice:
You should download a Removal Tool (listed below), then save it to a convenient location like your Windows Desktop.
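Because the update comes in a different package for each Windows version and service pack, it helps to confirm which package you need and whether it is already on the machine before downloading anything. The script below is an added example, not from the original post or from Microsoft; it relies on the standard Get-HotFix cmdlet and on the Win32_OperatingSystem WMI class, and the XP/Vista version numbers it compares against (5.1 and 6.0) are the usual ones for those releases.

```powershell
# Added example (not from the original post): tell the user which MS08-067 package
# applies to this computer and whether KB958644 is already installed.

# Which Windows is this? XP reports version 5.1, Vista reports 6.0 (assumed mapping)
$os = Get-WmiObject -Class Win32_OperatingSystem
$version = [Version]$os.Version
$sp = $os.ServicePackMajorVersion

$package = switch ("$($version.Major).$($version.Minor)") {
    '5.1'   { "Windows XP SP$sp package" }
    '6.0'   { if ($sp -gt 0) { "Windows Vista SP$sp package" } else { 'Windows Vista (no SP) package' } }
    default { "no mirror listed above for Windows version $version; use the Microsoft bulletin page" }
}
"Detected $($os.Caption) (version $version, service pack $sp): you need the $package."

# Is the update already installed? Get-HotFix reads the list of installed updates
$fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($fix) {
    "KB958644 is already installed (on $($fix.InstalledOn)); no need to reinstall."
} else {
    'KB958644 is NOT installed: install it before reconnecting this computer to any network.'
}
```

If the machine is already infected and cannot reach Microsoft, copy the downloaded package over on a freshly formatted USB stick from a clean computer, and only after the update and the removal tool have both run should the network cable go back in.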
There are free Conficker Removal tools provided by:
- Microsoft Malicious Software Removal Tool (En) : [Direct Download] or use the [Mirror on Gibni]
- ESET: [Direct Download] or use the [Mirror on Gibni]
- Symantec : [Direct Download] or use the [Mirror on Gibni]
- BitDefender : [Direct Download] or use the [Mirror on Gibni]
5 – Now, the next step is to check your computer for infection and clean it!
- Once you have the Removal Tool file, (if necessary, save your work and) close ALL programs and running software.
- Disconnect your computer (PC) from the network by PHYSICALLY unplugging the network cable or switching OFF your Wi-Fi adapter. (You may need to go to Control Panel > Network Connections, then right-click on each available network connection and select “Disable”.)
- Then run (double-click/open/execute, call it what you like!) the Conficker Removal Tool you have!
- Then restart your computer once the Conficker Removal Tool has finished its job.
Follow all the instructions of the Conficker removal process. The remaining steps are on the next page(s)…
6 – Install (or update) a good security solution
I would personally recommend BitDefender Total Security 2009 (http://www.bitdefender.com)
7 – Turn System Restore back ON!
You may want to run the Conficker Removal Tool again to be sure your PC is clean. Keep your Windows and antivirus UP-TO-DATE!!!! (Check manually at least once a month.)
8 – Feel GREAT!
That’s it. Digg this article by using the “ShareThis” button or the Digg It button, either below the post or at the beginning of the post, to help others stay safe. Please spread the word and get people to read this article so you can help and save them! (Immediately)
You can send it by email to your friends and family by using the ShareThis button too.
- Read more here:
http://en.wikipedia.org/wiki/Conficker
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=1
http://www.eset.com/threat-center/blog/?p=511
http://www.bitdefender.com/VIRUS-1000462-en–Win32.Worm.Downadup.Gen.html
Thanks for the informative article! I usually don’t look up virus information until I get infected, and it’s usually too late by that stage, so thank you for the advance warning.
WOW, this worm sounds scary! I really truly appreciate all your great information in these blog posts! I try very hard to keep up to date on the latest viruses and worms out there, but it seems almost futile as there is a new one cropping up all the time! I really appreciate that you shared the symptoms along with how to remove this! Thank you
Angie
Pingback: » Sunday Spotlight, March 8 ~ Wayrift Fantasy Webcomic
This has been spotlighted on my blog. Thanks for a great post! I’m sure this will really be helpful to someone — there’s some pretty nasty viruses out there.
Hi.
I’m from Indonesia.
And I just want to thank you for the information on removing the Conficker virus.
Thank you very much.
If my English were better, I would really want to say so much more to show my gratitude to you.
Thank you very much.