Remove and Patch:
Here’s how I removed the virus from my friends’ computers and patched them so they won’t get infected again by this worm!
1 – First of all, you need to disable the Autorun “feature” of your computer so that it won’t run CDs, DVDs and USB drives automatically.
To do that, Microsoft provides a well-described article that you may read and apply to your version of Windows. Click: http://support.microsoft.com/kb/967715/ But if you’re already infected, you may not be able to access the Microsoft download page to download the required files.
I provide you another workaround, which was initially described on the US-CERT website:
First, download the autorun_patch.reg file and run it. This file contains the following code, which is applied to your Windows Registry:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
If you don’t want to download the file, you can import the above value into your registry yourself by performing the following steps:
- Copy the text above
- Paste the text into Windows Notepad
- Save the file as "autorun_patch.reg". Note: in certain circumstances, Notepad may automatically add a .txt extension to saved files. To ensure that the file is saved with the proper extension, select All Files in the “Save as type:” section of the “Save As” dialog.
- Navigate to the file location
- Double-click on the file to import it into the Windows registry
According to the US-CERT website, Microsoft Windows also caches the AutoRun information from mounted devices in the MountPoints2 registry key. It is recommended to restart Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the MountPoints2 registry key may be deleted.
Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated, because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. [ref:US-CERT]
2 – Disable System Restore:
Steps for Windows XP:
- Click Start.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives. If you do not see the System Restore tab, you are not logged on to Windows as an Administrator.
- Click Apply.
- When you see the confirmation message, click Yes.
- Click OK.
3 – Install Microsoft Security Update [KB958644] for your Operating System:
Go to this page and download the right update for your Windows Operating System version: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
In case you cannot access the Microsoft website for any reason, I provide mirror downloads here on Gibni.com:
- For Windows XP SP2 and Windows XP SP3 (English): [Mirror on Gibni]
- For Windows Vista and Windows Vista SP1 (English): [Mirror on Gibni]
Once downloaded, open (double-click/run/execute) the file and proceed with the installation.
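The following PowerShell script is an added example, not code from the original post, from Microsoft or from US-CERT. It checks whether the Autorun.inf registry workaround from step 1 is in place and whether the MS08-067 update (KB958644) from step 3 is installed, so a cleaned machine can be verified before it goes back on the network. It assumes a Windows machine with PowerShell 2.0 or later and an elevated (Administrator) window; the function names are this example’s own.

```powershell
# Added verification script (not from the original post or any vendor tool).
# It reads the two settings that steps 1 and 3 change and reports whether each
# is in place. Assumes PowerShell 2.0 or later in an elevated window.
# Function names are this example's own choices.

function Test-AutorunInfWorkaround {
    # The US-CERT .reg file from step 1 sets the default value of this key to
    # "@SYS:DoesNotExist", which makes Windows look for Autorun.inf data in a
    # non-existent registry location instead of parsing the file on the media.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if (-not (Test-Path -Path $key)) { return $false }
    # A key's unnamed default value is exposed by Get-ItemProperty as '(default)'.
    $default = (Get-ItemProperty -Path $key).'(default)'
    return ($default -eq '@SYS:DoesNotExist')
}

function Test-Ms08067Installed {
    # KB958644 is the MS08-067 update from step 3. Get-HotFix lists installed
    # updates; an unknown ID yields no object, which we treat as "not installed".
    $fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

function Get-ConfickerHardeningReport {
    # Collects both checks into one object so the result can be logged or
    # compared across several machines.
    $autorun = Test-AutorunInfWorkaround
    $patched = Test-Ms08067Installed
    New-Object -TypeName PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        AutorunInfDisabled = $autorun
        Ms08067Installed   = $patched
        Hardened           = ($autorun -and $patched)
    }
}

# Print the report; each False line points at the step that still needs doing.
Get-ConfickerHardeningReport | Format-List
```

Run it once after applying steps 1 and 3 and again after the reboot from step 5; a machine that still reports False for either value should stay disconnected until the missing step is redone.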
4 – Download the Conficker Removal Tool of your choice:
You should download a Removal Tool (listed below), then save it to a convenient location like your Windows Desktop.
There are free Conficker Removal tools provided by:
- Microsoft Malicious Software Removal Tool (En): [Direct Download] or use the [Mirror on Gibni]
- ESET: [Direct Download] or use the [Mirror on Gibni]
- Symantec: [Direct Download] or use the [Mirror on Gibni]
- BitDefender: [Direct Download] or use the [Mirror on Gibni]
5 – Now, the next step is to check your computer for infection and clean it!
- Once you have the Removal Tool file, save your work (if necessary) and close ALL programs and running software.
- Disconnect your computer (PC) from the network by PHYSICALLY unplugging the network cable or switching OFF the Wi-Fi adapter you have. (You may also need to go to Control Panel > Network Connections, right-click on each available network connection and select “Disable”.)
- Then run (double-click/open/execute, call it what you like!) the Conficker Removal Tool you have!
- Restart your computer once the Conficker Removal Tool’s job is done.
Follow all the instructions for the Conficker removal process. The remaining steps are on the next page(s) …