Remove Conficker (Downup, Downadup or Kido)

By | 27/02/2009

Remove and Patch:

Here’s how I removed the worm from my friends’ computers and patched them so they won’t get infected by it again!

1 – First of all, disable the Autorun “feature” of your computer so that it no longer runs programs automatically from CDs, DVDs and USB drives. Conficker copies itself to removable media together with an Autorun.inf file, so this closes one of its infection routes.

To do that, Microsoft provides a well-described article that you can read and apply to your version of Windows: http://support.microsoft.com/kb/967715/ But if you’re already infected, you may not be able to reach Microsoft’s download page to get the required files, because the worm blocks name resolution for Microsoft and antivirus-vendor sites.
Here is another workaround, which was initially described on the US-CERT website:

First, download the autorun_patch.reg file and run it. The file contains the following three lines, which are applied to your Windows Registry; they tell Windows to read Autorun.inf settings from a registry key that does not exist, so the Autorun.inf on the device is ignored:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

If you don’t want to download the file, you can create it yourself. To import the above value into your registry, perform the following steps:

  1. Copy the text above
  2. Paste the text into Windows Notepad
  3. Save the file as "autorun_patch.reg" Note: In certain circumstances, Notepad may automatically add a .txt extension to saved files. To ensure that the file is saved with the proper extension, select All Files in the “Save as type:” section of the “Save As” dialog.
  4. Navigate to the file location
  5. Double-click on the file to import it into the Windows registry

According to the US-CERT website, Windows also caches the AutoRun information from mounted devices in the MountPoints2 registry key. It is recommended that you restart Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted (it lives under HKEY_CURRENT_USER, so delete it under every account that has used the machine):

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code-execution scenarios that US-CERT describes are mitigated, because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. [ref:US-CERT]
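As an added example (not part of the original post or of the US-CERT article), here is a PowerShell script that applies the same IniFileMapping change without downloading anything, adds the NoDriveTypeAutoRun policy value that the Microsoft KB967715 article linked above describes, clears the MountPoints2 cache for the current user, and then reads the values back to confirm they took. The function names are my own; it assumes PowerShell 2.0 or later running from an Administrator prompt.

```powershell
# Added example, not code from the original post. Run as Administrator.
# Assumptions: PowerShell 2.0+; registry paths are the CERT/CC workaround quoted
# in the post and the KB967715 policy value (NoDriveTypeAutoRun = 0xFF).

$IniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$Policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Cache  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Disable-Autorun {
    # CERT/CC workaround: point every Autorun.inf at a registry key that does not
    # exist, so Explorer never reads the file from the device. Same effect as
    # importing autorun_patch.reg.
    if (-not (Test-Path $IniMap)) { New-Item -Path $IniMap -Force | Out-Null }
    Set-ItemProperty -Path $IniMap -Name '(default)' -Value '@SYS:DoesNotExist'

    # KB967715 method: 0xFF disables AutoRun for every drive type.
    if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
    Set-ItemProperty -Path $Policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # Drop this user's cache of AutoRun data for devices already seen; US-CERT
    # gives this as the alternative to rebooting. Repeat under other accounts.
    if (Test-Path $Cache) { Remove-Item -Path $Cache -Recurse -Force }
}

function Test-AutorunDisabled {
    # $true only when both the mapping and the policy value are in place.
    $map = (Get-ItemProperty -Path $IniMap -ErrorAction SilentlyContinue).'(default)'
    $pol = (Get-ItemProperty -Path $Policy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return (($map -eq '@SYS:DoesNotExist') -and ($pol -eq 0xFF))
}

Disable-Autorun
if (Test-AutorunDisabled) {
    'Autorun disabled. Reboot so that cached mount points are reinitialized.'
} else {
    'Settings were not applied; make sure this prompt is running as Administrator.'
}
```

Reading the values back matters: on an infected machine the worm may have restricted access to registry keys or may simply be running with higher privileges than your prompt, and a silent failure here would leave the machine exactly as exposed as before.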

2 – Disable System Restore:

Restore points can hold copies of the infected files, which the removal tool cannot clean and which would bring the worm back if a restore point were later applied. Turn System Restore off now and turn it back on once the machine is clean.

Steps for Windows XP:

    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.  If you do not see the System Restore tab, you are not logged on to Windows as an Administrator.
    4. Click Apply.
    5. When you see the confirmation message, click Yes.
    6. Click OK.


3 – Install Microsoft Security Update KB958644 (MS08-067) for your Operating System:

This update closes the Server service vulnerability that Conficker exploits to spread over the network. Without it, a cleaned machine is simply reinfected by any infected neighbour, so install it before running the removal tool.

Go to this page and download the right update for your Windows version: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
In case you cannot access the Microsoft website for any reason, I provide mirror downloads here on Gibni.com:
For Windows XP SP2 and Windows XP SP3 (English): [Mirror on Gibni]
For Windows Vista and Windows Vista SP1 (English): [Mirror on Gibni]
Whichever source you use, check the file’s digital signature before running it (right-click the file, Properties, Digital Signatures tab) and install it only if the signer is Microsoft Corporation. Once downloaded, open (double-click/run/execute) the file and proceed with the installation.

 

4 – Download the Conficker Removal Tool of your choice:

You should download a Removal Tool (listed below) and save it somewhere convenient, such as your Windows Desktop.

There are free Conficker Removal Tools provided by:


5 – Now check your computer for infection and clean it!

  1. Once you have the Removal Tool file, save your work if necessary and close ALL programs and running software.
  2. Disconnect your computer from the network by PHYSICALLY unplugging the network cable or switching OFF the Wi-Fi adapter. (If you cannot, go to Control Panel > Network Connections, right-click each connection and select “Disable”.) Otherwise an infected machine on the same network can reinfect you before the patch and the cleaning are finished.
  3. Then run (double-click/open/execute, call it what you like!) the Conficker Removal Tool you have.
  4. Restart your computer once the Conficker Removal Tool has finished.
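After the reboot, it is worth confirming that the cleaning and the patch actually took before you reconnect the machine to anything that matters. The PowerShell script below is an added example, not part of the original post or of any removal tool: it checks that KB958644 is installed, that Microsoft names resolve again (the worm blocks DNS lookups for Microsoft and security-vendor sites, which is why the download links above may have failed), and that the services Conficker disables (Automatic Updates, BITS, Windows Defender, Error Reporting) are not still left disabled. Function names are mine; `example.com` is a constructed control name; it assumes PowerShell 2.0 or later run as Administrator with the network reconnected.

```powershell
# Added example, not code from the original post. Run as Administrator after the
# reboot that follows the removal tool. Assumptions: PowerShell 2.0+, network up.

function Test-MS08067Installed {
    # KB958644 is the hotfix ID that MS08-067 installs on XP, Vista and Server 2003/2008.
    $fix = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

function Resolve-Quietly([string]$Name) {
    # $true if the name resolves to at least one address, $false on any error.
    try { return ([System.Net.Dns]::GetHostAddresses($Name).Count -gt 0) }
    catch { return $false }
}

function Test-SecurityDnsBlocked {
    # An infected machine resolves ordinary names but not Microsoft or antivirus
    # vendor names. 'example.com' is a constructed control; any non-security site works.
    $control = Resolve-Quietly 'example.com'
    $target  = Resolve-Quietly 'www.microsoft.com'
    return ($control -and -not $target)
}

function Get-DisabledRecoveryServices {
    # Conficker sets these services to Disabled. Services that do not exist on this
    # Windows version (e.g. WinDefend on a plain XP install) are skipped.
    $names = 'wuauserv', 'BITS', 'WinDefend', 'ERSvc'
    foreach ($n in $names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$n'"
        if ($svc -and $svc.StartMode -eq 'Disabled') { $svc.Name }
    }
}

$report = @{
    'MS08-067 (KB958644) installed'      = Test-MS08067Installed
    'Security DNS lookups still blocked' = Test-SecurityDnsBlocked
    'Services left disabled'             = (@(Get-DisabledRecoveryServices) -join ', ')
}
$report.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

If the DNS check still reports blocked lookups or any of the services is still disabled after the tool has run and the machine has rebooted, treat the machine as still infected and do not reconnect it to the network; run the removal tool again or try a second vendor’s tool.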

 

Follow all the instructions for the conficker removal process. The remaining steps are on the next page(s) …

5 thoughts on “Remove Conficker (Downup, Downadup or Kido)”

  1. Franklin

    Thanks for the informative article! I usually don’t look up virus information until I get infected and it’s usually too late by that stage, so thank you for the advance warning 🙂

    Reply
  2. Angela Wenke

    WOW, this worm sounds scary! I really truly appreciate all your great information in this blog post! I try very hard to keep up to date on the latest viruses and worms out there, but it seems almost futile as there is a new one cropping up all the time! I really appreciate that you shared the symptoms along with how to remove this! Thank you
    Angie

    Reply
  3. Pingback: » Sunday Spotlight, March 8 ~ Wayrift Fantasy Webcomic

  4. Aywren

    This has been spotlighted on my blog. Thanks for a great post! I’m sure this will really be helpful to someone — there’s some pretty nasty viruses out there.

    Reply
  5. Ananda Akbar

    Hi.
    I’m from Indonesia.
    And I just want to thank you for the information to remove the Conficker virus.
    Thank you very much.
    If my English were better I would really want to say so much more to show my gratitude to you.
    Thank you very much.

    Reply
