How to remove Conficker?
What is Conficker?
Conficker (a.k.a Kido, Downup or Downadup) is a worm that has gained notoriety in a very short time. The reason for this is the number of systems infected worldwide. It isn’t clear, exactly how many systems have been infected, but various sources have said it to be somewhere between 3million and 10million, although there have been speculations that the range might be a lot wider than that, with as many as 1 in every 6 systems infected worldwide. According to pretty much every estimate there is, Conficker now has by far the largest botnet in the world.
Conficker typically infects the system by exploiting a buffer overflow vulnerability in the Server Service of Windows, which allows code to be executed remotely. The vulnerability has been patched by Microsoft last year (the patch can be found here). Once inside, the worm will disable a number of Windows services, including Windows Automatic Update, Windows Defender and Windows Security Center. Afterwards it connects to a server, downloads more malware, gathers private information and attaches itself to crucial Windows processes, namely, explorer.exe, services.exe and svchost.exe. Conficker also tries to spread through ADMIN$ shares, by hacking the administrator password through a dictionary attack.
The reason behind Conficker’s success is the algorithm it uses to change domains used to receive instructions. Normally, worms use a few domains, thus making it simple for security companies to block them, which deems them far less detrimental than they would usually be. Since revoking a few domain registrations is useless in fighting Conficker, Kaspersky Labs and OpenDNS botnet protection have teamed up to create a preemptive method of blocking domains. Apparently the people at Kaspersky have studied the worm’s code and found the way Conficker’s algorithm works, which allows them to block domains before they are being used . More information on that can be found here.
At the moment, most anti-spyware and anti-viral software is useless against Conficker, since instead of implementing a separate rootkit, it uses registry permissions. Because of this, manual removal instructions will not work either – registry permissions have to be restored, before registry keys are removed. Symantec, Kaspersky and Microsoft have released removal tools for Conficker, but it is not totally clear just how useful they are.
Until spyware/virus removers have been updated, it seems the most effective way to avoid Conficker infection is to use the registry to block Autorun of external media, use a strong administrator password, use the patch by Microsoft and OpenDNS botnet protection.
How to determine if you are infected with Conficker?
 |
 |
 |
 |
 |
 |
How to interpret:
| Possible combination | Meaning |
 |
This means that your computer is not Infected by Conficker or you are using proxy |
|---|---|
 |
This means that your computer is probably infected by Conficker (C variant or greater) |
 |
This means that your computer is probably infected by Conficker B variant |
 |
Image loading might be turned off in browser |
Chart explanation:
Conficker blocks access to over 100 antivirus and security related websites.
If you can see all six images in the above table, that means that your computer is not infected by Conficker, or you are using a proxy server. In such case test results will be inaccurate, because Conficker won’t be unable to block you from viewing antivirus and security related websites.
If you can’t see the remote images in the first row of the top table above, but the images in the second row are visable, that means that your PC is probably infected by Conficker or some other malicious software.
Conficker is Dangerous
Conficker is a malicious Worm parasite Conficker may install other spyware parasites Conficker will replicate and email itself to contacts in your address book. Conficker may come bundled with or spread other spyware Conficker may prove difficult or impossible to remove Conficker violates your privacy and compromises your security
for Conficker detection
Note: Spyware Doctor trial provides detection of parasite like Conficker and assists in its removal for free. You can remove detected files, processes and registry entries yourself or purchase a full version.
Conficker screenshots
Manual Conficker removal
Important Note: Although it is possible to manually remove Conficker, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Spyware Doctor or other malware and spyware removal applications found on 2-viruses.com.
Stop these Conficker processes:
Disable these Conficker DLL files::
Remove these Conficker Registry Entries:
Remove these Conficker files:
It is impossible to list all file names and locations of modern parasites. You can identify remaining parasites, other Conficker infected files and get help in Conficker removal by using free Spyware Doctor scanner. It comes with free real-time protection module that helps preventing Conficker and similar threats.
Conficker is a typical worm, which means that it is a viral application that spreads itself via internet without any human intervention save for a simple click, which is enough for a worm such as Conficker to infect a system. The main difference between a virus and a worm is that Conficker does not have to attach itself to an existing program.
The most popular way for a worm parasite like Conficker to infect your computer is to spread through email. It usually comes as email file attachment or within an infected email message. Once opened, Conficker will install itself into a user’s computer silently, in the background. Such replication is nearly impossible to notice, as no install wizards, warnings or dialogs are being displayed on your screen.
