Conficker Removal (Update)

[Update: it seems that people who missed the whole MS-DOS/having fun with the C> prompt and batch files thing are still struggling with the fact that vendors are releasing cleaning tools that are really command-line tools, so some step-by-step notes are added below.]

I’m sure you’re almost as bored with this issue as I am with the BBC. (I wonder if it’s contemplating buying the Conficker botnet to add to its collection?)

However, it seems that some people are still confused as to how to remove Conficker if it’s already on their system. So here’s a quick summary: some of it was actually posted by our labs back in January, but it still applies.

  1. Disconnect the infected computer from the network and the Internet.
  2. Use an uninfected PC to download the relevant Windows patches: MS08-067, MS08-068 and MS09-001. MS08-067 closes the Server service hole that Conficker exploits to spread across the network, so don’t reconnect until it is installed.
  3. Reset the passwords on administrative accounts to strong ones. The worm tries a list of common passwords against administrative network shares, so a weak admin password lets it spread through shared folders.
  4. Download a one-off ESET application (again, using a non-infected PC) and run it on the infected machine to remove the worm.
  5. Install, or update, your anti-virus program so that it has current signatures.
  6. Re-connect the PC to the network and the Internet.

You might also want to disable Autorun: Conficker also copies itself to removable drives along with an autorun.inf, so an infected USB stick can re-infect a cleaned PC as soon as it is plugged in.

Here’s a bit more information about using the standalone utility mentioned in step 4.  

If you access that link and run the program rather than save it, you might be confused by the fact that it’s a text-mode application that opens in a DOS box (the black window that looks like an old-time DOS PC or a dumb terminal, with a C:\> or C> prompt and text output only), not a Windows application. That’s normal for a standalone utility like this, which doesn’t need a graphical user interface (GUI) with menus.

  • If you have more than one PC to check, or a slow connection, you might want to save it to the desktop rather than run it directly from the web site.
  • When you run it, it will, hopefully, tell you that "Conficker worm has not been found active in the memory" and ask whether you want to scan and clean anyway. It’s unlikely to do any harm if you do, but if Conficker isn’t in memory it probably isn’t on your system at all, and it certainly poses no immediate threat. At that point it’s more important to check that your AV is installed and updating properly.
  • It also mentions a couple of options (-autoclean and -reboot). If Conficker isn’t in memory these aren’t very relevant to you; if it is, you’ll probably want to carry on scanning and respond when the utility prompts you. The options are aimed at system administrators and power users who want to run the application from a script and/or on more than one PC. To use them you have to start the program from the command line, and you type the name of the file you saved: if you saved it as EConfickerRemover.exe, use that name, not removaltool, the name the program’s own help text suggests.
  • It may not run with full functionality if you aren’t running with administrator rights: it will detect Conficker if it’s there, but it won’t be able to clean it properly. We normally advise people not to run as administrator routinely, but for a task like this you have to either log in as administrator or "run as" administrator.
  • I’ve also had someone mention that the DOS window comes and goes too quickly to read if there’s no infection. I haven’t been able to replicate that, so have asked for more information. (A console program started by double-clicking gets a window of its own that closes as soon as the program exits; starting it from a command prompt you’ve already opened keeps the output on screen.)
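Putting the six steps and the command-line notes above into one script, as an added example (this is not ESET’s code and not part of the original post): the batch file below checks that the prompt has administrator rights, checks whether the three Microsoft patches are installed, runs the saved remover from a console that stays open so its output can be read, records the exit code in a log, and disables Autorun. The script name, the remover’s location (EConfickerRemover.exe on the desktop), the log file name and the assumption that -autoclean suppresses the scan-and-clean prompt are my own choices; the KB numbers are the Microsoft article numbers for MS08-067, MS08-068 and MS09-001 and should be checked against the bulletin pages before you rely on them.

```batch
@echo off
rem conficker-cleanup.cmd -- added example, not ESET's own script.
rem Run from an administrator command prompt on the (disconnected) infected PC:
rem   conficker-cleanup.cmd                      interactive: answer the tool's prompts
rem   conficker-cleanup.cmd -autoclean -reboot   unattended: the switches named in the post
setlocal

rem Assumed location: the post suggests saving the remover to the desktop.
set "TOOL=%USERPROFILE%\Desktop\EConfickerRemover.exe"
set "LOG=%USERPROFILE%\Desktop\conficker-%COMPUTERNAME%.log"

rem 1. The remover can detect but not clean without administrator rights.
rem    "net session" fails unless this prompt has administrator rights.
net session >nul 2>&1
if errorlevel 1 (
    echo Please open the command prompt with "Run as administrator" and try again.
    goto :end
)

rem 2. Patch check. KB958644 = MS08-067 (the hole Conficker uses to spread
rem    over the network), KB957097 = MS08-068, KB958687 = MS09-001.
rem    Assumption: "wmic qfe" lists each update by its KB number; some older
rem    Windows XP entries are not, so treat MISSING as "check by hand".
for %%K in (KB958644 KB957097 KB958687) do (
    wmic qfe get HotFixID 2>nul | find /i "%%K" >nul
    if errorlevel 1 (
        echo %%K MISSING - install it before reconnecting to the network
    ) else (
        echo %%K present
    )
)

rem 3. Run the remover. Because it is started from this console its output
rem    stays on screen instead of vanishing with a window of its own; the exit
rem    code is written to a per-machine log so several PCs can be checked later.
rem    Any switches given to this script (e.g. -autoclean -reboot) are passed on.
if not exist "%TOOL%" (
    echo Remover not found at "%TOOL%" - save it there first.
    goto :end
)
echo === %DATE% %TIME% on %COMPUTERNAME% >> "%LOG%"
"%TOOL%" %*
echo Remover exit code: %ERRORLEVEL% >> "%LOG%"
echo Result recorded in "%LOG%"

rem 4. Disable Autorun for every drive type (0xFF in NoDriveTypeAutoRun) so an
rem    infected USB stick cannot start the worm automatically. On XP/2003 this
rem    value is only fully honoured once Microsoft's Autorun update (KB967715)
rem    is installed.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f >nul
echo Autorun disabled for all drive types; log off and on again for it to apply.

:end
rem Keep the window open if the script was started by double-clicking.
pause
endlocal
```

The exit code is logged rather than interpreted because the post does not document what the remover returns; read the tool’s own on-screen result, and use the log only to see which machines have been run and when.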

If you have further questions on this, please visit the support pages at http://www.eset.eu/support.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Author David Harley, ESET

  • http://www.eset.com Randy Abrams

    askeset, a mailing address I personally respond to, is only for general security questions. I am afraid I cannot address Conficker remover tool questions there.

    Thanks,

    Randy

  • me

    How do I know if I have the conficker virus or not? I keep my NOD32 updated continuously. I have run scan and clean weekly, daily for April 1 and 2nd. Nod says I have no viruses.

  • David Harley

    There’s a link you can double-check with at http://www.confickerworkinggroup.org/wiki/: follow the “Check for Infection” link. That’s pretty conclusive for known variants unless you’re using a proxy instead of connecting direct.

    However, NOD32 has been very successful at detecting Conficker variants: if it hasn’t flagged anything and it’s up-to-date and working, I can’t see that you could be infected with a known Conficker infection.

  • Evileex

    So, my sister’s computer catches it big…and I got the removal tool from Symantec, BUT the computer keeps logging out mid run…WTF.
    any suggestions?

    • http://www.smallblue-greenworld.co.uk David Harley

      I’m afraid we’re not really in a position to support Symantec products, even the free ones, and we can’t actually offer support here: we don’t have the necessary resources. Have you tried a different removal tool? We have one here, but there are lots of other free tools around.

  • Evileex

    Thanks, I’ll give it a shot and get back to you.

  • SteveH

    In our case the virus is not in memory on our SBS2003. It is located on a secondary drive (E:) and though it seems contained by NOD32, the hidden RECYCLER file and jwgkvsq.vmx file (both located in two places on our E drive) cannot be deleted and all the removal tools we have tried fail to be able to delete it. Running those tools, including Eset’s, does not detect anything. However, if I scan those files, NOD32 says there is a variant of the Conficker.AA worm but it cannot delete it because it is in use. Any thoughts?

    • Randy Abrams

      Yes, use the free technical support that is offered to all licensed users.

      Note the blog from David Harley http://www.eset.com/threat-center/blog/2009/10/08/requests-for-support.

      Sorry, we can’t offer technical support in the blog. You can also submit a support request online directly from the help menu in NOD32 and ESET Smart Security with version 4.

  • Mario

    Hi! I have a case similar to SteveH’s, where Conficker is located on an external hard drive that I have installed. I have tried all the removal tools, including ESET’s, and it can’t remove it. First of all, ESET’s database for the Conficker removal tools has nothing on this type of Conficker that my NOD32 is detecting every time I connect any type of external hard drive to my computer; basically it has infected each and every external hard drive that I have, including the pen drives. The name of the Conficker that I have on my external hard drives is Conficker.AF, as the NOD32 antivirus says. There is nothing related to this type of Conficker on the ESET database or technical support. This Conficker.AF is not actually on my computer but ONLY on any external hard drives I connect. It can be detected in the Recycler files and Autorun files, which we all know are invisible and uncontrollable. It hasn’t damaged any data that I’m aware of yet, but it is really annoying and my quarantine is full. These are some of the files it has infected till now: I:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665 ; I:\autorun.inf ; J:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665 ; L:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665 ; L:\autorun.inf ; G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665. I don’t know if all this information will help you, but I really need a solution as quickly as possible … Please! Thank you in advance for reading this message and I hope we can find a solution! Thank you!

    • David Harley

      Mario, we’re not able to offer support through the Threatblog, I’m afraid. Apart from the time and resources issues, we’re simply not the best people to offer that service. Please go through the support page at or your supplier.

    • Randy Abrams

      All ESET customers are entitled to free support, but we do not offer support through the blog.
      Files in the recycle bin are controllable. They can be made visible as well. You should be able to empty the recycle bin, but you can go to for support.

  • Reza Iranzad

    Some ESET customers cannot clean or delete autorun and other old viruses, but my ESET can do it, both the similar ESET version and the original.

    • Randy Abrams

      Any ESET customer who has difficulty removing a threat is entitled to free support from ESET.

  • Manual Petronzio

    Is Conficker still a threat or has MS patched for it?

Copyright © 2014 ESET, All Rights Reserved.