
Conficker / Downadup Removal Process

Conficker / Downadup is one of the most sophisticated forms of malware. The quickest way to identify that a machine is infected with the Conficker / Downadup computer worm is that it comes back after being removed by Malwarebytes Anti-Malware. You may also observe that StartUp Control Panel identifies a randomly named file that is executed on StartUp. The StartUp entry normally includes rundll32.exe and a randomly named filename. You may then find this randomly named file in C:\WINDOWS or C:\WINDOWS\SYSTEM32. Using standard methods, this file cannot be deleted, and the registry key which executes the DLL file returns after reboot. You may also find that Removal Tools from a variety of antivirus vendors do not in fact remove the worm. To remove this computer worm and the associated registry key, please perform the following steps:
  1. Install Ccleaner. Run Ccleaner.

  2. Install Malwarebytes Anti-Malware. Update Malwarebytes Anti-Malware. Run Malwarebytes Anti-Malware. If you are unable to run Malwarebytes, simply make a copy of mbam.exe and rename it to mbam.com. You can now run Malwarebytes Anti-Malware. Perform a Quick Scan.

  3. After the scan has completed, reboot.

  4. Install Microsoft Windows Defender but do not perform a Manual Scan.

  5. Install Microsoft Security Essentials but do not perform a Manual Scan.

  6. Install Advanced System Care and perform a Manual Scan.

  7. Install Greatis UnHackMe. Run Greatis UnHackMe.

  8. Click Check Me Now!

  9. Click Test Windows Boot Process.

  10. Click Check For Trojans Spyware Adware.

  11. Click Make Scan Now.

  12. Click Fix Problems.

  13. When Greatis UnHackMe identifies a StartUp Item, confirm that the item in question is not a normal StartUp Item. This can easily be determined by the name of the file and/or the directory location of the file. The file is typically a random series of letters, or it may be titled Webcheck. The identified file may also have no name for the Author. While reviewing each StartUp Item, you may want to use Uniblue's Process Library to look up the name of each file. When you are satisfied that an identified file is malware, click Get Out / Terminate / Delete.

  14. Click the green right-arrow to move to the next item identified by Greatis UnHackMe. Repeat the previous step until you have informed Greatis UnHackMe of each malware item. There are normally only one or two items in StartUp that are malware.

  15. Once you have cycled through all of the StartUp Items, you will be presented with various options including a Reboot option. Click Reboot.

  16. On Reboot, you may need to close Greatis UnHackMe on two separate occasions by clicking the X button. The registry keys and malware items have now been deleted and the computer is no longer infected.

  17. Once you have confirmed that the computer worm has been removed, you can now uninstall Greatis UnHackMe.

  18. Browse to http://update.microsoft.com to install all Windows Updates.
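As an added triage aid (example code, not part of the original post or of any of the tools it names), the following PowerShell script lists Run-key entries that match the indicator described above: rundll32.exe loading a DLL from C:\WINDOWS or C:\WINDOWS\SYSTEM32 whose base name looks random. The random-name heuristic and the choice of only the two standard Run keys are assumptions of this example; a hit is a lead for step 13, not proof of infection, and can be run again after step 16 to confirm the entry is gone.

```powershell
# Added example: report Run-key entries matching the Conficker / Downadup indicator
# from the post (rundll32.exe + random-looking DLL in the Windows or System32 folder).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$winDir = $env:SystemRoot   # normally C:\WINDOWS

function Test-RandomName {
    param([string]$BaseName)
    # Heuristic assumed by this example: legitimate DLL names usually contain vowels;
    # a name with almost no vowels, or made only of digits, is treated as random.
    if ($BaseName.Length -lt 5) { return $false }
    $letters = ($BaseName -replace '[^a-z]', '').ToLower()
    if ($letters.Length -eq 0) { return $true }
    $vowels = ([regex]::Matches($letters, '[aeiou]')).Count
    return (($vowels / $letters.Length) -lt 0.2)
}

function Find-SuspiciousRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            $cmd = [string]$p.Value
            # Typical shape: rundll32.exe C:\WINDOWS\system32\abcdxyz.dll,ExportName
            if ($cmd -notmatch '(?i)rundll32(?:\.exe)?\s+"?([^",]+\.dll)') { continue }
            $dll = $matches[1].Trim()
            $dir = Split-Path $dll -Parent
            $inWinDir = ($dir -ieq $winDir) -or ($dir -ieq (Join-Path $winDir 'system32'))
            $base = [IO.Path]::GetFileNameWithoutExtension($dll)
            if ($inWinDir -and (Test-RandomName $base)) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Dll = $dll; Command = $cmd }
            }
        }
    }
}

Find-SuspiciousRunEntry | Format-List
```

Run it from an elevated PowerShell session so the HKLM key is readable; compare any reported Name and Dll against the entries StartUp Control Panel or Greatis UnHackMe shows before deciding in step 13.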
