
Conficker / Downadup Removal Process

Conficker / Downadup is one of the most sophisticated forms of malware. The quickest way to identify that a machine is infected with the Conficker / Downadup computer worm is that it comes back after being removed by Malwarebytes Anti-Malware. You may also observe that StartUp Control Panel identifies a randomly named file being executed upon StartUp. The StartUp entry normally includes rundll32.exe and a randomly named filename. You may then observe this randomly named file in C:\WINDOWS or C:\WINDOWS\SYSTEM32. Using standard methods, this file cannot be deleted, and the registry key which executes the DLL file returns after reboot. You may also find that Removal Tools from a variety of antivirus vendors do not in fact remove the worm. To remove this computer worm and the associated registry key, please perform the following steps:
  1. Install Ccleaner. Run Ccleaner.

  2. Install Malwarebytes Anti-Malware. Update Malwarebytes Anti-Malware. Run Malwarebytes Anti-Malware. If you are unable to run Malwarebytes, simply make a copy of mbam.exe and rename it to mbam.com. You can now run Malwarebytes Anti-Malware. Perform a Quick Scan.

  3. After the scan has completed, reboot.

  4. Install Microsoft Windows Defender but do not perform a Manual Scan.

  5. Install Microsoft Security Essentials but do not perform a Manual Scan.

  6. Install Advanced System Care and perform a Manual Scan.

  7. Install Greatis UnHackMe. Run Greatis UnHackMe.

  8. Click Check Me Now!

  9. Click Test Windows Boot Process.

  10. Click Check For Trojans Spyware Adware.

  11. Click Make Scan Now.

  12. Click Fix Problems.

  13. When Greatis UnHackMe identifies a StartUp Item, confirm that the item in question is not a normal StartUp Item. This can easily be determined by the name of the file and/or the directory location of the file. The file is typically a random series of letters, or it may be titled Webcheck. The identified file may also have no name for the Author. While reviewing each StartUp Item, you may want to use Uniblue's Process Library to look up the name of each file. When you are satisfied that an identified file is malware, click Get Out / Terminate / Delete.

  14. Click the green right-arrow to move to the next item identified by Greatis UnHackMe. Repeat the previous step until you have informed Greatis UnHackMe of each malware item. There are normally only one or two items in StartUp that are malware.

  15. Once you have cycled through all of the StartUp Items, you will be presented with various options including a Reboot option. Click Reboot.

  16. On Reboot, you may need to close Greatis UnHackMe on two separate occasions by clicking the X button. The registry keys and malware items have now been deleted and the computer is no longer infected.

  17. Once you have confirmed that the computer worm has been removed, you can now uninstall Greatis UnHackMe.

  18. Browse to http://update.microsoft.com to install all Windows Updates.
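The indicator described at the top of this page (a rundll32.exe StartUp entry loading a randomly named DLL from C:\WINDOWS or C:\WINDOWS\SYSTEM32) can be checked without clicking through each item by hand. The script below is an added example, not code from the original post or from any of the tools it names: it reads the Run keys on a Windows machine (or a constructed sample set elsewhere), keeps only rundll32.exe entries, and flags DLLs that sit directly in the Windows or System32 folder under a random-looking name or under the Webcheck name the post calls out. The "random-looking" thresholds are assumptions of this example; treat hits as items to review against a resource such as the Process Library, not as a verdict.

```python
"""Startup-entry triage for the Conficker-style indicator described above.

Added example, not part of the original post. It takes Run-key style startup
entries (value name -> command line), keeps those launched through
rundll32.exe, and flags DLLs that sit directly in the Windows or System32
folder under a random-looking name, or under the name the post calls out.
The sample entries are constructed; the scoring thresholds are assumptions.
"""
import platform
import re

# Matches the DLL argument that follows rundll32[.exe], quoted or bare.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)
# DLL directly inside <drive>:\Windows or <drive>:\Windows\System32 (no deeper).
WINDIR_RE = re.compile(r'^[a-z]:\\windows(?:\\system32)?\\([^\\]+)$')
CONSONANT_RUN_RE = re.compile(r'[b-df-hj-np-tv-xz]+')
VOWELS = set('aeiouy')
CALLED_OUT_NAMES = {'webcheck'}  # name the post says the dropped file may use

SAMPLE_ENTRIES = {  # constructed sample data, not from a real machine
    'NvCplDaemon': r'RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    'ctfmon': r'C:\WINDOWS\system32\ctfmon.exe',
    'qwxzrtlp': r'rundll32.exe C:\WINDOWS\system32\qwxzrtlp.dll,Startup',
    'webcheck': r'"C:\WINDOWS\system32\rundll32.exe" "%SystemRoot%\webcheck.dll",Run',
    'other': r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Init',
}


def rundll32_target(command):
    """Return the DLL path rundll32 is asked to load, or None for other commands."""
    m = RUNDLL_RE.search(command)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    # Normalise the common %SystemRoot% form so the folder check below applies.
    return re.sub(r'%systemroot%', r'C:\\WINDOWS', path, flags=re.IGNORECASE)


def looks_random(stem):
    """Heuristic (assumed thresholds): long, vowel-poor names or long consonant runs."""
    s = ''.join(c for c in stem.lower() if c.isalpha())
    if len(s) < 7:
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_run = max((len(r) for r in CONSONANT_RUN_RE.findall(s)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 4


def triage_startup_entries(entries):
    """entries: dict of value name -> command line. Returns flagged entries with a reason."""
    flagged = []
    for name, command in entries.items():
        dll = rundll32_target(command)
        if dll is None:
            continue
        m = WINDIR_RE.match(dll.lower())
        if not m:
            continue  # rundll32 loading from elsewhere is outside this indicator
        stem = m.group(1).rsplit('.', 1)[0]
        if stem in CALLED_OUT_NAMES:
            reason = 'name the post associates with the worm'
        elif looks_random(stem):
            reason = 'random-looking DLL name in Windows folder'
        else:
            continue
        flagged.append({'name': name, 'dll': dll, 'reason': reason})
    return flagged


def read_run_keys():
    """On Windows, collect HKLM and HKCU ...\\CurrentVersion\\Run values; elsewhere use the sample."""
    if platform.system() != 'Windows':
        return SAMPLE_ENTRIES
    import winreg
    entries = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, r'Software\Microsoft\Windows\CurrentVersion\Run')
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values in this key
                entries[name] = str(value)
                i += 1
    return entries


if __name__ == '__main__':
    for hit in triage_startup_entries(read_run_keys()):
        print(f"REVIEW  {hit['name']}: {hit['dll']}  ({hit['reason']})")
```

Run it on the suspect machine before step 7 to get a short list of StartUp items worth checking first; anything it reports should still be confirmed by the file's location and Author information as described in step 13, since a vowel-poor vendor DLL name can trip the heuristic.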
