Solved

Conficker Worm

Posted on 2009-12-28
Last Modified: 2013-11-22
How to clean Conficker Worm

OS: Windows XP SP3. Most of the systems are affected by Conficker, but the trojan's sub-name differs: Conficker.xx. How can I clean those systems? What's the ideal way?
Question by:saleempc
7 Comments
 
LVL 11

Accepted Solution

by:
enriquecadalso earned 668 total points
ID: 26131163
In http://support.kaspersky.com/faq/?qid=208279973 look in the section "Methods of disinfection". On this page you can also download the tools to clean the PCs.
 
LVL 5

Assisted Solution

by:Anthony1982
Anthony1982 earned 668 total points
ID: 26131226
http://www.mcafee.com/us/enterprise/confickertest.html
This is the tool we have been using to find all the infected PCs on our network.
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
This is the tool we have been using to remove it.

With this combo of tools we have been able to completely get rid of it.

Here is Microsoft's link to tell you the patches you need.
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
 
LVL 38

Expert Comment

by:younghv
ID: 26132624
I don't need any points - but I concur with the McAfee tool set that Anthony1982 recommends.

You can really get wrapped up in a lot of extra steps listed by some of these 'other' sites - or you can let the McAfee tool do all the work for you.
 
LVL 11

Expert Comment

by:enriquecadalso
ID: 26132762
Hello again.

Maybe an easier solution can be found; just keep in mind that you have to apply all the Microsoft patches or you will be infected again.

I recommended the Kaspersky solution because it is the antivirus solution used in my company. In fact, I had to fight this same infection some months ago in a LAN with 200 PCs. I used the Kaspersky tool combined with GPO, AFTER applying the patches.
 
LVL 15

Assisted Solution

by:xmachine
xmachine earned 664 total points
ID: 26134652
This is my working cure for Conficker infections.

1) To start, first you need to download the required patches and the fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE 

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe 

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe 

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu 

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/D.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) You can then use PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to read a text file that lists the infected machines and run the batch file on them using a privileged account, such as a Windows domain admin.

4) In the batch file, replace the server name and shared folder name.

So, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/).

Other important points:

1) Review the current password policy; you can configure a Windows GPO that requires a complex password with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/) and scan all machines with plugin ID 34476 to check whether they have the MS08-067 patch installed. (BTW, you can use a different tool to check for the installed patch; this is just an example.)

@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All
ECHO.                                Multi OS W32.Downadup Cleaner v2.0
ECHO. ***********************************************************************************************

REM Replace \\ServerName\ShareName below with the read-only share that holds D.exe
REM (Symantec FixDownadup) and the KB958644 (MS08-067) patch for each OS.
REM The script picks a branch from the "ver" output, re-enables the services the worm
REM disables, removes AT jobs, runs the cleaner, installs the patch and reboots.
REM Logs are written to C:\%computername%_%username%_logFixDownadup.txt and copied
REM to the Logs folder on the share.

ver | find "2003" > nul 
if %ERRORLEVEL% == 0 goto ver_2003 
  
ver | find "XP" > nul 
if %ERRORLEVEL% == 0 goto ver_xp 
  
ver | find "2000" > nul 
if %ERRORLEVEL% == 0 goto ver_2000 
  
ver | find "Version 6.0.6000" > nul 
if %ERRORLEVEL% == 0 goto ver_vista-sp0 
  
ver | find "Version 6.0.6001" > nul 
if %ERRORLEVEL% == 0 goto ver_vista-sp1 
  
  
goto exit 
  
:ver_2003 
echo Enabling BITs ... 
sc config bits start= auto 
echo Starting BITs ... 
net start "Background Intelligent Transfer Service" 
echo Enabling Automatic Updates ... 
sc config Wuauserv start= auto 
echo Starting Automatic Updates ... 
REM the service name (wuauserv) is used because the display name differs between OS versions
net start wuauserv
echo Enabling Windows Error Reporting Service (ERSvc) ... 
sc config ERSvc start= auto 
echo Starting Windows Error Reporting ... 
net start ERSvc 
echo Enabling Windows Error Reporting Service (WerSvc) ... 
sc config WerSvc start= auto 
echo Starting Windows Error Reporting ... 
net start WerSvc 
echo Checking MS WSUS for any missing updates ...  
wuauclt.exe /detectnow 
REM echo Removing all AT created scheduled tasks ... 
REM AT /Delete /Yes 
REM echo Stopping & Disabling Schedule service... 
REM sc.exe stop schedule 
REM sc.exe config schedule start= disabled 
echo Fixing Downadup infection (Silent mode - Check log file in C:\)... 
\\ServerName\ShareName\D.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ... 
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart 
echo Rebooting System ...   
shutdown -r -f -c "Rebooting system" 
goto exit 
  
:ver_xp 
echo Enabling BITs ... 
sc config bits start= auto 
echo Starting BITs ... 
net start "Background Intelligent Transfer Service" 
echo Enabling Automatic Updates ... 
sc config Wuauserv start= auto 
echo Starting Automatic Updates ... 
REM the service name (wuauserv) is used because the display name differs between OS versions
net start wuauserv
echo Checking MS WSUS for any missing updates ...  
wuauclt.exe /detectnow 
echo Enabling Windows Security Center Service (wscsvc) ... 
sc config wscsvc start= auto 
echo Starting Windows Security Center ... 
net start wscsvc 
echo Enabling Windows Error Reporting Service (ERSvc) ... 
sc config ERSvc start= auto 
echo Starting Windows Error Reporting ... 
net start ERSvc 
echo Removing all AT created scheduled tasks ... 
AT /Delete /Yes 
REM an unescaped & would split the echo into two commands
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule 
sc.exe config schedule start= disabled 
echo Disabling "AutoPlay" ... 
REM NoDriveTypeAutoRun=0xff disables AutoRun on every drive type (the worm spreads via autorun.inf on removable media)
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Fixing Downadup infection (Silent mode - Check log file in C:\)... 
\\ServerName\ShareName\D.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ... 
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart 
echo Rebooting System ...   
shutdown -r -f -c "Rebooting system" 
goto exit 
  
:ver_2000 
echo Enabling BITs ... 
sc config bits start= auto 
echo Starting BITs ... 
net start "Background Intelligent Transfer Service" 
echo Enabling Automatic Updates ... 
sc config Wuauserv start= auto 
echo Starting Automatic Updates ... 
REM the service name (wuauserv) is used because the display name differs between OS versions
net start wuauserv
echo Checking MS WSUS for any missing updates ...  
wuauclt.exe /detectnow 
echo Removing all AT created scheduled tasks ... 
AT /Delete /Yes 
echo Fixing Downadup infection (Silent mode - Check log file in C:\)... 
\\ServerName\ShareName\D.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ... 
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart 
echo Rebooting System ...   
shutdown -r -f -c "Rebooting system" 
goto exit 
  
:ver_vista-sp0 
echo Enabling BITs ... 
sc config bits start= auto 
echo Starting BITs ... 
net start "Background Intelligent Transfer Service" 
echo Enabling Automatic Updates ... 
sc config Wuauserv start= auto 
echo Starting Automatic Updates ... 
net start "wuauserv" 
echo Checking MS WSUS for any missing updates ...  
wuauclt.exe /detectnow 
echo Enabling Windows Security Center Service (wscsvc) ... 
sc config wscsvc start= auto 
echo Starting Windows Security Center ... 
net start wscsvc 
echo Enabling Windows Defender Service (WinDefend) ... 
sc config WinDefend start= auto 
echo Starting Windows Defender ... 
net start WinDefend 
echo Enabling Windows Error Reporting Service (WerSvc) ... 
sc config WerSvc start= auto 
echo Starting Windows Error Reporting ... 
net start WerSvc 
echo Removing all AT created scheduled tasks ... 
AT /Delete /Yes 
REM an unescaped & would split the echo into two commands
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule 
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f 
echo Disabling "AutoPlay" ... 
REM NoDriveTypeAutoRun=0xff disables AutoRun on every drive type
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ... 
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f 
echo Enabling TCP Receive Window Auto-tuning ... 
netsh interface tcp set global autotuning=normal 
echo Fixing Downadup infection (Silent mode - Check log file in C:\)... 
\\ServerName\ShareName\D.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ... 
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart 
echo Rebooting System ...   
shutdown /r /f /c "Rebooting system" 
goto exit 
  
:ver_vista-sp1 
echo Enabling BITs ... 
sc config bits start= auto 
echo Starting BITs ... 
net start "Background Intelligent Transfer Service" 
echo Enabling Automatic Updates ... 
sc config Wuauserv start= auto 
echo Starting Automatic Updates ... 
REM the service name (wuauserv) is used because the display name differs between OS versions
net start wuauserv
echo Checking MS WSUS for any missing updates ...  
wuauclt.exe /detectnow 
echo Enabling Windows Security Center Service (wscsvc) ... 
sc config wscsvc start= auto 
echo Starting Windows Security Center ... 
net start wscsvc 
echo Enabling Windows Defender Service (WinDefend) ... 
sc config WinDefend start= auto 
echo Starting Windows Defender ... 
net start WinDefend 
echo Enabling Windows Error Reporting Service (WerSvc) ... 
sc config WerSvc start= auto 
echo Starting Windows Error Reporting ... 
net start WerSvc 
echo Removing all AT created scheduled tasks ... 
AT /Delete /Yes 
REM an unescaped & would split the echo into two commands
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule 
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f 
echo Disabling "AutoPlay" ... 
REM NoDriveTypeAutoRun=0xff disables AutoRun on every drive type
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ... 
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f 
echo Enabling TCP Receive Window Auto-tuning ... 
netsh interface tcp set global autotuning=normal 
echo Fixing Downadup infection (Silent mode - Check log file in C:\)... 
\\ServerName\ShareName\D.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ... 
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart 
echo Rebooting System ...   
shutdown /r /f /c "Rebooting system" 
goto exit 
  
:exit

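As an added example (not xmachine's code, and not part of the Symantec or Sysinternals tools), here is a PowerShell script that verifies the state the batch file above is meant to leave on each host in the same infected.txt list: whether KB958644 (the MS08-067 update) is installed, whether the services the batch file re-enables are set to start automatically and the Schedule service is disabled, and whether AutoRun is switched off. The infected.txt path, the output CSV path and the host names are assumptions; the script needs WMI and the Remote Registry service reachable on the targets and an account that is an administrator on them.

```powershell
# Added verification script (not from the original post). Run as a domain admin from a
# management host; reads the same one-host-per-line infected.txt used with psexec.
param(
    [string]$HostList   = ".\infected.txt",           # assumed path, same format as the post
    [string]$ReportPath = ".\remediation-report.csv"  # assumed output path
)

# Start modes Clean-Downadup.bat is expected to leave behind: the worm disables
# updates/BITS/Security Center and abuses AT jobs, so the batch file sets the
# first three to Auto and disables the Task Scheduler (Schedule) service.
$expectedStartModes = @{
    "wuauserv" = "Auto"
    "BITS"     = "Auto"
    "wscsvc"   = "Auto"
    "Schedule" = "Disabled"
}

function Test-HostRemediation {
    param([string]$ComputerName)

    $r = New-Object PSObject -Property @{
        Host           = $ComputerName
        Reachable      = $false
        MS08067Patched = $false
        ServicesOk     = $false
        AutoRunOff     = $false
        Notes          = ""
    }

    if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {
        $r.Notes = "no ICMP reply"
        return $r
    }
    $r.Reachable = $true

    # 1. MS08-067: KB958644 must be present (Get-HotFix queries Win32_QuickFixEngineering remotely)
    try {
        $kb = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
              Where-Object { $_.HotFixID -eq "KB958644" }
        $r.MS08067Patched = [bool]$kb
    } catch {
        $r.Notes += "hotfix query failed: $($_.Exception.Message); "
    }

    # 2. Service start modes, compared against the table above
    try {
        $services = @(Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -ErrorAction Stop |
                      Where-Object { $expectedStartModes.ContainsKey($_.Name) })
        $bad = @($services | Where-Object { $_.StartMode -ne $expectedStartModes[$_.Name] })
        $r.ServicesOk = ($services.Count -gt 0 -and $bad.Count -eq 0)
        foreach ($s in $bad) { $r.Notes += "$($s.Name) is $($s.StartMode); " }
    } catch {
        $r.Notes += "WMI query failed: $($_.Exception.Message); "
    }

    # 3. AutoRun policy: NoDriveTypeAutoRun = 0xff (255) disables AutoRun on every drive type
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')
        $val  = $null
        if ($key) { $val = $key.GetValue('NoDriveTypeAutoRun') }
        $r.AutoRunOff = ($val -eq 255)
        $hklm.Close()
    } catch {
        $r.Notes += "remote registry failed: $($_.Exception.Message); "
    }

    return $r
}

# Skip blank lines and "#" comments so a netscan export can be pasted in as-is
$targets = Get-Content $HostList |
           ForEach-Object { $_.Trim() } |
           Where-Object { $_ -and -not $_.StartsWith("#") }

$report = foreach ($h in $targets) { Test-HostRemediation -ComputerName $h }

# Hosts that are reachable but fail any check need another pass with the batch file
$report | Select-Object Host, Reachable, MS08067Patched, ServicesOk, AutoRunOff, Notes |
          Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

A host that is reachable but shows MS08067Patched as False is still exposed to the vulnerability the worm uses to spread and should go back into infected.txt for another psexec run; a host whose Notes say the WMI or registry query failed has not been verified at all, which is a different condition from "clean". The 2003 branch of the batch file leaves the Schedule service alone, so remove that key from the table when checking 2003 servers.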
 

Author Comment

by:saleempc
ID: 26136484

Thanks to all. Other tools are also good for doing the same.

This tool helped me to solve the concern - http://www.sophos.com/products/free-tools/conficker-removal-tool.html
 
LVL 4

Expert Comment

by:TrustWise
ID: 26143341
Even though you have cleaned the machine, I would also run Malwarebytes and ComboFix:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Turn off all antivirus and firewall software before you run ComboFix.