Wednesday, January 20, 2010

Conficker Manual Removal

Conficker Description
Conficker, also known as W32/Conficker.worm, Win32/Conficker.A, W32.Downadup, Downadup and Kido, is a worm that exploits the Windows vulnerability addressed in MS08-067. When Conficker infects your PC, it may prevent you from accessing security websites and disable Windows system services such as Windows Security Center, Windows Error Reporting and Windows Defender. The danger with Conficker is its ability to spread to other vulnerable computers through network shares: if one computer in a network is infected, the worm can spread to other computers within that network. Microsoft has released a patch to fix the Windows vulnerability.
Conficker Manual Removal Instructions
How to Kill Conficker DLL files.
  1. Right-click the Explorer.exe process and choose the option “Properties”.
  2. Click on the “Threads” Tab, locate and highlight the Conficker DLL files listed below.
  3. To kill Conficker DLL files, click the “Kill” button.
  4. Kill the following Conficker DLL files:
  • %All Users Application Data%\[RANDOM FILE NAME].dll
  • %Program Files%\Movie Maker\[RANDOM FILE NAME].dll
  • %Program Files%\Internet Explorer\[RANDOM FILE NAME].dll
  • %Temp%\[RANDOM FILE NAME].dll
  • vhoinp.dll
  • %System%\[RANDOM FILE NAME].dll

Step 1: How to Delete Conficker Registry Keys and Values.
  1. Right-click on your Desktop > select “New” option > select “Text Document” (.txt file) option.
  2. Rename the .txt file as a .reg file and call it “Delete_Registry_Conficker_Entities.reg”. A .reg file is a registry script: when you open it, Registry Editor applies its contents to your Windows registry, which lets you easily delete registry entries.
  3. Right-click and select the “Edit” option.
  4. Copy and paste the Conficker keys listed below.
  5. In the menu bar, go to “File” > select “Save” > then click the “X” button to close the file.
  6. Double-click on the .reg file.
  7. When the message box appears saying “Are you sure you want to add the information in C:\DOCUME~1\%username%\Desktop\DELETE~1.REG to the registry?”, click the “Yes” button.
  8. When the message box appears saying “Information in C:\DOCUME~1\%username%\Desktop\DELETE~1.REG has been successfully entered into the registry.”, click the “OK” button.
  9. The Conficker registry keys have been deleted from your registry.
  10. Copy and paste the following Conficker keys:
    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\APPINIT_DLLS\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\vhoinp.dll]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\vhoinp.dll]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\vhoinp.dll]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\vhoinp.dll]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\vhoinp.dll]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\vhoinp.dll]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\vhoinp.dll]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\vhoinp.dll]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\vhoinp.dll]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\vhoinp.dll]
    [-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\vhoinp.dll]
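To confirm the cleanup, the PowerShell script below (an added example, not part of the original post) does a read-only check of the registry locations listed above for any remaining reference to vhoinp.dll. A `[-...]` line in a .reg file deletes a key of that name, while autorun entries such as those under Run are normally stored as values, so the script looks for both; the variable names and the extra `Windows NT\CurrentVersion\Windows` entry (where the AppInit_DLLs value lives) are assumptions of this example.

```powershell
# Added example: read-only audit, nothing is modified or deleted.
$dll = 'vhoinp.dll'                      # file name taken from the page

# Parent keys of the entries listed on the page, present in both hives.
$common = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'SOFTWARE\Microsoft\Internet Explorer\Explorer Bars',
    'SOFTWARE\Microsoft\Internet Explorer\Extensions',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
)
# Entries the page lists under HKEY_LOCAL_MACHINE only.
$hklmOnly = @(
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # holds the AppInit_DLLs value
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$findings = foreach ($hive in 'HKLM:', 'HKCU:') {
    $paths = $common
    if ($hive -eq 'HKLM:') { $paths += $hklmOnly }
    foreach ($sub in $paths) {
        $key = "$hive\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Case 1: a subkey named after the DLL (what a [-...\vhoinp.dll] line deletes).
        if (Test-Path -LiteralPath "$key\$dll") {
            [pscustomobject]@{ Key = $key; Kind = 'Subkey'; Name = $dll; Data = '' }
        }
        # Case 2: a value whose name or data mentions the DLL.
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ("$name $data" -like "*$dll*") {
                [pscustomobject]@{ Key = $key; Kind = 'Value'; Name = $name; Data = $data }
            }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "No references to $dll found in the listed locations." }
```

Run it before and after importing the .reg file; any row with Kind = Value that is still reported afterwards was not removed by the key-deletion lines.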
