ESET Threat Blog
[Update: it seems that people who missed the whole MS-DOS/having fun with the C> prompt and batchfiles thing are still struggling with the fact that vendors are releasing cleaning tools that are really command-line tools, so some step-by-step notes are added below.]

I’m sure you’re almost as bored with this issue as I am with the BBC. (I wonder if it’s contemplating buying the Conficker botnet to add to its collection?)

However, it seems that some people are still confused as to how to remove Conficker if it’s already on their system. So here’s a quick summary: some of it was actually posted by our labs back in January, but it still applies.

  1. Disconnect the infected computer from the network and the Internet.
  2. Use an uninfected PC to download the respective Windows patches from the following sites: MS08-067, MS08-068 and MS09-001.
  3. Reset the passwords of your admin accounts to stronger ones. [Note that it can spread through shared folders.]
  4. Download a one-off ESET application (again, using a non-infected PC) which will remove the worm.
  5. Install the updated anti-virus program.
  6. Re-connect the PC to the network and the Internet.

You might also want to disable Autorun.

Here’s a bit more information about using the standalone utility mentioned in step 4.

If you access that link and run it rather than save it, you might be confused by the fact that it’s a text mode application opening in a DOS box (that’s the black window that looks like an old-time DOS PC or some form of dumb terminal with a C:\ or C> prompt and text output only), not a Windows application. That’s normal for a standalone utility like this, which doesn’t need a multi-menu graphical interface (GUI).

  • If you have more than one PC to check/look after, or a slow connection, or for any similar reason, you might want to save it to the desktop rather than run it from the web site.
  • When you run it, it will, hopefully, tell you that "Conficker worm has not been found active in the memory" and ask you if you want to scan and clean anyway. It’s unlikely to do any harm if you do run it, but if Conficker is not in memory, it probably isn’t on your system anyway and certainly poses no immediate threat. It’s more important at this point to check that your AV is installed and updating properly.
  • It also mentions a couple of options (-autoclean and -reboot). If Conficker isn’t in memory these aren’t very relevant to you. If it is, you’ll probably want to carry on scanning and respond when the utility prompts you. Those options are more relevant to system administrators and power users wanting to run the application from a script and/or on more than one PC. If you want to use them, you’ll have to use them from the command-line, and if you saved it as EConfickerRemover.exe, use that name at the command line, not removaltool, as the program suggests.
  • It may not run with full functionality if you’re not running with administrator rights. It will detect Conficker, if it’s there, but it won’t be able to clean it properly. Of course, we normally advise people not to run as administrator routinely, but for tasks like this you have to be able to either log in as administrator or "run as" administrator.
  • I’ve also had someone mention that the DOS screen comes and goes too quickly to read if there’s no infection. I haven’t been able to replicate that, so have asked for more information.
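For administrators who want to run the step 4 utility from a script on more than one PC, and for anyone whose DOS window closes before it can be read, here is an added example wrapper (not ESET’s script, and not part of the original post). It assumes the tool was saved to the desktop as EConfickerRemover.exe, and that -autoclean, the option the post lists for scripted runs, suppresses the interactive prompts; nothing else about the tool’s behaviour or exit codes is assumed.

```batch
@echo off
rem Added example (not ESET's own script): wraps the standalone remover from
rem step 4 so it can be run from a script, keeps the window open, and writes
rem the tool's text output to a log file.
rem Assumptions: the tool is saved on the desktop as EConfickerRemover.exe
rem (the name used in the post); -autoclean and -reboot are the two options
rem the post mentions; -autoclean is assumed to make the run non-interactive.

setlocal
set "TOOL=%USERPROFILE%\Desktop\EConfickerRemover.exe"
set "LOG=%USERPROFILE%\Desktop\conficker-scan-%COMPUTERNAME%.log"

rem The tool cannot clean properly without administrator rights, so stop
rem early rather than report a half-done cleanup. "net session" only
rem succeeds when run with administrator rights.
net session >nul 2>&1
if errorlevel 1 (
    echo This must be run as administrator ^(right-click, "Run as administrator"^).
    pause
    exit /b 1
)

if not exist "%TOOL%" (
    echo Remover not found at "%TOOL%". Download it on a clean PC and copy it here.
    pause
    exit /b 1
)

rem Run unattended with -autoclean. -reboot is deliberately NOT passed here,
rem so the machine stays up long enough to read the log and update the AV
rem (step 5) before any restart.
echo Scan started %DATE% %TIME% on %COMPUTERNAME% > "%LOG%"
"%TOOL%" -autoclean >> "%LOG%" 2>&1
echo Tool exit code: %ERRORLEVEL% >> "%LOG%"

rem Show the result and keep the window open, so a quick "nothing found"
rem run does not vanish before it can be read.
type "%LOG%"
echo.
echo Log saved to "%LOG%".
pause
endlocal
```

Because the output is redirected, the tool cannot prompt you on screen; if it does need an answer, run it by hand from the command line as described above.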

If you have further questions on this, please visit the support pages at http://www.eset.eu/support.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

8 Responses to “Conficker Removal (Update)”

  1. Randy Abrams Says:

    askeset, a mailing address I personally respond to is only for general security questions. I am afraid I cannot address conficker remover tool questions there.

    Thanks,

    Randy

  2. me Says:

    How do I know if I have the conficker virus or not? I keep my NOD32 updated continuously. I have run scan and clean weekly, daily for April 1 and 2nd. Nod says I have no viruses.

  3. David Harley Says:

    There’s a link you can double-check with at http://www.confickerworkinggroup.org/wiki/: follow the “Check for Infection” link. That’s pretty conclusive for known variants unless you’re using a proxy instead of connecting direct.

    However, NOD32 has been very successful at detecting Conficker variants: if it hasn’t flagged anything and it’s up-to-date and working, I can’t see that you could be infected with a known Conficker infection.

  4. Evileex Says:

    So, my sister’s computer catches it big…and I got the removal tool from Symantec, BUT the computer keeps logging out mid run…WTF.
    Any suggestions?

  5. David Harley Says:

    I’m afraid we’re not really in a position to support Symantec products, even the free ones, and we can’t actually offer support here: we don’t have the necessary resources. Have you tried a different removal tool? We have one here, but there are lots of other free tools around.

  6. Evileex Says:

    Thanks, I’ll give it a shot and get back to you.

  7. SteveH Says:

    In our case the virus is not in memory on our SBS2003. It is located on a secondary drive (E:) and though it seems contained by NOD32, the hidden RECYCLER file and jwgkvsq.vmx file (both located in two places on our E drive) cannot be deleted and all the removal tools we have tried fail to be able to delete it. Running those tools, including Eset’s, does not detect anything. However, if I scan those files, NOD32 says there is a variant of the Conficker.AA worm but it cannot delete it because it is in use. Any thoughts?

  8. Randy Abrams Says:

    Yes, use the free technical support that is offered to all licensed users.

    Note the blog from David Harley http://www.eset.com/threat-center/blog/2009/10/08/requests-for-support.

    Sorry, we can’t offer technical support in the blog. You can also submit a support request online directly from the help menu in NOD32 and ESET Smart Security with version 4.
