How to remove Win32/Conficker.AA infections

Version: 32.3
Revision: 65 Build 10

Introduction:
The Win32/Conficker.AA worm is also known as W32/Worm.AHGV, Net-Worm.Win32.Kido.bg, Worm:Win32/Conficker, W32/Conficker.worm.gen and Mal/Conficker.
This worm exploits the “Microsoft Windows Server Service – RPC Handling Remote Code Execution Vulnerability” (MS08-067) to infect other computers on the local network. It also blocks access to security vendors’ websites, deletes all System Restore points created before the infection, and protects itself from deletion.

Symptoms: an infected computer may show no symptoms at all, or any of the following:
———————————
-Account lockout policies are being tripped (the worm brute-forces passwords on network shares).
-Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting services are disabled.
-Domain controllers respond slowly to client requests.
-The network connection is congested.
-Various security-related websites cannot be accessed.

1.] Download one of these tools and remove “Win32/Conficker” infections.
———————————

http://www.bitdefender.com/site/Downloads/downloadFile/1584/FreeRemovalTool

http://www.softpedia.com/get/Antivirus/Anti-Downadup.shtml

ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
———————————

2.] After downloading, just extract the contents to a folder.

3.] Disconnect from the network and unplug your network cable.
If you have wireless connections, please disable your connections and ‘power off’ your router.

4.] Disable “Windows System Restore”. Turning it off discards every existing restore point, including the infected ones, which is the intent here.

Click Start >> Control Panel >> System >> System Restore

5.] Run the removal tool and choose the most thorough scan option it offers (a full system scan).

If it asks you to reboot, decline (do not click OK) and continue with the next step…

6.] After the removal, open the Registry Editor (regedit) and check the following key.
This is a safety precaution for all users!
———————————
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

- Make sure that the value reads exactly: Userinit [REG_SZ] = C:\Windows\System32\userinit.exe,  (the trailing comma is part of the value; on some systems the Windows folder is C:\WINDOWS, which is fine as long as nothing else is listed after the comma)
———————————
If it differs (for example, an extra executable is listed after the comma), replace the value with the one above, i.e. the data given below:

Value Name: Userinit
Value Type: REG_SZ
Value Data: C:\Windows\System32\userinit.exe,

7.] Reboot your computer once disinfection is complete.

8.] Before reconnecting, make sure the Windows Firewall is enabled; then plug your network cable back in (or re-enable your wireless connection and power your router on again).

9.] Now re-enable “Windows System Restore” and create a fresh restore point.
——————————–
- To enable Windows System Restore, right-click on My Computer >> select Properties >> click on System Restore tab >> Uncheck the option: “Turn off system restore on all drives” >> in the warning box, just select: Yes >> Click: Apply >> OK.

Note: once “System Restore” is enabled, Windows creates an initial ‘restore point’ for you…

10.] Download CCleaner and delete your Temporary Internet Files and system caches.

11.] Done and dusted!

Finally (this step is not really optional, since the worm spreads through MS08-067 and an unpatched machine can be re-infected as soon as it is back on the network): if the “Microsoft Security Bulletin MS08-067” security update is not installed, use the link below, download the patch, install it and reboot your system.

Link: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
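The following PowerShell script is an added example for verifying the result of steps 6 to 11 above; it is not part of the original guide or of any of the removal tools linked on this page. It checks the Winlogon Userinit value (and can repair it to the value given in step 6), checks that the services the worm disables are no longer set to Disabled, and checks whether the MS08-067 hotfix is installed. Assumptions: it is run from an elevated prompt; the expected Userinit path is built from $env:SystemRoot rather than hard-coded, because the Windows folder may be C:\WINDOWS or C:\Windows; the service names (wuauserv, BITS, WinDefend, ERSvc on XP / WerSvc on Vista and later) and the hotfix ID KB958644 for MS08-067 are the Microsoft names for those components, not values taken from this page; Win32_QuickFixEngineering is used instead of Get-HotFix so it also works on PowerShell 1.0.

```powershell
# Post-cleanup verification for the Conficker removal steps above (added example, not from the original guide).
# Assumes an elevated (Administrator) PowerShell session.

$winlogonKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinitExe      = "$env:SystemRoot\System32\userinit.exe"   # C:\WINDOWS or C:\Windows, depending on the system
$expectedUserinit = "$userinitExe,"                           # trailing comma is part of the legitimate value

# Step 6: Userinit must list exactly one executable, the real userinit.exe.
function Test-Userinit {
    $value = (Get-ItemProperty -Path $winlogonKey -Name Userinit).Userinit
    $entries = @($value.TrimEnd(',').Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries.Count -eq 1 -and $entries[0] -ieq $userinitExe) {
        Write-Host "[OK]   Userinit = $value"
        return $true
    }
    Write-Warning "Userinit is '$value'; expected '$expectedUserinit'"
    return $false
}

# Step 6 repair: write the value from the guide. Only call this after Test-Userinit has failed.
function Repair-Userinit {
    Set-ItemProperty -Path $winlogonKey -Name Userinit -Value $expectedUserinit -Type String
    Write-Host "[FIX]  Userinit reset to '$expectedUserinit'"
}

# Symptom list: these services are disabled by the worm. Names are Microsoft's service names (assumption: the
# Error Reporting service is ERSvc on XP and WerSvc on Vista and later); missing services are skipped.
$serviceNames = 'wuauserv', 'BITS', 'WinDefend', 'ERSvc', 'WerSvc'
function Test-Services {
    $allOk = $true
    foreach ($name in $serviceNames) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # not present on this Windows version
        $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
        if ($startMode -eq 'Disabled') {
            Write-Warning "$name ($($svc.DisplayName)) is still Disabled; re-enable it (sc config $name start= auto)"
            $allOk = $false
        } else {
            Write-Host "[OK]   $name start mode: $startMode, status: $($svc.Status)"
        }
    }
    return $allOk
}

# Final step: MS08-067. KB958644 is the hotfix ID published with that bulletin (assumption, not from the page).
function Test-MS08067 {
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering -Filter "HotFixID='KB958644'"
    if ($fix) {
        Write-Host "[OK]   MS08-067 (KB958644) is installed"
        return $true
    }
    Write-Warning "MS08-067 (KB958644) not found; install it before reconnecting this machine to the network"
    return $false
}

function Invoke-ConfickerPostCheck {
    param([switch]$Repair)   # -Repair rewrites Userinit if the check fails
    $userinitOk = Test-Userinit
    if (-not $userinitOk -and $Repair) { Repair-Userinit; $userinitOk = Test-Userinit }
    $servicesOk = Test-Services
    $patchOk    = Test-MS08067
    return ($userinitOk -and $servicesOk -and $patchOk)
}

# Usage: run the checks; add -Repair to reset Userinit automatically.
if (Invoke-ConfickerPostCheck) { Write-Host 'All post-cleanup checks passed.' }
else { Write-Warning 'One or more checks failed; review the warnings above before reconnecting.' }
```

Run it before step 8 (before the cable goes back in), and again after the reboot in step 7 if the removal tool changed anything, since a failed MS08-067 check means the machine will be re-infected by any other infected host on the same network.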
