


How To Remove Win32 Conficker B

How to remove the Downadup and Conficker worm (Uninstall Instructions)

  • Filed Under: Worms
  • January 23, 2009

What is Downadup and Conficker?

Skip this and learn how to remove Downadup and Conficker!

The Downadup, or Conficker, infection is a worm that predominantly spreads by exploiting the MS08-067 Windows vulnerability, but it can also infect other computers via network shares and removable media. Not since the Sasser and MSBlaster worms have we seen an infection as widespread as the Downadup worm. In fact, according to anti-virus vendor F-Secure, the Downadup worm has infected over 8.9 million computers. Microsoft has addressed the problem by releasing a patch to fix the Windows vulnerability, but there are still many computers that do not have this patch installed, and thus the worm has been able to propagate throughout the world.

When installed, Conficker / Downadup will copy itself to your C:\Windows\System32 folder as a randomly named DLL file. If it has problems copying itself to the System32 folder, it may instead copy itself to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folders. It will then create a Windows service that automatically loads this DLL via svchost.exe, which is a legitimate file, every time you turn on your computer. The infection will then change a variety of Windows settings that allow it to efficiently infect other computers over your network or the Internet.
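One way to check for the service described above, as an added example that is not part of the original guide: it parses `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output and flags svchost.exe-hosted services whose ServiceDll sits in one of the folders named above and is missing from a baseline. The sample output, the names in it, the baseline and the C:\Windows install path are constructed assumptions.

```python
import ntpath
import re

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
# output; the service name "xkqpzd" and the DLL "hwpvtjo.dll" are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\qmgr.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqpzd
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqpzd\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\WINDOWS\system32\hwpvtjo.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe
"""
# Assumed baseline: ServiceDll paths recorded earlier on a known-clean machine.
BASELINE = {r"c:\windows\system32\qmgr.dll"}
# Folders the guide names as drop locations for the worm's DLL.
WATCHED = {r"c:\windows\system32", r"c:\program files\internet explorer",
           r"c:\program files\movie maker"}
VALUE = re.compile(r"^\s+(ImagePath|ServiceDll)\s+REG_\w+\s+(.*)$", re.I)

def norm(path):
    # Assumes Windows lives in C:\Windows, as in the guide's paths.
    p = path.strip().strip('"').lower().replace("%systemroot%", r"c:\windows")
    return p.replace("%programfiles%", r"c:\program files")

def parse_services(text):
    """Map service name -> {'imagepath': ..., 'servicedll': ...}."""
    services, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            tail = line.lower().split("\\services\\", 1)
            current = tail[1].split("\\")[0] if len(tail) == 2 else None
        elif current and (m := VALUE.match(line)):
            services.setdefault(current, {})[m.group(1).lower()] = norm(m.group(2))
    return services

def suspicious(text, baseline=BASELINE):
    """Return (service, dll) pairs for svchost services with unknown DLLs."""
    hits = []
    for svc, v in sorted(parse_services(text).items()):
        dll = v.get("servicedll")
        if dll and "svchost.exe" in v.get("imagepath", ""):
            if ntpath.dirname(dll) in WATCHED and dll not in baseline:
                hits.append((svc, dll))
    return hits
```

Calling `suspicious(SAMPLE)` returns the one constructed service whose DLL is not in the baseline; a hit is a prompt for review, not proof of infection.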

Once the infection is running, you will find that you are no longer able to access a variety of sites such as Microsoft.com and many anti-virus vendors. It does this so that you cannot download removal tools or update your anti-virus programs. It will then perform the following actions in no specific order:

  • Stop and start System Restore in order to remove all your current System Restore points so that you cannot roll back to a previous date when your computer was working properly.
  • Check for Internet connectivity by attempting to connect to one of the following sites:
    • aol.com
    • cnn.com
    • ebay.com
    • msn.com
    • myspace.com
  • Attempts to determine the infected computer's IP address by visiting one of the following sites:
    • http://www.getmyip.org
    • http://getmyip.co.uk
    • http://checkip.dyndns.org
    • http://www.whatismyip.com/
  • Download other files to be used as necessary.
  • Scan the infected computer's network for vulnerable computers and try to infect them.

Some symptoms that may hint that you are infected with this malware are as follows:

  • Anti-malware software stating you are infected with infections using the following names:
    • Net-Worm.Win32.Kido
    • W32/Conficker.worm.gen
    • Worm.Conficker
    • W32.Downadup
    • W32/Downadup.AL
    • W32/Confick-A
    • Win32/Conficker.A
    • Mal/Conficker
    • Worm:Win32/Conficker.B
    • Win32.Worm.Downadup.Gen
  • Automatic updates no longer working.
  • Anti-virus software is no longer able to update itself.
  • Unable to access a variety of security sites, such as anti-virus software companies.
  • Random svchost.exe errors.


Using the following guide we will walk you through removing this worm from your computer and securing your computer so it does not get infected with Downadup again. Because this worm stops us from accessing the sites we need to download the removal tools from, you will need access to another computer that is clean and the ability to copy files from that computer to the infected one. If at all possible, I suggest you copy the files using a burnable DVD or CD in order to prevent your USB drives from possibly becoming infected.

This guide will walk you through removing the Conficker and Downadup worms for free. If you would like to read more information about this infection, we have provided some links below.

Reference Links:

F-Secure Downadup information

Windows MS08-067 Patch

Worm:Win32/Conficker.B information from Microsoft

Conficker/Downadup Worm Dubbed 'Epidemic'

Downadup and Conficker Removal Options

Self Help Guide

This guide contains advanced information, but has been written in such a way that anyone can follow it. Please ensure your data is backed up before proceeding.

If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.

  1. Print out these instructions as we will need to close every window that is open later in the fix.
  2. Because Downadup and Conficker do not allow you to connect to Microsoft and a variety of security sites, you must first download the Windows patch and the removal tool from another computer and transfer the files to your infected PC. On a clean computer, download BitDefender's Anti-Downadup tool from the following location and save the file to your desktop. The current name of the file is bd_rem_tool.zip.
    BitDefender's Conficker Removal Tool

  3. Next visit the following link and download the KB958644/MS08-067 security patch for your particular Windows operating system:
    MS08-067 Patch Download Link

    Look through the list and click on the link that corresponds to the version of Windows that is running on the infected machine. Then download the file from the page that opens and save it to your desktop.

  4. Now copy bd_rem_tool.zip and the Windows patch file to a floppy, CD, or USB drive so we can copy them to the infected PC.
  5. Once the files are stored on a removable device, copy them onto your infected PC's Windows desktop.
  6. Once the Windows patch and bd_rem_tool.zip file are on your infected computer's desktop, you will need to first install the Windows patch. Simply double-click on the file that you downloaded from Microsoft's web site and follow the prompts to install the patch. This will make it so your computer does not become reinfected after we clean the current infection. If the patch is already installed, the Microsoft patch will detect that and not reinstall it.
  7. Now we need to extract the files from the bd_rem_tool.zip. You can do this by right-clicking on the bd_rem_tool.zip and then selecting the Extract All... menu option as shown in the image below.

  8. At the next screen, continue clicking the Next button until you see a screen similar to the one below.


    Now that the file has finished being extracted, click on the Finish button.

  9. A folder will open containing two files. These files are named bd_rem_tool_console.exe and bd_rem_tool_gui.exe. Please double-click on the bd_rem_tool_gui.exe file to start the program. When you run this program, Windows may display a warning similar to the image shown below.

    If you receive this warning, please click on the Run button to continue starting Anti-Downadup on your computer. If you did not receive this warning, then Anti-Downadup should have started and you can continue to step 9.

  10. You will now see a screen prompting you to start the scan or close the program.


    Please click on the Start button to have the program scan your computer and remove any Downadup and Conficker infections on your computer.

  11. Anti-Downadup will now start to scan your computer and determine if you are infected as shown below.



    This process can take 10 minutes, so please be patient. When it is done, if your computer is clean it will tell you so and you can close the program. Otherwise, continue with the rest of the steps.
  12. When Anti-Downadup has finished scanning your computer it will prompt you to reboot your computer in order to finish the cleaning process.

    Press the Yes button to allow the infected computer to be rebooted. If you do not reboot your computer, you will be left with a blue screen as Explorer was terminated during the cleaning process.

  13. When the computer has finished rebooting you should no longer have the Conficker or Downadup infections on your computer. To see a log of what was deleted you can open the C:\Win32.Worm.Downladup.Gen.log file in Notepad.

Though the infection is now removed from your computer, we need to make sure you do not get infected again. As you should have already installed the Windows patch, you will not be able to be infected again via the MS08-067 exploit. This infection, though, can infect you through network shares and removable devices as well. So please examine your computer for any network shares and disable any that are not necessary to have open.

The next step is to disable Autorun on your computer. Autorun is a feature that allows executables to automatically run when you insert removable media such as a CD/DVD, Flash Drive, or other USB device. Having Autorun enabled is a security risk because a virus can spread through the use of removable media. For example, if you had used your flash drive on a computer infected with a removable media worm, then your flash drive will become infected. Then when you use that infected flash drive on a computer that has Autorun enabled, the infection will automatically run and infect the new computer. As you can see, disabling Autorun is an important step in securing your computer. Please note that if you disable this feature, then any time you insert removable media, including a CD or DVD, it will not automatically open or start. Instead you will need to open My Computer, right-click on the specific drive, and select Explore or Play in order to access the contents of the media. If you would prefer security over convenience then please download the following file and save it on your desktop:

Noauto.reg download link

Once the file is downloaded, simply double-click on it. When Windows asks if you would like to merge the data, click on the Yes button. Now that Autorun is disabled, reboot your computer to make the setting effective.

Congratulations! Your computer should now be free of the Downadup and Conficker program and you will no longer be vulnerable to infection from this malware.
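An added example, not part of the original guide, for confirming the setting after the reboot. The contents of Noauto.reg are not shown on this page; the sketch assumes the setting in question is the standard NoDriveTypeAutoRun policy value, reads it from constructed `reg query` output, and lists the drive types that can still Autorun.

```python
import re

# Constructed `reg query` output for the Explorer policy key in both hives.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff
"""
# Bits of NoDriveTypeAutoRun: a set bit turns Autorun off for that drive type.
DRIVE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cd-rom", 0x40: "ram disk"}
ROW = re.compile(r"^\s+NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-f]+)", re.I)

def effective_mask(text):
    """Return the mask that applies; a value in HKLM wins over one in HKCU."""
    found, hive = {}, None
    for line in text.splitlines():
        upper = line.upper()
        if upper.startswith("HKEY_"):
            hive = "HKLM" if upper.startswith("HKEY_LOCAL_MACHINE") else "HKCU"
        elif hive and (m := ROW.match(line)):
            found[hive] = int(m.group(1), 16)
    return found.get("HKLM", found.get("HKCU"))

def still_autorun(text):
    """List drive types whose bit is clear, i.e. Autorun is still enabled."""
    mask = effective_mask(text)
    if mask is None:
        return None  # value absent in both hives: the OS default applies
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]
```

In the constructed sample the per-user value is 0xff, yet removable and CD-ROM drives are still reported because the machine-wide 0x91 takes precedence; an empty list means Autorun is off for every listed drive type.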

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? forum and someone will help you.

Source: https://www.bleepingcomputer.com/virus-removal/remove-downadup-conficker
