Saturday, July 18, 2009

How to Manually Remove the Downadup/Conficker/Kido Worm

1. The quickest way to know if a Win 2k, 2k3, XP, Vista or 2k8 machine is infected, regardless of the Conficker variant (even if it is a user-mode rootkit variant; such a rootkit only hides the dll file and its service key), is by running this command-line:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v netsvcs
I use a batch file to do this. Based on the results, you can then determine the randomly generated name of the Windows service of the infection, e.g. abcde. It is usually found at the end of the list. If there is no randomly named service listed, then most likely Conficker is not there.

Another quick way to determine if Conficker exists is by running gmer. The results of the quick scan that gmer runs when starting would show that C:\windows\system32\svchost.exe is hidden and highlighted in red. But in the end, you will still need to know the service name associated with Conficker by going through the netsvcs list.

2. End the svchost.exe process associated with the netsvcs service, by using tasklist /svc to find its PID and then taskkill /PID <pid>

3. Browse to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\abcde
You may not be able to view the contents of the key since the permissions were removed by the infection.
Right-click the abcde key > Permissions > Add > Everyone > select Full Control > OK > F5 to refresh > go to the Parameters key and take note of the path of the dll,
e.g. c:\windows\system32\wxyz.dll

4. Use fixpolicies.exe to reset policies that were added by the worm, such as disabling viewing system files.

5. Look for the dll file located at C:\windows\system32\
right-click the dll file > properties > uncheck read-only > ok > then delete the file. If the file cannot be deleted try stopping the service first.
In case you cannot find the file, you will need to use gmer and browse for the file from the files tab. Then use the delete button on the right.

6. Use the following command-line to delete the service:
sc delete abcde

7. Reboot the computer

8. You can create a batch file to restore the following windows services:

sc config wscsvc start= auto
sc config winDefend start= auto
sc config wuauserv start= auto
sc config BITS start= auto
sc config ERSvc start= auto
sc config WerSvc start= auto
sc start wscsvc
sc start WinDefend
sc start wuauserv
sc start BITS
sc start ERSvc
sc start WerSvc


9. Finally, make sure the machine has the latest recommended updates from Microsoft:
http://windowsupdate.microsoft.com
The most important is that kb958644 is installed.
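As an added example, not part of the original post, the following PowerShell script automates the netsvcs review from step 1 and the Parameters/ServiceDll lookup from step 3, flagging entries an administrator should look at. The baseline list of service names is an assumption (a sample of stock XP/2003 netsvcs members, not an authoritative list), so flagged entries are candidates for review, not confirmed infections.

```powershell
# Added triage script (not from the original post). Reads the netsvcs list and
# flags entries that are not in the baseline, whose service key cannot be read
# (the worm strips its permissions), whose ServiceDll is not visible on disk,
# or whose DLL carries no Microsoft version information.
$KnownNetsvcs = @(   # ASSUMPTION: sample of stock netsvcs members; varies by OS
    'AppMgmt','AudioSrv','Browser','CryptSvc','DMServer','EventSystem','HidServ',
    'Ias','Iprip','Irmon','LanmanServer','LanmanWorkstation','Messenger','Netman',
    'Nla','Ntmssvc','NWCWorkstation','Nwsapagent','Rasauto','Rasman','Remoteaccess',
    'Schedule','Seclogon','SENS','Sharedaccess','SRService','Tapisrv','Themes',
    'TrkWks','W32Time','WZCSVC','Wmi','WmdmPmSp','winmgmt','wscsvc','xmlprov',
    'BITS','wuauserv','ShellHWDetection','helpsvc','uploadmgr','ERSvc'
)

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
# REG_MULTI_SZ comes back as a string array, one service name per element.
$netsvcs = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs

foreach ($name in $netsvcs) {
    $reasons = @()
    if ($KnownNetsvcs -notcontains $name) { $reasons += 'not in baseline' }

    # Step 3 of the post: the infection removes permissions on its key, so a
    # read failure here is itself a signal worth reporting.
    $params = $null
    try {
        $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters" -ErrorAction Stop
    } catch {
        $reasons += "cannot read Parameters key ($($_.Exception.GetType().Name))"
    }

    if ($params -and $params.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        if (-not (Test-Path -LiteralPath $dll)) {
            # Matches the "hidden dll" symptom in step 5; confirm with gmer.
            $reasons += "ServiceDll not visible on disk: $dll"
        } else {
            # Heuristic: stock svchost DLLs carry Microsoft version info.
            $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
            if ($company -notlike 'Microsoft*') {
                $reasons += "ServiceDll without Microsoft version info: $dll"
            }
        }
    }

    if ($reasons.Count -gt 0) { '{0,-28} {1}' -f $name, ($reasons -join '; ') }
}
```

Run it from an elevated prompt; a service that appears at the end of the list with both "not in baseline" and "cannot read Parameters key" is the case the post describes, and its name is what you would then use in steps 3 and 6.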


A. Elshafei

1 comment:

  1. This might be confusing for your average PC user, wouldn't it be better if I just installed an Anti-Malware like MalwareFox and be done with it in one/two clicks?
