Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta. The latest variant will begin checking for a payload to download on April 1, 2009. [wiki]

The news report I got was from CNN regarding the Conficker C computer worm which is expected to activate on April Fool’s Day (April 1, 2009).

Those infections haven’t spawned many symptoms, but on April 1 a master computer is scheduled to gain control of these zombie machines, said Don DeBolt, director of threat research for CA, a New York-based IT and software company.

…

The program could delete all of the files on a person’s computer, use zombie PCs — those controlled by a master — to overwhelm and shut down Web sites or monitor a person’s keyboard strokes to collect private information like passwords or bank account information, experts said.

The Tech Herald is on the same note regarding the Conficker.

“This worm, detected as Win32/Conficker.C, is getting ready for April Fool’s Day on 1 April, although it definitely won’t be fooling around. On that day, Conficker.C will commence its attempt to generate 50,000 URLs daily and try to access (download or report back to) 500 of them. It is a clever strategy, but the security industry is certainly on the lookout.”

Conficker A was reportedly released around November 2008. While Conficker B evolved around January 2009. Conficker C is the latest version of this worm which most systems now are already affected, and is said to activate on April 1, 2009.

I have already posted a similar topic a couple of days ago titled “How to remove the jwgkvsq.vmx worm virus” which was when I started to notice the virus in our network, it was the Conficker worm. I dismissed it as an ordinary virus. But it seems that it has been spreading around a lot lately. Now its security level is ‘highly dangerous’.

Symptoms to check if your computer is infected with this:

• Show all hidden files and folders are not working
• Can’t access anti-virus websites like: Bitdefender.com Symantec.com, and patch sites like Microsoft.
• The existence of a file named: jwgkvsq.vmx inside the RECYCLED folder.
• Creates autorun.inf files on USB devices plugged in an infected machine. Also other viruses does this.
• Account lockout policies being reset automatically.
• Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
• Domain controllers respond slowly to client requests.
• System network gets unusually congested. This can be checked with network traffic chart on Windows Task Manager.
• Launches a brute force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.

Remove the virus:

Some of the well-known security companies came up with tools for removing the Conficker/Downandup worm virus. Removal tools can be freely downloaded from any of the following security sites:

• Microsoft
• BitDefender
• ESET
• Symantec
• Sophos
• Kaspersky Lab
• McAfee Anti-virus with updated detections can remove this by scanning your system.
• AVG can also remove it via system scan, if you have it installed and updated.

How to remove the Conficker/Downandup worm virus?

1. Download Conficker/Downandup removal tools from the given sites above.
2. Disconnect from the internet, and remove any network cables at the back of your PC/laptop, and also remove any plugged-in USB devices.
3. Login as Administrator on your computer, or any account that has administrator privileges.
4. Run the removal tool. My recommendation is to use the removal tools from BitDefender (quick scan) and Symantec (thorough scan). But if you are not content, just run all the removal tools for greater detection.Simple-case: The removal tool will detect and remove the Conficker worm and ‘may’ require that you restart your computer.
   Extreme-case: The removal tool won’t run because the virus is preventing it from running. Quick solution:
   1. Open task manager (CTRL+ATL+DEL)
   2. Terminate (End) the process with these names: explorer.exe and svchost.exe
   3. A countdown timer will appear requiring you to restart your computer. DO NOT DO ANYTHING AT THIS POINT EXCEPT… Immediately run the BitDefender Tool (quick scan) so that it will remove the virus before your computer restarts.
   4. If the tool won’t still run, ‘end process’ all the svchost.exe and try running the removal tool again.

It only affects Windows system that aren’t patched with the latest update. Run autoupdate and patch your Windows. It is critical that these patches be installed:

Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (download for XP)

Microsoft Security Bulletin MS08-068 – Important
Vulnerability in SMB Could Allow Remote Code Execution (957097)
http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx (download for XP)

Microsoft Security Bulletin MS09-001 – Critical
Vulnerabilities in SMB Could Allow Remote Code Execution (958687)
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx (download for XP)

For manual download of patches for Windows XP and Vista go to http://www.softwarepatch.com/windows/

TAKE NOTE:

The virus spreads via network, so plugging your computer/laptop again through the network the virus may infect it if your software isn’t patched.

The virus also spreads via autorun.inf on USB devices, plugging an infected USB device may infect your computer.

For questions regarding the removal of this virus and other inquiries regarding the topic feel free to leave a comment, and I’ll get back to you.

Extra resources you may find useful:
Removing Downadup and Repairing [downadup.com]

If your computer is infected, you won’t be able to visit sites (error timed out) with these keywords on their domain name:

• virus
• spyware
• malware
• rootkit
• defender
• microsoft
• symantec
• norton
• mcafee
• trendmicro
• sophos
• panda
• etrust
• networkassociates
• computerassociates
• f-secure
• kaspersky
• jotti
• f-prot
• nod32
• eset
• grisoft
• drweb
• centralcommand
• ahnlab
• esafe
• avast
• avira
• quickheal
• comodo
• clamav
• ewido
• fortinet
• gdata
• hacksoft
• hauri
• ikarus
• k7computing
• norman
• pctools
• prevx
• rising
• securecomputing
• sunbelt
• emsisoft
• arcabit
• cpsecure
• spamhaus
• castlecops
• threatexpert
• wilderssecurity
• windowsupdate
• nai.
• ca.
• avp.
• avg.
• vet.
• bit9.
• sans.
• cert.

Related Posts

• How to remove the ACROBAT.COM.EXE worm virus
• How to remove the jwgkvsq.vmx worm virus
• How to remove the lkhd.exe / cqtvs.exe virus

© Ryman for Techie Bubble, 2009. | Permalink | 5 comments
Post tags: anti-malware, anti-virus, Conficker, Downadup, removal, virus, worm
This Feed is for personal non-commercial use only. If you are not reading this material in your Feed Reader, News Aggregator, or RSS Reader, then the site you are looking at is guilty of copyright infringement. Please contact infinity@eternalmoonlight.net so we can take legal action immediately.

It also spreads via USB drives.

If you found a file with the name lkhd.exe or cqtvs.exe residing on your computer, or is running on a process (task manager), or in a startup program, it maybe a virus.

It is a variant of YDGP.EXE virus.

To remove the lkhd.exe or cqtvs.exe virus?
Just download and run the Prevx CSI scanner. It will remove any trace of the virus.

After downloading, installing, and running the program it will ask you for a purchase code to cleanup the infections it found. Don’t worry, you don’t have to pay, just navigate to the directory (in the report) where the infected file is located, and just delete it manually.

Related Posts

• Remove Conficker/Downadup/Kido worm virus before April 1, 2009
• How to remove the ACROBAT.COM.EXE worm virus
• How to remove the jwgkvsq.vmx worm virus

© Ryman for Techie Bubble, 2009. | Permalink | No comment
Post tags: cqtvs.exe, lkhd.exe, trojan, virus, ydgp.exe
This Feed is for personal non-commercial use only. If you are not reading this material in your Feed Reader, News Aggregator, or RSS Reader, then the site you are looking at is guilty of copyright infringement. Please contact infinity@eternalmoonlight.net so we can take legal action immediately.

How to remove the acrobat.com.exe virus?
Just download and run the Prevx CSI scanner. It will remove any trace of the virus.

After downloading, installing, and running the program it will ask you for a purchase code to cleanup the infections it found. Don’t worry, you don’t have to pay, just navigate to the directory (in the report) where the infected file is located, and just delete it manually.

Related Posts

• Remove Conficker/Downadup/Kido worm virus before April 1, 2009
• How to remove the jwgkvsq.vmx worm virus
• How to remove the lkhd.exe / cqtvs.exe virus

© Ryman for Techie Bubble, 2009. | Permalink | 2 comments
Post tags: Acrobat.com.exe, virus, worm
This Feed is for personal non-commercial use only. If you are not reading this material in your Feed Reader, News Aggregator, or RSS Reader, then the site you are looking at is guilty of copyright infringement. Please contact infinity@eternalmoonlight.net so we can take legal action immediately.

It is also known as:

• W32/Confi
• W32/Conficker.worm!inf
• Win32/Conficker.B – CA

It exploits Microsoft Windows vulnerability:
Microsoft Security Bulletin MS08-067 – Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008

Symptoms:

• ‘Show hidden files and folders’ doesn’t work. You can check this by going to a folder, then click Tools, then Folder Options, then View tab. Select the ‘Show hidden files and folders’ then click Apply, then Ok. Open Folder Options again, if it reverted back to ‘Do not show hidden files and folders’ then you have this virus.
• Evey time you plug in a USB device on your computer, it creates an autorun.inf file, and a RECYCLER folder with the jwgkvsq.vmx virus file.
• You can’t access anti-virus websites an other popular websites like microsoft.com or yahoo.com
• Windows won’t boot into Safe Mode. This happens on extreme cases. When you try to boot into Safe Mode, your computer restarts/shuts down

Side-effects

• Since this is a worm, system slowdown may (or may not) happen.
• Quickly spreads through networked computers and USB devices. Which includes flash drives, portable external hard drives, mobile phones, mp3 players, and anything that can be plugged into a USB port.
• Won’t let you access some websites.

Now let’s go back to the topic. Remember that this guide will only help you remove the jwgkvsq.vmx virus.

Click through the link to continue…

Here is a quick step to remove this virus from your computer, and from your USB devices.

Preparation:

• Download FixDownadup.exe from Symantec.com
• Download anti-Downadup-EN.zip from BitDefender.com (just in case the first one doesn’t work).
• Download Process Explorer and AutoRuns from Sysinternals (we may or may not use this).
• Download MoSo Force Delete (just in case we need to delete something that can’t be deleted).

Now let’s start…

Removing the jwgkvsq.vmx virus from your computer

1. Disconnect your computer from the network, if it is connected. Removing the network cable from your PC should do the trick.
2. Just run the FixDownadup.exe we downloaded from Symantec. It should clean the virus of the PC. This works if the infection is in a low-level state. Meaning you have anti-virus software already running and the infection is isolated.
3. After scanning you should see a report popup, and an option to go to Microsoft website to patch your computer with a critical security update.
4. Restart your computer. When you’re back on the desktop, check your programs/softwares if it is still running.
5. Turn of System Restore to delete all entries, which sometimes contains remnants of the virus. To do this:
   1. Right-click My Computer, select Properties.
   2. Click System Restore tab.
   3. Check ‘Turn off System Restore on all drives’. Click Apply, then Ok.
   4. Restart your computer.
   5. Then, uncheck ‘Turn off System Restore on all drives’ to enable it again.

Removing the jwgkvsq.vmx virus from your USB device

1. First. Start your computer on Safe Mode
   1. Shut down your computer
   2. Turn it back on, before the Windows loading screen comes up, press F8. Or just press it repeatedly after starting your computer
   3. Select Safe Mode on the menu by pressing the arrow keys and hitting Enter.
2. Plug your USB device. Notice that the autorun.inf won’t run in safe mode.
3. Enable the ‘Show hidden files and folders’. Instructions are listed on the Symptoms section above.
4. Delete autorun.inf file. It is usually located on the root of the USB drive.
5. Delete the hidden/system folder RECYCLER.
   1. If you can’t delete it, you have to disable it’s function (for external/portable hard drives). Right-click on the Recycle Bin icon on your desktop, then select Properties. Select ‘Configure drives independently’. Then tab to the external drive, and check ‘Do not move files to the Recycle Bin.’ Hit Apply, then Ok’
   2. If it is a flash drive or other USB device, use MoSo Force Delete, we’ve downloaded earlier on this guide.

Just in case the virus registered itself on the registry. Open the Run dialog box from the start menu, then type regedit. Then search for the file name jwgkvsq.vmx. If you found an entry, just press DEL to delete it.

If your computer is in a network, better check all the other computers connected to it. Also download and install the automatic update (Microsoft vulnerability) which I’ve posted at the beginning of this post.

In extreme cases, your computer won’t initiate Safe Mode and after using the removal tool above, your system may report a missing .dll file or something.

Credits (and for reference refer) to these two sites:
http://tuxvoid.blogspot.com/
http://arpeex.blogspot.com/

For any additional support or inquiry regarding this problem, just leave a comment here, and I’ll reply as soon as I can.

Related Posts

• Remove Conficker/Downadup/Kido worm virus before April 1, 2009
• How to remove the ACROBAT.COM.EXE worm virus
• How to remove the lkhd.exe / cqtvs.exe virus

© Ryman for Techie Bubble, 2009. | Permalink | 23 comments
Post tags: jwgkvsq.vmx, network virus, USB virus, virus, W32/Confi, worm
This Feed is for personal non-commercial use only. If you are not reading this material in your Feed Reader, News Aggregator, or RSS Reader, then the site you are looking at is guilty of copyright infringement. Please contact infinity@eternalmoonlight.net so we can take legal action immediately.