This post is part of a project to move my old reference material to my blog. Before 2012, when I accessed the same pieces of code or general information multiple times, I would write a quick HTML page for my own reference and put it on a personal site. Later, I published these pages online. Some of the pages still get used and now I want to make them available on my blog.
Photo by Denys Nevozhai
Positively Identify
Make sure the system is infected with Conficker before treating for it. There is a good chance the system is infected if the following sites cannot be accessed:
Also, http://www.confickerworkinggroup.org/infection_test/cfeyechart.html may be a helpful resource in identifying Conficker.
Stop Spreading
Remove Network Access
Once you’re sure the problem is the Conficker virus, disconnect the system from any networks it may be attached to. If you have a wired connection, unplug the network cable. If you have a wireless connection, turn off or unplug the router.
Disable Autoplay
Click Start
Click Run
Type gpedit.msc and press Enter
In the window that opens, expand Administrative Templates under Computer Configuration
Click System
In the right pane, double-click Turn off Autoplay
In the window that opens, select Enabled and click OK
Gather Resources
Use a computer that is not infected to download Symantec’s removal tool at: http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
Transfer the downloaded file to the infected computer. You will have to use some media such as a burned CD-ROM or a USB flash drive.
Note: If you use a flash drive, the virus will spread itself to the flash drive as soon as you insert it. It is important not to insert the flash drive into any other PC until it is cleaned. See the section below titled Clean an Infected Flash Drive.
Scan and Remove Virus
On the infected system, run the removal tool you downloaded. It will ask you to accept an agreement and then start the scan. Let it run for as long as needed.
When it completes, follow the instructions given by the tool. You may need to restart your machine.
Protect Yourself
When the removal process is finished, open Internet Explorer and visit http://update.microsoft.com and install any priority updates. You may have to restart many times throughout the process. After each restart, visit Microsoft Update again until there are no more priority updates to install.
Clean and Infected Flash Drive
As long as your computer has the latest updates from Microsoft (covered in the Protect Yourself section) and autoplay is disabled (covered in the Stop Spreading section), you can safely use it to clean an infected flash drive.
Clean
Insert the drive
Transfer any files or folders on the drive that you may want to keep to the computer
Open My Computer
Right-click the drive
Click Format…
In the window that appears, click Start
You may want to repeat these steps for any flash drive you own.
Protect
Conficker spreads by creating/modifying the autorun.inf file on the root of a flash drive. You can protect a drive by preventing the creation of this file. All you have to do is create a folder called autorun.inf. With that done, it is impossible to create a file with the name autorun.inf. You may want to make the folder read-only:
Right-click the folder
Click Properties
Check Read Only
Click OK
Go a Step Further
You can further scan your system for more infections by using Microsoft’s removal tool: Click Start, Run, type mrt and press Enter, follow the steps. You can also scan for spyware using Spybot.