Tuesday, February 24, 2009

How to remove Conficker B++ ?

Conficker, also known as Downadup or Kido, has infected 10.5 million computers around the world across all of its variants. The Conficker B++ variant may pose a much more serious threat: it was only discovered in mid February 2009 by SRI International, and it carries a new method for receiving updates that does not depend on the Internet rendezvous points the previous Conficker variants were programmed to use.

Conficker B++ is somewhat similar to Conficker B: 294 of its 297 subroutines are the same, and it adds 39 new subroutines. The latest variant, first spotted on 16 February, is even sneakier than its previous incarnations, SRI explains.

Conficker B++ is no longer limited to reinfection by similarly structured Conficker DLLs; it can now push new self-contained Win32 applications. These executables can infiltrate the host using methods that the latest anti-Conficker security applications do not detect.

The malware also creates an additional backdoor on compromised machines, making for an altogether trickier infectious agent, SRI explains.

In Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction.

Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the Internet rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker's authors to move away from a reliance on Internet rendezvous points to support binary updates, and toward a more direct flash approach.

SRI reckons that Conficker-A has infected 4.7m machines, at one time or another, while Conficker-B has hit 6.7m IP addresses. These figures, as with previous estimates, come from an analysis of the number of machines that have ever tried to call into malware update sites. The actual number of infected hosts at any one time is lower than that. SRI estimates the botnet controlled by Conficker-A and Conficker-B is around 1m and 3m hosts, respectively, or a third of the raw estimate.

Conficker B++ Manual Removal Instructions

This manual removal method is for techie computer users. Removing Conficker B++ by hand may be difficult and time consuming, and there’s no guarantee that Conficker B++ will be removed completely. So read the Conficker B++ removal steps carefully, and good luck.

Before you start: Close all programs and Internet browsers. Also back up your computer in case you make a mistake and your computer stops working.

1. Uninstall Conficker B++ Program
Click on Start > Settings > Control Panel > Double-click on Add/Remove Programs. Search for and uninstall Conficker B++ if found.

2. To stop Conficker B++ processes
Go to Start > Run > type taskmgr. Then click the Processes tab and you’ll see a list of running processes.
Search for and stop these Conficker B++ processes:
services.exe
svchost.exe
explorer.exe

For each unwanted process, right-click on it and then select “End task”.

3. To Unregister Conficker B++ DLLs
Search for and unregister these Conficker B++ DLLs:
%All Users Application Data%\[RANDOM].dll
%Program Files%\Internet Explorer\[RANDOM].dll
%Temp%\[RANDOM].dll
%Program Files%\Movie Maker\[RANDOM].dll
%System%\[RANDOM].dll

To locate the Conficker B++ DLL path, go to Start > Search > All Files or Folders. Type Conficker B++ and, in the Look in: box, select either My Computer or Local Hard Drives. Click the Search button.
Once you have the Conficker B++ DLL path, go to Start and then click on Run. In the Run command box, type cmd, and then click on OK.
To move to the directory that contains the DLL, type cd followed by the directory path. To display the contents of the directory, use the dir command. To unregister the DLL file, type regsvr32 /u FILENAME.dll (FILENAME is the name of the file that you want to unregister).

4. To remove Conficker B++ registry keys
Go to Start > Run > type regedit > press OK.
To delete a value, right-click on it in the right pane; the context menu offers the Modify and Delete options. Select Delete.
Search for and delete these Conficker B++ registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" = dword:0x00FFFFFE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
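The services.exe, svchost.exe and explorer.exe processes named in step 2 are core Windows processes, and step 4 shows why the worm hides behind one of them: its service is registered with an ImagePath of svchost.exe -k netsvcs and a ServiceDll pointing at the worm. The following PowerShell triage script is an added example, not code from the original post or from SRI or SpyWareTechie. It walks every service hosted by svchost.exe -k netsvcs, reports the ones whose ServiceDll sits outside System32 or inside one of the directories listed in step 3, and names the svchost.exe process ID that hosts it, so steps 2 through 4 can be applied to that one service and DLL rather than to every process of that name. It also reports whether the TcpNumConnections value from step 4 is explicitly present. The function names, the directory list and the assumption that a legitimate netsvcs member keeps its DLL under System32 are mine; it assumes an administrator prompt on PowerShell 2.0 or later.

```powershell
# Added triage script (not part of the original post). Assumptions: Windows XP
# or later, PowerShell 2.0+, run from an administrator prompt. The worm's
# service name and DLL name are random, so nothing here guesses them.

function Get-SuspectNetsvcsServices {
    # Directories from step 3 where the [RANDOM].dll is said to be dropped.
    $suspectDirs = @(
        (Join-Path $env:ALLUSERSPROFILE 'Application Data'),  # %All Users Application Data% on XP
        $env:ProgramData,                                      # Vista+ equivalent; $null on XP
        (Join-Path $env:ProgramFiles 'Internet Explorer'),
        (Join-Path $env:ProgramFiles 'Movie Maker'),
        $env:TEMP,
        (Join-Path $env:windir 'Temp')
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }

    $system32    = (Join-Path $env:windir 'system32').ToLower()
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if (-not $svc) { return }
        # Only services hosted the way step 4 describes: svchost.exe -k netsvcs
        if ([string]$svc.ImagePath -notmatch 'svchost\.exe\s+-k\s+netsvcs') { return }

        $params = Get-ItemProperty (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { return }

        # ServiceDll is normally REG_EXPAND_SZ (%SystemRoot%\...); expand it so it
        # can be compared with real directories and checked on disk.
        $dll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
        $dir = ([string](Split-Path $dll -Parent)).TrimEnd('\').ToLower()

        $reason = $null
        if ($suspectDirs -contains $dir) { $reason = 'ServiceDll in a directory listed in step 3' }
        elseif ($dir -ne $system32)      { $reason = 'ServiceDll outside System32' }
        if (-not $reason) { return }

        # Map the service to the svchost.exe instance that currently hosts it
        # (ProcessId is 0 when the service is not running).
        $name    = $_.PSChildName
        $wmi     = Get-WmiObject Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $hostPid = 0
        if ($wmi) { $hostPid = [int]$wmi.ProcessId }

        New-Object PSObject -Property @{
            Service    = $name
            ServiceDll = $dll
            OnDisk     = (Test-Path -LiteralPath $dll)
            HostPid    = $hostPid
            Reason     = $reason
        }
    }
}

function Get-TcpNumConnectionsSetting {
    # Step 4 lists Tcpip\Parameters\TcpNumConnections = 0x00FFFFFE. The value is
    # absent on a default install, so its explicit presence is the thing to note.
    $tcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $tcp    = Get-ItemProperty $tcpKey -ErrorAction SilentlyContinue
    $prop   = $null
    if ($tcp) { $prop = $tcp.PSObject.Properties['TcpNumConnections'] }

    if ($prop) {
        New-Object PSObject -Property @{ Present = $true;  Value = ('0x{0:X8}' -f $prop.Value) }
    } else {
        New-Object PSObject -Property @{ Present = $false; Value = $null }
    }
}

# Usage: run both checks and print the findings.
Get-SuspectNetsvcsServices | Format-Table Service, HostPid, OnDisk, Reason, ServiceDll -AutoSize
Get-TcpNumConnectionsSetting | Format-List Present, Value
```

On a clean machine every netsvcs member's DLL lives under System32 and TcpNumConnections is not set, so any row in the first table, and Present = True in the second, is worth a closer look. The HostPid column identifies which svchost.exe instance to examine or end in step 2, and the ServiceDll column gives the exact path to use with regsvr32 /u in step 3 and the {random} service key to delete in step 4.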

5. If your homepage has been changed, go to Start > Control Panel > Internet Options > click on the General tab > click Use Default under Home Page. Enter your desired default homepage, then click Apply > click OK. Open a new web browser to check that you have your desired default homepage.

6. Remove Conficker B++ Directories.
To find Conficker B++ directories, go to Start > My Computer > Local Disk (C:) > Program Files > Show the contents of this folder.

Right-click on the Conficker B++ folder and select Delete.

A message will appear saying ‘Are you sure you want to remove the folder Conficker B++ and move all its contents to the Recycle Bin?’, click Yes.
Another message will appear saying ‘Renaming, moving or deleting Conficker B++ could make some programs not work. Are you sure you want to do this?’, click Yes.

7. To remove Conficker B++ icons on your Desktop, drag and drop them to the Recycle Bin.

You’ve completed the Conficker B++ manual removal instructions!
I hope this article has helped you solve your Conficker B++ problems. If you want to contribute to this article, post your comment below.

Conficker B++ Automatic Removal Instructions (By spyware)

This automatic removal method is for non-techie computer users. If you’re too lazy to learn about spyware removal or how to access sensitive files in your computer, then this is the method for you.

Before you start: Print or bookmark these instructions because you’ll have to reboot into Safe Mode. Also back up your computer in case you make a mistake.

1. Download and save SmitFraudFix to your desktop.

2. Restart your computer in Safe Mode. Once the desktop appears, double click on the SmitfraudFix.exe on your desktop.

3. After the credits screen, you’ll see a menu. Select option number 2, which is ‘Clean (safe mode recommended)’, and then press Enter to delete infected files.

4. SmitFraudFix will begin cleaning your computer and run a series of cleanup processes. When the process is over, it will automatically start the Disk Cleanup program.

5. Once the Disk Cleanup program is complete, you will be prompted with the message ‘Registry cleaning - Do you want to clean the registry’. Answer Y (Yes) and hit Enter. Reboot your computer.

6. SmitFraudFix will now check if wininet.dll is infected. SmitFraudFix will ask you whether to replace the infected file (if there’s any): ‘Replace infected file?’ Answer by typing Y (Yes) and hit Enter.

7. Reboot your computer to complete the cleaning process.

8. After reboot, a Notepad screen may appear containing a log of all the files removed from your computer. If it doesn’t appear, a file called rapport.txt will have been created in the root of your drive (Local Disk C:).

9. Restart your computer in Safe Mode.

10. Go to C:\Windows\Temp, click Edit, click Select All, press DELETE, and then click Yes to confirm that you want all the items to go to the Recycle Bin.

11. Go to C:\Documents and Settings\[LISTED USER]\Local Settings\Temp, click Edit, click Select All, press DELETE, and then click Yes to confirm that you want all the items to go to the Recycle Bin.

12. Reboot your computer back to normal mode. Go to Windows Update and download all critical updates.

Disclaimer: This article is for educational purposes. By using this information you agree to be bound by the disclaimer. There’s no guarantee that Conficker B++ will be completely removed from your computer. Seek professional help if your computer continues to experience problems.


Via [SpyWareTechie, Schneier, Hackinthebox, Chainscriptz]

Copyright 2008 All Rights Reserved Design by ~NeeR~