Procedimento para removê-lo
Manual steps to remove the Conficker.b variant
2. Stop the Server service. This removes the Admin shares from the system so that the malware cannot spread by using this method.
3. Remove all AT-created scheduled tasks. To do this, type AT /Delete /Yes at a command prompt.
4. Stop the Task Scheduler service.
5. Download and manually install security update 958644 (MS08-067). For more information, visit the following Microsoft Web site:
6. Reset any Local Admin and Domain Admin passwords to use a new strong password. For more information, visit the following Microsoft Web site:
7. In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
8. In the details pane, right-click the netsvcs entry, and then click Modify.
10. Delete the line that contains the reference to the malware service. Make sure that you leave a blank line feed under the last legitimate entry that is listed, and then click OK.
Note All the entries in the following list are valid. Do not delete any of these entries. The entry that must be deleted will be a randomly generated name that is the last entry in the list.
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
EventSystem
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Sacsvr
Schedule
Seclogon
SENS
Sharedaccess
Themes
TrkWks
TrkSvr
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wuauserv
BITS
ShellHWDetection
uploadmgr
WmdmPmSN
xmlprov
AeLookupSvc
helpsvc
axyczbfsetg
11. Restrict permissions on the SVCHOST registry key so that it cannot be written to again. To do this, follow these steps.
Notes
* You must restore the default permissions after the environment has been fully cleaned.
* In Windows 2000, you must use Regedt32 to set registry permissions.
1. In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
2. Right-click the Svchost subkey, and then click Permissions.
3. In the Permissions Entry for SvcHost dialog box, click Advanced.
4. In the Advanced dialog box, click Add.
5. In the Select User, Computer or Group dialog box, type everyone, and then click Check Names.
6. Click OK.
7. In the Permissions Entry for SvcHost dialog box, select This key only in the Apply onto list, and then click to select the Deny check box for the Set Value permission entry.
8. Click OK two times.
9. Click Yes when you receive the Security warning prompt.
10. Click OK.
12. In a previous procedure, you noted the name of the malware service. In our example, the name of the malware entry was "gzqmiijz". Using this information, follow these steps:
1. In Registry Editor, locate and then click the following registry subkey, where BadServiceName is the name of the malware service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
For example, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gzqmiijz
2. Right-click the subkey in the navigation pane for the malware service name, and then click Permissions.
3. In the Permissions Entry for SvcHost dialog box, click Advanced.
4. In the Advanced Security Settings dialog box, click to select both of the following check boxes:
Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.
Replace permission entries on all child objects with entries shown here that apply to child objects
13. Press F5 to update Registry Editor. In the details pane, you can now see and edit the malware DLL that loads as "ServiceDll" To do this, follow these steps:
1. Double-click the ServiceDll entry.
2. Note the path of the referenced DLL. You will need this information later in this procedure. For example, the path of the referenced DLL may resemble the following:
%SystemRoot%\System32\emzlqqd.dll
Rename the reference to resemble the following:
%SystemRoot%\System32\emzlqqd.old
3. Click OK.
14. Remove the malware service entry from the Run subkey in the registry.
1. In Registry Editor, locate and then click the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. In both subkeys, locate any entry that begins with "rundll32.exe" and also references the malware DLL that loads as "ServiceDll" that you identified in step 13b. Delete the entry.
3. Exit Registry Editor, and then restart the computer.
15. Check for Autorun.inf files on any drives on the system. Use Notepad to open each file, and then verify that is a valid Autorun.inf file. The following is an example of a typical valid Autorun.inf file.
[autorun]
shellexecute=Servers\splash.hta *DVD*
icon=Servers\autorun.ico
A valid Autorun.inf is typically 1 to 2 kilobytes (KB).
16. Delete any Autorun.inf files that do not seem to be valid.
17. Restart the computer.
18. Make hidden files visible. To do this, type the following command at a command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f
19. Set Show hidden files and folders so you can see the file. To do this, follow these steps:
1. In step 13b, you noted the path of the referenced DLL file for the malware. For example, you noted a path that resembles the following:
%systemroot%\System32\emzlqqd.dll
In Windows Explorer, open the %systemroot%\System32 directory, or the directory that contains the malware.
2. Click Tools, and then click Folder Options.
3. Click the View tab.
4. Select the Show hidden files and folders check box.
5. Click OK.
20. Select the DLL file.
21. Edit the permissions on the file to add Full Control for Everyone. To do this, follow these steps:
1. Right-click the DLL file, and then click Properties.
2. Click the Security tab.
3. Click Everyone, and then click to select the Full Control check box in the Allow column.
4. Click OK.
22. Delete the referenced DLL file for the malware. For example, delete the %systemroot%\System32\emzlqqd.dll file.
23. Enable the BITS, Automatic Updates, Error Reporting, and Windows Defender services by using the Services Microsoft Management Console (MMC).
24. Turn off Autorun to help reduce the effect of any reinfection. To do this, follow these steps:
1. Depending on your system, install one of the following updates:
* If you are running Windows 2000, Windows XP, or Windows Server 2003, install update 967715. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
967715 (
http://support.microsoft.com/kb/967715/ ) How to correct "disable Autorun registry key" enforcement in Windows
* If you are running Windows Vista or Windows Server 2008, install security update 950582. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
950582 (
http://support.microsoft.com/kb/950582/ ) MS08-038: Vulnerability in Windows Explorer could allow remote code execution
Note Update 953252 and security update 950582 are not related to this malware issue. These updates must be installed to enable the registry function in step 24b.
2. Type the following command at a command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
25. If the system is running Windows Defender, re-enable the Windows Defender autostart location. To do this, type the following command at the command prompt:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe –hide" /f
26. For Windows Vista and later operating systems, the malware changes the global setting for TCP Receive Window Auto-tuning to disabled. To change this setting back, type the following command at a command prompt:
netsh interface tcp set global autotuning=normal
Verify that the following services are started:
* Automatic Updates (wuauserv)
* Background Intelligent Transfer Service (BITS)
* Windows Defender (windefend) (if applicable)
* Windows Error Reporting Service
To verify the status of the SvcHost registry subkey, follow these steps:
1. In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
2. In the details pane, double-click netsvcs, and then review the service names that are listed. Scroll down to the bottom of the list. If the computer is reinfected with Conficker.b, a random service name will be listed. For example, in this procedure, the name of the malware service is "gzqmiijz".
After the environment is fully cleaned, do the following:
* Re-enable the Server service.
* Restore the default permissions on the SVCHOST registry key.
* Update the computer by installing any missing security updates. To do this, use Windows Update, Microsoft Windows Server Update Services (WSUS) server, Systems Management Server (SMS), System Center Configuration Manager (SCCM), or your third-party update management product. If you use SMS or SCCM, you must first re-enable the Server service. Otherwise, SMS or SCCM may be unable to update the system.