Conficker keeps coming back

Posted on


I hadn’t run into anyone who actually got this virus until recently when dealing with a new client that didn’t believe in patching their systems and consquently have been hit with this pest.

I was under the impression that if you have KB958644 installed and ran the latest malicious software removal tool that conficker would be squashed. I have several systems that are fully patched, MSRT has removed the virus yet the bugger keeps coming back. This has even happened to a file server and a Domain Controller.

What am I missing here? They are running AVG which I used to recommend but I have been doubting it’s effectiveness over the past year or so.


1- Have you turned off system restore and then run a virus scan? Disable system restore and check that windows update services are running.

2- Download Microsoft Security Essentials antivirus and run in conjunction with AVG. Do not restart your computer before scanning.

3 -Boot into safemode and check your registry for localhost and localcomputer, runonce sections. remove strange .dll instances from here.

4- Attempt an online scan from Trend Micro or other.

There may be another system on the network re-infecting the systems. Conficker has been known to be unusually difficult to counter because of its malware uses.

Agree, free version of AVG dubious. Run both MS security essentials and see what you come up with.

read this link

Conficker is an extremely hard worm to counter because of its combined use of many advanced malware techniques. There are several ways Conficker can propagate, and if any of them are not secured on your network, the worm will be able to spread freely. A list of the Conficker variants A-E is available on its Wikipedia page.

There’s also a part about Conficker removal and detection on its Wikipedia page that recommends off- and online scanners that claim to be able to detect and remove the worm. There are two versions of Conficker (D and E) that also kill known anti-malware programs. It’s possible that the AVG had already been disabled before the patch had been applied.

A simplified diagram that shows the most common propagation routes of Conficker:

enter image description here

This gives a very good rundown:

Symantec has a conficker removal tool which I have tested and used. You can get it from following link:

  • Get the Symantec tool and the patch from the Microsoft (security update 958644 (MS08-067)) on the infected machine and then remove the machine from the network. You may have to use an uninfected machine to download the tool and the patch as the worm tries to block access to AV vendor and Microsoft sites.
  • Run the Symantec tool to remove the worm.
  • After the conficker worm is removed, install the Microsoft windows patch.

This is important as the worm can infect the machine again if it remains on the network. Only after the patch is installed, should the machine be connected back to the network.

Leave a Reply

Your email address will not be published. Required fields are marked *