Your best source of information and news about xp, xp and drivers on the internet

Vista ARTICLES TOP 50 Spyware Virus Vista SOFT Vista HELP

BITS

You are currently browsing the articles from MS Windows Vista Compatible Software matching the category BITS.

Manual Removal of W32/Conficker Worm

Manual Removal of W32/Conficker Worm
W32/Conficker is a worm. The worm will infect Windows systems.
This worm first appeared on March 26, 2009.
Other names of W32/Conficker Worm:
This Worm is also known as Win32/Downadup, W32/Kido, W32/Conflicker and W32/Pakes
W32/Conficker worm has exploited most of the malware entry points available in the Operating System and exploited to its benefit. Once the computer infected by the worm enters, it alters all the pre-requisite registry location to spread through Network, removable drives (USB sticks). The Worm can enter user’s system in multiple ways, it may be through network with Admin$ share (brute force dictionary attack), systems with unsecured shares, systems not patched with vulnerability or USB drive etc. Due to this even though user follows the safe computing practice, system may get infected.


The worm attempts to create a HTTP Server and open a random port between 1024 and 10000 in the victim computer. On successful creation of the HTTP Server, the worm downloads the copy of itself to the victim computer. The worm also resets the Restore point. Most of the Variants of the Conficker worm will trigger the payload on April 1. Though Security industries are conducting lot of research on the payload, the exact payload and the damage it can create on April 1st is still a mystery.

Infection symptoms: 

  • Access to Admin shares are denied
  • Scheduled tasks are created
  • Acess to security related websites is denied
  • Access to Windows Updates site is denied
  • Network response will become considerably slow
  • Domain controllers respond slowly to client request

Damage Level : Medium/High
Distribution Level: Medium
Removal Patch for W32/Conficker Worm By Microsoft
Removal Tool For W32/Conficker Worm By Protector Plus

W32/Conficker Worm Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.

The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • [ Kill the Process, Use Killbox if your Access Denied ]
Download W32/Conficker Worm Known File Removal Tool

[In Windows Vista Run As Administrator, After Execution System Will Restart]

  • %Windows\System\ [Random Name.dll ], [Random Name.tmp ]
  • %Programs Files\Internet Explorer\ [Random Name.dll ]
  • %Programs Files\Movie Maker\ [Random Name.dll ]
  • %All Users\Application Data\ [Random Name.dll ]
  • %Windows\Temp\ [Random Name.tmp ]
  • %Program Files\wizard.exe
    [ No Exact Information about Files, search above files in Program files Folder ]
    If you have any of these files in running process from task manger, end the process before removal.
    Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg [ Right Click - Save Target As/Linked Content As ]
    Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
W32/Conficker Worm Disabled Windows Services

  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Security Center
  • Windows Defender
  • Windows Error Reporting

W32/Conficker Worm also drops following files in the removable and mapped drives:

Folder - \RECYCLER\
root folder -\autorun.inf

The W32/Conficker Worm attaches itself to the following Windows processes:

  • svchost.exe
  • explorer.exe
  • services.exe

W32/Conficker Worm Entries Manual Removal From Registry

Click Start, Run,Type regedit,Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, [ Right Click - Save Target As/Linked Content As ]
     and then continue with the removal. Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The W32/Conficker Worm modifies registry at the following locations to ensure its automatic execution at every system startup:

Delete The Entries
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Delete file entry from right side
Search Registry For W32/Conficker Worm File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
Ultimate Links PC Tips

Written by FireFly on March 27th, 2009 with no comments.
Read more articles on W32/Conficker and Services.exe and worm removal and manual removal and BITS and otherSoftware and Windows.

Manual Removal of W32/Downadup.AL Worm

Manual Removal of W32/Downadup.AL Worm.
W32/Downadup.AL is a Worm. The worm will infect Windows systems.
This worm first appeared on January 19, 2009.
Other names of W32/Downadup.AL Worm:
This Worm is also known as Win32/Conficker, W32/Conficker.worm.gen, Mal/Conficker.
Read F-Secure Downadup.AL Details
Read Symantec Downadup.AL Details
Damage Level : Medium/High
Distribution Level: Medium
Symantec Removal Tool for W32/Downadup.AL Worm
F-Secure Removal Tool for W32/Downadup.AL Worm
Worm Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • [ Kill the Process, Use Killbox if your Access Denied ]
  • The Worm copies itself with the random name with *.dll extension in the following locations
  • %Windows System
  • %Programs Files\Internet Explorer
  • %Programs Files\Movie Maker
  • %All Users Application Data
  • %Windows Temp
    ———————————————
  • %System%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %All Users Application Data%\[Random].dll
  • %Temp%\[Random].dll
  • %System%\[Random].tmp
  • %Temp%\[Random].tmp
  • %DriveLetter\RECYCLER\[Folder]\[1fe.a3d][3 random characters]
  • %DriveLetter%\autorun.inf
  • The Worm copies itself with the random name with .tmp extension in the following locations
  • Windows System
  • Windows Temp
  • The worm disables the following services:
  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Security Center Service (wscsvc)
  • Windows Defender Service (WinDefend)
  • Windows Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)
  • The worm attempts to block the access to the following security sites which contain the following strings
  • virus, spyware, malware, rootkit, defender, microsoft, symantec, norton, mcafee, trendmicro, sophos, panda, etrust, networkassociates, computerassociates, f-secure, kaspersky, jotti, f-prot, nod32, eset, grisoft, drweb, centralcommand, ahnlab, esafe, avast, avira, quickheal, comodo, clamav, ewido, fortinet, gdata, hacksoft, hauri, ikarus, k7computing, norman, pctools, prevx, rising, securecomputing, sunbelt, emsisoft, arcabit, cpsecure, spamhaus, castlecops, threatexpert, wilderssecurity, windowsupdate, nai, ca, avp, avg, vet, bit9, sans, cert
    If you have any of these files in running process from task manger, end the process before removal.
    Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
    Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
Worm Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, and then continue with the removal.Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Worm modifies registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    “TcpNumConnections” = dword:0×00FFFFFE
  • The worm deletes a number of keys from the registry, in order to deactivate the Security Center Notifications and prevent Windows Defender from starting. It also bypasses the Windows Firewall by creating the following registry entry, so that the system can download a copy of the worm:
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, [PortNumber]:TCP = “[PortNumber]:TCP:*Enabled:[random]”
  • To hide its presence in the system, the worm deletes any System Restore points created by the user, then modifies the following registry keys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHO WALLCheckedValue = dword:00000000
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%
  • During infection, the worm may create a temporary (TMP) file in the the System or Temp folders. The TMP file created is registered as a service kernel driver using the following registry entry:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]
    Type = dword:00000001
    Start = dword:00000003
    ErrorControl = dword:00000000
    ImagePath = “\…\%Path%\[random].tmp”
    DisplayName = [Random]
  • Once the key is created, the file %MalwarePath%\[random].tmp is deleted.An interesting change the worm makes to the registry involves the following registry entries:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    DisplayName = %ServiceName%
    Type = dword:00000020
    Start = dword:00000002
    ErrorControl = dword:00000000
    ImagePath = “%SystemRoot%\system32\svchost.exe -k netsvcs”
    ObjectName = “LocalSystem”
    Description = %description%
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random]\Parameters
    ServiceDll = %Path%
Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on January 20th, 2009 with no comments.
Read more articles on W32/Downadup.AL and TMP and worm removal and manual removal and BITS and otherSoftware and Windows XP.

Important Update for Windows Vista: KB939159

UpdatesDescription: Install this update to resolve an issue in the Background Intelligenct Transfer Service (BITS).

Update type: Important

Release date: August 27, 2007

Applies to: All versions

Knowledge base: support.microsoft.com/kb/939159

Download link: 32-bit | 64-bit

Comments: When updates are being downloaded from Windows Update on a Windows Vista-based computer, you may experience the following symptoms:

  • A dialog box appears that indicates that the host process for Windows Services has stopped working.
  • After you restart the computer, you receive the following error message in a Windows Update dialog box:

    Some Updates were not installed
    Failed: xx updates
    Error(s) Found:
    Code 800706BA

  • An event that resembles the following is logged in the Application log:

    Event Type: Error
    Event Source: Application Error
    Event Category: None
    Event ID: 1000
    Date: date
    Time: time
    Computer: computer name
    User: N/A
    Description: Faulting application svchost.exe_BITS, version 6.0.6000.16386, time stamp 0×4549adc4, faulting module qmgr.dll, version 7.0.6000.16386, time stamp 0×4549bd9f, exception code 0xc0000005

This problem occurs because the Background Intelligent Transfer Service (BITS) state files are corrupted. This problem stops the host process for Windows Services. This behavior prevents you from using BITS to transfer files.

KB939159

Written by Joe on August 28th, 2007 with 1 comment.
Read more articles on BITS and Updates.