Your risk of exposure to the Win32/Conficker threat is due to a Microsoft operating system vulnerability (Microsoft released a patch for this vulnerability in October 2008). To help avoid infection caused by Microsoft operating system vulnerabilities, make sure your computer (and all computers on your network) is always up to date with the latest Microsoft Windows updates. You can find the latest updates at http://update.microsoft.com/.
To protect yourself from Conficker, follow the step-by-step instructions in this article.
You may want to disable the Autorun and Autoplay features in your Windows system to prevent malicious software makers from abusing these security flaws. USB drives and other removable media, which Autorun/Autoplay accesses by default each time you connect them to your computer, are the most frequently used virus carriers these days.
Microsoft Windows Autorun and Autoplay are features that were at first intended to simplify running CD content by automatically:
(i) executing the Autorun.inf file (and whatever possible malicious instructions it contains) - Autorun vulnerability
(ii) opening a pop-up window with available actions (some of which may be hostile triggers taken over from a malicious Autorun.inf) - Autoplay vulnerability
If you need to undo the changes you have made following the instructions in section B (above), right-click this link to download the ReenableAutorun.reg file and repeat the instructions from section B (above), only this time use the ReenableAutorun.reg file.
Disconnect the infected computer from the network and the internet.
Use an uninfected PC to download the respective Windows patches from section A above. Install all patches.
Reset the passwords of your system's admin accounts, replacing them with more sophisticated ones. Note that the infiltration can spread through shared folders.
(i.) Press CTRL+ALT+DELETE, and then click Change password...
(ii.) Type your old password, type your new password, type your new password again to confirm it, and then press ENTER.
Download a one-off ESET application (again, using a non-infected PC) which will remove the worm. If you do not have an ESET product (3.0 or later) installed, you can download (using a non-infected PC) and run our free stand-alone cleaner:
Download and install the latest version of your ESET software.
To verify that the standalone cleaner removed the Conficker threat, rerun the standalone cleaner and then run a scan with your ESET product.
After successfully running the ESET standalone cleaner, we recommend that you read the following Microsoft article for information about important security patches and recommended group changes:
For maximum protection against future threats, make sure your operating system is patched according to Microsoft's recommendations and that your ESET product is up to date.
Run the ESET Conficker Removal Tool on each machine:
at /delete /yes
If the above steps do not resolve the issue, reset all passwords and then perform the following steps to identify which machines are still attempting to spread the infection:
Turn on auditing of failed Logon Events:
On your Domain Controllers, click Start → Administrative Tools → Domain Controller Security Policy.
Navigate to Security Settings → Local Policies → Audit Policy → Audit Logon Events.
Ensure that Audit Logon Events is set to record all Success and Failure events.
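One way to use the audit data once failed logon events are being recorded, shown as an added example that is not part of the original article or any ESET tool. It tallies failed logons by source machine from an exported Security log; the CSV column layout, the thresholds and the function names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Failed-logon event IDs: 529 (Windows Server 2003), 4625 (Server 2008 and later).
FAILED_LOGON_IDS = {"529", "4625"}

# Constructed sample data, not real events. The CSV column layout is an assumed
# export format for the Security log of a Domain Controller.
SAMPLE_EXPORT = """EventID,TimeCreated,TargetUserName,WorkstationName,IpAddress
4625,2009-02-10T09:00:01,Administrator,PC-ACCT-07,192.0.2.17
4625,2009-02-10T09:00:02,admin,PC-ACCT-07,192.0.2.17
4625,2009-02-10T09:00:03,backup,PC-ACCT-07,192.0.2.17
4625,2009-02-10T09:00:04,Administrator,pc-acct-07,192.0.2.17
4624,2009-02-10T09:05:00,jsmith,PC-HR-02,192.0.2.23
4625,2009-02-10T09:06:00,jsmith,PC-HR-02,192.0.2.23
529,2009-02-10T09:10:01,Administrator,-,192.0.2.44
529,2009-02-10T09:10:02,admin,-,192.0.2.44
529,2009-02-10T09:10:03,admin,-,192.0.2.44
"""

def failed_logons_by_source(export_text):
    """Group failed-logon events by the machine the attempt came from."""
    sources = defaultdict(lambda: {"failures": 0, "accounts": set()})
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["EventID"].strip() not in FAILED_LOGON_IDS:
            continue  # successful logons and unrelated events are ignored
        # Use the workstation name; fall back to the IP when it is blank or "-".
        name = row["WorkstationName"].strip()
        key = (name if name not in ("", "-") else row["IpAddress"].strip()).upper()
        sources[key]["failures"] += 1
        sources[key]["accounts"].add(row["TargetUserName"].strip().lower())
    return sources

def machines_to_check(export_text, min_failures=3, min_accounts=2):
    """Sources with repeated failures against several accounts, worst first."""
    # The default thresholds are illustrative assumptions; tune them per network.
    hits = [
        (src, s["failures"], len(s["accounts"]))
        for src, s in failed_logons_by_source(export_text).items()
        if s["failures"] >= min_failures and len(s["accounts"]) >= min_accounts
    ]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for src, failures, accounts in machines_to_check(SAMPLE_EXPORT):
        print(f"{src}: {failures} failed logons against {accounts} accounts")
```

A single mistyped password (PC-HR-02 in the sample) stays below the thresholds, while a machine that fails repeatedly against several accounts is listed for patching and cleaning.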
After completing the above Cleaning Steps (Network), change all administrative passwords again to ensure that Conficker does not have any of these passwords. If Conficker threats are still being reported after all machines are patched, then either an unpatched machine still remains or ESET is not installed and updated on a machine.