jwgkvsq.vmx - Conficker virus manual removal
Intro
This is one of the newer viruses to become widespread. It has spread rapidly, and a great many computers are infected. Conficker spreads via USB pen drives, using an autorun.inf, or over the network by exploiting bugs in the network stack of Windows systems.
Spreading via USB Drives
Conficker spreads on USB drives by creating an autorun.inf together with the folder structure
RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\
containing the file
jwgkvsq.vmx
Despite the .vmx extension, this file is a DLL. The obfuscated autorun.inf (the mixed-case spelling is part of the obfuscation) loads it with RunDLL32:
[AUTorUN
icon=%syStEmrOot%\sySTEM32\sHELL32.Dll,4
shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
useAuTopLAY=1
The presence of Conficker can be spotted from the icon Windows shows for the USB pen drive: if the drive is shown with a folder icon (the shell32.dll icon set by the autorun.inf above), it is almost certain that the drive is infected with Conficker.
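Checking by eye for the folder icon is easy to miss on a busy machine, so here is an added example (not from the original post) that looks for the two USB indicators described above on every removable drive: the hidden RECYCLER\S-5-3-42-... folder holding jwgkvsq.vmx, and an autorun.inf whose shellexecute line hands a file under RECYCLER to rundll32. It assumes Windows PowerShell 5.1 or later; the $folderName value is the one quoted in the post. It only reports and does not delete anything.

```powershell
# Added example, not the original post's code. Read-only scan of removable drives for the
# USB indicators the post describes. Assumes Windows PowerShell 5.1+.
$folderName = 'S-5-3-42-2819952290-8240758988-879315005-3665'   # folder name from the post
$removable  = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'   # 2 = removable disk

foreach ($disk in $removable) {
    $root     = $disk.DeviceID + '\'
    $findings = @()

    # Indicator 1: the hidden RECYCLER\S-5-3-42-... folder containing the DLL named jwgkvsq.vmx.
    $dll = Join-Path $root "RECYCLER\$folderName\jwgkvsq.vmx"
    if (Test-Path -LiteralPath $dll) {
        $findings += "found $dll"
    }

    # Indicator 2: an autorun.inf whose shellexecute line runs something under RECYCLER via
    # rundll32. The file in the post is mixed-case, so match case-insensitively and ignore
    # whatever else the file contains. -Force lets Get-Content read hidden/system files.
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Raw -Force -ErrorAction SilentlyContinue
        if ($text -and ($text -match '(?is)shellexecute\s*=[^\r\n]*rundll32[^\r\n]*recycler')) {
            $findings += "$inf launches a RECYCLER payload through rundll32"
        }
    }

    # One result row per removable drive; Suspect is $true when any indicator was seen.
    [pscustomobject]@{
        Drive    = $disk.DeviceID
        Suspect  = ($findings.Count -gt 0)
        Findings = ($findings -join '; ')
    }
}
```

Run it from an elevated PowerShell prompt with the suspect drive plugged in (and autorun disabled, so that inserting the drive does not itself execute the autorun.inf). A drive that is reported as Suspect should be cleaned from a known-good machine rather than opened in Explorer.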
Manual Detection and Removal
Conficker disables the Background Intelligent Transfer Service (BITS) and Windows Automatic Updates. So if you find these services disabled, be alert. (To check which services are running and their status, use Run > services.msc.)
Follow these steps to detect and remove the Conficker virus:
- Run regedit.exe (the registry editor).
- Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost and locate the netsvcs value.
- Double-click the netsvcs value and check whether a random-looking name has been added at its end.
- Note the "zbtthjd" at the end: this is the virus. To help you spot the random string (it is usually at the end), the list of valid entries in this value (from Microsoft) is given below:
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
EventSystem
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Sacsvr
Schedule
Seclogon
SENS
Sharedaccess
Themes
TrkWks
TrkSvr
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wuauserv
BITS
ShellHWDetection
uploadmgr
WmdmPmSN
xmlprov
AeLookupSvc
helpsvc
- Note the random string (in this case "zbtthjd").
- Now go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zbtthjd\Parameters and note the ServiceDll parameter. It will be something like c:\windows\system32\<randomstring>.dll.
- Open a command prompt and run
svchost -k netsvcs
This should stop the netsvcs group and the virus.
- Try deleting the DLL file, or else rename it to something else.
- Restart the system.
- Re-enable the Automatic Updates and BITS services.
Note: if these steps do not apply in your case, the virus must have morphed into some other form.
Hope it works :)
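Comparing the netsvcs value against the list above by eye is error-prone (several commenters below found the random name but not its DLL). Here is an added example, not from the original post, that automates the detection part of the steps above: it reads the netsvcs value, reports every entry that is not in the known-good list quoted in the post, looks up that entry's ServiceDll under CurrentControlSet\Services\<name>\Parameters, and shows the state of the BITS and Automatic Updates services that the post says Conficker disables. It assumes Windows PowerShell 5.1 or later running as Administrator; $KnownGood is the list from the post, so a legitimate service that Microsoft's list does not include will also be reported and must be reviewed by hand.

```powershell
# Added example, not the original post's code. Assumes Windows PowerShell 5.1+, elevated.
# Known-good netsvcs entries, exactly as listed in the post.
$KnownGood = @(
    'AppMgmt','AudioSrv','Browser','CryptSvc','DMServer','EventSystem','HidServ','Ias',
    'Iprip','Irmon','LanmanServer','LanmanWorkstation','Messenger','Netman','Nla','Ntmssvc',
    'NWCWorkstation','Nwsapagent','Rasauto','Rasman','Remoteaccess','Sacsvr','Schedule',
    'Seclogon','SENS','Sharedaccess','Themes','TrkWks','TrkSvr','W32Time','WZCSVC','Wmi',
    'WmdmPmSp','winmgmt','wuauserv','BITS','ShellHWDetection','uploadmgr','WmdmPmSN',
    'xmlprov','AeLookupSvc','helpsvc'
)

$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
# netsvcs is a REG_MULTI_SZ value, which PowerShell returns as a string array.
$netsvcs = (Get-ItemProperty -Path $svcHostKey -Name netsvcs).netsvcs

foreach ($entry in $netsvcs) {
    # -notcontains compares case-insensitively, matching how the service control manager
    # treats these names.
    if ($KnownGood -notcontains $entry) {
        $paramKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$entry\Parameters"
        $dllDisplay = '(no Parameters\ServiceDll found; see the comments on morphed variants)'
        if (Test-Path -LiteralPath $paramKey) {
            $dll = (Get-ItemProperty -LiteralPath $paramKey -Name ServiceDll `
                        -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $dllDisplay = $dll }
        }
        [pscustomobject]@{
            UnknownEntry = $entry
            ServiceDll   = $dllDisplay
        }
    }
}

# The post says Conficker disables BITS and Automatic Updates (wuauserv): show their state.
Get-Service -Name BITS, wuauserv | Select-Object Name, Status, StartType
```

An entry reported here is a candidate, not a verdict: confirm it by checking that the ServiceDll path exists and that the file is unsigned or has a random name, as the post describes, before removing it.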
9 comments:
It really works, man. Thanks!!
I found this random string, opgxdps. It's the last one on the list. But I can't find the DLL file, what should I do? Thanks!
Same problem as earth angel. Please help!
Thanks, it helped me to remove the virus easily.
vwnwhms: it is the random string! But I can't find any DLL file. Any suggestion? I think earth angel is facing the same problem. Why is there no reply?
For those who can't find the DLL file: the virus would have polymorphed into some other form when you connected to the internet.
Me too, I was not able to find the random .dll, because regedit can't show the parameters of the last service on the list.
I tried to find a weird DLL created in these days.
But after I removed this name from that list, the virus does not bother me.
Thanks a lot.
Thanks for the great info. It worked on two systems that were infected, and now are malware free. I am a senior IT consultant and remove viruses for a living. I had spent many hours trying to find this one, and none of the best anti-virus software could find it. -Scott
The jwgkvsq.vmx is a worm-type virus, which spreads via USB/portable drives and through the network. It also creates an autorun.inf file on your USB device as well as a hidden system folder called RECYCLER which contains the jwgkvsq.vmx file. I'm not sure if this is an old virus, but it seems it's been spreading a lot lately. And most anti-virus software doesn't detect this, but those that do can't remove it.