Tuesday, April 7, 2009

jwgkvsq.vmx - Conficker virus manual removal

Intro
This is one of the worms making the rounds at the moment. It has spread rapidly, so there is a fair chance that some of the machines you look after are infected. Conficker spreads via USB pen drives, using an autorun.inf, and over the network by exploiting a bug in the Windows Server service (MS08-067) on unpatched systems and by guessing weak passwords on administrative shares.

Spreading via USB Drives
Conficker spreads on USB drives by creating an autorun.inf in the root of the drive together with a hidden folder

RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\

containing the file

jwgkvsq.vmx

The .vmx extension is a disguise: the file is a Windows DLL, and the obfuscated autorun.inf loads it with rundll32.exe, calling the export named after the comma (ahaezedrn). The mixed-case directives (and, in the real file, the binary junk padded between them) are there to defeat simple signature matching; Windows parses autorun.inf case-insensitively, so the file works regardless:

[AUTorUN
icon=%syStEmrOot%\sySTEM32\sHELL32.Dll,4
shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
useAuTopLAY=1


Conficker can often be spotted from the drive's icon alone: the autorun.inf sets icon= to entry 4 of shell32.dll, which is the plain folder icon, so a pen drive that shows up in My Computer with a folder icon instead of a drive icon is almost certainly infected. The autorun.inf and the RECYCLER folder are hidden system objects, so to see them turn on "Show hidden files and folders" and untick "Hide protected operating system files" in Folder Options.
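The USB check above, as an added example that is not part of the original post. It scans every removable drive for the pattern described (an autorun.inf whose shellexecute line runs a RECYCLER payload through rundll32, the folder-icon trick, and a .vmx file that is really a PE image). It assumes Windows PowerShell run as an administrator; the folder and file names are the ones quoted in the post, while the directive parser is generic because other variants use other names. Get-WmiObject is used so the script also runs on the PowerShell 2.0 of that era (swap in Get-CimInstance on PowerShell 7).

```powershell
# Added example (not from the original post): check removable drives for the
# Conficker autorun.inf / RECYCLER\<SID>\jwgkvsq.vmx pattern.
# Assumes Windows PowerShell run as administrator.

function Get-AutorunDirectives {
    param([string]$Path)
    # The worm's autorun.inf mixes letter case and pads the file with binary
    # junk. Read raw bytes, drop non-printable characters and parse key=value
    # case-insensitively, which is also how Windows itself reads the file.
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $directives = @{}
    foreach ($line in ($text -split "[`r`n]+")) {
        $clean = ($line -replace '[^\x20-\x7E]', '').Trim()
        if ($clean -match '^([A-Za-z]+)\s*=\s*(.+)$') {
            $directives[$Matches[1].ToLower()] = $Matches[2].Trim()
        }
    }
    return $directives
}

function Test-ConfickerDrive {
    param([string]$Root)   # e.g. 'E:\'
    $findings = @()
    $autorun = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $d = Get-AutorunDirectives $autorun
        # rundll32 launching something under RECYCLER is the tell-tale line
        if ($d['shellexecute'] -match '(?i)rundll32.*\\RECYCLER\\') {
            $findings += "autorun.inf launches a RECYCLER payload: $($d['shellexecute'])"
        }
        # icon index 4 of shell32.dll is the ordinary folder icon
        if ($d['icon'] -match '(?i)shell32\.dll,4\s*$') {
            $findings += 'autorun.inf sets the drive icon to the folder icon'
        }
    }
    $recycler = Join-Path $Root 'RECYCLER'
    if (Test-Path -LiteralPath $recycler) {
        # -Force: the worm's folder and file are hidden+system
        $vmx = Get-ChildItem -LiteralPath $recycler -Force -Recurse -Filter '*.vmx' -ErrorAction SilentlyContinue
        foreach ($file in @($vmx)) {
            # A real VMware .vmx is text; the worm's .vmx is a PE image ('MZ' header).
            try {
                $hdr = New-Object byte[] 2
                $fs = [System.IO.File]::OpenRead($file.FullName)
                try { [void]$fs.Read($hdr, 0, 2) } finally { $fs.Close() }
                if ($hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A) {
                    $findings += "PE file disguised as .vmx: $($file.FullName) ($($file.Length) bytes)"
                }
            } catch {
                # access denied is itself suspicious: the worm restricts its file's ACL
                $findings += "could not read $($file.FullName): $($_.Exception.Message)"
            }
        }
    }
    return $findings
}

# DriveType 2 = removable disk (pen drives, card readers)
foreach ($disk in @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2')) {
    $hits = @(Test-ConfickerDrive ($disk.DeviceID + '\'))
    if ($hits.Count -gt 0) {
        Write-Host "$($disk.DeviceID) looks infected:"
        foreach ($h in $hits) { Write-Host "  $h" }
    } else {
        Write-Host "$($disk.DeviceID) shows none of the Conficker markers"
    }
}
```

Run it before opening any drive in Explorer: with AutoPlay on, double-clicking the drive is exactly what executes the shellexecute line. A clean result only means the markers described in this post are absent, not that the drive carries nothing else.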

Manual Detection and Removal

Conficker sets the Background Intelligent Transfer Service (BITS) and Automatic Updates (wuauserv) to Disabled so the machine cannot fetch the patch that would close the hole, and it blocks access to Microsoft and anti-virus vendor web sites. If you find these two services disabled, be alert. (To see which services are running and their startup types: Run > services.msc.)

Follow these steps to detect and remove Conficker virus:

  • Run regedit.exe (the registry editor)
    Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    In the right-hand pane double-click the netsvcs value. It is a REG_MULTI_SZ, i.e. a list of service names, one per line; Conficker appends its own randomly named service to this list so that the shared netsvcs svchost.exe process loads the worm's DLL at every boot. Look for a random-looking name, usually the last one.

    In this example the odd name was "zbtthjd", and that is the worm's service name. The stock entries in the field (from Microsoft; this is the Windows XP list, other Windows versions load a different set) are given below to help you spot the one that does not belong:
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    EventSystem
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    Rasman
    Remoteaccess
    Sacsvr
    Schedule
    Seclogon
    SENS
    Sharedaccess
    Themes
    TrkWks
    TrkSvr
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wuauserv
    BITS
    ShellHWDetection
    uploadmgr
    WmdmPmSN
    xmlprov
    AeLookupSvc
    helpsvc

  • Note the random string (in this case "zbtthjd").

  • Now go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zbtthjd\Parameters (substitute your own string) and note the ServiceDll value. It will be something like c:\windows\system32\<randomstring>.dll. The file is hidden, marked as a system file and may have had its permissions restricted, so it does not show up in Explorer unless hidden and protected operating system files are made visible.

  • Remove the worm's name from the netsvcs list you opened in the first step (delete just that line and click OK) so the shared service host will not load it again, then open a command prompt and stop and unregister the service:
    sc stop zbtthjd
    sc delete zbtthjd
    Do not kill the svchost.exe process the worm is running in: it is the shared netsvcs host, so the legitimate services in the list above would go down with it. If sc stop is refused, the reboot in the step after next finishes the job, because the name is no longer in netsvcs.

  • Delete the DLL file. Windows will not let you delete a DLL that is still loaded, but it will let you rename it, so if deletion fails clear the attributes with attrib -h -s -r <file> and rename it to something else; after the reboot the worm's service DLL no longer exists under the name the registry refers to. If even the rename is refused, reset the file's permissions (cacls on XP) or do it from Safe Mode.

  • Restart the System.

  • Re-enable Automatic Updates and BITS (in services.msc set their Startup type back to Automatic and start them), then run Windows Update so that MS08-067 gets installed; without the patch the machine can simply be re-infected over the network. Clean every USB drive that was plugged into the machine as well (delete its autorun.inf and the RECYCLER\S-5-3-42-...\ folder), or the worm comes straight back the next time one is plugged in.
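The whole procedure above (find the rogue netsvcs entry, resolve its ServiceDll, take it out of the list, stop and unregister the service, rename the DLL, then restore BITS and Automatic Updates) as one script. This is an added example, not code from the original post. It assumes Windows PowerShell run as an administrator on Windows XP, whose stock netsvcs list is the one quoted above; other Windows versions load a different set of services under netsvcs, so compare against that version's list before treating an entry as rogue. Without -Remove the script only reports; with -Remove it edits the registry, unregisters the service and renames the DLL, so run it once without the switch first and reboot afterwards.

```powershell
# Added example (not from the original post): detect and, with -Remove, clean
# a Conficker service entry registered under the netsvcs svchost group.
# Assumes Windows PowerShell run as administrator on Windows XP (the known
# list below is the XP netsvcs set quoted in the post).
param([switch]$Remove)

$KnownNetsvcs = @(
    'AppMgmt','AudioSrv','Browser','CryptSvc','DMServer','EventSystem','HidServ',
    'Ias','Iprip','Irmon','LanmanServer','LanmanWorkstation','Messenger','Netman',
    'Nla','Ntmssvc','NWCWorkstation','Nwsapagent','Rasauto','Rasman','Remoteaccess',
    'Sacsvr','Schedule','Seclogon','SENS','Sharedaccess','Themes','TrkWks','TrkSvr',
    'W32Time','WZCSVC','Wmi','WmdmPmSp','winmgmt','wuauserv','BITS','ShellHWDetection',
    'uploadmgr','WmdmPmSN','xmlprov','AeLookupSvc','helpsvc'
)
$SvcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RogueNetsvcs {
    # netsvcs is a REG_MULTI_SZ; any name not in the stock list is suspect
    $entries = (Get-ItemProperty -Path $SvcHostKey -Name netsvcs).netsvcs
    @($entries | Where-Object { $KnownNetsvcs -notcontains $_ })
}

function Get-ServiceDllPath {
    param([string]$Name)
    # The worm's service key points at its DLL via Parameters\ServiceDll,
    # normally %SystemRoot%\system32\<random>.dll; expand the variable.
    $params = "$ServicesKey\$Name\Parameters"
    if (-not (Test-Path $params)) { return $null }
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
}

foreach ($svc in Get-RogueNetsvcs) {
    $dll = Get-ServiceDllPath $svc
    Write-Host "Rogue netsvcs entry: $svc   ServiceDll: $dll"
    # Some variants leave no Parameters key at all; the DLL then has to be
    # found another way (size or timestamp in system32, as commenters did).
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $f = Get-Item -LiteralPath $dll -Force    # -Force: the file is hidden+system
        Write-Host ("  {0} bytes, modified {1}, attributes {2}" -f $f.Length, $f.LastWriteTime, $f.Attributes)
    }
    if (-not $Remove) { continue }

    # 1. take the name out of netsvcs so the shared svchost will not load it on next boot
    $kept = @((Get-ItemProperty -Path $SvcHostKey -Name netsvcs).netsvcs | Where-Object { $_ -ne $svc })
    Set-ItemProperty -Path $SvcHostKey -Name netsvcs -Value ([string[]]$kept) -Type MultiString
    # 2. stop and unregister the service; sc delete is deferred by the SCM until the service is gone
    & sc.exe stop $svc | Out-Null
    & sc.exe delete $svc | Out-Null
    # 3. Windows will not delete a loaded DLL but will rename one. Clear the
    #    hidden/system/read-only attributes first; if access is still denied,
    #    reset the ACL (cacls on XP, icacls on Vista and later) or use Safe Mode.
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        & attrib.exe -h -s -r $dll
        Rename-Item -LiteralPath $dll -NewName ([IO.Path]::GetFileName($dll) + '.conficker.bak') -Force
    }
}

# Conficker sets BITS and Automatic Updates (wuauserv) to Disabled; report and restore.
# Get-WmiObject is used so this also runs on PowerShell 2.0 (use Get-CimInstance on PowerShell 7).
foreach ($name in 'BITS','wuauserv') {
    $s = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($s) {
        Write-Host "$name start mode: $($s.StartMode), state: $($s.State)"
        if ($Remove -and $s.StartMode -eq 'Disabled') { Set-Service -Name $name -StartupType Automatic }
    }
}
```

The rogue check is a whitelist comparison, so it also flags legitimate third-party services that register themselves under netsvcs; read the ServiceDll line before passing -Remove. Reboot after the removal run and run the script once more without the switch to confirm the entry is gone and the two services are back to Automatic.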



If these steps do not match what you see (the service registered somewhere other than netsvcs, no Parameters key, a different file name), you are probably dealing with a later variant that hides itself differently. Microsoft's Malicious Software Removal Tool removes the known variants; since the worm blocks access to microsoft.com, download the tool on a clean machine and carry it over on a freshly formatted drive.
Hope it works :)

24 comments:

Raveendra Pai G said...

It really works man, Thanks !!

earth angel said...

I found this random string, opgxdps. It's the last one on the list. But I can't find the dll file, what should I do? Thanks!

christian philip said...

Same problem as earth angel. Pls help!

Anonymous said...

Thanks, it helped me to remove the virus easily.

Anonymous said...

vwnwhms - it is the random string! But can't find any dll file. Any suggestion? I think earth angel is facing the same problem. Why is there no reply!

Arun Prabhakar said...

For those who can't find the dll file, the virus would have polymorphed to some other form when you connected to the internet.

Anonymous said...

Me too, I was not able to find the random.dll, because regedit can't show the parameters of the last service on the list.

I tried to find a weird dll created in these days.

But I removed this name from that list, and the virus is not bothering me.

Thanks a lot.

Anonymous said...

Thanks for the great info. It worked on two systems that were infected, and now are malware free. I am a senior IT consultant and remove viruses for a living. I had spent many hours trying to find this one, and none of the best anti-virus software could find it. -Scott

Computer Support said...

The jwgkvsq.vmx is a worm-type virus, which spreads via USB/portable drives and through the network. It also makes an autorun.inf file on your USB device as well as a hidden system folder called RECYCLER which contains the jwgkvsq.vmx file. I'm not sure if this is an old virus, but it seems it's been spreading a lot lately. And most anti-virus programs don't detect this, and those that do can't remove it.

Richester said...

"wnasnx" I found this, it's the last one on the list. But no parameters dll, and I can't delete it. Help me please. Thanks!

Richester said...

I found this random string "wnasnx" last on the list. But I can't find the dll and there is no parameters key. And I can't delete it. Please help me. Thanks

Anonymous said...

The exact size of file: 168096 byte. Search the system for this file size, and you will find the missing dll file in system32 folder! (It has another name of course.)

blubbi said...

Found the random string but not the dll file. In system32 and the whole c:\windows partition there is no file with the exact size of 168096 bytes.
Is it a good idea to delete or rename my "random string" folder:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ygxdsx

???

Neven Boyanov said...

I couldn't find the DLL names in the registry but I've noticed that the modification date of the jwgkvsq.vmx is the same as the kernel32.dll file in the C:\WINDOWS\system32 ... so that's how I found the file. In my case that was eecsfqhw.dll which I renamed in safe mode. Its size and date were: 162,941 / 2009-03-21 17:06

I hope that helps others

Anonymous said...

cannot run services.msc
cannot run regedit.exe
now what else can i do?

Sturmvogel said...

To Neven Boyanov: I'm sorry for a stupid question, but how did the coincidence of the modification date of kernel32 and jwgkvsq help you? In fact, I've got the same problem, and the modification date of kernel32 is the same as that of jwgkvsq (19:52 16th April 2007). Could you be so kind as to share with me the way you found the dll file after that discovery?

Anonymous said...

Hey, thanks for the help. I'm just like the others who couldn't find the parameter, so I searched for a file with the exact size of my jwgkvsq.vmx file. It was a dll, and no surprise it was hidden and not accessible... so I modified the permissions so I could delete it, I used processXP to end any open handle of that file (svchost was using it), and finally I deleted it and then restarted and voila !!
so I guess the whole registry move was useless to me, but it was a start.. thanks for the info.
Abdelrhman.

Anonymous said...

Thank You It Worked

Anonymous said...

hi 2 all..

In mine it's under drivers with a random name and has got no parameter in the registry.. Just got a link to a file c:\windows\system32\03.tmp

Anonymous said...

microsoft malicious software removal tool did it for me

hemiro said...

Miklos:
I found the random string in regedit and deleted it, then I ran cmd: svchost -k netsvcs. The random dll I could not find. Is that ok?

Asher said...

Guys, download the malicious s/w remover from Microsoft.. worked like a charm.. My antivirus was able to detect it and delete it, but once I rebooted the system, the damn virus was back again in the scan. Took me 2 hours to try this, a 500G portable drive so lots of data to scan :D Anyways, as people have said above as well.. download the malicious s/w remover from MS and run it.

Anonymous said...

The worm is more malicious, because it blocks the access to Microsoft
and to other antivirus sites,
you cannot download mce..

The best way is to delete the name of the service at the end of the list.
If you don't find the dll in system32, it's not important.
It is not activated anymore when you restart.

Jasmine Gomez said...

Thanks for the tutorial. It worked on my PC. This is the random string on my PC which does not appear on your list: mwshl

I hope you could add it on your list. Thanks!