jwgkvsq.vmx - Conficker virus manual removal

Intro
Well this is one of the new emerging popular virus. It has spread rapidly, and most of your computers are infected. Conficker spreads via the USB pendrive along with the autorun.inf
or via network by exploiting bugs in the Network Stack on Windows systems.
Skip to Manual Removal steps.

Spreading via USB Drives
Conficker spreads on USB Drives by creating an autorun.inf,
A folder structure

RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\

with

jwgkvsq.vmx

The file is a DLL file, which is executed by the obfuscated autorun.inf.
The DLL file is loaded with RunDLL

[AUTorUN
icon=%syStEmrOot%\sySTEM32\sHELL32.Dll,4
shelLExECUte=RuNdLl32.EXE.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
useAuTopLAY=1

The presence of conficker can be detected by looking at the ICON of the USB Pen drive. If it is a folder icon, then its almost sure that the drive is infected with "conficker".

Manual Detection and Removal

Conficker disables the Background Intelligent Transfer Service (BITS) and Windows Automatic Updates. So If you find these services disabled, be alert. (To checkout what services are running and their statuses Run > services.msc.

Follow these steps to detect and remove Conficker virus:

• 
  Run regedit.exe registry editor
  Goto HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SvcHost\netsvcs
  Double click the key to see if there is a random value at its end.
  
  
  
  
  
  Note the "zbtthjd" at the end, this is the virus. A list of valid entries in the field (from Microsoft) is given below to help you find the random string. (Usually at the end).
  

  AppMgmt
  AudioSrv
  Browser
  CryptSvc
  DMServer
  EventSystem
  HidServ
  Ias
  Iprip
  Irmon
  LanmanServer
  LanmanWorkstation
  Messenger
  Netman
  Nla
  Ntmssvc
  NWCWorkstation
  Nwsapagent
  Rasauto
  Rasman
  Remoteaccess
  Sacsvr
  Schedule
  Seclogon
  SENS
  Sharedaccess
  Themes
  TrkWks
  TrkSvr
  W32Time
  WZCSVC
  Wmi
  WmdmPmSp
  winmgmt
  wuauserv
  BITS
  ShellHWDetection
  uploadmgr
  WmdmPmSN
  xmlprov
  AeLookupSvc
  helpsvc

  
  
• Note the random string. (in this case "zbtthjd")


• Now goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zbtthjd\Parameters, note the ServiceDLL Parameter, It would be something like c:\windows\system32\<randomstring>.dll


• Take a Command prompt and run

  svchost -k netsvcs

  . This should stop the netsvcs and the virus.


• Try deleting the DLL file or else rename the DLL file to something else


• Restart the System.


• Renable Services Automatic Updates and BITS.

Note if you find these methods not applicable in your case, the virus must have morphed to some other form.
Hope it works :)