Removing Conficker

Before you begin removing Conficker, make sure that Avira detects it as such, i.e. that a scan reports the detection under the exact name Conficker. If not, please let us know, because it cannot be removed until it is detected as "Conficker".

For removing Conficker, please follow these steps:

  1. Run the steps under Mitigation steps on the following website. (You can skip steps 3 and 7, as they will be done in later steps.)
    http://support.microsoft.com/kb/962007
  2. On the Servers:
    1. Download the following files:
    2. Microsoft Patches:
    3. Disconnect the servers from the network (unplug the network cable or turn off the switch)
    4. Install the Microsoft Patches (if not installed already)
    5. Run a manual update:
      1. Stop Avira services:  Avira Server Realtime Protection and Avira Security Scheduler
      2. Unpack the files in the folder C:\Programs\Avira\AntiVir Server\, overwriting the existing files.
      3. Restart the above mentioned services.
    6. Run a complete scan over all hard disks with Avira Server Security, from Scheduler → Create new task → Scan task → Complete system scan
    7. Connect the server to the network again
    8. If the server gets infected again (services shutting down), please run the scanner again (with Avira Server Security) and send us the logfiles:
      • Windows Server 2000/2003: C:\Documents and Settings\All Users\Applicationdata\Avira\AntiVir Server\logfiles
      • Windows Server 2008: C:\ProgramData\Avira\AntiVir Server\logfiles
  3. On the clients:
    1. Download the following Microsoft Patches:
    2. Install the patches on all PCs. Alternatively you can use the Microsoft WSUS to update the clients (http://technet.microsoft.com/de-de/wsus/default.aspx)
    3. Deactivate the System Restore on all clients
    4. Update Avira IUM and all Avira software in your network
    5. Now open Avira SMC and right-click on the Security Environment. Choose Installation → Product (Avira Professional Security or Avira Server Security) → Copy files. Add the following files:
      • Conficker_registry_fix.reg
      • conficker_reg.bat
      Important: First add the file Conficker_registry_fix.reg and then the file conficker_reg.bat. For the file conficker_reg.bat, select the checkbox for the option Execute selected file after copy operation.
      This step disables autorun for CDs and USB sticks. This is recommended because the Conficker virus spreads via this function.
    6. Restart the clients
    7. Set up a configuration task for the clients (right-click on the Security Environment → Configuration → Avira Professional Security → Configure) and set the System Scanner option Action for concerning files to automatic, Primary Action = Repair and Secondary Action = Rename.
    8. With this option you can make sure nobody interrupts the removal process.
    9. Use the function Avira Professional Security → Copy files again and copy the following files:
      • rootkit.avp
      • rootkit_scan.bat
      First copy the file rootkit.avp and then the file rootkit_scan.bat. Execute the file rootkit_scan.bat. This will start the Rootkit search to remove Conficker.
    10. Reboot the PCs.
    11. Start a normal scan on all local drives.
    12. If you still notice virulent behaviour on a PC, or if the System Scanner detects an infection, please run the Avira Support Collector on that computer (Downloads) and send us the logfiles by email.

You may still receive virus warnings on the PCs until you have removed all Conficker instances in the network.
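To confirm on a client that autorun for CDs and USB sticks is really off after the registry fix and the restart, the following PowerShell check can be run locally. It is an added example, not an Avira tool; it assumes the fix sets the standard Windows policy value NoDriveTypeAutoRun, since the contents of Conficker_registry_fix.reg are not shown here, and the function names are hypothetical.

```powershell
# Added example: report which drive types still have AutoRun enabled.
# Assumption: the registry fix sets NoDriveTypeAutoRun under Policies\Explorer.
$PolicyPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# A set bit in NoDriveTypeAutoRun means AutoRun is disabled for that drive type.
$DriveTypeBits = @{
    'Removable (USB stick)' = 0x04
    'Fixed disk'            = 0x08
    'Network drive'         = 0x10
    'CD-ROM'                = 0x20
}

function Get-EffectiveAutoRunMask {
    # If the value exists in HKLM, Windows ignores the per-user value in HKCU.
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$PolicyPath" `
                    -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($item) {
            $value = $item.NoDriveTypeAutoRun
            # Some .reg files store the value as REG_BINARY; the low byte holds the bits.
            if ($value -is [byte[]]) { $value = $value[0] }
            return New-Object PSObject -Property @{
                Hive = $hive
                Mask = ([int]$value -band 0xFF)
            }
        }
    }
    return $null   # value not set in either hive
}

function Get-AutoRunReport {
    param($Policy)
    foreach ($name in ($DriveTypeBits.Keys | Sort-Object)) {
        $disabled = ($null -ne $Policy) -and (($Policy.Mask -band $DriveTypeBits[$name]) -ne 0)
        New-Object PSObject -Property @{ DriveType = $name; AutoRunDisabled = $disabled }
    }
}

$policy = Get-EffectiveAutoRunMask
if ($null -eq $policy) {
    Write-Output 'NoDriveTypeAutoRun is not set; the operating system default applies.'
} else {
    Write-Output ('Effective value 0x{0:X2} read from {1}' -f $policy.Mask, $policy.Hive)
}
$report = Get-AutoRunReport $policy
$report | Format-Table DriveType, AutoRunDisabled -AutoSize

# Non-zero exit code if CD or USB AutoRun is still enabled, so a script can flag the client.
if ($report | Where-Object { -not $_.AutoRunDisabled -and $_.DriveType -match 'CD-ROM|Removable' }) { exit 1 }
```

A value of 0xFF disables autorun for every drive type; a client that reports CD-ROM or Removable as still enabled has not applied the fix.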

Affected products

  • Avira AntiVir Support Collector [Windows]
  • Avira Professional Security [Windows]
  • Avira Server Security [Windows]
  • Avira Rescue System [Not relevant]
  • Avira Professional Security, Version 2012 [Windows]
  • Avira Server Security, Version 2012 [Windows]
  • Avira Small Business Security Suite [Windows]
  • Created : Friday, August 14, 2009
  • Last updated: Tuesday, May 21, 2013