Let's assume you are on the receiving end of the worst April Fool's Day joke of 2009: your computer has been infected with the Conficker worm. It is a frustrating but not insurmountable problem. This guide will walk you through how to cleanse your computer and inoculate against other Conficker variants.
First off, make sure that you are infected. There are not many warning signs, but a few will stand out if you know what to look for.
One fast way to check is to try to visit any major security software publisher's website. If you have cleared your browser cache beforehand, and you can load the sites of Symantec, Eset, Avira or AVG, you are clean because Conficker blocks access to them.
Another good litmus test is to check on the status and functionality of Windows services such as Automatic Updates, the Background Intelligent Transfer Service, Windows Defender and Error Reporting Services. If any of those have been disabled without your consent, or if your account lockout policies have changed without approval, you might be infected. Other warning signs include unusually high traffic on your local area network, and domain controllers responding slowly to client requests.
If you are running an up-to-date virus scanner, it is unlikely you will get infected unless you have configured your computer to not receive automatic Windows updates. Checking your list of installed updates for security update MS08-067 (KB 958644) is not recommended because the worm, alternatively known as Kido, Downup or Downadup, fakes the patch job.
Removal tools
Assuming you do have the virus, the next step is to download one of several free removal clients. The Conficker-specific tools are McAfee's Stinger, Eset's Win32/Conficker Worm Removal Tool, Symantec's W32.Downadup Removal Tool, and Sophos's Conficker Cleanup Tool.
Avira specifically mentions on its website that Antivir will prevent infection and remove the virus if you have it (although we do not have an infected machine to confirm this against). AVG states that AVG Free will protect you against the virus, but does not say if it can remove it once you have been infected.
If none of these programs works for you, Avira also offers Conficker-specific instructions on how to use their rescue CD to fix your computer. This requires a secondary computer so you can create the CD, if you have not done so prior to infection.
It is strongly recommended that if you are infected and you have the luxury of a second machine, disconnect the infected computer from the internet and install any repair programs or other fixes via CD or USB key.
Disable AutoRun
One of the most common infection vectors for Conficker and its ilk is the Windows AutoRun feature. Eset claims that one out of every 15 threats they detected in 2008 used autorun.inf. Unfortunately, disabling it is not as simple as you may think, because even when disabled through conventional means, it still parses most of the autorun.inf file, instead of not reading it at all.
To disable it completely, users will need to copy the text below into Notepad. It should be one line from the left bracket to the final quotation mark.
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\IniFileMapping\Autorun.inf]@="@SYS:DoesNotExist"
Save it as something memorable, such as StopAutoRun.REG. Double-click on the saved file, and you close the AutoRun loophole. You will not be able to automatically play DVDs just by putting them in the disc drive now, but that seems a reasonable price to pay for slamming the door on this gaping security flaw.
Once you have made your computer clean and killed off the AutoRun feature, there is still more to do. These changes, however, are behavioural. Stay on top of Windows security updates from Microsoft, do not under any circumstances click on any web-based 'free virus scan' offers, and make sure you are not only running a reputable security suite, but that it is configured for daily virus definition file updates.
For the latest news and updates on Conficker, check out ZDNet UK's roundup.
Talkback
Seth Rosenblatt. With respect to your post instructing how to check for and remove the Conflicker worm, please note that the quoted registry entry to disable Autorun is incomplete. However I believe the registry entry to disable autorun is different for different versions of Windows.
There are plenty of guidelines explaining how to disable Autorun on the Internet.