Archive for December, 2009

Remove Conficker.B worm

December 27th, 2009 No comments

The Conficker worm is one of the more widespread worms these days. It is also very difficult to remove. I have found a quite ‘simple’ solution to it, but it requires a few workarounds.

It is possible to remove the virus manually, like I described in one of my previous posts, but the catch here is that you need to know exactly where the virus is ‘hiding’ (and it also requires more technical experience).

Before I present the solution, note the symptoms of the Conficker worm [1][2]:

  • Access to security related web sites is blocked.
  • Disables AutoUpdate

It blocks the sites of all (or almost all) antivirus companies and disables automatic updates, which is why it is so hard to remove. The real problem with using an antivirus is that you need recent definitions to be able to remove the virus.

So one of the possible solutions here is to simply use an antivirus to do the work. Luckily for the ones that don’t like to pay for an antivirus there is the free Microsoft Security Essentials, which in my case did the job (you need to pass the Genuine Windows check to be able to install it).

However, we still get back to the problem that all the Microsoft domains are blocked by Conficker, so we have to download it from elsewhere.

I’ve found it on Softpedia and you can download it here:

Next, we need the definitions. Because Conficker blocks the Microsoft domain, it is not possible to download them via the usual update function. There is a solution for this problem too: you can download them manually (also from the Microsoft site):

You can download this on a machine that is not infected, upload it on Rapidshare, send the link via mail and open it on the infected machine. Another possibility is USB, FTP or whatever.

When downloaded, just install it and you should have your definitions up to date. Next do a “Full scan” and after a while the antivirus will probably ask you to reboot the system so that it can remove the virus.

Finally, if it succeeds, you can test it by accessing the Microsoft site (previously blocked).
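The blocked-site symptom and the final test above can be checked in one go. The following is an added example, not part of the original post: it assumes the block shows up as a failed name lookup, and the host lists are assumed sample names. Control names are looked up as well, so that a machine that is simply offline is not mistaken for an infected one.

```python
import socket

# Assumed host names (not from the original post): two Microsoft sites of the
# kind the post reports as blocked, and two neutral control names.
SECURITY_HOSTS = ["www.microsoft.com", "support.microsoft.com"]
CONTROL_HOSTS = ["example.com", "example.org"]


def resolves(host, resolver=socket.getaddrinfo):
    """True if the system resolver returns at least one address for host."""
    try:
        return bool(resolver(host, 80))
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def check_blocking(security=SECURITY_HOSTS, control=CONTROL_HOSTS,
                   resolver=socket.getaddrinfo):
    """Compare security-site lookups against control lookups.

    Returns (verdict, details); details maps each host to True/False.
    """
    details = {h: resolves(h, resolver) for h in list(security) + list(control)}
    sec_ok = [details[h] for h in security]
    ctl_ok = [details[h] for h in control]
    if not any(ctl_ok):
        # Nothing resolves at all: offline or DNS down, so no conclusion.
        verdict = "inconclusive"
    elif not any(sec_ok):
        # Network works but every security site fails: the symptom in the post.
        verdict = "blocked"
    elif all(sec_ok):
        verdict = "clear"
    else:
        verdict = "partial"
    return verdict, details


if __name__ == "__main__":
    verdict, details = check_blocking()
    for host, ok in details.items():
        print("ok  " if ok else "FAIL", host)
    print("verdict:", verdict)
```

Run it before and after the scan: "blocked" before and "clear" after matches the manual test of opening the Microsoft site.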

Future preventions

  • You can disable the Server service (RUN: services.msc) because it is probably outdated
  • Don’t disable the Server service and just get all the latest updates (including SP3 on XP)
  • Keep the antivirus up to date

References
[1] http://en.wikipedia.org/wiki/Conficker
[2] http://www.pc1news.com/news/0486/how-to-remove-and-avoid-the-win32-conficker-worm.html

Categories: Fixes Tags:

Large file sizes after compiling with Lazarus

December 26th, 2009 No comments

In the previous post when I was building the WLM Uninstaller tool, my choice was to write the app in Pascal (Lazarus).

When you compile a project in Lazarus, you might end up with large executables. In my case, it was about 100 lines of code but compiled to a 12MB executable!

Luckily, I found out how to significantly compress the file. In Lazarus there is a file called strip.exe that, as the name suggests, strips any unnecessary data from the file. The file on my installation is located in C:\lazarus\fpc\2.2.2\bin\i386-win32. You can simply use it as follows: “strip file.exe”. The file I compiled went from 12MB to 1.77MB!

A further decrease can be accomplished by using a packer like UPX (“upx -9 -o outputfile.exe inputfile.exe”). In my case this was a further jump from 1.77MB to 668kB (5.4% of the original size!).

Categories: Lazarus, Pascal, Programming Tags:

Windows Live Messenger Uninstaller v0.01

December 26th, 2009 155 comments

This is the first public version of the Windows Live Messenger Uninstaller (v0.01).

What the tool does is basically remove a broken Windows Live Messenger installation. It really uses only the Windows Installer (msiexec.exe) to do the job, combined with the CLSID of the installation that uniquely identifies the WLM version.
The symptoms might be that when you want to reinstall the application it says that it is already installed, while actually it is not. When trying to remove it with the usual Configuration – Add/Remove software steps, it might not even appear in the list, while the setup of the WLM says it is really installed.

I decided to build this tool since there are a lot of people struggling with this problem [1][2][3][4]. All these existing solutions presented by people on these sites use the single command with a CLSID key (e.g. msiexec /x {B1403D7D-C725-4858-AACC-7E5FA2D72859}), but since the key is different for each WLM version such a solution might only be useful if you have that exact version. It can also be done manually by changing the registry keys, but I thought this would speed up the work significantly since there might be a lot of keys to search in (the location we are talking about here is: [HKEY_CLASSES_ROOT\Installer\Products\]).
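The lookup described above can be sketched as follows. This is an added example, not the tool's Pascal source: it relies on the fact, not stated in the post, that the key names under Installer\Products are a rearranged ("packed") form of the GUID that msiexec expects, and the function names are hypothetical. It only prints the commands it finds and does not run them.

```python
import re


def _swap(hex32):
    """Apply the Installer key-name transform; it is its own inverse."""
    a, b, c, rest = hex32[:8], hex32[8:12], hex32[12:16], hex32[16:]
    pairs = "".join(rest[i + 1] + rest[i] for i in range(0, 16, 2))
    return a[::-1] + b[::-1] + c[::-1] + pairs


def to_packed(product_code):
    """'{B1403D7D-C725-...}' -> 32-character key name used in the registry."""
    hex32 = re.sub(r"[{}-]", "", product_code).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", hex32):
        raise ValueError("not a GUID: %r" % product_code)
    return _swap(hex32)


def to_product_code(packed):
    """32-character key name -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError("not a packed GUID: %r" % packed)
    h = _swap(packed.upper())
    return "{%s-%s-%s-%s-%s}" % (h[:8], h[8:12], h[12:16], h[16:20], h[20:])


def uninstall_command(packed):
    """Build the msiexec command line for one registry key name."""
    return "msiexec /x " + to_product_code(packed)


def find_products(name_part="Windows Live Messenger"):
    """Windows only: list (ProductName, uninstall command) for matches."""
    import winreg  # imported here so the helpers above work on any OS
    found = []
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"Installer\Products") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            sub = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, sub) as key:
                    name, _ = winreg.QueryValueEx(key, "ProductName")
                cmd = uninstall_command(sub)
            except (OSError, ValueError):
                continue  # no ProductName, or key name is not a packed GUID
            if name_part.lower() in str(name).lower():
                found.append((name, cmd))
    return found


if __name__ == "__main__":
    for name, cmd in find_products():
        print(name, "->", cmd)
```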

I heard of people formatting the entire hard drive because of not being able to resolve this, so I really hope this gets around and avoids a lot of headaches.

You can download this first version of the tool below.

Download binary | Download source code (pascal)

MD5 hash binary: 7525a442da4b4515c8166debfc4a4d01
MD5 hash source code: 28efa8f882c5354c6c4845393724e99a

Requirements
The tool is tested on Windows 7, Vista and XP.

Usage
The tool is very simple to use. If it finds an installation it will give you the uninstall command that you can use to manually remove it. You can also press RUN and it will run the command automatically for you.

Note: This software comes with absolutely no warranty! By using this program you agree that I am not responsible for anything caused by this software whatsoever.

Future releases
If you have any comments, suggestions or bugs, please put them here in the comments. If it is useful I might add/fix it in the next release.

Currently I’m planning to build a more general remover for the Windows Live series, since there are also other components that could get broken.

References
[1] http://ask-leo.com/how_do_i_uninstall_windows_messenger.html#comments
[2] http://ayumilove.wordpress.com/2009/03/14/how-to-install-remove-windows-live-messenger-2009/
[3] http://www.mydigitallife.info/2006/02/11/remove-and-uninstall-windows-messenger/
[4] http://www.vistax64.com/live-messenger/185883-cannot-uninstall-windows-live-messenger-beta-2009-a.html

Untrue descriptions on other sites linking to this page
The link to this topic is already published on several sites, but unfortunately the presented description of the tool is misleading: it says that I’m claiming to have a better tool than all the other existing solutions, which is of course not true. This is only another alternative that may solve the problem.
In my description I was only referring to the existing solutions presented in the topics and comments that I used as references (see above [1][2][3][4]), and not to any other existing tool that probably uses other methods.

Softpedia certification

The tool can now also be downloaded from Softpedia.

Windows Live Essentials Uninstaller
If you also want to remove other Windows Live Essentials components like Windows Live Mail or Windows Live Movie Maker, then try a similar tool that I have built called Windows Live Essentials Uninstaller. This tool can remove any component installed by Windows Live Essentials.