Conficker – How To Kill DLL Files And Delete Registry Keys And Values

The Conficker virus is now known by many names, including –

  • W32/Conficker.worm
  • Win32/Conficker.A
  • W32.Downadup
  • Downadup
  • Kido
  • Confiker

but it doesn’t really matter what you call it – it is a total and far-reaching menace that has spread far and wide across the internet.

Exploiting the Windows vulnerability covered by MS08-067, Conficker continues to infect machines worldwide and may now be installed on as many as 15 million computers across the globe.

If you are unfortunate enough to become infected with Conficker then you will probably quickly discover that you cannot access security websites and that services such as Windows Security Center, Windows Error Reporting and Windows Defender have been disabled.

Not only that but Conficker has the ability to spread itself to other vulnerable computers via many means, including networks and external drives.

So, if one computer in a network is infected, then all the others are likely to become infected too.

Microsoft has released a patch to fix the Windows vulnerability and here is how you can manually remove Conficker from your system –

Killing off the Conficker DLL files

This is a fairly simple task, as detailed below –

1. Right-click the Explorer.exe process and choose the option “Properties”.
2. Click on the “Threads” Tab, locate and highlight the Conficker DLL files listed below.
3. To kill Conficker DLL files, click the “Kill” button.
4. Kill the following Conficker DLL files:

%All Users Application Data%\[RANDOM FILE NAME].dll
%Program Files%\Movie Maker\[RANDOM FILE NAME].dll
%Program Files%\Internet Explorer\[RANDOM FILE NAME].dll
%Temp%\[RANDOM FILE NAME].dll
vhoinp.dll
%System%\[RANDOM FILE NAME].dll

Deleting Conficker Registry Keys and Values

1. Right-click on your Desktop > select “New” option > select “Text Document” (.txt file) option.
2. Rename the .txt file as a .reg file and call it “Delete_Registry_Conficker_Entities.reg”. A .reg file is imported by the Registry Editor, and an entry written with a leading minus sign, as in the list below, deletes that registry key.
3. Right-click and select the “Edit” option.
4. Copy and paste the Conficker keys listed below –

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\APPINIT_DLLS\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\vhoinp.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\vhoinp.dll]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\vhoinp.dll]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\vhoinp.dll]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\vhoinp.dll]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\vhoinp.dll]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\vhoinp.dll]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\vhoinp.dll]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\vhoinp.dll]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\vhoinp.dll]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX\vhoinp.dll]

5. In the menu bar, go to “File” > select “Save” > then click the “X” button to close the file.
6. Double-click on the .reg file.
7. When the message box appears saying “Are you sure you want to add the information in C:\DOCUME~1\%username%\Desktop\DELETE~1.REG to the registry?”, click the “Yes” button.
8. When the message box appears saying “Information in C:\DOCUME~1\%username%\Desktop\DELETE~1.REG has been successfully entered into the registry.”, click the “OK” button.
9. The Conficker registry keys have now been deleted from your registry.
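
To check which of the registry locations listed above actually reference the DLL, before or after importing the .reg file, a read-only audit helps. The PowerShell script below is an added example, not part of the original article: it checks every listed location under both HKLM and HKCU (a superset of the list above) and reports subkeys and values that mention the DLL name. The function name Find-DllReference and the $DllName parameter are illustrative.

```powershell
# Added example: read-only audit of the autostart locations listed in the article.
# $DllName defaults to the file name the article uses; pass another name if yours differs.
param([string]$DllName = 'vhoinp.dll')

$subPaths = @(
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs is a value under this key
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'SOFTWARE\Microsoft\Internet Explorer\Explorer Bars',
    'SOFTWARE\Microsoft\Internet Explorer\Extensions',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

function Find-DllReference {
    param([string]$KeyPath, [string]$Name)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }   # location absent on this machine
    $key = Get-Item -LiteralPath $KeyPath
    # Subkeys named after the DLL (the form the .reg file deletes).
    foreach ($sub in $key.GetSubKeyNames()) {
        if ($sub -like "*$Name*") {
            [pscustomobject]@{ Key = $KeyPath; Kind = 'Subkey'; Name = $sub; Data = '' }
        }
    }
    # Values whose name or data mentions the DLL (Run entries and AppInit_DLLs are values).
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        if ($valueName -like "*$Name*" -or $data -like "*$Name*") {
            [pscustomobject]@{ Key = $KeyPath; Kind = 'Value'; Name = $valueName; Data = $data }
        }
    }
}

# Walk both hives; nothing is modified or deleted.
$hits = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($p in $subPaths) { Find-DllReference -KeyPath "$hive\$p" -Name $DllName }
}
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { "No references to $DllName found." }
```

Hits of kind Value are not removed by the key-deletion entries in the .reg file, so review those by hand in the Registry Editor.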

Hopefully that should do the trick for you and you can continue surfing without being bothered by Conficker again – just remember to keep your operating system fully patched and updated!

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.
