Remove Conficker.B worm

The Conficker worm is one of the more widespread these days. It is also very difficult to remove. I have found a fairly ‘simple’ solution, but it requires a few detours.

It is possible to remove the virus manually, as I described in one of my previous posts, but the catch is that you need to know exactly where the virus is ‘hiding’ (and it also requires more technical experience).

Before I present the solution, note the symptoms of the Conficker worm [1][2]:

  • Access to security related web sites is blocked.
  • Disables AutoUpdate

It blocks all (or almost all) antivirus companies and disables AutoUpdate, which is why it is very hard to remove. The real problem with using an antivirus is that you need recent definitions to be able to remove the virus.

So one of the possible solutions here is simply to use an antivirus to do the work. Luckily for those who don’t like to pay for an antivirus, there is the free Microsoft Security Essentials, which in my case did the job (you need to pass the genuine Windows check to be able to install it).

However, we still get back to the problem that all the Microsoft domains are blocked by Conficker, so we have to download it from elsewhere.

I’ve found it on Softpedia and you can download it here:

Next, we need the definitions. But because Conficker blocks the Microsoft domain, it will not be possible to download it via the usual update function. Even for this problem, there is a solution. You can download it manually (also from the Microsoft site):

You can download this on a machine that is not infected, upload it on Rapidshare, send the link via mail and open it on the infected machine. Another possibility is USB, FTP or whatever.

When downloaded, just install it and you should have your definitions up to date. Next do a “Full scan” and after a while the antivirus will probably ask you to reboot the system so that it can remove the virus.

Finally, if it succeeds, you can test it by accessing the Microsoft site (previously blocked).

Future preventions

  • You can disable the Server service (RUN: services.msc) because it is probably outdated
  • Don’t disable the Server service and just get all the latest updates (including SP3 on XP)
  • Keep the antivirus up to date


Large file sizes after compiling with Lazarus

In the previous post when I was building the WLM Uninstaller tool, my choice was to write the app in Pascal (Lazarus).

When you compile a project in Lazarus, you might end up with large executables. In my case, it was about 100 lines of code but compiled to a 12MB executable!

Luckily, I found out how to significantly compress the file. In Lazarus there is a file called strip.exe that, as the name suggests, strips the file from any unnecessary mess. The file on my installation is located in C:\lazarus\fpc\2.2.2\bin\i386-win32. You can simply use it as follows: “strip file.exe”. The file I compiled went from 12MB to 1.77MB!

A further decrease can be accomplished by using a packer like UPX (“upx -9 -o outputfile.exe inputfile.exe”). In my case this was a further jump from 1.77MB to 668kB (5.4% of the original size!).

Windows Live Messenger Uninstaller v0.01

This is the first public version of the Windows Live Messenger Uninstaller (v0.01).

What the tool does is basically remove a broken Windows Live Messenger installation. It really uses only the windows installer (msiexec.exe) to do the job combined with the CLSID of the installation that uniquely identifies the WLM version.
The symptoms might be that when you want to reinstall the application it might say that it is already installed, while actually it is not. When trying to remove it with the usual Configuration – Add/Remove software steps, it might not even appear in the list, while the setup of the WLM says it is really installed.

I decided to build this tool since there are a lot of people struggling with this problem [1][2][3][4]. All the existing solutions presented by people on these sites use the single command with a CLSID key (e.g. msiexec /x {B1403D7D-C725-4858-AACC-7E5FA2D72859}), but since the key is different for each WLM version, such a solution might only be useful if you have that exact version. It can also be done manually by changing the registry keys, but I thought this would speed up the work significantly since there might be a lot of keys to search through (the location we are talking about here is: [HKEY_CLASSES_ROOT\Installer\Products\]).
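The lookup described above, sketched as an added example (this is not the tool's Pascal source, and the function names and sample data are assumptions). Windows Installer names the subkeys under that registry location with a packed form of the product code (the GUID the post calls a CLSID), so the key name has to be converted back before it can be passed to msiexec /x:

```python
import re

# Subkeys of HKEY_CLASSES_ROOT\Installer\Products are named with the packed
# product code: 32 hex digits, no braces or dashes, digits reordered.
PACKED = re.compile(r"^[0-9A-Fa-f]{32}$")


def unpack_product_code(packed):
    """Turn a packed key name into the {GUID} form that msiexec /x expects."""
    if not PACKED.match(packed):
        raise ValueError("not a packed product code: %r" % (packed,))
    # The first three groups (8, 4 and 4 digits) are stored reversed.
    parts = [packed[0:8][::-1], packed[8:12][::-1], packed[12:16][::-1]]
    # The last 16 digits are stored with every two-digit pair swapped.
    tail = "".join(packed[i + 1] + packed[i] for i in range(16, 32, 2))
    parts += [tail[:4], tail[4:]]
    return "{" + "-".join(parts).upper() + "}"


def uninstall_commands(products, needle="Windows Live Messenger"):
    """products maps packed key name -> ProductName; returns msiexec lines."""
    return ["msiexec /x " + unpack_product_code(packed)
            for packed, name in sorted(products.items())
            if needle.lower() in name.lower()]


def read_installed_products():
    """Read key names and ProductName values from the registry (Windows only)."""
    import winreg
    found = {}
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"Installer\Products") as root:
        for index in range(winreg.QueryInfoKey(root)[0]):
            packed = winreg.EnumKey(root, index)
            try:
                with winreg.OpenKey(root, packed) as key:
                    found[packed] = winreg.QueryValueEx(key, "ProductName")[0]
            except OSError:
                continue  # subkey without a ProductName value
    return found


# Constructed sample; the first key is the packed form of the GUID in the post.
SAMPLE = {
    "D7D3041B527C8584AACCE7F52A7D8295": "Windows Live Messenger",
    "0123456789ABCDEF0123456789ABCDEF": "Constructed Other Product",
}

if __name__ == "__main__":
    for line in uninstall_commands(SAMPLE):  # read_installed_products() on Windows
        print(line)
```

The script only prints the command; review the product name it matched before running the uninstall.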

I heard of people formatting the entire hard drive because of not being able to resolve this, so I really hope this gets around and avoids a lot of headaches.

You can download this first version of the tool below.

Download binary | Download source code (pascal)

MD5 hash binary: 7525a442da4b4515c8166debfc4a4d01
MD5 hash source code: 28efa8f882c5354c6c4845393724e99a

The tool is tested on Windows 7, Vista and XP.

The tool is very simple to use. If it finds an installation it will give you the uninstall command that you can use to manually remove it. You can also press RUN and it will run the command automatically for you.

Note: This software comes with absolutely no warranty! By using this program you agree that I am not responsible for anything caused by this software whatsoever.

Future releases
If you have any comments, suggestions or bugs, please put them here in the comments. If it is useful I might add/fix it in the next release.

Currently I’m planning to build a more general remover for the Windows Live series, since there are also other components that could get broken.


Untrue descriptions on other sites linking to this page
The link to this topic is already published on several sites, but unfortunately the presented description of the tool is misleading: it says that I’m claiming to have a better tool than all the other existing solutions, which is of course not true. This is only another alternative that may solve the problem.
In my description I was only referring to the existing solutions presented on the topics and comments on these that I used as references (see above [1][2][3][4]) and not on any other existing tool that probably uses other methods.

Softpedia certification

The tool can now also be downloaded from Softpedia.

Windows Live Essentials Uninstaller
If you also want to remove other Windows Live Essentials components like Windows Live Mail or Windows Live Movie Maker, then try a similar tool that I have built called Windows Live Essentials Uninstaller. This tool can remove any component installed by Windows Live Essentials.

LaTeX MSC package error

While using the MSC (Message Sequence Chart) package (msc.sty) I couldn’t compile my document by using PDF Texify in WinEdt. With the following sample code



\declinst{m1}{Machine 1}{control}
\declinst{m2}{Machine 2}{drill}
\declinst{m3}{Machine 3}{test}




I get this error

! Undefined control sequence.

I don’t know why exactly this happens, but the error suggests that it probably calls a command that doesn’t exist. Anyway, a quick fix (in WinEdt – MikTeX) is to do the following:

  1. LaTeX compile it (Shift+Ctrl+L).
  2. Then convert the .dvi file to .ps with DVIPS.
  3. Finally use PS2PDF to get the PDF.

Any other suggestions are welcome.

Realtek High Definition Audio not recognized on Windows 7

Overall, old drivers like Windows XP drivers are well supported on Windows 7. But as usual, not everything goes always as planned.

In this case I had to fix a sound card that was not working. To be more specific, it was a Realtek High Definition Audio onboard sound card. The card was just not recognized by Windows 7, while it was when I was running XP on that same machine. And this was very strange.

My situation was fixed with a really simple fix. You might try the following:

1. Start your computer and enter your BIOS by directly pressing F1 (or F10 or any other key depending on your machine)

2. Go to the advanced menu or somewhere where you can see Onboard Audio.

3. You might now have 3 options to choose. Disabled, Enabled and Automatic.

4. If it is set on Automatic then change it to Enabled and start Windows as usual.

5. If you’re lucky Windows might now recognize the driver and even directly install it. 🙂

If the above doesn’t work for you:

  • Try my alternative solution here.
  • You can try installing the driver by downloading the Realtek HD Audio driver for Windows 7 from the official site.
  • In some cases you might also need to install the chipset drivers for your motherboard.
  • You can also try deleting the current audio drivers and reinstalling them.

Windows 7 Update Settings Disabled

Strange things happen. So is it in this story, in the world of the new Windows 7 (which is quite an improvement after Vista but we all know that).

So on a nice shiny day, a nice update comes in, and the part that bothers me the most is when it installs automatically without my approval. Then just change the settings, I thought. But you might be as surprised as I was when I saw that this option was simply greyed out, which was of course even more bothersome.

Windows 7 Update Settings

Anyway, the solution is quite simple as was in one of my previous posts with getting rid of that Officepluginres error message. You just fire up your registry editor and go to the following key:


Then you’ll find a key named AUOptions. You can change these values to 1..5 which represent the following options (the first four do grey out the option box in my case):

1: Download updates but let me choose whether to install them
2: Check for updates but let me choose whether to download and install them
3: Download updates but let me choose whether to install them
4: Install updates automatically
5: Enable the option box to choose manually

When you change it to 5, it will enable the option box and let you choose manually. There might be some other tweaks on this by changing the Group Policy, but this quick fix should also do the work.

AUOptions setting in Registry Editor

Bosnian alphabet characters in LaTeX

While working on a document in LaTeX I had to insert a specific character which I was not able to find in WinEdt. Wiki was only of temporary help because it showed only the LaTeX code for the character č and not ć, which I actually was looking for. After googling a lot more than I initially thought I would need, I found the trick by using \v{c} and puzzled out the rest by myself.

Anyway, I thought it would be helpful to post all of the Bosnian special characters in one neat table. So here it is.

You can also download this nice PDF if you need it locally for a quick reference.

Bosnian description:
The table below shows all of our letters, with the LaTeX code in the adjacent
column. In two cases, for the letters đ and Đ, an additional package has to be
installed because these letters are not supported by default (at least that is
currently the case for me). In any case, this will give the desired result.

All of this content can be found in this PDF.

Made my contribution to the Bosnian wikipedia. 😀


How to remove rootkit/spyware Virtumonde

You can read a lot about antivirus and antispyware software failing to catch up with the explosive growth of viruses that are surrounding the net. For the first time, I saw all the software really failing to remove a virus, even if it knew that it was there.

My first encounter with the spyware was a few weeks ago (on a machine that was not my own). I lost an entire day searching for a remedy, which resulted in nothing. My first try was to just do a basic scan with the available software (NOD32 and SpyBot), which detected the virus but couldn’t do anything to remove it. Trying in safe mode was the obvious next step. I was surprised to see that Virtumonde even loaded in safe mode, and therefore I couldn’t remove it. Then I began my search on the net with the hope of finding some quick solution (time is precious). After hours of trying to stop it from starting, various Virtumonde “fixes”, and other antivirus and spyware software, it ended in nothing.
I was really determined not to surrender to this nasty piece of software, and therefore I had one last hope: isolate XP, and remove the damn thing manually. So I booted a mini version of XP from Hiren’s Boot CD, with which I hoped to remove Virtumonde while it wasn’t active. I located the files and registry keys in advance (which I got by scanning with SpyBot). And finally, when I deleted the files, removed the registry keys and booted up the machine, the virus was eliminated! 😀

To sum things up, the spyware is nasty, really nasty. Haven’t seen any other spyware that was more persistent than this. If you get infected by something like this, you end up either formatting your drive or do it manually like I did. There may be other, maybe easier ways, to overcome this problem, but here’s one solution that worked for me:
1. Scan the system with SpyBot and locate the files that it found
2. Delete them with SpyBot and reboot the system
3. Boot mini XP with Hiren’s boot CD
4. Now go to the windows system folder (or there where the files were reported), and sort the files by modification date. Because we deleted the files in step 2, the virus should have recreated itself again. So this is a quick way to identify all the files, since these are the last created ones.
5. Remove these files and any other files that were reported in step 1
6. Reboot the system and do a final scan with spybot, to make sure it is completely removed
7. You should be very happy now. 😀
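Step 4 can be scripted from the rescue environment instead of sorting by eye. The following is an added example, not something used in the original cleanup; the function names and the command-line layout are assumptions. It lists the files in one folder that changed after a cutoff time, hashes each one so there is a record before deletion, and marks whether the step 1 scan had already reported the file name:

```python
import hashlib
import os
import sys
import time


def sha256_of(path):
    """Hash in chunks so large DLLs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def recently_modified(folder, since_epoch, reported=()):
    """List regular files in folder changed at or after since_epoch, newest first.

    reported holds the file names from the step 1 scan; each result says
    whether the scanner already knew the file.
    """
    known = {name.lower() for name in reported}  # Windows names ignore case
    rows = []
    for entry in os.scandir(folder):
        if not entry.is_file(follow_symlinks=False):
            continue
        mtime = entry.stat(follow_symlinks=False).st_mtime
        if mtime >= since_epoch:
            rows.append({"name": entry.name, "mtime": mtime,
                         "sha256": sha256_of(entry.path),
                         "reported": entry.name.lower() in known})
    # Modification times can be set by whatever wrote the file, so treat the
    # list as leads to check, not as a complete inventory.
    return sorted(rows, key=lambda row: row["mtime"], reverse=True)


if __name__ == "__main__":
    # Usage: script.py <offline system folder> <hours back> [reported names...]
    folder, hours = sys.argv[1], float(sys.argv[2])
    for row in recently_modified(folder, time.time() - hours * 3600, sys.argv[3:]):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(row["mtime"]))
        flag = "reported" if row["reported"] else "NEW"
        print(stamp, row["sha256"], flag, row["name"])
```

Files marked NEW are the ones that appeared after the step 2 deletion without being in the scanner's report, so they deserve a closer look before step 5.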

Unable to load OfficePluginRes.dll

Haven’t seen many solutions on the net about this, so here’s my own workaround.

There are some “addins” that are used by all Office programs, and apparently the Contribute plugin somehow got broken on my system.

The error while starting any of the office programs might look something like this:
“Unable to load OfficePluginRes.dll. Contribute may not be installed properly.”

The fix is to disable the loading of this addin by simply doing the following:
1. Run regedit
2. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\
3. Pick your program where the error occurs (in my case Outlook)
4. Open: Adobe.Contribute.OfficePlugin
5. The DWORD value “LoadBehavior” should be set to 3. Change it to 0.

This should be a quick fix to get rid of that nasty message.


Welcome everyone!

This blog is a continuation of the previous blog I had on I created this blog mainly for own purposes, but it might as well suit yours.

All comments/suggestions are welcome on any topic you find here. You can also contact me via mail.

Enjoy your stay.