Tuesday, 05 May 2009

8 Tools Conficker Killer

The Conficker virus, also known as Kido or Downadup, has certainly become a familiar name to all of us in 2009. It is a worm whose spread has been tremendous and which has a very serious impact on computers on a network.

Security vendors are now racing to release tools, each claiming to be the best and most powerful at eradicating Conficker.

Below are the symptoms and the types of tools:

Conficker and symptoms

Some symptoms of a computer infected with Conficker:

!!. Cannot access security websites by domain name & cannot update the antivirus
This is one of the characteristics of Conficker. Check by accessing some security websites such as www.microsoft.com, www.norman.com and www.kaspersky.com. Compare with access to the same sites through their IP addresses: http://65.55.12.249 (Microsoft), http://195.27.181.34 (Kaspersky) and http://87.238.48.130 (Norman). If your browser cannot access a site when you type its name BUT can access it through its IP address, you can believe that the computer is suspected of being infected with Conficker (99%). Conficker does this by patching DNS queries, so access to certain names is blocked by Conficker.

!!. Shuts down and disables some Windows services.

To make infection more effective, Conficker turns off several services such as Automatic Updates (wuauserv), Background Intelligent Transfer Service (BITS), Error Reporting Service (ERSvc), Help and Support (helpsvc) and the Security Center (wscsvc).

!!. Creates and runs a new service that piggybacks on svchost.
This makes it easy to infect other computers and to download virus files.

!!. Creates a new firewall rule.
This lets Conficker get out (to infect other computers) and in (to receive new virus updates) easily. Conficker uses ports between 1024 and 10,000. If the port used by the virus is the same as one used by one of our applications, the application will be delayed.

!!. Creates Scheduled Tasks.

These are used to keep it running on the infected computer. To be optimal, Conficker creates several Scheduled Tasks that run all the time.

!!. Disables Show Hidden Files & System Restore.
This is done so that the victim cannot easily clean up the virus once it has successfully infected the computer and flash drives / external drives.

!!. Disables System Restore.
The purpose is to prevent the victim from restoring the computer to the settings it had before the Conficker infection. As we know, System Restore is a feature in Windows XP / Vista that works like a time machine: if something is installed incorrectly or the computer is infected by a virus, with only a few clicks we can restore the computer settings to the day / time before the virus infected the computer or the incorrect installation took place.
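The name-versus-IP comparison from the first symptom, as an added example (not part of the original post). The control name, function names and verdict strings are assumptions; the IP addresses are the ones quoted in the text and may no longer serve these sites.

```python
import socket

# Vendor names and the IP addresses quoted in the text above (2009 values).
VENDOR_SITES = {
    "www.microsoft.com": "65.55.12.249",
    "www.kaspersky.com": "195.27.181.34",
    "www.norman.com": "87.238.48.130",
}
# Assumption: a non-security name used as a control, to tell selective
# blocking apart from a DNS outage that affects every name.
CONTROL_NAME = "www.example.com"

def resolves(name):
    """True if the local resolver returns an address for name."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def reachable(ip, port=80, timeout=3):
    """True if a TCP connection to ip:port succeeds (no DNS involved)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(resolve=resolves, reach=reachable):
    """Return (verdict, names) for the symptom described in the text."""
    if not resolve(CONTROL_NAME):
        return "dns-down", []            # nothing resolves: not the selective pattern
    failed = [n for n in VENDOR_SITES if not resolve(n)]
    # The symptom: the name fails while the same site answers on its IP.
    blocked = [n for n in failed if reach(VENDOR_SITES[n])]
    if blocked:
        return "suspect", blocked
    return ("inconclusive" if failed else "ok"), failed

if __name__ == "__main__":
    print(classify())
```

A "suspect" verdict is a reason to run one of the removal tools below, not a confirmation; "inconclusive" means the names failed but the old IP addresses did not answer either.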


The Tools, Conficker Killer ...

Here are some of the tools that are available:

1) AVP Kaspersky Removal Tool
This tool is Kaspersky Lab's mainstay, created as a substitute for an antivirus. You can download it for free. Unfortunately, it must be installed before it can be used, so it is very difficult to use if the computer is already infected and the virus blocks the installation of security tools or applications. For Conficker / Kido, AVP already includes it in its database. The interface design is very similar to that of its antivirus. Unfortunately it is not able to repair the registry, services or the hosts file changed by the virus.

2) Norman Malware Cleaner
Compared to previous versions, this FREE tool made by Norman (www.norman.com) has progressed rapidly. It can be used as an alternative if the computer is infected with a virus, because it is able to restore the registry, hosts file and services changed by a virus / spyware. For Conficker, this tool can be used as a cleaning alternative. Unfortunately, the tool expires (± 14 days), so you will be required to download the latest version from the Norman website http://norman.com/Virus/Virus_removal_tools/24789/. The actions that Norman Malware Cleaner can perform are:
- Stopping viruses that are running.
- Cleaning viruses from file media (flash disk, hard disk, etc.), including ActiveX components and BHOs (Browser Helper Objects), which are heavily exploited by spyware.
- Finding and killing rootkits.
- Restoring registry values changed by a virus (not available in other removal tools).
- Clearing changes in the hosts file (not available in other removal tools).
- Correcting Windows Firewall rules made by the virus.

3) McAfee AVERT Stinger
McAfee users will of course be familiar with this name. Stinger, made by AVERT, was one of the pioneering virus-cleaning tools among computer users when it first appeared. Unfortunately, its development has been rather slow, so it now faces many newer competing tools. For Conficker, Stinger already includes it in its database. It still has the same simple design as before, but when it is used to eradicate Conficker it sometimes has considerable difficulty: if the virus has injected Windows system files, cleaning fails.

4) Microsoft Malicious Software Removal Tool
This Microsoft tool can be used as an alternative for virus scanning only. It can be downloaded automatically each month through the Automatic Updates feature of Windows. The file is located in C:\WINDOWS\system32 under the name MRT.exe. It offers scan options that can be adjusted to your needs. If it finds a virus active in memory, MRT will ask the user to restart. Although it can detect Conficker, the tool is only for virus scanning and does not repair the registry entries changed by the virus.

Some tools made specifically for killing Conficker are as follows:

1) KidoKiller (Kaspersky)
A tool made by Kaspersky Lab specifically for the Conficker virus. It has reached revision 3 in order to detect Conficker version C / III. Features have been added continuously so that it can detect and delete Scheduled Tasks and can restore System Restore. The advantage of this tool is that it can restore DNS queries without having to restart the computer. The tool runs at the command prompt. Unlike the Symantec tool, it scans only certain paths suspected of being infected by Conficker, so scanning is faster.

2) Fix Downad (Trend Micro)
Unfortunately, this Trend Micro tool for Conficker does not include its database / pattern in the download, so we first have to download the pattern / database. The database / pattern can also be used to scan for other viruses / worms, so it can clean up other viruses as well. Whereas other tools consist of only one file, this tool has several exe files and other files for checking the database / pattern, checking scheduled tasks, checking Windows patches, checking for the virus, checking the registry and checking services. Even though it consists of many files, we only run one bat file (batch file), which then executes the other files.

3) Removal W32.Downadup (Symantec)
True to its name, this tool was made by the antivirus company Symantec to deal with the Conficker / Downadup / Kido virus. The interface is very simple, with only Start, Cancel and About options. It has no option to choose which drive to scan. When scanning, the tool is able to kill the virus process, delete the virus files and fix the registry entries modified by the virus. Unfortunately it does not remove the scheduled tasks created by the virus, does not remove the firewall rule created by the virus and does not restore System Restore to normal. It does, however, warn the user to patch Windows immediately with MS08-067.

4) EConfickerRemover (ESET/NOD32)
ESET has also released a special Conficker tool for its users. This tool is very simple, which is fine if simple and powerful is what you are looking for. The tool can kill the virus process and delete the virus.

Some of the changes made by Conficker still need attention even after using the cleaning tools:

- Task Schedule
Delete the scheduled tasks created by the virus.

- Firewall Rule
Delete the firewall rule created by the virus.

- Registry Repair
Repair the registry entries changed by the virus (the disabled Windows services and Show Hidden Files). Create a script in Notepad, then save it as repair.inf.

[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Flag 0x00010001 writes the data as REG_DWORD.
; Hidden / SuperHidden / CheckedValue = 1 restore "Show hidden files"; Start = 2 sets a service to automatic start.
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SYSTEM\CurrentControlSet\Services\Bits, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\ERSvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0x00010001,2

; Values removed by DelReg
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\applets, ds
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\TCPIP\Parameters, TcpNumConnections
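A post-cleanup check for the registry changes that repair.inf targets, as an added example (not from Vaksincom or the original post). It parses the AddReg and DelReg entries and reports every value that still differs; the function names and the `read_value` callback are assumptions, and the DWORD flag is written as 0x00010001.

```python
# AddReg / DelReg entries of repair.inf as listed above.
REPAIR_INF = r"""
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SYSTEM\CurrentControlSet\Services\Bits, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\ERSvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0x00010001,2
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\applets, ds
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\TCPIP\Parameters, TcpNumConnections
"""

def parse_inf(text):
    """Return (expected, unwanted): values the INF sets and values it deletes."""
    expected, unwanted, section = {}, [], None
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop INF comments
        if line.startswith("["):
            section = line.strip("[]").lower()
        f = [p.strip() for p in line.split(",")]
        if section == "unhookregkey" and len(f) == 5:
            expected[(f[0], f[1], f[2])] = int(f[4])   # root, subkey, name -> DWORD
        elif section == "del" and len(f) == 3:
            unwanted.append((f[0], f[1], f[2]))
    return expected, unwanted

def audit(read_value, text=REPAIR_INF):
    """read_value(root, subkey, name) returns the data, or None if the value is missing."""
    expected, unwanted = parse_inf(text)
    findings = [f"{r}\\{k}\\{n} = {got!r}, expected {v}"
                for (r, k, n), v in expected.items() if (got := read_value(r, k, n)) != v]
    findings += [f"{r}\\{k}\\{n} still present"
                 for r, k, n in unwanted if read_value(r, k, n) is not None]
    return findings

def winreg_reader(root, subkey, name):
    """Live registry reader (Windows only)."""
    import winreg
    hive = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[root]
    try:
        with winreg.OpenKey(hive, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None
```

On a Windows machine, `audit(winreg_reader)` reads the live registry; an empty list means every value matches what repair.inf sets.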

- Clean temporary files
Clean up temporary files using Disk Cleanup, or use a cleaner tool such as ATF Cleaner.

Prevention ...
Although the virus has been cleaned, the virus / worm can still get in very easily because of the following factors:

- Autoplay / Autorun Windows
Prevent this by disabling the autoplay function. This function makes it easy for Conficker to get in and infect the computer.

- Default Windows Share
This function makes it easy for the virus / worm to get in through the network. Disable this function if it is not needed. As an alternative, if it is needed, use a computer password (both local and network) that is unique, not standard or common, and combines letters and numbers.

- Windows Patch
Always patch Windows diligently. This will prevent the virus from attacking over an internet connection. It is better still if you enable Automatic Updates.

- Install and Update Antivirus
Finally, install an antivirus and always make sure it is updated.

source: Vaksin

1 comment:

Owais said...

PowerTools Lite is yet another great option for registry scanning and cleaning. It offers a stable scanning engine which is comparatively powerful, stable and safe. The best thing is that it is very easy and free to use. http://www.macecraft.com/download/ptlite/
