Saturday, July 4, 2009

Tips & Tricks to Eradicate the Kido Worm

Jakarta - The 'Conficker.DV' virus uses a distribution method that differs from its predecessors. This capable virus tries to access the network through the Windows 'Default Share' weakness (ADMIN$\system32) using the administrator password.

In addition, 'Conficker.DV' also creates a file on removable media such as flash drives, hard drives and card readers, saving it as a hidden file in the root of the drive.

Its other action is the same as its predecessors: it tries to exploit the MS08-067 security hole in the Windows Server service (SVCHOST.exe). Many users are infected because they have not enabled the Automatic Updates feature and have not applied the Windows patch for MS08-067.

If this is your situation, here are 7 short steps from Vaksincom virus analyst Adi Saputra to eradicate the 'Conficker.DV' virus, as received by detikINET on Wednesday (28/1/2009):

1. Disconnect the computer that is to be cleaned from the network / internet.
2. Turn off System Restore (Windows XP / Vista).
3. Stop the virus that is active in the services. Use the removal tool from Norman to clean the active virus. If you do not have it, it can be downloaded from the Norman site.
4. Delete the fake svchost.exe service that the virus planted in the registry. You can search for it manually in the registry.
5. Delete the scheduled task created by the virus (C:\WINDOWS\Tasks).
6. Remove the registry strings created by the virus. To make this easier, you can use the script below:

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Show hidden and protected files again and set the listed services to Automatic (Start = 2).
; 0x00010001 is the AddReg flag for a REG_DWORD value.
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SYSTEM\CurrentControlSet\Services\Bits, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\ERSvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0x00010001,2

; Remove the registry values created by the virus.
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\applets, ds
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\TCPIP\Parameters, TcpNumConnections

Type the script in Notepad, then save it with the name 'repair.inf', setting 'Save As Type' to 'All Files' so that no error occurs. Run repair.inf by right-clicking it and selecting Install.

Meanwhile, for files that are active at startup, you can disable them via 'msconfig' or delete them manually from the string: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

7. To clean the W32/Conficker.DV virus optimally and prevent re-infection, you should use an up-to-date antivirus that detects this virus well, and patch your computer with the official patch from Microsoft.
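To confirm that step 6 took effect, the registry values handled by repair.inf can be read back afterwards. The following read-only PowerShell check is an added example, not part of the original article or the Vaksincom script; the function name Get-RegValue and the wording of the output are assumptions made for illustration.

```powershell
# Added example: read-only audit of the registry values that repair.inf touches.
# Run from an elevated PowerShell prompt on the cleaned machine; it changes nothing.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$adv      = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$applets  = 'Software\Microsoft\Windows\CurrentVersion\Applets'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Values written by the [UnhookRegKey] section, with the data it sets.
$expected = @(
    @{ Path = "HKCU:\$adv";                       Name = 'Hidden';       Data = 1 },
    @{ Path = "HKCU:\$adv";                       Name = 'SuperHidden';  Data = 1 },
    @{ Path = "HKLM:\$adv\Folder\Hidden\SHOWALL"; Name = 'CheckedValue'; Data = 1 },
    @{ Path = "$services\BITS";                   Name = 'Start';        Data = 2 },
    @{ Path = "$services\ERSvc";                  Name = 'Start';        Data = 2 },
    @{ Path = "$services\wscsvc";                 Name = 'Start';        Data = 2 },
    @{ Path = "$services\wuauserv";               Name = 'Start';        Data = 2 }
)

# Values removed by the [del] section; none of them should remain.
$deleted = @(
    @{ Path = "HKCU:\$applets"; Name = 'dl' },
    @{ Path = "HKCU:\$applets"; Name = 'ds' },
    @{ Path = "HKLM:\$applets"; Name = 'dl' },
    @{ Path = "HKLM:\$applets"; Name = 'ds' },
    @{ Path = "$services\Tcpip\Parameters"; Name = 'TcpNumConnections' }
)

$findings = @()
foreach ($e in $expected) {
    $actual = Get-RegValue $e.Path $e.Name
    if ($null -eq $actual) {
        # A missing service key can simply mean this Windows version lacks the service.
        $findings += '{0}\{1} is missing' -f $e.Path, $e.Name
    } elseif ($actual -isnot [int] -or $actual -ne $e.Data) {
        $findings += '{0}\{1} = {2}, expected DWORD {3}' -f $e.Path, $e.Name, $actual, $e.Data
    }
}
foreach ($d in $deleted) {
    if ($null -ne (Get-RegValue $d.Path $d.Name)) {
        $findings += '{0}\{1} is still present' -f $d.Path, $d.Name
    }
}
if ($findings.Count -eq 0) { 'All values match what repair.inf sets.' } else { $findings }
```

A value that reappears after a reboot indicates the virus is still active, so the earlier steps need to be repeated with the machine kept off the network.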
