Remove Virus Downadup.C , Conficker , Kido

Seperti yang kubahas di Microsoft vs Virus Downadup, Conficker, Kido tentang saling serang antara virus worm downadup, conficker, kido dengan Microsoft dengan beberapa perusahaan antivirus dan security. Dan Varian Virus Downadup.C , Conficker , Kido tentang munculnya varian baru virus downadup, conficker, kido yang ditemukan oleh beberapa perusahaan antivirus terkemuka.

Maka disini akan kami bahas, cara me remove varian dari virus ini yang dapat kita lakukan, walaupun untuk menuju remove yang benar-benar bersih masih dalam penyelidikan perusahaan antivirus terbesar terutama symantec

REMOVAL  BY SYMANTEC

1. Disable System Restore (Windows Me/XP).

When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

2. Update the virus definitions.

Running LiveUpdate, which is the easiest way to obtain virus definitions.

3. Find and stop the service.

1. Click Start > Run.
2. Type services.msc, and then click OK.
3. Locate and select the service that was detected.
4. Click Action > Properties.
5. Click Stop.
6. Change Startup Type to Manual.
7. Click OK and close the Services window.
8. Restart the computer.

4. Run a full system scan.

Start your antivirus program and make sure that it is configured to scan all the files. Run a full system scan. If any files are detected, follow the instructions displayed by your antivirus program. After the files are deleted, restart the computer in Normal mode and proceed with the next section. Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following :
Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

..

5. Delete any values added to the registry.

1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to and delete the following registry subkeys :
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 1]
   • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 1]
5. Navigate to and delete the following registry entries:
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\”[RANDOM CHARACTERS]” = “rundll32.exe “[RANDOM DLL FILE NAME]“, [RANDOM PARAMETER STRING]“
   • HKLM\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\”ImagePath” = “%System%\svchost.exe -k netsvcs”
   • HKLM\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\Parameters\”ServiceDll” = “[PATH TO THE THREAT]“
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\”[WORD 1][WORD 2]” = “[BINARY DATA]“
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\”[WORD 1][WORD 2]” = “[BINARY DATA]“
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\”[WORD 1][WORD 2]” = “[BINARY DATA]“
   • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\”[WORD 1][WORD 2]” = “[BINARY DATA]“
   • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\”[WORD 1][WORD 2]” = “[BINARY DATA]“
   • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\”[WORD 1][WORD 2]” = “[BINARY DATA]“
6. Restore the following registry entries to their previous values, if required:
   • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”Windows Defender”
   • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
   • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
7. Exit the Registry Editor.Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.