After checked it with this small tools memory checker finally I found the problem, my computers infected with Conficker.B Variant, It’s really funny when commercial antivirus say my computer clean.. LOL..

The Conficker.B variant a little strange, I still can open Microsoft website. The important key to sense if your computers infected is if your computer run slow than usual. Check with that small memory tools and you may find something

How to to remove Conficker.A and Conficker.B Variant

I’m to lazy for writing manual step, because conficker has to many variant I won’t you blame me if some conficker variant manual removal won’t work for yourself. Just download this conficker removal tools and before run it make sure you’re disconnected from any local network or Internet. There is fourth (4) step you have to follow using this tools.

After you kicked out this conficker you should update your computers security!!! It’s to prevent this worm back and anoying you once again. This really happen to me when I’m to lazy for update my windows the virus back again in just 1 hours haha..

Have a nice day everyone

1. Kaspersky AVP Removal Tool

Download Here

2. Norman Malware Cleaner

Download Here

3. McAfee AVERT Stinger

Download Here

4. Microsoft Malicious Software Removal Tool

You can get this program free by updated your windows, this tool location on %systemroot%\WINDOWS\system32\MRT.exe

5. KidoKiller (Kaspersky)

Download Here

6. Fix Downad (Trend Micro)

Download Here

7. W32.Downadup Removal (Symantec)

Download Here

8. EConfickerRemover (ESET/NOD32)

Download Here

After using this tools you might need to do a little manual modification to make sure your system 100% safe from this shit.

1. Deleted all scheduled task has been made by virus.

2. Deleted all firewall rules has been made by virus.

3. Install this repair.inf

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0×00000001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0×00000001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0×00000001,1
HKLM, SYSTEM\CurrentControlSet\Services\BITS, Start, 0×00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\ERSvc, Start, 0×00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0×00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0×00000002,2

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, TcpNumConnections

4. Clean all temporary files.

5. Checks your hosts file.

Good luck!!

First before we remove this worm, to prevent it’s spreading in networks and infected many computers please follow this step.

• Install Patch from Microsoft for MS08-067, MS08-068, and MS09-001.
• Make sure Administrator password not easy to guess.
• Turn off autoplay on removable devices.

Follow this step to remove Kido

1. Download KKiller_v3.4.3.zip, extract it.

2. Run KKiller.exe program. When scan process completed you might see many command prompt in your desktop, just press any key to close it. If you want to close it automatically please use parameter “-y”

3. Wait untill scan process completed, then restart your computer and scan it again with your trusted AntiVirus.

Good Luck

How to detect if your computer infected by conficker? There many sign like…. Error message Generic Host Process, You can’t access some important site ex: www.microsoft.com,  www.symantec.com,  www.norman.com,  www.clamav.com,  www.grisoft.com,  www.avast.com, etc. You can’t update your antivirus, Many application not working like usually specially network application, and many more sign.

This virus created with UPX compression with size 162kb, You might get trouble when try to killed this virus process because it’s (again) using lame technique by running .dll files following fake svchost.exe file. Virus is not automatically active, it will starts download some images files and created temporary files then building himself (again) LAME! *lol*

Once virus build completed it will starts to disabled some windows services, Virus will blocking any string he found on each active application, here is the list:

Ccert.
sans.
bit9.
windowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
nod32
f’prot
jotti
kaspersky
f’secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus

wow, they all killed by one shoot hahaha *lol* lame technique (again) virus will try download and executed some images files from some website, I want to giving site list in here but I think you will get bored when read it so let’s skip this! Virus will make firewall rule that can make your computer attacked from outside and totally control your computer (scary…. some people know this as botnet).

Virus Spreading:

1. Brute force default share administrator account (There is dictionary).
2. Lame autorun.inf and hidden file on recycler folder (mostly on each drive with hidden attributes)
3. SVCHOST.exe exploited (that’s why there is microsoft update).

Alright enough, before you guy’s really get mad here is the 7 simple steps to remove conficker:

1. Unplug every computers from network.

2. Deactivated system restore service (XP/Vista)

3. Kill active virus in background service, you can use Norman Malware Cleaner. (Since this virus using UPX compression, the easiest way to detect it is by using Ansav Utility and killed any UPX packet in background)

4. Delete fake SVSHOST.exe in registry.

5. Delete “Schedule Task” that virus created (%systemrot%\WINDOWS\Tasks)

6. Repair your registry using code below or download repair.inf

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0×00000001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0×00000001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0×00000001,1
HKLM, SYSTEM\CurrentControlSet\Services\BITS, Start, 0×00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\ERSvc, Start, 0×00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0×00000002,2
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0×00000002,2

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, TcpNumConnections

*NOTE: For files active on startup you can disabled it from msconfig or using hijackthis or deleted it manually in registry “HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

7. Scan with your best and updated antivirus to stop virus coming back in the future, and update your computer with this patch http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

99. Pay me (joke)

Good luck