-=PCTechTalk=- The final word on Confickr/Downadup/Kido including removal instructions
- From: Gman <gman.pctt@xxxxxxxxx>
- To: "PCTechTalk Group <FreeLists>" <PCTechTalk@xxxxxxxxxxxxx>
- Date: Mon, 30 Mar 2009 15:26:32 -0400
From Windows Secrets newsletter:
How to update your PC and remove Conficker
The following steps should prevent infection by Conficker and eliminate the
worm, if your PC has it. One positive side effect is that you'll enjoy a
computer with up-to-date patches:
Step 1. Attempt to run Microsoft Update. The Conficker worm can infect
vulnerable computers merely by connecting to them remotely via the Internet.
For this reason, you should first try to patch Windows before removing
Conficker, lest your machine quickly become infected again. It's
particularly important to install Microsoft patch 958644 (security bulletin
MS08-067). This patch closes a hole in Windows' Remote Procedure Call, which
Conficker exploits.
If you can't find Microsoft Update (or the more limited Windows Update) on
your PC's Start menu, visit the Microsoft Update page on the Web. Internet
Explorer is required.
Microsoft Update might complete successfully, or you might not be able to
access Microsoft.com at all. In either case, do Step 2.
Step 2. Attempt to update your third-party security software. Having
the latest antivirus signatures will help eradicate Conficker and other
malware that may be lurking on your PC. Use your security software's menu to
manually update to the latest defenses.
Have no security software? Read the WS Security Baseline, which summarizes
the products that are currently rated the highest by respected reviewers.
• If your updated security software deems your PC to be cleaned up, but
you couldn't previously access Microsoft.com, go back to Step 1 and run
Microsoft Update.
• If you couldn't access your security vendor's site at all, do Step 3.
• If you finished both Steps 1 and 2 successfully, you should be able to
skip Step 3 and do Step 4.
Step 3 (optional). Run a standalone Conficker removal tool, if need
be. The Conficker Working Group — a coalition of Microsoft, Cisco, SRI,
F-Secure, Kaspersky, and many other security vendors — maintains a list of
certified detection and repair tools, any of which should remove Conficker.
(My thanks to Susan Bradley for her help with this tip.)
Unfortunately, most of the links in the Working Group's list are inaccessible
on a Conficker-infected PC. A victim can't even reach the Working Group's
site, because it has in its URL the string conficker, which triggers the
worm's blocking behavior.
As I mentioned earlier, security firm BitDefender has set up a new domain
from which users can download free Conficker disinfectant utilities. This
site, BDTools.net, is not currently blocked by the worm, to the best of my
knowledge. The site offers three options: (a) a free online scan; (b) a
free, downloadable Single PC Removal Tool for individual users; and (c) a
free Network Removal Tool, an .exe file that IT admins can use to disinfect
an entire LAN.
BDTools.net: Visit BitDefender's download site.
If you can't access BDTools.net or any other security site from your PC,
find a machine that isn't infected (such as a public-access workstation at a
library). Don't use a search engine to look for removal tools, some of which
are bogus. Instead, download a removal tool from the Working Group's
certified list onto a USB drive, and then use that drive to run the software
on the infected PC.
• After removing Conficker, if you couldn't previously complete Steps 1
and 2 successfully, go back now and finish those steps to update Windows and
your security software.
• Once you've completed Steps 1 and 2, do Step 4.
Step 4. Run Secunia's Software Inspector to catch missing application
patches. Third-party applications, especially media players, are more likely
to suffer from security holes than Windows itself is. The security firm
Secunia.com offers a free scan, informing you when your PC is running an
insecure version of an application that has a security patch available.
Like BDTools.net, the Secunia Software Inspector offers three options: (a)
a free online scan; (b) a free download for individual users; and (c) a LAN
utility for IT admins. Unlike BDTools' network tool, which is free,
Secunia's LAN product costs €5,000 (U.S. $6,500) per year and up, depending
on the size of your company.
To run Software Inspector, see Secunia's vulnerability scanning page.
In my opinion, everyone should use Software Inspector at least once a
month, right after installing Microsoft's patches the week of Patch Tuesday.
Step 5 (optional). Advanced users — use OpenDNS to restrict infected
PCs. OpenDNS, a San Francisco–based company, provides a free, real-time
service that prevents PCs from accessing phishing and hacker sites, among
others. Admins of small and large LANs can use OpenDNS as a Domain Name
System server.
The firm introduced on Feb. 9 a new, Conficker-specific feature. If an
infected PC on a LAN somehow evaded detection, OpenDNS will prevent it from
contacting Conficker's control servers. Best of all, admins can read a
report showing which PC tried to connect to a Conficker server.
For details, read Dan Gookin's Register article and OpenDNS's
announcement.
New instructions from the worm's author will probably make the bots disable
a PC's access to BDTools, Secunia, and many other sites that were not on
Conficker's original block list. Some security researchers have speculated
that an update to Conficker will even prevent infected PCs from installing
MS08-067.
It's best to strengthen your defenses before April 1 rather than waiting to
see what bad things might happen.
Peace,
Gman
http://www.bornagainamerican.org
"The only dumb questions are the ones we fail to ask"
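A quick triage script for the two conditions the forwarded article describes (whether the MS08-067 fix, KB958644, is installed, and whether the security sites it names still resolve on the PC), written here as an added example and not taken from the newsletter or the list; it assumes a Windows PC with PowerShell 3 or later and uses www.example.com as an assumed control name.

```powershell
# Added example, not from the newsletter or the list post. It reports whether
# KB958644 (MS08-067) is installed and whether the sites the article names
# resolve. Failed lookups of security sites on a PC that can otherwise reach
# the network is the blocking symptom the article attributes to the worm.

function Test-Ms08067Patch {
    # Get-HotFix lists installed updates by KB id. A later service pack that
    # supersedes KB958644 may not list it, so $false means "verify manually",
    # not "definitely unpatched".
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Test-SecuritySiteResolution {
    param(
        # Sites named in the article; add your own security vendor's site.
        [string[]]$Hosts = @('www.microsoft.com', 'bdtools.net', 'secunia.com'),
        # Assumed control name unrelated to security, so a total network
        # outage is not mistaken for selective blocking.
        [string]$Control = 'www.example.com'
    )
    foreach ($h in (@($Control) + $Hosts)) {
        $ok = $false
        try { $ok = [bool][System.Net.Dns]::GetHostAddresses($h) } catch { }
        [pscustomobject]@{ Host = $h; Resolves = $ok; IsControl = ($h -eq $Control) }
    }
}

function Get-ConfickerTriageReport {
    $patched   = Test-Ms08067Patch
    $dns       = @(Test-SecuritySiteResolution)
    $controlOk = [bool]($dns | Where-Object { $_.IsControl }).Resolves
    $blocked   = @($dns | Where-Object { -not $_.IsControl -and -not $_.Resolves })

    [pscustomobject]@{
        Ms08067Installed        = $patched
        NetworkUp               = $controlOk
        # Control resolves but one or more security sites do not: the
        # selective pattern the article describes. Follow Steps 1-3 above.
        SelectiveBlockSuspected = ($controlOk -and $blocked.Count -gt 0)
        BlockedSites            = @($blocked | ForEach-Object { $_.Host })
    }
}

Get-ConfickerTriageReport | Format-List
```

A clean, patched PC should report Ms08067Installed true (or a superseding service pack), NetworkUp true and an empty BlockedSites list; anything else points you back to the relevant step above.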
---------------------------------------------------------------
Please remember to trim your replies (including this sentence and everything
below it) and adjust the subject line as necessary.
To subscribe, unsubscribe or modify your email settings:
http://www.freelists.org/webpage/pctechtalk
To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
http://www.freelists.org/archives/pctechtalk/
To contact only the PCTT Mod Squad, write to:
pctechtalk-moderators@xxxxxxxxxxxxx
To join the PCTableTalk off-topic group, send a blank email to:
pctabletalk+subscribe@xxxxxxxxxxxxxxxx
---------------------------------------------------------------