Kk.exe Conficker
In my I have talked about how to manually clean and remove the downadup worm. I wrote that article back in March, 2009 when new variants of downadup started to appear in which antivirus venders haven't yet developed definitions for. However, since mid-April I havent personally encountered any new or unique variants of downadup.
I started to do a quick evaluation of almost all the conflicker removal tools listed here:The tests were made on infected live machines and networks. The results I have found are:The best downadup detection tool:Mcafee Conficker Detection Tool:This program ROCKS! The only two products from Mcafee that I would recommend every enterprise to have: Secureweb and Mcafee Conficker Detection Tool.The detection tool requires no installation, very easy to use and extremely fast. I have been using this tool since April after Mcafee fixed a bug in it. Every business that I have recommended the tool to them have highly praised it and love it so much.The best downadup removal tool:I have found that the is the best so far.
It requires no installation and no reboot for removal. It is very fast and effective. It has worked with different variants that I have come across offline. The quickest way to know if a Win 2k, 2k3, XP, Vista or 2k8 machine is infected regardless of the conflicker variant (even if it was a user-mode rookit - such rootikit only hides the dll file and its service key), is by running this command-line:reg query 'HKEYLOCALMACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvcHost' /v netsvcsI use a batch file to do this. Based on the results, you can then detemine the randomly generated name of the windows service of the infection. It is usually found at the end of the list. If there is no randomly named service listed then most likely conficker is not there.Another quick way to determine if conficker exist, is by running gmer.
The results of the quick scan that gmer runs when starting would show that C:windowssystem32svchost.exe is hidden and highlighted in red. But at the end, you will need to know the service name associated with conficker by going through the netsvcs list.2. End process of the svchost.exe associated with netsvc, by using tasklist /svc and taskkill pid3. Browse to the following registry key:HKEYLOCALMACHINESYSTEMCurrentControlSetservices abcdeYou may not view the contents of the key since the permissions were removed by the infection.right-click the abcde key permission add everyone select full control ok F5 to refresh go to the parameters key and take not the path of the dlle.g. C:windowssystem32 wxyz.dll4. Use to reset policies that were added by the worm, such as disabling viewing system files.5. Look for the dll file located at C:windowssystem32right-click the dll file properties uncheck read-only ok then delete the file.
If the file cannot be deleted try stopping the service first.In case you cannot find the file, you will need to use gmer and browse for the file from the files tab. Then use the delete button on the right.6. Use the following command-line to delete the service:sc delete abcde7. Reboot the computer8. You can create a batch file to restore the following windows services:sc config wscsvc start= autosc config winDefend start= autosc config wuauserv start= autosc config BITS start= autosc config ERSvc start= autosc config WerSvc start= autosc start wscsvcsc start WinDefendsc start wuauservsc start BITSsc start ERSvcsc start WerSvc9. Finally, make sure the machines has the latest recommended updates from microsoft:The most important is that kb958644 is installed.A. FOR HJT HELPERSCategorizing the rootkit detection and removal method is solely based on my personal opinion.
I will appreciate any feedback or reports of inaccuracies, fallacies, found in this article:abuibrahim 0 AT gmail DOT comImportant Guidelines Before Removing a Rootkit if a rootkit is found on a machine:1. Backup all important data, emails, documents, etc.Þ this is just for safety measures. Removing a rootkit can cause system instability and a antirootkit software may sometimes remove a system file along with the rootkit. This step is particular important when using automatic tools for rooktit detections and removal.2. Disconnect from the internet3.
Close down All Scheduling/Updating + Running Background tasks etc.4. Disable real-time monitoring programs5. When scanning for a rootkit, do not use the computer at all6. Use 2 or more rootkit scannersÞ Never rely on the results of one anti-rootkit software. Rootkits uses different technologies for hiding and no single anti-rootkit can find all rookit techniques.Methods of Detecting and Removing Rootkits:1. Automatic Detection and Removal2.
Semi-automatic Detection and Removal3. Manual Detection and Removal4. Advanced Detection and Removal1) Automatic Detection and Removal:Tools that automates the process of detecting a rootkit and removes them. Minimal skills are required to uses these tools.Examples:1. F-secure online scan:2. AVG antirootkit3.
Trend-micro Rootkit Buster4. Panda Antirootkit5. Avira Antirootkit6. Mcafee Rootkit Detective7. Sophos AntirootkitDisadvantage of using these Automated tools:1. Highly unstable software.
Have used it once at the rootkit revelations forum and it destroyed windows beyond repair2. Highly unpredicatable - they sometimes report that they remove a rootkit and they actually did nothing3. Highly unreliable - cannot find rootkits that use newer techniques.The automatic tools are good though if you are removing the most popular or classic rootkits such as pe386.2) Semi-automatic Detection and Removal:- For more experienced users- You will need to distinguish rootkits from false positives- Such tools will highlight entries that are predicted to be rootkits. For example Icesword and GMER will highlight services and processes that are rootkits. RKunhooker will tag what are hidden.Examples:1. Rootkit Unhooker4.
RootRepealDetection and Removal are split into two ways:1. Rookits that use drivers (more common):- Two important indicators are: hidden service, and rootkit files.Rootkit files can be found at processes list (ex. Icesword), SSDT list (ex Icesword), rootkit file scan (ex. GMER), rootkit file browsing (ex. Darkspy) or from the service image path in the registry.- Rootkit Removal steps:Step1: Stop or Disable ServiceStep2: End executable process(s)Step3: Delete service and related files2.
Rootkits that use inline hooking or DLL hooking such as Vanquish (less common):- One important indicator: presence of a dll fileThe dll file can be found by two ways: 'Code Hook' scan using RKunhooker (recommended), the other way is doing a full file scan using GMER or any other anti-rootkit toolNote: GMER and Icesword do not automatically find these kind of rookits. Only when a full file scan is performed or rootkit file browsing, some hidden files may appear.Also- Removal steps:Step1: perform 'Code Hook' scan using RKunhookerStep2: highlight all entries related to culprit dll file and click 'unhook selected'Step3: End executable related process(s) if applicable (ex. Vanquish.exe)Step4: Delete dll and related files3) Manual Detection and Removal:¨ Manual Detection Tools:1. Rootkit Hook Analyzer3. SysprotFor how to know if there is a rootkit present in the rootkitrevealer results:To know how to intepret rootkitrevealer logs:¨ Manual Removal Methods:1. Manually deleting files in safe mode» given that the rootkit does not use SafeBoot keys to be hidden in safe mode as well2. DOS commands» may or may not work.
HackerDefender can be completely deactivated and cleaned up using this methodsuch as:Sc stop RKserviceSc delete RKserviceNet stop RKserviceREG DELETE RKregpath3. Manual Removal ToolsExample:- Delete on reboot using killbox- Avenger- CombofixIn combofix the rootkit:: directive is not always needed. I found that file::, driver:: and killall:: are enough with most rootkits I have encountered.4) Advanced Detection and Removal:1. Slaving hard-drive to another computer and perform a normal anti-virus scan2. Using a Bootable CD-ROM such as BartPE and UBCD4Win3.
Offline file comparisons:MBR Rootkits:- Detection: seeas you can observe the presence of the phrase: ' DeviceHarddisk0DR0 ' any where in a GMER log is an indication of an MBR rootkit regardless of its variant. Sony icd-p620 manuale. However, you may need to verify first that changes done to MBR is not perfomed by a legitimate application such as acronis.- Removal:1. Windows Recovery Console:Windows XP/2k: fixmbrWindows Vista: bootrec.exe /fixmbr2. Stealth MBR rootkit detector 0.2.2 by Gmer:3. ESET Mebroot Remover:Recommended readings:A. FOR HJT HELPERS ONLY.When replying to a hijackthis log either it is a practice log or a live log, you will need to do the following actions in order:1.
The first thing is to make sure that hjt log posted is not an attachment. Do not open the log attachment. Ask the OP to copy and paste the logfile into a new post. A lot of forums have policies that the OP's should post the contents of the log file and not attach files unless requested to do so.2. If the user posted an unreadable log or one with spaces in between the entries, have them rescan with HijackThis and when notepad opens, go to 'Format' and uncheck 'Word Wrap.' Otherwise this will waist a lot of time for helpers to read the logfile.3.
Kk.exe
Make sure:- that hijackthis program used is the latest version- the log file is not cut-off (incomplete log)- hijackthis is not running from a temporary folder- the date stamp of the log file is not more than a week old. You can ask the OP to post an updated logfile- the OP is authorized to remove files from the company PC- the OP is not being helped at another forum for the same log4. Do not assist the OP at all if p2p programs are found within the log or mentioned anywhere by the OP. Request the OP to remove all the P2P programs before proceeding with the cleanup or advising any further instructions.5. If there is any hints from the OP posts/log, or doubt that the OP may not be using a legitimate windows copy, then ask the OP to download and run the MGA diagnostics tool from microsoft to verify that the windows copy is valid. The tool can be downloaded from here:If the windows copy is not legitimate, the thread should be locked immediately. The thread will also be locked if the OP has any cracks or warez to any other commercial software.Hints of non-legitimate copies could be: wgatray.exe process is running.
Or If the OP has a very old service pack, like XP no-SP, XP SP1, Vista no-SP, Win 2k SP3. However, XP SP3 is relatively new so an OP with XP SP2 only should not raise an alarm.6.
If two or more antivirus programs are found, then ask the OP to uninstall one of them. Two antivirus programs are enough to make the computer unusable. So ask the OP to do so before or within the same post when providing malware removal instructions.7. If the OP is infected with a malware, then It is a good practice to double-check if the malware is a backdoor+password stealer. In this case you will have to inform the OP about the compromise and to change passwords, contact banks, etc.For more information about this, please see:8. If there is no firewall or anti-virus and the OP does not have a serious infection. Then ask the OP to download, install, update and scan the computer before posting any removal instructions.
However, if the OP has by definition a worm, a virus, backdoor, malicious keylogger, botnets, or an unknown malware that uses a service, then it is better to install the anti-virus after removing the malware. Viruses in particular are known to either disrupt, infect or delete anti-virus software especially if they aren't installed yet.9. If the OP has any of the protection programs listed, then ask the OP to temporarily disable the real time protection tools when providing instructions for malware removal. Once the malware is removed, remember to re-enable the protections tools. An exception to this is when the malware removal procedure is done in safe mode.10.
Once all of the above is cleared, then you can post removal instructions in any form that is applicable, using online scans, manually deleting files, hijackthis fixes, combofix, etc.
Kk.exe Kaspersky
Automatic actionBased on the of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.NoteDownadup makes use of random extension names in order to avoid detection. During disinfection, Scanning Options should be set to:. Scan all filesRemoval Tool: F-DownadupSpecific tool with heuristics for Downadup worm variants:. This is a command line tool. Please read the text file included in the ZIP for additional details. Note: Some variants of the Downadup worm attempt to block execution of F-Secure malware removal tools. If the downloaded tool does not work, please rename the file.
Example: from 'f-downadup.exe' to 'file.exe' or 'explorer.exe'. Then try running the tool again.Microsoft Help and SupportKnowledge Base Article 962007 provides numerous details for manual disinfection of Conficker.B (alias Downadup):. Suspect a file is incorrectly detected (a False Positive)?A is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:.Check for the latest database updatesFirst check if your F-Secure security program is using the, then try scanning the file again.Submit a sampleAfter checking, if you still believe the file is incorrectly detected, you can of it for re-analysis.NOTE If the file was moved to quarantine, you need to before you can submit it.Exclude a file from further scanningIf you are certain that the file is safe and want to continue using it, you can by the F-Secure security product.Note You need administrative rights to change the settings.