This blog provides tips and tricks of the computing world. If you have any problem, feel free to mail me.

Tuesday, March 31, 2009

Beware win32 Conficker VIRUS

What Happens on April 1, 2009?

Systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. Microsoft has not identified any other actions scheduled to take place on April 1, 2009. It is possible that systems with the latest version of Conficker may be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the "peer-to-peer" updating channel in the latest version of Conficker.

On February 12, 2009, Microsoft announced a U.S. $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, in accordance with the laws of that country, because Internet viruses affect the Internet community worldwide. (source)

Once this virus infects a computer it does a number of things, including:

  • Extracts all of its files to the %System% directory with random DLL file names, which can wreak havoc on your computer.
  • Deletes the user's Restore Points.
  • Registers a service called Netsvcs.
  • Creates scheduled tasks that execute all of the DLL files.
  • Creates its own simple HTTP server on the infected computer and spreads the worm to other computers on the network through file shares.
  • Creates an Autorun.inf file in file shares to execute the worm files once the share is accessed by another computer.
  • Connects to external sites to download additional files.

Alternative names for Conficker:
  • Kido
  • Downadup
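As an added example (not from the original post), here is a small Python triage for an Autorun.inf found in a file share, the kind of lure the list above describes Conficker dropping. The sample file content is constructed, and the key names follow the documented Autorun.inf format:

```python
# Added example (not from the original post): triage an Autorun.inf copied
# from a file share and report which entries would launch code when the
# share is opened. The sample file below is constructed for illustration.

def parse_autorun_inf(text: str) -> dict:
    """Collect key=value pairs from the [autorun] section (keys lower-cased).
    Windows ignores lines it cannot parse, so junk and comment lines are skipped."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launches_code(key: str) -> bool:
    """open= and shellexecute= run on AutoPlay; shell\\<verb>\\command= runs from the context menu."""
    return key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))

def triage_autorun_inf(text: str) -> list:
    """Return findings as strings; an empty list means the file only sets icon/label."""
    entries = parse_autorun_inf(text)
    findings = []
    for key, value in entries.items():
        if launches_code(key) and value:
            how = ("rundll32 loading a DLL" if "rundll32" in value.lower() and ".dll" in value.lower()
                   else "runs a program")
            findings.append(f"{key}={value} -> {how}")
    if "action" in entries and any(launches_code(k) for k in entries):
        findings.append(f"action={entries['action']} -> AutoPlay text disguises the command")
    return findings

# Constructed sample: a junk line (skipped, as Windows does), an 'action' label
# imitating Explorer's normal entry, and an open= line that loads a DLL.
SAMPLE_INF = """[autorun]
\x01\x02 opaque junk with no equals sign, which the INI parser skips
AcTiOn=Open folder to view files
OPEN=rundll32.exe sample.dll,Start
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for finding in triage_autorun_inf(SAMPLE_INF):
        print(finding)
```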

First, you may download the Microsoft Windows Malicious Software Removal Tool.
This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft releases an updated version of this tool on the second Tuesday of each month.

The most critical and obvious protection is to make sure the Microsoft patch is applied. Network administrators can also use a blocklist provided by F-Secure to try to stop the worm's attempts to connect to Web sites.

And finally, you can disable Autorun so that a PC won't be attacked automatically by an infected USB drive or other removable media when it is connected. The Internet Storm Center links to one method for doing so, but the instructions involve changing the Windows registry and should only be attempted by administrators or tech experts. Comments under those instructions also list other potential methods for disabling Autorun.

Saturday, March 28, 2009

Prevent Virus & Malware Spreading through USB / Thumb drives

Removable USB/thumb drives use the Autorun feature to load files when the drives are plugged into the USB port. Malware exploits the Autorun feature to spread from thumb drive to PC. Disable the autorun feature to prevent malware from spreading.

  1. Windows XP Pro users: Click Start and then click Run. Type gpedit.msc and click OK. The Group Policy window will open. In the left pane, double-click Administrative Templates.
  2. In the right pane, double-click System, scroll down the list and double-click Turn Off Autoplay.
  3. In the Turn Off Autoplay Properties window, select Enabled. From the dropdown next to Turn Off Autoplay on, select All drives and then click OK. Exit Group Policy by selecting File, then choosing Exit from the menu.

  1. XP Home users will need to make the changes by editing the registry directly. To begin, click Start and then click Run.
  2. Type regedit and click OK. The Registry Editor window will open.
  3. In the left pane, navigate to:
  4. With Explorer highlighted, in the right pane right-click the value NoDriveTypeAutoRun and select Modify from the drop-down menu. The base should be set to Hexadecimal. If not, select Hexadecimal.
  5. Type 95 and click OK.
    Note that this will stop Autorun on removable/USB drives, but still allow it on CD-ROM drives. If you want to disable Autorun on both, substitute b5 for the 95. (Thanks to Ian L. of Manitoba for the tip.)
  6. Exit Registry Editor by selecting File, then choosing Exit from the menu.
  7. You will now need to reboot your computer for the changes to take effect.
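As an added example (not from the original post), this Python snippet decodes the NoDriveTypeAutoRun bitmask so you can check what 95 and b5 actually cover before typing them in. The bit meanings follow Windows' documented drive types, and the decoder handles any byte value, not just the two the steps give:

```python
# Added example (not from the original post): decode and compose the
# NoDriveTypeAutoRun bitmask so the "95" versus "b5" choice in the steps
# above can be checked. Each bit is 1 << <Windows drive type>; 0x80 covers
# drives whose type Windows cannot determine.
DRIVE_TYPE_BITS = {
    "UNKNOWN": 0x01,      # DRIVE_UNKNOWN
    "NO_ROOT_DIR": 0x02,  # DRIVE_NO_ROOT_DIR (invalid root path)
    "REMOVABLE": 0x04,    # DRIVE_REMOVABLE: USB/thumb drives, floppies
    "FIXED": 0x08,        # DRIVE_FIXED: internal hard disks
    "REMOTE": 0x10,       # DRIVE_REMOTE: network shares
    "CDROM": 0x20,        # DRIVE_CDROM
    "RAMDISK": 0x40,      # DRIVE_RAMDISK
    "UNSPECIFIED": 0x80,  # drive type could not be determined
}

def parse_reg_hex(typed: str) -> int:
    """Parse the hex digits typed into Registry Editor ('95', 'b5', '0xFF')."""
    t = typed.strip().lower()
    if t.startswith("0x"):
        t = t[2:]
    value = int(t, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is a single byte")
    return value

def autorun_disabled_on(value: int) -> set:
    """Drive types on which this NoDriveTypeAutoRun value turns Autorun off."""
    return {name for name, bit in DRIVE_TYPE_BITS.items() if value & bit}

def autorun_still_allowed(value: int) -> set:
    """Drive types the value leaves Autorun enabled on: the gap an audit should report."""
    return set(DRIVE_TYPE_BITS) - autorun_disabled_on(value)

def build_value(*drive_types: str) -> int:
    """Compose the value that disables Autorun on exactly the named drive types."""
    value = 0
    for name in drive_types:
        value |= DRIVE_TYPE_BITS[name.upper()]
    return value

if __name__ == "__main__":
    for typed in ("95", "b5", "ff"):
        v = parse_reg_hex(typed)
        print(f"{typed}: Autorun off on {sorted(autorun_disabled_on(v))}; "
              f"still on for {sorted(autorun_still_allowed(v))}")
```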

Problem getting rid of a stubborn virus? Avast BOOT TIME SCAN is here!

"I recently encountered a virus. I thought I got rid of it, but apparently it is still there. I have been looking through my files, and for the ones I don't know what they are, I delete them. However, for some of the files it says the file or folder and then says 'It is being used by another person or program'." Do you encounter the same problem? Don't worry, Avast can solve it for you. :D

Avast AV (click to download Avast; it is freeware) provides a scheduled boot scan that runs before Windows starts. If your PC is infected by a virus, try running a scheduled boot scan before Windows starts. This makes sure the virus can't load itself into system memory while Windows is starting.

To schedule a boot scan, follow the steps below:

  • Right-click on the Avast system tray icon.
  • Click on "Start Avast Anti Virus".
  • The Avast anti virus window will pop up and run a memory scan.
  • Once the memory scan finishes, right-click on the Avast anti virus window and select "Schedule Boot Time Scan".
  • The "Schedule Boot Time Scan" window will pop up; select "Scan all local disks" and check "Advanced Options".
  • For normal infected files select "Move infected files to Chest", select "No action" for system files, and press the "Schedule" button.
  • Avast will prompt you to restart to perform the boot time scan; click "Yes" to reboot and start the scan.
  • Done. Congrats! ;)