Virustotal
What it does to your computer:
- Starts with Windows.
- Copies all files from the USB drive to a Rotinom folder on drive C:, reducing its free space.
- Infects USB or external drives. Hides all folders and replaces them with shortcuts.
Notice the difference in the icons.
Changes in the registry:
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: Startup
Value: C:\Users\admin\AppData\Local\Start
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Name: Startup
Value: C:\Users\admin\AppData\Local\Start
Manual Removal Instruction:
- Since TaskMan is not disabled, we can use it to terminate update.exe.
- Navigate to "%LocalAppData%\Start" and delete update.exe
- Search for the Rotinom folder. The easiest way to do that is to search using Everything.
- Delete the folder. Also delete its parent folder. Empty your Recycle Bin.
Cleaning USB and external drives:
- Delete all files associated with Rotinom: all *.exe files with a folder icon, and also the Usb 2.0 Driver folder.
POST:
- Scan with an updated Antivirus/Antimalware.
- Unhide files and folders at the CMD prompt.
ATTRIB -S -H /S /D
- Repair the registry. Replace the value indicated in blue.
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: Startup
Value: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Name: Startup
Value: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu
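The indicators listed in this write-up can be checked in one read-only pass, before and after cleanup. The PowerShell script below is an added example, not part of the original post; the drive letter `E:\`, the helper `New-Finding`, and the rule that a decoy file shares its name with a hidden folder are assumptions.

```powershell
# Added example: read-only triage for the Rotinom indicators in this write-up.
# Nothing is deleted or changed; run it before and after the manual cleanup.
param(
    [string]$DriveRoot = 'E:\'   # assumption: root of the USB/external drive
)

function New-Finding($Check, $Value, $Suspect) {   # hypothetical helper
    [pscustomobject]@{ Check = $Check; Value = $Value; Suspect = [bool]$Suspect }
}

$explorer   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$badStartup = Join-Path $env:LOCALAPPDATA 'Start'   # hijacked Startup path from the write-up

$findings = @(
    # 1. Startup value in both keys; suspect when it resolves to %LocalAppData%\Start.
    foreach ($sub in 'Shell Folders', 'User Shell Folders') {
        $key = Get-Item -LiteralPath (Join-Path $explorer $sub)
        # Read the stored string without expanding %VARS%, then expand it for comparison.
        $raw      = $key.GetValue('Startup', $null, 'DoNotExpandEnvironmentNames')
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw).TrimEnd('\')
        New-Finding "Registry: $sub" $raw ($expanded -ieq $badStartup)
    }

    # 2. update.exe inside the hijacked Startup folder.
    $exe = Join-Path $badStartup 'update.exe'
    New-Finding 'File: update.exe' $exe (Test-Path -LiteralPath $exe)

    if (Test-Path -LiteralPath $DriveRoot) {
        # 3. Hidden folders at the drive root, minus the ones Windows hides itself.
        $hidden = @(Get-ChildItem -LiteralPath $DriveRoot -Directory -Force |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                           $_.Name -notin 'System Volume Information', '$RECYCLE.BIN' })
        foreach ($d in $hidden) { New-Finding 'Drive: hidden folder' $d.FullName $true }

        # 4. .exe/.lnk files at the root. Assumption: a decoy shares its name
        #    with one of the hidden folders, so only those are marked suspect.
        $names = @($hidden | ForEach-Object { $_.Name })
        Get-ChildItem -LiteralPath $DriveRoot -File -Force |
            Where-Object { $_.Extension -in '.exe', '.lnk' } |
            ForEach-Object { New-Finding 'Drive: exe/lnk at root' $_.FullName ($names -contains $_.BaseName) }

        # 5. The "Usb 2.0 Driver" folder named in the cleanup steps.
        $drv = Join-Path $DriveRoot 'Usb 2.0 Driver'
        New-Finding 'Drive: Usb 2.0 Driver folder' $drv (Test-Path -LiteralPath $drv)
    }
)

$findings | Format-Table -AutoSize -Wrap
```

After a successful cleanup, every row should show `Suspect` as `False` and no hidden-folder rows should remain for the drive.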
All content ("Information") contained in this report is the
copyrighted work of WinXPert: Virus and Malware Removal.
Copyright © 2019 WinXPert. All rights reserved. All other
trademarks are the sole property of their respective owners.
To GOD be the glory!