
Wednesday, May 8, 2019

Malware Removal 101: Worm (Files.bat)

I got this sample a few days ago from a customer's USB drive:

Virustotal


The user's files and folders are replaced with shortcuts.  The originals are hidden and moved to a Files folder.

Manual Removal

Using System Explorer, terminate the running malware process.  If you have multiple running instances of the worm, select the parent process and End Process Tree instead.



Locate the files using CCleaner.  Select Start.lnk | Right click and click on File Directory Explore.


Delete all files including the parent folder.


Using Explorer, delete the shortcuts on your USB drive.


Unhiding the files.  You can use Attrib or Explorer.

  • Attrib
Launch CMD and type the following:

CD /D drive:\
REM /D switches the current drive as well as the directory; ATTRIB with no file name processes everything under the current folder
ATTRIB -S -H /S /D

Replace drive: with the corresponding drive assignment of your USB drive.  Ex.  F:

  • Explorer
At Folder Options enable Show hidden files, folders and drives

Navigate to Files folder

Move all files and folders to your root directory


Select all hidden folders and unhide using Properties



Delete Files folder
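The Attrib and Explorer steps above can be done in one pass.  The script below is an added example, not part of the original post: it moves the contents of the worm's Files folder back to the drive root, clears the Hidden and System attributes (the ATTRIB -S -H /S /D step), and lists every remaining .lnk shortcut with its target so the ones planted by the worm can be reviewed before deletion.  The folder name Files comes from the post; the $Drive and $HiddenFolder parameters are assumptions.

```powershell
# Added example (not from the post): undo the Files.bat worm's hiding of a USB drive.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$Drive,                     # e.g. F:
    [string]$HiddenFolder = 'Files'     # folder name used by the sample in the post
)

$root = "$Drive\"
$src  = Join-Path $root $HiddenFolder

# Step 1: move the hidden originals back to the drive root (never overwrite).
if (Test-Path -LiteralPath $src) {
    Get-ChildItem -LiteralPath $src -Force | ForEach-Object {
        $dest = Join-Path $root $_.Name
        if (Test-Path -LiteralPath $dest) {
            Write-Warning "Skipping $($_.FullName): $dest already exists"
        } else {
            Move-Item -LiteralPath $_.FullName -Destination $dest
        }
    }
    if (-not (Get-ChildItem -LiteralPath $src -Force)) {
        Remove-Item -LiteralPath $src -Force     # folder is empty now
    }
}

# Step 2: equivalent of ATTRIB -S -H /S /D - clear Hidden and System everywhere.
$mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    if (([int]$_.Attributes -band $mask) -ne 0) {
        $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $mask))
    }
}

# Step 3: list the shortcuts left on the drive with what they launch, so the
# worm's decoys (those pointing at the hidden Start.lnk or cmd) can be removed by hand.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $root -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [PSCustomObject]@{
            Shortcut  = $_.FullName
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
        }
    } | Format-Table -AutoSize
```

Run it as `.\Unhide-UsbDrive.ps1 -Drive F:` (file name assumed) after the worm process has been terminated; a decoy shortcut typically has a Target of cmd.exe or the hidden Start.lnk and an Arguments field that opens the real folder, which is what the table makes visible.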



Back at System Explorer delete Start.lnk



Note:  If you have multiple instances of the malware running in memory, do not use TaskMan to terminate its process because there is a chance that your PC would reboot.  Use System Explorer instead.  Suspend all processes first then end them one by one.



POST:  Scan your system and USB drives with an updated Antivirus.






All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise. 
Copyright © 2019 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

To GOD be the glory!

Saturday, May 4, 2019

Malware Removal 101: Rotinom

Problem:  Drive C is running out of disk space every time you insert an external HDD or a USB drive?  Chances are you are infected with Rotinom.

Virustotal

What it does to your computer:


  • Starts with windows

  • Makes a copy of all files from USB drive to Rotinom folder on Drive C: thus reducing its free space.

  • Infects USB or external drives.  Hides all folders and replaces them with shortcuts.
Notice the difference in the icons.


Changes in the registry:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: Startup
Value: C:\Users\admin\AppData\Local\Start

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Name: Startup
Value: C:\Users\admin\AppData\Local\Start

Manual Removal Instruction:


  • Since TaskMan is not disabled, we can use it to terminate update.exe.

  • Navigate to "%LocalAppData%\Start" and delete update.exe
  • Search for the Rotinom folder.  The easiest way to do that is to search using Everything.

  • Delete the folder.  Also delete its parent folder.  Empty your Recycle Bin.



Cleaning USB and external drives:

  • Delete all files associated with Rotinom: all *.exe files with a folder icon and also the Usb 2.0 Driver folder.


POST:

  • Scan with an updated Antivirus/Antimalware.
  • Unhide files and folders at the CMD prompt.
        ATTRIB -S -H /S /D

  • Repair the registry.  Replace the Startup value in each of the two keys with the value shown below.

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: Startup
Value: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Name: Startup
Value: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu
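The registry repair can be checked and applied with the script below, which is an added example and not part of the original post.  It reads the Startup value from both keys named above, reports whether it has been redirected, lists what the redirected folder would launch at logon (so update.exe and anything else there is seen before it is deleted), and resets the value.  The expected default used here is the standard Windows location of the per-user Startup folder (Start Menu\Programs\Startup) and is an assumption; pass -Expected to use a different baseline.

```powershell
# Added example (not from the post): detect and repair the Startup shell-folder
# redirection that Rotinom uses for persistence.  Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed baseline: the default per-user Startup folder on Windows.
    [string]$Expected = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
)

# Both keys come from the post.  User Shell Folders holds the unexpanded REG_EXPAND_SZ
# form; Shell Folders holds the expanded REG_SZ form.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
)
$expandedExpected = [Environment]::ExpandEnvironmentVariables($Expected)

foreach ($key in $keys) {
    $current = (Get-ItemProperty -Path $key -Name Startup -ErrorAction SilentlyContinue).Startup
    if ($null -eq $current) {
        Write-Warning "$key has no Startup value"
        continue
    }
    $expandedCurrent = [Environment]::ExpandEnvironmentVariables($current)

    if ($expandedCurrent -ieq $expandedExpected) {
        Write-Host "OK       $key -> $current"
        continue
    }

    Write-Warning "HIJACKED $key -> $current"
    # Show what the redirected folder launches at logon before anything is changed.
    if (Test-Path -LiteralPath $expandedCurrent) {
        Get-ChildItem -LiteralPath $expandedCurrent -Force |
            Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    }

    if ($PSCmdlet.ShouldProcess("$key\Startup", "Reset to $Expected")) {
        if ($key -like '*User Shell Folders') {
            Set-ItemProperty -Path $key -Name Startup -Value $Expected -Type ExpandString
        } else {
            Set-ItemProperty -Path $key -Name Startup -Value $expandedExpected -Type String
        }
    }
}
```

Run it once with -WhatIf to see the report without writing anything; Explorer reads the value at logon, so sign out and back in after the repair and confirm the listed folder is the real Startup folder.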






Saturday, July 12, 2014

How to remove Smart Guard Protection Part 2

How to remove Smart Guard Protection Part 1




Here is another way to disable and remove this fake antivirus.

Copy Task Manager to the Windows folder and rename it CMD.exe.


Launch the renamed file and terminate the fake AV process.  Smart Guard Protection will not block CMD.exe.  You can also copy File Assassin or any program to the Windows folder and rename it to trick Smart Guard Protection.


Now that the fake AV is no longer running in the background, we can start deleting the files and the registry entry to prevent it from starting with Windows again.

On your Desktop right click on Smart Guard Protection icon and click Properties.  Click the Find Target... button.  This will launch explorer to the location of the fake AV file.  Delete the entire folder.


Launch regedit and navigate to

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Delete the value AS2014.


Alternative:  If you have CCleaner, launch it and go to Tools | Startup and delete AS2014


Scan your computer with MBAM to reverse the changes made by Smart Guard Protection.  Here is the result of the scan.

Registry Values: 1
Hijack.SecurityCenter, HKU\S-1-5-21-746137067-1078145449-682003330-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\CONTROL PANEL\DON'T LOAD|wscui.cpl, No, Quarantined, [e5be7d215d1e4ee8d3e93b1110f303fd]

Registry Data: 3
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[5350ccd2b1ca8fa79b556c2b8d7713ed]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[6c375648b5c6d462f1003661e71d04fc]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[a8fb1886037811256f836433aa5ac63a]
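The three PUM.Disabled.SecurityCenter entries in the MBAM log are Security Center notification switches that the fake AV set to 1 so Windows would stop warning that antivirus, firewall and updates were off.  The script below is an added example, not part of the original post: it reads those three values from the key in the log and restores any that are still set to 1 (the "Bad" value in the log) back to 0 (the "Good" value).  The key path and value names come from the log above; the script has to run from an elevated prompt because the key is under HKLM.

```powershell
# Added example (not from the post): verify and restore the Security Center
# notification values that Smart Guard Protection disabled.  Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$key   = 'HKLM:\SOFTWARE\Microsoft\Security Center'        # from the MBAM log
$names = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

foreach ($name in $names) {
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        Write-Host "$name : not present (notifications enabled by default)"
        continue
    }
    if ($value -eq 0) {
        Write-Host "$name : 0 (good)"
        continue
    }
    Write-Warning "$name : $value (notifications disabled)"
    if ($PSCmdlet.ShouldProcess("$key\$name", 'Set to 0')) {
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    }
}
```

After running it, open Security Center (Control Panel) and confirm the warnings are shown again; if wscui.cpl is still listed under the Control Panel "don't load" key from the first log line, that entry has to be removed as well, which MBAM did here.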


Wednesday, July 9, 2014

How to remove Smart Guard Protection

Smart Guard Protect (Fake Antivirus)

Performing a bogus scan.


After the scan it shows the threats found.


If you click Repair All, it will show this screen.


After clicking Buy Full Edition you get this.  At this stage, don't get scared and never spend a dime on it.




While it is active, if you try to launch, for example, taskman, you'll get this warning screen.  With the exception of explorer, mspaint and cmd, anything else you run gives a warning.



Analysis

Values added

HKU\S-1-5-21-746137067-1078145449-682003330-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce\AS2014: "C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.exe"

Files Added

C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.exe
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.exe.manifest
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33.ico
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33aQDsaggg.in
C:\Documents and Settings\All Users\Application Data\d9ngVr33\d9ngVr33aQDsaggg.lg


Folder added

C:\Documents and Settings\All Users\Application Data\d9ngVr33


Virustotal Scan
 

Removal 

Since CMD is not disabled we will be using it to kill the fake AV's process.  Launch CMD and run the following commands:

TASKLIST 






Take note of the RandomName.exe entry on the list.

TASKKILL /F /IM snUa339g.exe





We can use explorer and regedit to remove Smart Guard Protection

Launch regedit.  Navigate to 

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

and delete the entry.  Take note of the path of snUa339g.exe.


Launch explorer and navigate to the path of snUa339g.exe and delete the folder.
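The TASKLIST, TASKKILL, regedit and Explorer steps above can be combined into one script that starts from the RunOnce value rather than from the random process name, since the value data already holds the full path of the executable.  This is an added example and not part of the original post: it reads the AS2014 value from the HKCU RunOnce key named above, derives the executable and its folder, stops any process running from that folder, deletes the value and then the folder.  The key and value name come from the post; the -Key and -Name parameters and the refusal to delete folders under the Windows or Program Files directories are assumptions added as a safety check.

```powershell
# Added example (not from the post): remove a RunOnce persistence entry such as
# Smart Guard Protection's AS2014 together with the folder it launches.  Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',  # from the post
    [string]$Name = 'AS2014'                                                      # from the post
)

$data = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
if (-not $data) {
    Write-Host "No value '$Name' under $Key"
    return
}

# Value data may be quoted and may carry arguments; recover just the executable path.
$exe = if ($data -match '^"([^"]+)"') { $Matches[1] } else { ($data -split '\s+')[0] }
$folder = Split-Path -Parent $exe
Write-Host "$Name launches: $exe"

# Safety check (assumption): never delete a folder that lives under the OS or program directories.
$protected = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$isProtected = $protected | Where-Object { $folder.StartsWith($_, 'OrdinalIgnoreCase') }

# Equivalent of TASKLIST + TASKKILL /F, matched on the image path instead of the random name.
$prefix = $folder.TrimEnd('\') + '\'
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($prefix, 'OrdinalIgnoreCase') } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.ProcessName) (PID $($_.Id))", 'Stop-Process -Force')) {
            Stop-Process -Id $_.Id -Force
        }
    }

# The regedit step: remove the RunOnce value.
if ($PSCmdlet.ShouldProcess("$Key\$Name", 'Remove-ItemProperty')) {
    Remove-ItemProperty -Path $Key -Name $Name
}

# The Explorer step: delete the fake AV's folder.
if ($isProtected) {
    Write-Warning "Refusing to delete $folder because it is under a system directory; review by hand."
} elseif ((Test-Path -LiteralPath $folder) -and $PSCmdlet.ShouldProcess($folder, 'Remove-Item -Recurse')) {
    Remove-Item -LiteralPath $folder -Recurse -Force
}
```

On the sample in this post the value data resolves to the d9ngVr33 folder under All Users\Application Data listed in the Analysis section, so the process, the RunOnce value and the folder are all removed in one run; use -WhatIf first to confirm the resolved path before anything is deleted.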





Run an updated MBAM to finish the cleaning process


Note:  This is just a quick analysis.  I'll update in case there are other registry keys that I've missed.