Saturday, May 4, 2019

Portable Antivirus: Avira PC Cleaner

In yesterday's post I mentioned Avira PC Cleaner.  Here is a guide for those not familiar with this program.


Download the program

Launch avira_pc_cleaner_en.exe


After finishing the download, you'll be greeted with this screen.  You have the option of scanning or copying to a USB device.


Scanning


Copying to USB Device




Now that you have a copy on your USB drive, all you need to do is run Cleaner-launcher.exe located in the root directory of your USB drive.  It will update first before you can scan. I regularly update this program just in case I use it on a PC without an internet connection due to malware.








All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise. 
Copyright © 2019 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

To GOD be the glory!

Thursday, May 2, 2019

Malware Removal 101

It's been a long time since my last post so here goes.

Here is a list of techniques you can use to remove malware.  Some of these are easy no-brainers, others moderately difficult, and some extremely hard (for the average Joe, and some technicians included).

Here are the easiest solutions, though you need some preparation for these to work, like downloading the ISO and burning it to a disc or making a bootable USB drive.
  • Performing a scheduled Boot Scan (Ex. Avast!)
  • I'll add Hiren's Boot CD.  Unless you have the latest version of an antivirus with the option of updating the AV signatures, you might miss a zero-day malware or newer strains by scanning with an outdated AV.  (Note:  I use HBCD ver. 10, so I never use it for scanning)
  • Scanning the infected HDD as a slave on a clean system with updated antivirus

This one requires that you know where to look for malware:
  • Booting with a Live Windows CD/DVD or any Linux distro and manually deleting the malware that starts with Windows.  With Windows, I'd start with the registry (research offline registry editing) and work my way in reverse.  If you don't know your way around the registry, you can use programs like Autoruns.  For Linux, I'd look in the usual places where malware may reside.  The Temp folder is a good place to start.

There are times when malware will not let you boot into Safe Mode; in cases where you can, try the following:
  • Boot in Safe Mode with Networking so you can update your antivirus prior to scanning.

Last is removing the malware while it is active in memory in Normal Mode.  The steps are simple.
  • Search and Destroy
    • Search - Using Tasklist, TaskMan or any similar program to look for suspicious running processes, or other suspicious programs that start with Windows
      • Mostly these are processes with gibberish filename (Ex. sfhkewj.exe)
      • Something that looks like a legit Windows file but in the wrong place (Ex. C:\Windows\System\csrss.exe)
      • Shortcuts, *.pif or *.vbs/vbe in Startup folder
      • Other programs that start from the AppData or Temp folders
    • Destroy - Terminating the running malware processes using TaskMan or similar app and deleting the malware plus other drop files.
  • Another way to look for malware file location is to look at the registry.  Here are some of the key locations:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Using enumerators or AV tools to look for malware.  You base your search on the report logs.
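As an added example (not the post's own code), here is a read-only triage pass over the autorun locations named in the list above. It applies the post's own heuristics (gibberish names, system file names outside System32, launchers in AppData/Temp, shortcuts or scripts in the Startup folder) and only reports; you decide what to terminate or delete. Assumes Windows PowerShell 3.0 or later; the function names are mine.

```powershell
# Added example, not the post's own code: read-only triage of the autorun
# locations the post names. Assumes Windows PowerShell 3.0+ and reports only.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # only Shell and Userinit are read
)
$StartupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$SystemNames = 'csrss.exe', 'smss.exe', 'lsass.exe', 'services.exe', 'svchost.exe', 'winlogon.exe'

function Get-ImagePath([string]$value) {
    # '"C:\x\y.exe" /arg' -> C:\x\y.exe ;  'C:\x\y.exe /arg' -> C:\x\y.exe
    $value = [Environment]::ExpandEnvironmentVariables($value.Trim())
    if ($value -match '^"([^"]+)"') { return $Matches[1] }
    return ($value -split '\s+', 2)[0]
}
function Get-SuspicionReasons([string]$path, [bool]$inStartupDir) {
    $name = (($path -split '[\\/]')[-1]).ToLower()
    $base = $name -replace '\.[^.]*$', ''
    $dir  = $path -replace '[\\/][^\\/]*$', ''
    $why  = @()
    # "sfhkewj.exe": a run of four consonants in a bare alphanumeric name reads as random (coarse; review by hand)
    if ($base -match '^[a-z0-9]{5,}$' -and $base -match '[bcdfghjklmnpqrstvwxz]{4}') { $why += 'gibberish name' }
    # "csrss.exe" living anywhere but System32 is the wrong place
    if ($SystemNames -contains $name -and $dir -ne "$env:SystemRoot\System32") { $why += 'system name, wrong folder' }
    if ($path -match '(?i)\\(AppData|Application Data|Temp)\\') { $why += 'runs from AppData/Temp' }
    if ($inStartupDir -and $name -match '\.(lnk|pif|vbs|vbe)$') { $why += 'shortcut/script in Startup' }
    return $why
}
function Get-AutorunReport {
    $entries = @(foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        if ($key -like '*Winlogon') { $props = $props | Where-Object { $_.Name -in 'Shell', 'Userinit' } }
        foreach ($p in $props) {
            $img = Get-ImagePath ([string]$p.Value)
            [pscustomobject]@{ Where = $key; Name = $p.Name; Path = $img; InStartup = $false }
        }
    })
    $entries += @(foreach ($dir in $StartupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Force -File | Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { [pscustomobject]@{ Where = $dir; Name = $_.Name; Path = $_.FullName; InStartup = $true } }
    })
    foreach ($e in $entries) {   # attach the reasons (empty string = nothing flagged)
        $e | Add-Member -NotePropertyName Flags -NotePropertyValue ((Get-SuspicionReasons $e.Path $e.InStartup) -join '; ') -PassThru
    }
}
# flagged entries first; an empty Flags column means none of the heuristics matched
Get-AutorunReport | Sort-Object { $_.Flags -eq '' } | Format-Table Flags, Name, Path, Where -AutoSize -Wrap
```

The heuristics are deliberately coarse (a legitimate name such as ctfmon.exe can trip the consonant-run rule), so treat a flag as a prompt to check the file's location, signature and hash, not as a verdict.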

After you have terminated the malware, it's time to do a scan using an updated antivirus/antimalware.

Also scan all external/USB drives.  Unhide all folders and files in case you were infected with a shortcut worm like Ramnit.

Note:  For other high-risk malware/worms (e.g. Sality, Virut), always use a dedicated removal tool.


Other tools for malware removal worth mentioning that I still use:
  • File Assassin - Use this to delete stubborn malware
  • Unlocker - Same function as File Assassin
  • Blitzblank - My go-to tool when File Assassin or Unlocker fails to delete malware.  You must have prior knowledge of the files and registry items to delete.


Copyright © 2019 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

To GOD be the glory!

Saturday, September 3, 2016

How to remove ramnit



Type of file: exefile
Description: Random filename
Location: Startup Folder
Size: 101872 b
MD5: F3873258A4258A6761DC54D47463182F

What it does:

  • Starts with Windows
  • Infects exe, dll and html files
  • Worm spreads via the default web browser
  • Creates 4 shortcuts on external drives
  • Creates copies of itself in the RECYCLER folder on external drives

Manual removal instructions

These instructions are specific to this variant of Ramnit.


1.  Terminate the malware process using Taskman or Taskkill


    TASKKILL /F /IM FIREFOX.EXE*

* Replace filename with your default web browser


2.  Delete the worm located in the Startup folder.  The filename is random (shown above as random.exe).


3.  Delete all shortcuts and RECYCLER folder on external drives.



4.  Scan with an updated antivirus.




Note:  DO NOT SCAN while the malware is active in memory.
       Do not use Smadav (very low detection with high false positives).
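As an added example (not the post's own script), the following PowerShell function carries out step 3 and the "unhide all folders" advice from the Malware Removal 101 post on every removable drive: it lists and removes the shortcuts at the root, records name, size and MD5 of whatever sits in RECYCLER before deleting the folder, and clears the Hidden/System attributes a shortcut worm sets on the real folders. The function name is mine; it assumes Windows PowerShell 4.0 or later (for Get-FileHash) and runs as a report-only dry run until you drop -WhatIf.

```powershell
# Added example, not the post's own script. Assumes Windows PowerShell 4.0+.
function Repair-RemovableDrive {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # default: every drive Windows reports as removable (DriveType 2), e.g. 'E:\'
        [string[]]$Root = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object { $_.DeviceID + '\' })
    )
    $hs = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System
    foreach ($r in $Root) {
        if (-not (Test-Path $r)) { continue }
        # 1. shortcuts the worm drops at the root to lure a double-click
        foreach ($lnk in Get-ChildItem -Path $r -Filter *.lnk -Force -File) {
            if ($PSCmdlet.ShouldProcess($lnk.FullName, 'Delete shortcut')) { Remove-Item $lnk.FullName -Force }
        }
        # 2. the RECYCLER folder: record what is inside (name, size, MD5) before removing it
        $recycler = Join-Path $r 'RECYCLER'
        if (Test-Path $recycler) {
            foreach ($f in Get-ChildItem -Path $recycler -Recurse -Force -File) {
                Write-Host ('{0}  {1} b  MD5 {2}' -f $f.FullName, $f.Length, (Get-FileHash $f.FullName -Algorithm MD5).Hash)
            }
            if ($PSCmdlet.ShouldProcess($recycler, 'Delete folder')) { Remove-Item $recycler -Recurse -Force }
        }
        # 3. the attrib -h -s pass: real folders/files the worm hid so its shortcuts stand in for them
        foreach ($item in Get-ChildItem -Path $r -Force | Where-Object { $_.Name -ne 'System Volume Information' }) {
            if (([int]$item.Attributes -band $hs) -eq 0) { continue }
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden/System attributes')) {
                try { $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot $hs) }
                catch { Write-Warning "Could not change attributes on $($item.FullName): $_" }
            }
        }
    }
}
Repair-RemovableDrive -WhatIf    # report only; run without -WhatIf to apply (each action asks for confirmation)
```

Run it only after step 1 (the malware process is terminated); otherwise the worm re-creates the shortcuts as fast as they are removed.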


To GOD be the glory!



Copyright © 2016 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.



How to Remove Microsoft

Analysis:
 
Type of file: exefile
Description:
Location: C:\WINDOWS\Microsoft\
Size: 3911179 b
MD5: 089D11B01A4C81EDEAB6C582D297D2E9
Attributes: Archive,  Hidden, System, Read-Only
File Version: 1.00.0003
Company: By: Morgan Haueisen
Copyright: Copyright (c) 2003
Product Name: USA Quiz
Product Version: 1.00.0003
Original File Name: New.exe
Trademarks:
Internal Name: New
Comments: 


What it does:

  • Disables Registry Editor

Known system changes:
C:\Documents and Settings\Owner\Application Data\logs.dat
C:\Documents and Settings\Owner\Local Settings\Temp\UuU.uUu
C:\Documents and Settings\Owner\Local Settings\Temp\XxX.xXx
C:\WINDOWS\Microsoft\Microsoft.exe

C:\Documents and Settings\All Users\Application Data\TEMP
C:\WINDOWS\Microsoft

HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\Implemented Categories
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\InProcServer32
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{FHC6186D-X430-3B61-3HFS-4K1554TSXEV6}
HKLM\SOFTWARE\Licenses
HKCU\Software\nagato

HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\: "&Links"
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\MenuTextPUI: "@browselc.dll,-13138"
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\InProcServer32\: "%SystemRoot%\system32\SHELL32.dll"
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{FHC6186D-X430-3B61-3HFS-4K1554TSXEV6}\StubPath: "C:\WINDOWS\Microsoft\Microsoft.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies: "C:\WINDOWS\Microsoft\Microsoft.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32: "C:\WINDOWS\Microsoft\Microsoft.exe"
HKLM\SOFTWARE\Licenses\{K7C0DB872A3F777C0}:
random data

HKLM\SOFTWARE\Licenses\{I054347D90A928356}: 06 00 00 00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies: "C:\WINDOWS\Microsoft\Microsoft.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System: "C:\WINDOWS\Microsoft\Microsoft.exe"
HKCU\Software\nagato\FirstExecution: "31/08/2014 -- 12:24"
HKCU\Software\nagato\NewIdentification: "nagato"




Manual Removal Instructions for Microsoft:
 
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding:

1.  Download Kill_Microsoft.bat and copy it to your Startup folder

2.  Log off and log on.  The batch file will run in an endless loop.  Allow it to run for a few seconds until no more Microsoft.exe processes are being terminated.

3.  Delete the following files.

    del "%appdata%\logs.dat" /f
    del "%Temp%\UuU.uUu" /f
    del "%Temp%\XxX.xXx" /f
    REM /a is needed as well: the file is Hidden+System (see Attributes above) and del skips such files by default
    del "%windir%\Microsoft\Microsoft.exe" /f /a
   
4.  Repair the system registry using the following commands.

    reg delete "HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}" /f
    reg delete "HKLM\SOFTWARE\Licenses" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{FHC6186D-X430-3B61-3HFS-4K1554TSXEV6}" /f
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /f
    REM the HKLM Policies\Explorer\Run entry listed under "Known system changes" would otherwise be left behind
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "Policies" /f
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System32" /f
    reg delete "HKCU\SOFTWARE\nagato" /f

5.  Delete the following folder.  Clean your temp folders using TFC or CCleaner.

    rd "%WINDIR%\Microsoft" /s /q

6.  Update your antivirus/antimalware program and perform a full scan of the computer.


Copyright © 2014 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

Friday, June 5, 2015

HyperAntivirus


The best antivirus modernity!

We worked hard for many years to develop a unique anti-virus different from all others! An anti-virus which will protect your computer much better than anything currently available. We are so confident in what we have created that we are willing to pay a reward of up to $10,000 to anyone who gets affected by computer viruses while using our product! Learn more about how to get compensation here

Not only is it FREE, but we give you money.

We know our anti-virus can be of huge benefit to many people. Challenging prime AV software companies is a rat race so we have put a different strategy in place to let people know about us. We are so confident in our product that we are offering to pay you cash for distributing our software to prove to you it's the best on the market. Learn more about getting paid here.

A fundamentally new approach!

Our anti-virus was created on the basis of a huge distribution of computer networks. It radiates with true intellect and mimics the intelligence of leading robots and machines. At the heart of the anti-virus is the technology of neural nanoanalysis, which is used in a number of new technologies: "Technology vaccination" ®, "Technology VirusAntiterror " ®, "Technology nanobaiting" ®. Our anti-virus is the only free anti-virus which gives you full protection. 

Technology of a new era available today!

Old technologies that are used by anti-virus software making companies have long outlived their usefulness. They do not work. These days by buying anti-virus software made by popular brands you are paying for nothing. Even worse, you get cheated! You can read more about this here. Only our free anti-virus will give you full protection. 





Wednesday, August 6, 2014

Free Tools to Delete Currently Used, Locked, Undeletable, Busy Files


Unlocker tools are for situations where you have tried to delete, move or rename a file or folder under Windows only to receive a dialog box with an error message like "Cannot delete [filename]: It is being used by another person or program. Close any programs that might be using the file and try again." (or some other message about a sharing violation or the file being in use). In some cases, closing "any programs that might be using the file" is easier said than done, since you might not be able to detect which program is locking that particular file. Sometimes the culprit is Windows Explorer, or some DLL loaded by it. The tools listed here work around this problem to delete undeletable, locked, busy, or currently used files - some of them do this by scheduling the file to be deleted on the next reboot.

If the files are locked by Explorer, you can run this at the CMD prompt:

TASKKILL /F /IM EXPLORER.EXE

Another solution is to Log-off and Log-on again on your account.

In case these two won't do the trick, use these tools instead to help you delete stubborn files:


Free Data Recovery Software

There are many free data recovery programs (undeleters) that can help recover your accidentally deleted or erased files. These file recovery programs can help you recover or undelete files on your PC.
Files that have been deleted or recently emptied from your Recycle Bin are still present on your hard drive or external USB drives and can be recovered using free data recovery software.

Take note that you can greatly increase the chance of recovering a file by limiting your computer usage.  For USB drives or memory cards, do not use them until you are ready to do the recovery.  If you want to recover from your HDD, it is better to use portable software like Recuva.

