Friday, December 14, 2012

Junkware Removal Tool - Module Check Testing

This was the beta; the current version, 4.1.4, includes the Modules check for all OSes ;)

Thursday, November 01, 2012

Malware Removal and PC TuneUp Guide


I'm going to provide you a free guide to perform malware removal and a basic PC tuneup on practically any PC provided that it at least boots to the Windows desktop.

You may be wondering, why a tuneup too? Well, because 99% of the time you encounter a computer with malware-related issues, it also needs some form of a tuneup. In fact, I include a tuneup on all computers that come in with malware-related issues.

A Tuneup, to me, entails:
  1. Removing expired anti-virus and anti-spyware programs.
  2. Removing unrecommended programs.
     You have to be pretty delicate on this one, because you don't want to piss off a customer that actually paid for "UniBlue Registry Booster 2013", "Spyware Doctor", or similar unrecommended programs. Ask the customer first before removing a program if you are unsure.
  3. Removing outdated versions of programs.
     We don't need to update every single program on the customer's computer, just the essential ones if they are present. These are the ones I will update for the customer if they were installed: Mozilla FireFox, Google Chrome, Java SE, Adobe Reader, Adobe Flash Player.
  Then, depending on time and necessity:
  4. 3-stage CheckDisk (chkdsk) and full defrag using Puran Defrag's Boot Defrag feature.
     Note: Remember to clear the system restore points first!
  5. Windows Updates / Service Pack updates

Ok that is enough about TuneUp, we'll go into more detail later on.
First, you just received a computer and it has a bunch of malware on it. It is so slow and needs your help!

First things first: if we are allowed to, we want to uninstall any outdated antivirus and antispyware programs. These will just get in our way if they are expired and are spamming "You are not protected!" messages every 10 seconds.
Go ahead and begin uninstalling one and, if you are on Windows Vista, Windows Seven, or Windows Eight, turn off User Account Control (UAC) as that will slow us down as well. We will turn it back on when we are all finished. We are going to be running many programs pretty soon and we do not need a confirmation box every single time.
If you are currently uninstalling someone's expired antivirus, we will need to reboot the computer soon. UAC also requires a reboot before the change takes effect (not so true on Windows Seven, but always true on Vista).
Keep in mind that we will be rebooting very soon. Before we do, we want to remove unneeded startup items using Autoruns. Why? Well, we do not want every single program the customer has installed trying to run yet again. In fact, we could have run Autoruns from Safe Mode, where we could have avoided dealing with the majority of unnecessary startups; the only downside is that you won't be able to uninstall most programs because they require the Windows Installer service.
I do have a little trick for that: starting the Windows Installer service while you are in Safe Mode.
You can save the following as a batch file or enter the commands one at a time from a command prompt window:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"
net start msiserver
or, if you are in Safe Mode with Networking, use this one instead:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer" /VE /T REG_SZ /F /D "Service"
net start msiserver
By now you should have at least run Autoruns and removed unnecessary startups. If you did have an expired antivirus to uninstall and you have turned UAC off, go ahead and reboot now; upon reboot, continue to uninstall unnecessary programs.
If you did NOT have an antivirus to uninstall, turn UAC off but continue to uninstall unnecessary programs. Remember, get permission from the customer. Usually they won't have a clue what you are talking about, but you can at least say that you received permission to uninstall said program(s).

The type of infection you are dealing with should dictate the order in which you run your tools. What if you weren't even able to go into Control Panel to remove programs or to turn off UAC? In these cases, we need to perform some repairs on Windows first and/or stop/delete the most active malware.

RogueKiller is an all-around good security application that can give you some breathing room, so to speak. It kills off bad processes that may be bogging the computer down and also works as an infection identifier and cleaner.

It also has a "Fix Shortcuts" button which will restore missing desktop / start menu items in case you ran into a Fake.HDD (hard drive) type of virus.

I typically will at least Scan with RogueKiller and then Delete almost everything it finds, except for the UAC entries that we just turned off.
They will appear as "ConsentPromptBehaviorAdmin" and "EnableLUA" in the Registry tab of the report. You can leave these unchecked and fix everything else by using the "Delete" button. A reboot may be required. Go ahead and reboot if prompted.

Just to recap, we've uninstalled any outdated antivirus programs and unrecommended and/or outdated programs. (Mozilla FireFox, Google Chrome, Java SE, Adobe Reader, Adobe Flash Player). We've also run a Delete with RogueKiller and our machine is coming back to life (maybe not so noticeable yet).

Now is a good time to kill off unnecessary processes. I typically just use the Task Manager although you may prefer a tool like Process Explorer. Task Manager is enough for what we are doing here, but feel free to use an alternative.

Now would be a good time to make a backup of the registry, just in case something goes bad from this point forward. I use ERUNT. Once you have successfully backed up the registry, we can delete all the existing restore points. This will reduce scan times, and we really only need one reliable restore point, which we just created using ERUNT.

Next, let's run a scan with TDSSKiller. It should be a fairly quick scan. Reboot if threats were found; either way, continue on:

Next, we are going to install CCleaner Slim. Run CCleaner Slim and also opt to delete Event Viewer logs and flush DNS. This is also a handy alternative to "Add/Remove Programs" / "Programs and Features": remove any remaining unnecessary programs from here if you weren't able to access them normally before. Now go into the Registry tab of CCleaner. Click "Scan for Issues" and then "Fix Selected Issues". CCleaner is the only safe registry optimizer in my book. I've never ever encountered an issue, but just in case we did, we have our ERUNT backup ;)

Next, how about some malware removal?!?!
Download and install, and update MalwareBytes' Anti-Malware.
Now open the program and go into the "Settings" tab, from there, select the "Scanner Settings" sub-tab.
Change the following options to match the below:
Action for potentially unwanted programs (PUP) : Show in results list and check for removal
Action for potentially unwanted modifications (PUM) : Show in results list and check for removal
Action for peer-to-peer software (P2P) : Show in results list and check for removal
Now go back to the main Scanner tab, choose "Perform Quick Scan", and then click the "Scan" button.
Follow MBAM's prompts, if a reboot is needed, reboot!


Once MalwareBytes' Anti-Malware is finished, download and run HitmanPro.
Remember to opt to delete Potentially unwanted programs as well (it's in the Settings section).


At this point, the computer should be running pretty smoothly. Maybe there are some lingering issues which we'll address now.

Now's a pretty good time to download and run Junkware Removal Tool.
Read the description in the link provided as to what it does. It's basically a maintenance tool but also addresses some browser issues.

Then you can download and run a similar program called AdwCleaner (Adware Cleaner).

To be thorough, I like running a scan and deleting any leftovers found using OTL.


  1. If there are not any other issues, start uninstalling / removing the programs you installed / used.
  2. Create one more registry backup using ERUNT.
  3. If time allows, do some basic maintenance: service pack updates, Windows Update, chkdsk and defrag.
  4. Remove all traces of your tools - Note, you can use OTL CleanUp button for this.
  5. Turn System Restore back on for the systemdrive only.
  6. Turn on User Account Control.
The end. Will format this later and correct any errors I may have made!

Friday, September 21, 2012

Junkware Removal Tool (JRT) Released - Freeware


Many of the infections we see on the forums and in the work environment nowadays involve a user that has an unwanted program, toolbar, or browser helper object (BHO) on their computer.

Some examples include (but not limited to):

  • Ask Toolbar
  • Babylon
  • Browser Manager
  • Claro / iSearch
  • Conduit
  • Coupon Printer for Windows
  • Crossrider
  • Facemoods / Funmoods
  • iLivid
  • IncrediBar
  • MyWebSearch
  • Searchqu
  • Web Assistant

The tool is designed to remove all traces of these types of programs which includes services, registry values, registry keys, files, and folders. The tool will also restore some default settings for Internet Explorer and Mozilla FireFox. Google Chrome is not supported (perhaps in future).

The tool is non-interactive, so the user can simply open it by double-clicking and wait for the log report (JRT.txt) to open when the tool is finished. A copy of the log is saved to the user's desktop in case you want the user to attach the log.

The tool supports English versions of Windows XP, Windows Vista, and Windows Seven.

Here are some examples of the log output:

Example 1
Example 2
Example 3
Example 4

As you may have noticed, it's very straightforward.

The application is also pretty small in size, currently 542 kilobytes. This is mostly due to the fact that the tool does not use any third party applications.


You can download Junkware Removal Tool from here:

I update it very often (multiple times a day) so please ensure you are using the latest version.

Friday, September 07, 2012

CrapRemover - Introduction and Demonstration

CrapRemover will remove unwanted browser hijacks such as Babylon, Facemoods, Funmoods, Searchqu, iClaro and many others that I see populating forums of the anti-malware community.

See the following demonstration video of how CrapRemover works against Facemoods

Saturday, June 02, 2012

Live Security Platinum (FakeAV) - 06.02.2012 - Analysis and Removal



¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] 529C538A0010DF0D672037BFD151FC4E.exe -- C:\Documents and Settings\All Users\Application Data\529C538A0010DF0D672037BFD151FC4E\529C538A0010DF0D672037BFD151FC4E.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] HKCU\[...]\RunOnce : 529C538A0010DF0D672037BFD151FC4E (C:\Documents and Settings\All Users\Application Data\529C538A0010DF0D672037BFD151FC4E\529C538A0010DF0D672037BFD151FC4E.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1454471165-492894223-854245398-1003[...]\RunOnce : 529C538A0010DF0D672037BFD151FC4E (C:\Documents and Settings\All Users\Application Data\529C538A0010DF0D672037BFD151FC4E\529C538A0010DF0D672037BFD151FC4E.exe) -> FOUND

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.LameShield) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|529C538A0010DF0D672037BFD151FC4E (Trojan.LameShield) -> Data: C:\Documents and Settings\All Users\Application Data\529C538A0010DF0D672037BFD151FC4E\529C538A0010DF0D672037BFD151FC4E.exe -> Quarantined and deleted successfully.

Files Detected: 2
C:\Documents and Settings\All Users\Application Data\529C538A0010DF0D672037BFD151FC4E\529C538A0010DF0D672037BFD151FC4E.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Desktop\Live Security Platinum.lnk (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.
Other traces:

Folder: C:\Documents and Settings\All Users\Application Data\529C538A0010DF0D672037BFD151FC4E

Contains this file: 529C538A0010DF0D672037BFD151FC4E (no extension | 848 bytes)

Delete entire folder...

Tuesday, May 22, 2012

Weelsof - Metropolitan Police - United Kingdom (Ransom Trojan) - 05.22.2012 - Analysis and Removal



HKLM\...\Run: [voitjxghtvngqbu] C:\Documents and Settings\All Users\Application Data\jhdmxqskgvmtxilxyiwh.exe [64512 2012-05-22] ()
HKU\thisisu\...\Run: [voitjxghtvngqbu] C:\Documents and Settings\All Users\Application Data\jhdmxqskgvmtxilxyiwh.exe [64512 2012-05-22] ()
HKLM\...\Winlogon: [Shell] explorer_new.exe [64512 2012-05-22] ()
2012-05-23 02:17 - 2008-04-14 11:00 - 0064512 ____A C:\Windows\explorer_new.exe
2012-05-23 02:16 - 2012-05-22 12:34 - 0000000 ____D C:\Documents and Settings\All Users\Application Data\lwxnrakwwvtxgsd
2012-05-23 02:15 - 2012-05-20 21:43 - 0000016 ____A C:\Documents and Settings\All Users\Application Data\seaoeidlvppzkholfzrrrrvkdflprazo
2012-05-23 02:15 - 2012-05-19 04:09 - 0064512 ____A C:\Documents and Settings\All Users\Application Data\jhdmxqskgvmtxilxyiwh.exe
2012-05-23 02:15 - 2012-05-17 21:50 - 0064512 ____A C:\Windows\jhdmxqskgvmtxilxyiwh.exe

MD5: 1303adf0a0aa3ff3b4a7c818c452853c - VT

Misc Notes:

The folder in %allusersprofile%\appdata (C:\Documents and Settings\All Users\Application Data\lwxnrakwwvtxgsd) has about 10 pictures that compose the ransom screen.

Gimemo Ransom - Germany - "Please wait while the connection is beeing established" - Known File Names

This list will be maintained. I will try to organize the entries in chronological order.
flint4ytw.exe - 21e582cc765de5bb58191200e9f54e77 - VT
ram_reserver64.exe - f8eeecb3c9ea0ace4e485fd1611fa1ab - VT
soundblaster_fx648.exe - cffc2bfa4f74e2a0bb04427f1048b29f - VT
itunes_service01.exe - fd3f7aaef6b290ac4c1d6ebcb36209c9 - VT
itunes_service86.exe - 7944a9eaac350ae8c8a0d2ddfcc07201 - VT
BSI.bund.exe - d1f3c1efbc75d4cdc53241d85cbb8caf - VT
ksprskylabs1.exe - 520016557adaa13daed88d0e45f400f6 - VT
InfoServices_a.exe - 489284c7665739d79697aabda99f41a7 - VT
Game.exe - 489284c7665739d79697aabda99f41a7 - Seen with InfoServices_a.exe - VT
ServiceVBOX.exe - 09591584d659223c5e8733342d713c83 - VT
game_client.exe - VT
SboxService.exe - 5dd62ab5baa65ed9785d01b377622b75 - VT 
ArchiverforWin.exe [] - VT
Diablo_III.exe - d5f4f463d92d78ffbe8326da81b59b50 - VT
WhpAkc.exe - VT
ArchiverforWin.exe [thehrgergergeg] - VT
Apple_Store.exe [tfytfyffytf] - 2ae166c2abc5e380c35dea3ab7a8d7f1 - VT
Apple_Store.exe [Adobe Systems, Incorporated] - f28f9cb1ff043c109797454bde26e269 - VT
AMD_cpx.exe - VT
WinrarArchiver - 0fce6d3421f3f21e7d6214059fe5bad0 - VT
WinrarArchiver - 24a067e94f182a522bcd38c06b4b38d4 - VT
RarArchiverWin.exe [Nonprofit organization offering health, educational, and distance learning Internet broadcasting services] - VT
Apple_Store.exe - [Nonprofit organization offering health, educational, and distance learning Internet broadcasting services] - VT
TarArchiver.exe [SEIKO EPSON CORP.] - 61eceef56f8e8faf8b0a70d3326331e1 - VT
CodeArchiver.exe - 6562d74b5a93f8c8cb537be10d873f46 - VT
TarArchiver.exe - [CJSC "Computing Forces"] - VT
Dickemoepse.exe - a31e35aa09218d4254e4a0fbbd6364b - VT
Smoerrebroe.exe - VT
Warcraft.exe - 07dbb4542299a2a1b7480932f8a25d5b - VT
Schnarch.exe - c4f7a18db6aa1ef57c3f53a050d77ce9 - VT 


For help with removal, see the following pages:
If you need additional assistance, visit and create a topic in the Malware Removal forum.
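The list above pairs file names with MD5 hashes. As an added example (not code from this blog), here is a small offline sweep that walks a directory, hashes every file and reports a strong hit when the MD5 is on the list and a weak hit when only the name matches. The hashes and names in KNOWN_GIMEMO are copied from the list above; everything the demo writes to disk (the temporary "Application Data" folder, its files and the extra "renamed variant" hash) is constructed here so that the script runs without any real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Names and MD5s taken from the Gimemo list above (only the entries that carry
# a hash). Lower-case hex so comparisons are case-insensitive.
KNOWN_GIMEMO: Dict[str, str] = {
    "flint4ytw.exe": "21e582cc765de5bb58191200e9f54e77",
    "ram_reserver64.exe": "f8eeecb3c9ea0ace4e485fd1611fa1ab",
    "soundblaster_fx648.exe": "cffc2bfa4f74e2a0bb04427f1048b29f",
    "itunes_service01.exe": "fd3f7aaef6b290ac4c1d6ebcb36209c9",
    "itunes_service86.exe": "7944a9eaac350ae8c8a0d2ddfcc07201",
    "BSI.bund.exe": "d1f3c1efbc75d4cdc53241d85cbb8caf",
    "ksprskylabs1.exe": "520016557adaa13daed88d0e45f400f6",
}


def md5_of(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through MD5 so large files never need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, known: Dict[str, str]) -> List[Tuple[str, str]]:
    """Walk root and return (path, reason) for files matching a known hash or name.

    A hash match is strong evidence; a name-only match is weak, because the
    authors rename freely and a benign file can share a name."""
    hashes = {h.lower() for h in known.values()}
    names = {n.lower() for n in known}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = md5_of(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in hashes:
                hits.append((path, "md5 match"))
            elif fn.lower() in names:
                hits.append((path, "name match only (check on VirusTotal)"))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Build a throwaway 'Application Data' folder and sweep it (all contents constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata = Path(tmp) / "Application Data"
        appdata.mkdir()
        # Same name as a listed sample, different bytes: expected to be a name-only hit.
        (appdata / "flint4ytw.exe").write_bytes(b"constructed stand-in, not the real sample")
        # Benign file: must not be reported.
        (appdata / "notes.txt").write_bytes(b"nothing to see here")
        # A file with an unlisted name whose hash we add to the IoC set, to show
        # the strong-match path (the real variants are renamed constantly).
        renamed = appdata / "update_helper.exe"
        renamed.write_bytes(b"constructed stand-in for a renamed dropper")
        known = dict(KNOWN_GIMEMO)
        known["<renamed variant>"] = md5_of(str(renamed))
        return sorted((os.path.basename(p), why) for p, why in sweep(tmp, known))


if __name__ == "__main__":
    for name, why in demo():
        print(f"{why:40} {name}")
```

On a real machine you would point sweep() at the user's Application Data directory (the location the GEMA post names) and treat a name-only hit as a prompt to upload the file, not as a verdict; the MD5 list only catches the exact samples listed.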

Monday, May 14, 2012

Police Nationale Francaise - France (Ransom Trojan) - 05.14.2012 - Analysis and Removal


Easy way to defeat:

If on XP:
Press F8 upon boot to get to the Windows Advanced Options Menu
From the list, choose "Directory Services Restore Mode"

You should now be in Windows Safe Mode with Networking capabilities.

Download and install Malwarebytes from here.
Run a Quick Scan.
Ransom message should no longer appear.

Additional information:
This ransom does not extract additional files. It simply runs from itself, hijacking this key:
It creates a bad value here, like "vasja", which points to the one bad ransom file.

Friday, May 04, 2012

Rannoh - Canada (Ransom Trojan) - 05.04.2012 - Analysis and Removal

Figure 1.a

This is very similar to Gendarmerie Nationale (French) in the sense that the bad files are practically located in the same directories.

For this one, look in these directories:
  • %userprofile%\local settings\temp\<random 10 letter folder> - For example: Mlqjqjqjq
  • %windir%\system32
The two bad .exe files in these folders are 20 alphanumeric characters long. For example: AE6B1A712C387EF4E4A7.exe

Note: The .exe in each folder listed is exactly the same in terms of MD5 hash, but the actual Name of the randomized .exe is different (both are randomized).

The first step is to remove the Windows lockout portion of this infection.
Boot off a diagnostic CD/DVD such as Hiren, or slave the hard drive to another PC with a bootable Windows OS.

Having seen this type of infection before, I just went into the suspected folders above and deleted the two bad .exe files from there. Once this is done, you should be able to boot to the Windows desktop again. If you'd like to use some type of scanning tool and know how to analyze the log, I'd recommend Farbar Recovery Scan Tool (FRST).

Back in Windows

Great, we are back to the Windows desktop! Wait... why are all my files encrypted?!

Similar to ACCDFISA, this type of ransom trojan has two main features.
1) Lock you out of Windows (See Figure 1.a above)
2) Encrypts the majority of your files

Do not fret, the expert personnel at Kaspersky have created a tool called RannohDecryptor designed to decrypt and restore your files with ease!

Kaspersky RannohDecryptor in action

Download it here or mirror

After decryption

Monday, April 16, 2012

GVU - Germany (Ransom Trojan) - 04.16.2012 - Analysis and Removal


HKLM\...\Run: [5kS43ADO0bzprWo] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x]
HKU\thisisu\...\Run: [5kS43ADO0bzprWo] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x]
HKU\thisisu\...\Policies\system: [DisableTaskMgr] 1
HKU\thisisu\...\Policies\system: [DisableRegistryTools] 1
HKU\thisisu\...\Winlogon: [Userinit] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe,C:\WINDOWS\System32\userinit.exe, [26112 2008-04-14] (Microsoft Corporation)
HKU\thisisu\...\Winlogon: [Shell] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x]
HKLM\...\Winlogon: [Userinit] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe,C:\WINDOWS\System32\userinit.exe, [26112 2008-04-14] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x ] ()

File to delete:
C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe

Registry entries to fix:
"NoDesktop"=dword:00000001   should be 0
"5kS43ADO0bzprWo"="C:\\Documents and Settings\\thisisu\\Application Data\\soundblaster_fx648.exe"
"5kS43ADO0bzprWo"="C:\\Documents and Settings\\thisisu\\Application Data\\soundblaster_fx648.exe"

Friday, April 13, 2012

WindowsSecurity (Ransom Trojan) - 04.13.2012 - Analysis and Removal

Creates this registry value:
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
points to the malicious file that was run.

Creates a bad value under this key:
Look for a value similar to: "S112106111" which points to the malicious file that was run.

Main objective is to delete the one malicious file you ran. For example I ran a file from my desktop called be65d.exe. I would need to delete this file before I am able to get into Windows again.

Saturday, April 07, 2012

Tobfy - Germany (Ransom Trojan) - 04.07.2012 - Analysis and Removal

Hijacks HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "(Default)" "" "" "File not found: C:\Documents and Settings\thisisu\Desktop\badfile.exe"
Does not extract any additional files (runs from itself only)
Locks you out of Windows including Safe Modes - Use boot CD or slave hard drive to fix
Delete the one bad exe you downloaded and executed and you should be back in Windows :)

VT - Thanks to rkhunter for uploading sample and thanks to Kafeine for proper classification

Saturday, March 31, 2012

Gimemo - France - Gendarmerie Nationale (Ransom Trojan) - 04.01.2012 - Analysis and Removal


HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows|Load
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit
"C:\WINDOWS\system32\09AE2D586052AD446FE6.exe," [53760 2012-03-31] (nJin
IMEO\msconfig.exe: [Debugger] P9KDMF.EXE
IMEO\regedit.exe: [Debugger] P9KDMF.EXE
IMEO\taskmgr.exe: [Debugger] P9KDMF.EXE

HKU\owner\...\Policies\system: [DisableRegistryTools] 1
HKU\owner\...\Policies\system: [DisableRegedit] 1

2012-03-31 18:48 - 2012-03-01 03:26 - 0960056 ____A C:\Windows\System32\winsh324
2012-03-31 18:48 - 2012-03-01 03:26 - 0960056 ____A C:\Windows\System32\winsh320
2012-03-31 18:48 - 2012-03-01 03:08 - 0960056 ____A C:\Windows\System32\winsh323
2012-03-31 18:48 - 2012-03-01 03:07 - 0960056 ____A C:\Windows\System32\winsh322
2012-03-31 18:48 - 2012-03-01 03:07 - 0960056 ____A C:\Windows\System32\winsh321
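The Weelsof, GVU and Gimemo listings above all show the same handful of persistence tricks in FRST output: a Run entry pointing into a user-writable data folder, the Winlogon Shell or Userinit value prepended with the ransom file, an Image File Execution Options Debugger entry that swallows regedit/taskmgr/msconfig, and policy values that disable Task Manager and the registry tools. As an added example (not code from this blog or from FRST), here is a small triage script that reads lines in that format and flags each of those patterns while leaving clean explorer.exe and userinit.exe lines alone. The SAMPLE_LOG is constructed from the lines quoted in the posts plus three clean lines; the rule thresholds (which directories count as user-writable, which policy names count as lockouts) are this example's assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: registry lines in the style of the FRST listings quoted
# in the Weelsof, GVU and Gimemo posts above, followed by three clean lines
# (a vendor Run entry, explorer.exe, userinit.exe) that must not be flagged.
SAMPLE_LOG = r"""
HKLM\...\Run: [voitjxghtvngqbu] C:\Documents and Settings\All Users\Application Data\jhdmxqskgvmtxilxyiwh.exe [64512 2012-05-22] ()
HKLM\...\Winlogon: [Shell] explorer_new.exe [64512 2012-05-22] ()
HKLM\...\Winlogon: [Userinit] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe,C:\WINDOWS\System32\userinit.exe, [26112 2008-04-14] (Microsoft Corporation)
HKU\thisisu\...\Policies\system: [DisableTaskMgr] 1
IMEO\taskmgr.exe: [Debugger] P9KDMF.EXE
HKLM\...\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe [12345 2012-01-01] (Example Corp)
HKLM\...\Winlogon: [Shell] explorer.exe [1033728 2008-04-14] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\System32\userinit.exe, [26112 2008-04-14] (Microsoft Corporation)
"""

# "<key>: [<value name>] <data>" -- the key never contains a colon, the data may.
LINE_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] ?(?P<data>.*)$")
# Trailing "[size date] (company)" or "[x]" annotation that FRST appends to the data.
META_RE = re.compile(r"\s*\[[^\]]*\]\s*(\([^)]*\))?\s*$")

# Directories a normal autostart should not live in (all user-writable); assumption.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# Policy values the ransom trojans above set to 1 to lock the user out.
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "disableregedit", "nodesktop"}


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one FRST registry line into (key, value name, data without annotation)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["key"], m["name"], META_RE.sub("", m["data"]).strip()


def classify(key: str, name: str, data: str) -> Optional[str]:
    """Return a finding label for a suspicious entry, or None if it looks normal."""
    k, n, d = key.lower(), name.lower(), data.lower()
    if k.startswith("imeo\\") and n == "debugger":
        return "IFEO Debugger hijack"  # regedit/taskmgr/msconfig redirected to the malware
    if k.endswith("\\winlogon") and n == "shell" and d != "explorer.exe":
        return "Winlogon Shell hijack"
    if k.endswith("\\winlogon") and n == "userinit":
        parts = [p.strip() for p in d.split(",") if p.strip()]
        if not parts or any(not p.endswith("\\system32\\userinit.exe") for p in parts):
            return "Winlogon Userinit hijack"
    if k.endswith("\\run") and any(s in d for s in USER_WRITABLE):
        return "Run entry in user-writable directory"
    if "\\policies\\" in k and n in LOCKOUT_POLICIES and d == "1":
        return "Lockout policy set"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding, original line) for every suspicious line in an FRST excerpt."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        label = classify(*parsed)
        if label:
            findings.append((label, line.strip()))
    return findings


if __name__ == "__main__":
    for label, line in triage(SAMPLE_LOG):
        print(f"{label:40} {line}")
```

The output is a worklist, not a fix: each flagged line maps to one of the "entries to fix" the posts list by hand (restore Shell to explorer.exe, Userinit to the system32 path, delete the Debugger value and the Run value, set the policy back to 0), and the file the entries point to is what gets moved or deleted.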


Thursday, March 29, 2012

GEMA - Germany (Ransom Trojan) - 03.29.2012 - Analysis and Removal

Once you are infected with GEMA, you will be presented with a white screen with text that reads:
"Please wait while the connection is beeing established."
and then the German translation...
Do not bother trying Safe Mode(s); they will not work. You need to boot using a CD or slave the hard drive to a working computer to remove one file and a few bad registry values.

I used Farbar's Recovery Scan Tool (FRST) for this.
Here are the items that need fixing:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\K3aRyluP6SiCkoR Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\K3aRyluP6SiCkoR Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableRegistryTools Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value was restored.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored.
C:\Documents and Settings\owner\Application Data\flint4ytw.exe moved successfully.
The tool does not fix everything that needs to be corrected, but from here you can at least open Explorer again and the Please wait while the connection is beeing established screen is gone.

Even though you are still somewhat limited due to no desktop icons, you will be able to launch Windows Explorer so you can launch Malwarebytes' Anti-Malware.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Even after MBAM repaired this item and I rebooted, I was still missing my desktop icons.

I simply right-mouse clicked anywhere on the desktop and selected "Show Desktop Icons".
After that, everything was back to normal :-)
Misc notes:
You will be unable to right-mouse click the desktop and receive the pop-up menu until the above policy (NoDesktop) is fixed.

Update: April 28th, 2012 || file name is changed to ram_reserver64.exe (VirusTotal) Same location as listed above.

Update: May 5th, 2012 || file name is changed to itunes_service01.exe (VirusTotal) Same location as listed above.

Update: May 5th, 2012 || file name is changed to itunes_service86.exe (MajorGeeks) Same location as listed above.

Update: May 15th, 2012 || file name is changed to BSI.bund.exe (VirusTotal . MajorGeeks) Same location as listed above.

Thursday, March 15, 2012

Panda Security Creates ZeroAccess Cleaning Tool (Yorkyt.exe) - Removes Abnow Redirect

Panda Security has created an AntiZeroAccess tool that works very well compared to others I have tested in the past.

In fact, it practically removed every trace of ZeroAccess minus 2-3 dormant files. What really impressed me was that it was able to delete the heart of ZeroAccess, the $NtUninstallKBXXXXX$ folder.

I am posting my results from the scans and information I was able to gather.
I used a dropper from early March which fakes sys32 .DLLs using the Company Name: Iomega.

More details about this specific variant here in a previous post of mine.

After injection, I verify that I will be redirected to abnow after searching for anything in Google.

In this example, I wanted to try to get to the MajorGeeks website via Google.

I am being redirected to abnow.

Start looking for bad service and netsvcs data value using Autoruns.
Results in the screen to the right:

Excerpt from yorkyt.exe.log

2012-03-15 17:16:39: Bad Service: system32\csctl50.dll
2012-03-15 17:16:39: Found Service: Packet
2012-03-15 17:16:39: Display Name: AFGMp50
2012-03-15 17:16:39: Description: New service would allow parents to control their children's online activity.
2012-03-15 17:16:39: ServiceDLL: %systemroot%\system32\csctl50.dll
2012-03-15 17:16:39: MD5: B89CFBE8CB247B57D8C10ADAA66B462B (VT)
Start disinfection using yorkyt.exe

Yes, reboot

The tool does not actually delete the service. Instead, it "breaks" the service by changing the ServiceDll value of the service into a .DLL that does not exist.

This prevents the service from being able to run or start again.

For example, the tool changed the ServiceDll value of Packet to csctl50.dll.bad when it was previously csctl50.dll. See Below:

After the 2nd reboot

Finished! Now let's verify.

No longer getting redirected :-)



Files Detected: 3
C:\WINDOWS\system32\csctl50.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.

"C:\Documents and Settings\thisisu\Local Settings\Application Data\"
02E7ABF0      Mar 15 2012              "02e7abf0" -> Empty folder

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\csctl50.dll.bad -- (Packet)
NetSvcs: Packet - %systemroot%\system32\csctl50.dll.bad File not found

It does not hurt to leave these broken entries, but I would recommend actually deleting both the non-functioning service and the NetSvcs data value.
Misc notes:

The entire contents of the folder were removed by Panda Security's Yorkyt.exe. Impressive!

>>> Full Yorkyt.exe log here. <<<
>> Download Yorkyt.exe here. <<