Monday, April 16, 2012

GVU - Germany (Ransom Trojan) - 04.16.2012 - Analysis and Removal

__________________________________________________________________________________
FRST





HKLM\...\Run: [5kS43ADO0bzprWo] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x]
HKU\thisisu\...\Run: [5kS43ADO0bzprWo] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x]
HKU\thisisu\...\Policies\system: [DisableTaskMgr] 1
HKU\thisisu\...\Policies\system: [DisableRegistryTools] 1
HKU\thisisu\...\Winlogon: [Userinit] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe,C:\WINDOWS\System32\userinit.exe, [26112 2008-04-14] (Microsoft Corporation)
HKU\thisisu\...\Winlogon: [Shell] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x]
HKLM\...\Winlogon: [Userinit] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe,C:\WINDOWS\System32\userinit.exe, [26112 2008-04-14] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x ] ()

File to delete:
C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe

Registry entries to fix:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001   (set back to dword:00000000 or delete the value; 1 hides every desktop item)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"5kS43ADO0bzprWo"="C:\\Documents and Settings\\thisisu\\Application Data\\soundblaster_fx648.exe"   (delete the value)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"5kS43ADO0bzprWo"="C:\\Documents and Settings\\thisisu\\Application Data\\soundblaster_fx648.exe"   (delete the value)
Also reset the Winlogon values shown in the FRST lines above, in both HKLM and the user's hive, so logon no longer references the deleted file: Shell back to Explorer.exe and Userinit back to its default, C:\WINDOWS\system32\userinit.exe, with its trailing comma. Remove the DisableTaskMgr and DisableRegistryTools values under Policies\system as well, or Task Manager and regedit stay blocked after the file is gone.
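The FRST lines above (and the same Winlogon Shell plus Run-key pattern in the WindowsSecurity and Tobfy entries below) can be triaged mechanically. The following Python script is an added example, not code from the original post or from FRST: it parses the FRST lines quoted above (embedded as constructed sample input, alongside a constructed clean pair of Winlogon lines), flags every Winlogon Shell or Userinit value that points anywhere other than the XP defaults, follows that binary to its Run values and to the DisableTaskMgr/DisableRegistryTools locks, and prints the lines for an FRST fixlist.txt. The function names are hypothetical, and the fixlist conventions it relies on (a log line copied verbatim removes or resets that entry, a bare path on its own line deletes the file) are assumptions about FRST's behaviour, so check them against the documentation of the FRST build you carry.

```python
"""Triage of FRST registry lines for the Winlogon/Run hijack used by these
ransom trojans. Added example, not part of the original post. Helper names
are hypothetical; the fixlist conventions in build_fixlist are assumptions."""
import re

# Constructed sample: the FRST lines quoted in the GVU entry, verbatim.
FRST_EXCERPT = r"""
HKLM\...\Run: [5kS43ADO0bzprWo] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x]
HKU\thisisu\...\Run: [5kS43ADO0bzprWo] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x]
HKU\thisisu\...\Policies\system: [DisableTaskMgr] 1
HKU\thisisu\...\Policies\system: [DisableRegistryTools] 1
HKU\thisisu\...\Winlogon: [Userinit] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe,C:\WINDOWS\System32\userinit.exe, [26112 2008-04-14] (Microsoft Corporation)
HKU\thisisu\...\Winlogon: [Shell] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x]
HKLM\...\Winlogon: [Userinit] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe,C:\WINDOWS\System32\userinit.exe, [26112 2008-04-14] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x ] ()
"""

# Constructed clean lines (XP defaults), to show the checks do not fire on them.
CLEAN_EXCERPT = r"""
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe, [26112 2008-04-14] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] Explorer.exe
"""

LINE_RE = re.compile(
    r'^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\'        # HKLM or HKU\<user>, then \...\
    r'(?P<key>Run|Winlogon|Policies\\system): '    # the keys these trojans touch
    r'\[(?P<name>[^\]]+)\] (?P<data>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^,\[\]]+?\.exe', re.IGNORECASE)
LOCK_POLICIES = {'DisableTaskMgr', 'DisableRegistryTools'}


def parse_frst(text):
    """Parse the registry lines of an FRST log; lines that do not match are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry['raw'] = raw.strip()
            entry['paths'] = PATH_RE.findall(entry['data'])
            entry['action'] = None
            entries.append(entry)
    return entries


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def triage(entries):
    """Flag hijacked Winlogon values first, then the Run values and policy
    locks that belong to the same binary. Returns the removal plan."""
    plan = {'suspect_files': [], 'winlogon': [], 'run': [], 'policies': []}
    for e in entries:
        if e['key'] != 'Winlogon':
            continue
        value = e['data'].split(' [', 1)[0].strip()   # drop FRST's "[size date]" trailer
        if e['name'] == 'Shell':
            # XP default is the bare "Explorer.exe"; any full path here is injected.
            injected = e['paths'] if value.lower() != 'explorer.exe' else []
        elif e['name'] == 'Userinit':
            # Default is exactly one path, system32\userinit.exe; anything else is injected.
            injected = [p for p in e['paths'] if basename(p) != 'userinit.exe']
        else:
            injected = []
        if injected:
            e['action'] = 'restore default'
            plan['winlogon'].append(e)
            for p in injected:
                if p.lower() not in (s.lower() for s in plan['suspect_files']):
                    plan['suspect_files'].append(p)
    suspects = {s.lower() for s in plan['suspect_files']}
    for e in entries:
        if e['key'] == 'Run' and any(p.lower() in suspects for p in e['paths']):
            e['action'] = 'delete value'
            plan['run'].append(e)
        elif (e['key'] == 'Policies\\system' and e['name'] in LOCK_POLICIES
              and e['data'].strip() == '1'):
            e['action'] = 'delete value'
            plan['policies'].append(e)
    return plan


def build_fixlist(entries, plan):
    """Assumed FRST convention: a log line copied verbatim into fixlist.txt is
    removed (Run/Policies values) or reset to default (Winlogon Shell/Userinit),
    and a bare path on its own line deletes that file. Log order is preserved."""
    lines = [e['raw'] for e in entries if e['action']]
    lines.extend(plan['suspect_files'])
    return lines


if __name__ == '__main__':
    found = parse_frst(FRST_EXCERPT)
    print('\n'.join(build_fixlist(found, triage(found))))
```

Run as-is it prints the nine fixlist lines for the GVU sample (the eight flagged registry lines followed by the path of soundblaster_fx648.exe) and nothing for the clean sample. The same three things are what you correct by hand when working from a boot CD with the drive slaved and the hives loaded with reg load: Shell back to Explorer.exe, Userinit back to C:\WINDOWS\system32\userinit.exe, and the two policy values deleted.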
__________________________________________________________________________________

Friday, April 13, 2012

WindowsSecurity (Ransom Trojan) - 04.13.2012 - Analysis and Removal


Creates this registry value:
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
It points to the malicious file that was run.

Creates a bad value under this key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Look for a value with a name similar to "S112106111" that points to the malicious file that was run.


The main objective is to delete the one malicious file you ran. For example, I ran a file from my desktop called be65d.exe; I would need to delete this file before I am able to get into Windows again.

Saturday, April 07, 2012

Tobfy - Germany (Ransom Trojan) - 04.07.2012 - Analysis and Removal


Hijacks HKCU\Software\Microsoft\Windows\CurrentVersion\Run by setting the key's (Default) value to the executable that was run:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "(Default)" "" "" "File not found: C:\Documents and Settings\thisisu\Desktop\badfile.exe"
Does not extract any additional files (runs from itself only)
Locks you out of Windows, including Safe Mode: use a boot CD or slave the hard drive to fix it.
Delete the one bad exe you downloaded and executed and you should be back in Windows :)

VT - Thanks to rkhunter for uploading sample and thanks to Kafeine for proper classification