Tuesday, July 24, 2012

Gimemo: Another FBI Ransomware



This one looks almost exactly like Reveton, which I have posted about before, though the behavior is a bit different. Gimemo is capable of starting in safe mode, so it makes removal just a bit trickier. The best way to remove this is always to do a system restore. If you do not have restore points, you can follow the instructions for manual removal below.

To perform the system restore method, reboot the PC and repeatedly tap the "f8" key at the top of the keyboard to get to the "Advanced Boot Options" menu. Select "Safe Mode with Command Prompt". Once it loads and gives you the command prompt, type "rstrui.exe" and follow the on-screen instructions for system restore.

If you have no restore points or are like me and want to do things the hard way :), you can also remove it manually. To do this, get into safe mode with command prompt using the instructions above. Once there, we need to delete the exe files. Type the command "explorer.exe", which will open an Explorer window and let you navigate through the file system.



Find "%appdata%\<random.exe>" and delete it



Run the following command:

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableTaskMgr" /t REG_DWORD /d 0



Now you can reboot into normal mode and at least be able to do something. Once booted into normal mode, you may notice that you do not see your start menu; that gets fixed next, but the point is that now we can get some work done inside the PC. So open taskmgr using the key combination [Ctrl + Shift + Esc].



Go to File > New Task (Run) and type "iexplore.exe". You now have IE open; use it to download Autoruns. Open Autoruns once you have it downloaded. Delete all the values that have been marked in yellow:


Once you do all that, you can reboot the PC and explorer will launch correctly. You will notice that you are still missing all of the icons, and all of the files on the "C:\" drive are still hidden. Here is what to do about that:

Download Dial-A-Fix. If you are on Vista/7 you can still use it by running it in compatibility mode for XP SP3. Launch DAF and go to the policies section. Remove all of the policies that have been found and restart the PC again.



That will enable your registry tools. Now open regedit, make sure you are at the top node ("Computer") and go to Edit > Find. Type "nodesktop" into the search box.


Delete what you find:


Open taskmgr again and close explorer.exe:


Still in taskmgr, go to File > New Task (Run) and type "explorer.exe", which will bring up your start menu again. Making sure that the start menu is up, right-click on the desktop > Arrange Icons By > Show Desktop Icons. You should now see your desktop icons. At this point, a malware scanner should be run to ensure that there are no other infections on the PC. My favorite, as always, is MalwareBytes' Anti-Malware. A quick scan should be good enough in this case. That's it! Ransomware removed!
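As an added example (not part of the original post), here is a PowerShell script that audits the per-user policy values the manual steps above remove one at a time (DisableTaskMgr, DisableRegistryTools, NoDesktop) and, with -Remediate, clears them. The Run-key and Winlogon Shell checks are assumptions about where the dropped %APPDATA% exe would be persisting; adapt them to what Autoruns actually flagged.

```powershell
<#
 Added example: audit (and optionally clear) the lockdown policies and
 per-user autostart entries this post has you remove by hand.
 Run from the Safe Mode with Command Prompt session; add -Remediate to fix.
#>
param([switch]$Remediate)

$hkcu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'

# Policy values the post removes; any non-zero value here is a finding.
$policies = @(
    @{ Path = "$hkcu\Policies\System";   Name = 'DisableTaskMgr' },
    @{ Path = "$hkcu\Policies\System";   Name = 'DisableRegistryTools' },
    @{ Path = "$hkcu\Policies\Explorer"; Name = 'NoDesktop' }
)

foreach ($p in $policies) {
    $v = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($p.Name) -ne 0) {
        Write-Output "FOUND $($p.Path)\$($p.Name) = $($v.($p.Name))"
        if ($Remediate) {
            Remove-ItemProperty -Path $p.Path -Name $p.Name
            Write-Output '  removed'
        }
    }
}

# Assumption: the loader persists via an HKCU Run entry or a Winlogon Shell
# override pointing into %APPDATA%, where the post says <random>.exe lives.
$appdata = [regex]::Escape($env:APPDATA)
$run = Get-ItemProperty -Path "$hkcu\Run" -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -notlike 'PS*' -and $prop.Value -is [string] -and $prop.Value -match $appdata) {
            Write-Output "FOUND Run\$($prop.Name) = $($prop.Value)"
            if ($Remediate) { Remove-ItemProperty -Path "$hkcu\Run" -Name $prop.Name }
        }
    }
}

$shellKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $shellKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    # A per-user Shell override replaces explorer.exe; deleting it falls back
    # to the machine-wide default, which is why the start menu vanished.
    Write-Output "FOUND Winlogon\Shell = $shell (expected explorer.exe)"
    if ($Remediate) { Remove-ItemProperty -Path $shellKey -Name Shell }
}
```

Run it once without -Remediate to see what it would touch, then again with the switch; the three policy values it clears are the same ones the reg add, Dial-A-Fix and regedit steps above handle individually.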
