<h2>r0cket's malware blog</h2>
Malware removal made easy. Posts by TeamRocketOps.<br />
<br />
<h2>Quick Registry Snapshot (2013-12-16)</h2>
I came across a neat trick when looking into taking registry backups and would like to share what I found. This trick will work on Windows 7 and later operating systems.<br />
First a little background. Let's take a look at the folder that the registry resides in and the core registry files (DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM):<br />
<br />
<b>%systemroot%\system32\config </b><br />
<br /><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8aolxzpxGWdfXjKKdjG4hcYkAoMnKvzTUouFL7CPChCFP_H89lncBt62q5rVYmSteWGC9F2O0Xe4s2Q5PEQJsSYg3zBrggiZQ0DeAKbgaZ8pabl4VRiWtJCdzsSo_1UsXv9gl6v1reFA/s1600/1_Config_Folder.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8aolxzpxGWdfXjKKdjG4hcYkAoMnKvzTUouFL7CPChCFP_H89lncBt62q5rVYmSteWGC9F2O0Xe4s2Q5PEQJsSYg3zBrggiZQ0DeAKbgaZ8pabl4VRiWtJCdzsSo_1UsXv9gl6v1reFA/s1600/1_Config_Folder.JPG" height="188" width="320" /></a></div>
<br />
There is one folder in particular that we are interested in:<br />
<br />
<b>%systemroot%\system32\config\RegBack</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXfslIaMkYo7NrfFW7ot2-QOXlx0ArbsS91frQCLI5ibP_wRdZI92EbqBQ89b_xv7h3wvMUb2i_bixl7rrQ8wTYJhsdx4Fd-irdoR2prEWqcdThnHpAy8f9OnNhIk0KksosYp7yJenFk4/s1600/2_RegBack.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXfslIaMkYo7NrfFW7ot2-QOXlx0ArbsS91frQCLI5ibP_wRdZI92EbqBQ89b_xv7h3wvMUb2i_bixl7rrQ8wTYJhsdx4Fd-irdoR2prEWqcdThnHpAy8f9OnNhIk0KksosYp7yJenFk4/s1600/2_RegBack.JPG" height="187" width="320" /></a></div>
<br />
We can see that the RegBack folder holds a copy of each of the registry hives. This is really useful because it gives us at least one good copy of the registry that we can restore from in case Windows gets into a state where it is unable to boot.<br />
<br />
The question now is, how does this get backed up? There is a hidden scheduled task:<br />
<br />
"\Microsoft\Windows\Registry\RegIdleBackup"<br />
<br />
This is the task responsible for taking the snapshot that is saved in the RegBack folder. The problem is, this task is only scheduled to run once every 10 days. Some people might want to run it more often, or be able to run it on demand. Here is how to do it:<br />
<br />
Open CMD as administrator<br />
Type the following command:<br />
<br />
<b>schtasks.exe /run /TN "\Microsoft\Windows\Registry\RegIdleBackup"</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-zgNDZ2_VKJpyn3cgq-OWk3l1LbwhyphenhyphenzELy-dH2UEDQhr1YakdTzIThN0j5XeP75H2W7z5LwrsosH0uEUlRTQH-rZKkEJZzJiDEJ2T2r6VnFv2-khbv-0BT6xaw_nJSEQPuqBDvZU76xs/s1600/3_CMD.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-zgNDZ2_VKJpyn3cgq-OWk3l1LbwhyphenhyphenzELy-dH2UEDQhr1YakdTzIThN0j5XeP75H2W7z5LwrsosH0uEUlRTQH-rZKkEJZzJiDEJ2T2r6VnFv2-khbv-0BT6xaw_nJSEQPuqBDvZU76xs/s1600/3_CMD.JPG" height="163" width="320" /></a></div>
<br />
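As an added check that is not part of the original post: the PowerShell script below (elevated prompt, Windows 7 or later, PowerShell 3.0 or later) runs the same schtasks command, waits for the task to leave the Running state, and then lists each hive copy in RegBack with its size and last-write time, so you can confirm the snapshot really was refreshed rather than assume it. The function names and the 120-second timeout are my own choices. One caveat for newer systems: from Windows 10 version 1803 onward the task still completes but leaves the RegBack files at 0 bytes unless the DWORD value EnablePeriodicBackup under HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager is set to 1; the script reports that case as EMPTY.<br />

```powershell
# Added example (not from the original post): trigger RegIdleBackup the same way
# the post does, then verify that the hive copies in RegBack were refreshed.
# Requires an elevated prompt, Windows 7 or later, PowerShell 3.0 or later.

$TaskName = '\Microsoft\Windows\Registry\RegIdleBackup'
$RegBack  = Join-Path $env:SystemRoot 'System32\config\RegBack'
$Hives    = 'DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM'

function Get-RegBackState {
    # Size and last-write time of each hive copy in RegBack (0 / missing if absent).
    foreach ($h in $Hives) {
        $f = Get-Item -LiteralPath (Join-Path $RegBack $h) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive          = $h
            Exists        = [bool]$f
            Length        = if ($f) { $f.Length } else { 0 }
            LastWriteTime = if ($f) { $f.LastWriteTime } else { $null }
        }
    }
}

function Wait-TaskFinished {
    param([string]$Name, [int]$TimeoutSec = 120)
    # '/FO CSV /NH' prints one row per trigger: "TaskName","Next Run Time","Status".
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 2
        $rows = schtasks.exe /Query /TN $Name /FO CSV /NH |
                ConvertFrom-Csv -Header TaskName, NextRunTime, Status
        if (-not ($rows | Where-Object { $_.Status -eq 'Running' })) { return $true }
    } while ((Get-Date) -lt $deadline)
    return $false
}

$started = Get-Date

# Same command as in the post, just invoked from PowerShell.
schtasks.exe /Run /TN $TaskName | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "schtasks /Run failed with exit code $LASTEXITCODE (is the prompt elevated?)"
}

if (-not (Wait-TaskFinished -Name $TaskName)) {
    Write-Warning 'RegIdleBackup is still running after the timeout; the report below may be stale.'
}

# One line per hive: OK means the file exists, is non-empty and was written after we started.
foreach ($hive in Get-RegBackState) {
    $status = if (-not $hive.Exists)                    { 'MISSING' }
              elseif ($hive.Length -eq 0)               { 'EMPTY (0 bytes)' }
              elseif ($hive.LastWriteTime -lt $started) { 'NOT REFRESHED' }
              else                                      { 'OK' }
    '{0,-9} {1,12:N0} bytes  {2}  {3}' -f $hive.Hive, $hive.Length, $hive.LastWriteTime, $status
}
```

A hive reported as NOT REFRESHED usually means the task ran but the hive was in use or the task was skipped; EMPTY points at the 1803-and-later default described above.<br />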
Now you have a current snapshot of the registry! This can be restored manually from any PE environment that allows access to the file system.<br />
<br />
<h2>FBI Online Agent (2012-11-14)</h2>
<div style="text-align: left;">
Another day, another screenlocker. These things are getting on my nerves...</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIdc80Rmmd2da1COI_504QdTh02V5iRejpmFuvju_s_56HauNSandQpQ6zOKfae-vhcDVwzelkgUV6XWkHjcg_hiWG9Lfw7j2iVBqnOoA7gagLscfBDParaUGTANizgP3NWecaZncp3xY/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIdc80Rmmd2da1COI_504QdTh02V5iRejpmFuvju_s_56HauNSandQpQ6zOKfae-vhcDVwzelkgUV6XWkHjcg_hiWG9Lfw7j2iVBqnOoA7gagLscfBDParaUGTANizgP3NWecaZncp3xY/s320/Untitled.png" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
This is a fairly straight-forward removal process. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
</div>
<ol>
<li>Reboot the PC into Safe Mode with Networking by repeatedly pressing the F8 key (top row of the keyboard) until you reach the "Advanced Boot Options" menu</li>
<li>Hold down Windows Key + R to get the run box open</li>
<li>Clear out the text inside the run box and type "regedit.exe" (without the quotes), click "Ok"</li>
<li>Navigate to the following key: <span style="color: #3d85c6;">HKLM\Software\Microsoft\Windows\CurrentVersion\Run</span> </li>
<li>Look for an exe running from the following folder: </li>
</ol>
<div style="text-align: center;">
<span style="color: #3d85c6;">%userprofile%\Local Settings\Application Data\Microsoft\Windows\<u><b>912\WSManHTTPConfig.exe</b></u></span></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Keep in mind, the above exe name (WSManHTTPConfig.exe) and the folder that it is stored in (912 in my case) changes with each installation. I have underlined the part that changes with each installation. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
All we need to do now is navigate to the folder and remove the exe itself. Here is how to do that:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<ol>
<li>Open up the run box again the same way we did above.</li>
<li>Type "control folders" (without the quotes) and click "Ok"</li>
<li>Navigate to the "View" tab</li>
<li>Tick "Show hidden files, folders, drives" </li>
<li>UnTick "Hide Protected Operating System Files"</li>
<li>Open the run box again</li>
<li>Type "%userprofile%" (without the quotes) and click "Ok"</li>
<li>Navigate to "Local Settings\Application Data\Microsoft\Windows\"</li>
<li>Find the folder that was marked in the registry key that you found above (912 in my case)</li>
<li>Delete that folder entirely (be careful not to delete any others, open the folder to be sure it is correct) </li>
<li>Repeat steps 1-5 but tick the opposites (Hide files again)</li>
<li>Run a malware scanner on the PC to ensure that you are rid of any leftovers</li>
</ol>
</div>
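Added example, not from the original post: a read-only PowerShell audit (PowerShell 3.0 or later, works in Safe Mode) of the Run and RunOnce keys for the machine and the current user. It flags entries whose executable lives under the user profile, which is the pattern from step 5 above: the "Local Settings\Application Data" path, its Vista-and-later real location %LOCALAPPDATA%, and, going a little beyond the post, %APPDATA% and %TEMP%. It also shows whether the file still exists on disk. The function names and the heuristic are mine; the script changes nothing, so the flagged rows are reviewed and removed by hand as the steps above describe.<br />

```powershell
# Added example (not from the original post): read-only audit of the Run/RunOnce
# autostart keys. Entries whose executable sits under the user's profile, like the
# screenlocker above, are flagged for review. PowerShell 3.0 or later; works in Safe Mode.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every item; they are not real values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntryExecutable {
    param([string]$Command)
    # A Run value is a command line: take the quoted path if there is one,
    # otherwise everything up to and including the first ".exe".
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $Command.Trim()
}

function Test-ProfileLaunched {
    param([string]$Path)
    # Locations a properly installed program rarely starts from: the XP-style
    # "Local Settings\Application Data" path used in the post, its Vista+ real
    # location %LOCALAPPDATA%, plus the roaming and temp folders (my generalisation).
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $roots = @(
        (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
        $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP
    ) | Where-Object { $_ }
    foreach ($r in $roots) {
        if ($expanded.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$report = foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-ItemProperty -LiteralPath $key
    foreach ($p in $item.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        $exe  = Get-RunEntryExecutable -Command ([string]$p.Value)
        $full = [Environment]::ExpandEnvironmentVariables($exe)
        [pscustomobject]@{
            Key         = $key
            Name        = $p.Name
            Executable  = $exe
            OnDisk      = if ($full) { Test-Path -LiteralPath $full } else { $false }
            FromProfile = Test-ProfileLaunched -Path $exe
        }
    }
}

# Flagged rows first. Nothing is modified; deletion stays a manual decision.
$report | Sort-Object FromProfile -Descending |
    Format-Table Name, FromProfile, OnDisk, Executable, Key -AutoSize
```

A row with FromProfile set to True and a random-looking folder name in the path is the one to open and inspect, as step 10 above says; a row that is FromProfile but OnDisk False is a leftover value whose file is already gone.<br />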
<br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<h2>Using Hiren's BootCD for Remote Support (2012-08-01)</h2>
<div class="MsoNormal" style="text-align: left;">
Hiren's BootCD is used for various fixes that we need to perform outside of the Windows environment. It is an extremely useful set of tools and can be used for a wide variety of repair operations that would otherwise require a technician to have physical access to the PC. This tutorial is designed to give a general idea of what the BootCD can be used for when doing remote support, and to show you how to perform repairs using the BootCD. </div>
<br />
When should we send the BootCD out? If the PC is unable to boot, but the client gets an error message, it is time to send the CD out. These error messages include: <br />
<ul>
<li>Blue Screens </li>
<li>File Missing (such as hal.dll, c:\windows\system\config, etc) </li>
<li>Operating system not Found </li>
<li>the system boots to a blinking cursor in the upper-left hand corner</li>
<li>and especially boot loops (unless you are in Vista/7, then follow <a href="http://rocketsecurity.blogspot.com/2012/07/repairing-mbr-in-vista7.html">my blog post</a>) </li>
</ul>
The BootCD will not help us in situations where:<br />
<ul>
<li>the client gets the error "Unmountable boot volume" </li>
<li>the PC cannot boot any further than the BIOS screen </li>
</ul>
<br />
So in a nutshell, if the PC can see AND access the hard drive, a BootCD would be useful for our remote repairs.<br />
<div>
<br /></div>
<div>
<h2 style="text-align: center;">
Booting Up Hiren's BootCD (Mini Windows XP)</h2>
<div>
Once the client has the BootCD, the PC needs to be configured to boot from the CD/DVD drive as the first device in the list. Since every BIOS is different, that is up to you to work out. Once configured properly, go ahead and boot the PC. We want to select "Mini Windows XP" from the first splash screen:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyaSLX7cW3efKJsLfpnVU6Ga5jAjOqhXR0aodg3byeOClKed6DnD_BslFtk8S0JPKpT4WjoqSsSWUZ2nlsALBGACr6k-7R0ryMt4cO3OxnmKXcxehl_TfP7GyRaHKVLONyVHaLKlyfBc/s1600/1_Splash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyaSLX7cW3efKJsLfpnVU6Ga5jAjOqhXR0aodg3byeOClKed6DnD_BslFtk8S0JPKpT4WjoqSsSWUZ2nlsALBGACr6k-7R0ryMt4cO3OxnmKXcxehl_TfP7GyRaHKVLONyVHaLKlyfBc/s320/1_Splash.png" width="320" /></a></div>
<div>
<br /></div>
<div>
This usually takes about 5 mins to boot all the way up, depending on the speed of the PC. Once booted, the screen looks like this:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigWH-y7bQiMGZWTYJnYr0brEAjdUBsgaxiIQF8DQ9SNc5w6p1bgJrecRd0_0K2zaEJwmJ8FpFgv6xOu7XXyqdgqOzRwAtrpk01yCUUX8suxjTlZQNfbEBVqIsaSbP1tNdgTt88wGCCg3E/s1600/2_Mini_XP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigWH-y7bQiMGZWTYJnYr0brEAjdUBsgaxiIQF8DQ9SNc5w6p1bgJrecRd0_0K2zaEJwmJ8FpFgv6xOu7XXyqdgqOzRwAtrpk01yCUUX8suxjTlZQNfbEBVqIsaSbP1tNdgTt88wGCCg3E/s320/2_Mini_XP.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Network support is already started by default. If the internet connection is hardwired, internet access takes no extra configuration. If the internet connection is wireless, the "Wireless Setup" Icon on the first screen will take you here:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBPlFfPXLSUqMw3Hx6dzJdSQZ7VZ4avlkuxjB6i6pQBq2Et8Ce7i8TCKV1iWx9vrkRMxjpwB_ABhFAKEUeVBIEIlAsjBbONw9UBFONEFZhgZS-9fnTj2eR2QgZNH2q3rs4qnaVeJN3bW4/s1600/4_Wireless_Config.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBPlFfPXLSUqMw3Hx6dzJdSQZ7VZ4avlkuxjB6i6pQBq2Et8Ce7i8TCKV1iWx9vrkRMxjpwB_ABhFAKEUeVBIEIlAsjBbONw9UBFONEFZhgZS-9fnTj2eR2QgZNH2q3rs4qnaVeJN3bW4/s320/4_Wireless_Config.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
Once here, the wireless adapter will need to be selected from the dropdown menu, then we will need to go into the "Wifi" tab and select the correct wireless network. This process is fairly straight-forward. Once the internet is connected, we are able to get our remote connection via our "internet" icon in the lower-left hand corner of the desktop.</div>
<div>
<br /></div>
<div>
<h2 style="text-align: center;">
Repairing the Master Boot Record (MBR)</h2>
<div>
One of the most common reasons that Hiren's BootCD is sent out is for boot loops. When repairing the MBR, MbrFix is the most reliable tool. When opening up the BootCD menu, MbrFix can be found in Partition/Boot/MBR > Commandline > MbrFix:</div>
<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6z6bQ5HV8JUZHAg9Af1AVFJn6803jHdzhdrMNfUkjZQAz0_7jJviprgE7bqis6eyh2BIVQeKLdfwqb7MDw-y0KTr8mIzw9wFnbpnr_-JqrZanmyUN4uCu_-CKaevmEU47901cBaRI4t8/s1600/5_MBR_Select.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6z6bQ5HV8JUZHAg9Af1AVFJn6803jHdzhdrMNfUkjZQAz0_7jJviprgE7bqis6eyh2BIVQeKLdfwqb7MDw-y0KTr8mIzw9wFnbpnr_-JqrZanmyUN4uCu_-CKaevmEU47901cBaRI4t8/s320/5_MBR_Select.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As the menu selection implies, MbrFix is a command line tool. Use of the tool to fix a Windows XP MBR looks like this:</div>
<div class="separator" style="clear: both; text-align: center;">
<b><span style="color: #3d85c6;">MbrFix /drive 0 fixmbr</span></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
This assumes that the disk that we want to repair the MBR on is mounted as disk 0. This can be checked using:</div>
<div style="text-align: center;">
<b><span style="color: #3d85c6;">MbrFix /drive 0 listpartitions</span></b></div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
For repairing a Vista/7 MBR, my other blog post is recommended. In the event that the BootCD is needed, we can repair the MBR on these other operating systems using the associated switches:</div>
<div style="text-align: center;">
<b style="font-size: small;"><br /></b></div>
<div style="text-align: center;">
<b><span style="color: #3d85c6; font-family: inherit;">MbrFix /drive 0 fixmbr /vista</span></b></div>
<div style="text-align: center;">
<b><span style="color: #3d85c6; font-family: inherit;">MbrFix /drive 0 fixmbr /win7</span></b></div>
<div style="text-align: center;">
<b style="font-size: small;"><br /></b></div>
<div style="text-align: center;">
<b style="font-size: small;"><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVCmYspRxEVxyrEG4xELCMwEnjhAtkJPv_BV7aSLlCXwJ-9NL0jHwiYU6N_YAlNAl3sN5CTjzWqugFHD47VI6ShnggdkZcQ6SX9qNnrljsUJlf_TqIh87lqwV7zHmc18wTD-go6Se3yXQ/s1600/6_MBR_XPVista7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVCmYspRxEVxyrEG4xELCMwEnjhAtkJPv_BV7aSLlCXwJ-9NL0jHwiYU6N_YAlNAl3sN5CTjzWqugFHD47VI6ShnggdkZcQ6SX9qNnrljsUJlf_TqIh87lqwV7zHmc18wTD-go6Se3yXQ/s320/6_MBR_XPVista7.png" width="320" /></a></div>
<div style="text-align: center;">
<b style="font-size: small;"><br /></b></div>
</div>
<div style="text-align: left;">
That's it! Finish up any other tasks that we need to do before reboot, then reboot the PC and we should be able to boot the OS now.</div>
<div style="text-align: left;">
<br /></div>
<h2 style="text-align: center;">
Repairing the file system (chkdsk)</h2>
<div>
When using Hiren's BootCD, the command prompt looks a bit different than when a PC is booted normally into Windows. The command prompt is usually set to the BootCD's file system (X:\). To perform operations such as chkdsk on the system drive, the drive letter just has to be given explicitly. Open up the command prompt and set your chkdsk command up like this:</div>
<div>
<br /></div>
<div style="text-align: center;">
<b><span style="color: #3d85c6;">chkdsk c: /x</span></b></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><b><br /></b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4yFsiI7mEEqoUyF_HZ1i1EAweKNLzDzwr4li0iaPfy8KnWY9Eha81fbVjKmyb7h_b-VvvPUzUkCyIUMUuB1T6X9jEJPsGQOe6ZG6PBUaS8HXDwP6t7j9p-a1eetXQTSZ-Pp52Wrd26GA/s1600/5_CMD_Chkdsk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4yFsiI7mEEqoUyF_HZ1i1EAweKNLzDzwr4li0iaPfy8KnWY9Eha81fbVjKmyb7h_b-VvvPUzUkCyIUMUuB1T6X9jEJPsGQOe6ZG6PBUaS8HXDwP6t7j9p-a1eetXQTSZ-Pp52Wrd26GA/s320/5_CMD_Chkdsk.png" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><b><br /></b></span></div>
<span style="font-weight: normal;"><span style="font-size: small;"> That's it! File system has been repaired. Reboot the PC and check your results.</span></span><br />
<span style="font-weight: normal;"><span style="font-size: small;"><br /></span></span><br />
<br />
<h2 style="text-align: center;">
Editing Startup Processes (Autoruns)</h2>
<div>
When using Hiren's BootCD to repair the MBR or fix severe malware, editing startup entries can be beneficial before rebooting the OS back into Windows. To do this, we need to open Autoruns from the Hiren's Menu > Startup > AutoRuns:</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7C_znKyMH7dxJMUHhh03lmyLTEs0tOh9UhiP3fI8Erj66JwNrD_g9vLIm3E9YaDJdBXm9z9tE8oKvSpdDtLdyyv8BVqS6hdQuJ2x0Np3sqYkxICXttGb3ywMm5tIjz08XYQKnUrJllmA/s1600/5_Autoruns_Select.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7C_znKyMH7dxJMUHhh03lmyLTEs0tOh9UhiP3fI8Erj66JwNrD_g9vLIm3E9YaDJdBXm9z9tE8oKvSpdDtLdyyv8BVqS6hdQuJ2x0Np3sqYkxICXttGb3ywMm5tIjz08XYQKnUrJllmA/s320/5_Autoruns_Select.png" width="320" /></a></div>
<div>
<br /></div>
<div>
When Autoruns loads, we will notice that it loads the default Hiren's startup info. We want to view/edit the startup info from the offline system, so we now need to go to File > Analyze Offline System...</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3UBFkDiwJKdJWSVMc8Ffnvew91VVtIqw2ob41W_Z1_mumT9omn22RVEwUmcliUcz0NrIcIkDoYIY4Veqqx3LJ84K-mwl6B0VU-4RPAIG-wnBEme4Ar2tYNl1AFkKqrL994jRFZYHmXuA/s1600/6_Autoruns_Offline.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3UBFkDiwJKdJWSVMc8Ffnvew91VVtIqw2ob41W_Z1_mumT9omn22RVEwUmcliUcz0NrIcIkDoYIY4Veqqx3LJ84K-mwl6B0VU-4RPAIG-wnBEme4Ar2tYNl1AFkKqrL994jRFZYHmXuA/s320/6_Autoruns_Offline.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next Autoruns will ask us to select the Windows directory of the offline system, as well as the user profile that we want to load. By default, just selecting the Windows directory will automatically load the default user profile. Since we want to make sure our client's profile is clear of malware, we need to find the "ntuser.dat" for the profile that we want to manipulate, then point the "User Profile" section to the folder that contains that file. In the example below, the user profile that I want to edit is the "Administrator" profile.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNQfHF3XsoVXu9kLYVwRoS3OML6oDGxT2kIQ64W97qwkl_mejQ4Nyg32wifMMhXw2rPdVi_HWZwq3KeSSrXTZ_wMMXHHu6wV8KQ8J9toBcj_FsRI5pQQl3ccCydSc993E8O7b2R9XJi0o/s1600/7_Autoruns_Paths.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNQfHF3XsoVXu9kLYVwRoS3OML6oDGxT2kIQ64W97qwkl_mejQ4Nyg32wifMMhXw2rPdVi_HWZwq3KeSSrXTZ_wMMXHHu6wV8KQ8J9toBcj_FsRI5pQQl3ccCydSc993E8O7b2R9XJi0o/s320/7_Autoruns_Paths.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That's it! Now that Autoruns is loaded with the offline system, we can make the necessary changes to our startups.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<h2 style="text-align: center;">
Restoring the Registry (Reg Restore Wizard)</h2>
<div>
Sometimes we may find ourselves in a situation where we need to roll back some registry changes that were recently made and system restore is failing. In this case, as long as the PC has restore points available, we can use the Registry Restore Wizard. This will not do exactly what system restore does (since system restore restores some files as well), but if we need to roll back changes to the registry only, this is our tool. To open it, from the Hiren's BootCD menu > Registry > Registry Restore Wizard:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqsd7NkOjajHcr4N-g2spP7nQNc1JWnqcdb_8rBQJTzILnk-mZCeGi07-n4Tdiv8a2nz7BYnNGwVLy1AjMl5lJm82KrKruKDQ69LpWxNXkBr9c95WVLXGQaRe3t4ZEh66Xz2rFXarPSRQ/s1600/5_Reg_Restore_Select.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqsd7NkOjajHcr4N-g2spP7nQNc1JWnqcdb_8rBQJTzILnk-mZCeGi07-n4Tdiv8a2nz7BYnNGwVLy1AjMl5lJm82KrKruKDQ69LpWxNXkBr9c95WVLXGQaRe3t4ZEh66Xz2rFXarPSRQ/s320/5_Reg_Restore_Select.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The next step in this process is to select the Windows directory of the offline PC that we want to restore.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUFYT1ZNmUco0vNh5kf_wd6C2zn2DhJcVCkASyIcbrfFFGpQUNyix3ahyNtUKAHITF3rA3Sq8pNFXax8jcq7QQtT1qN4w4OxB1a7RbxPlsyw5iNnMy2hX1umwB-NucH3dLNaskCVVy2k4/s1600/6_Reg_Restore_Main.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUFYT1ZNmUco0vNh5kf_wd6C2zn2DhJcVCkASyIcbrfFFGpQUNyix3ahyNtUKAHITF3rA3Sq8pNFXax8jcq7QQtT1qN4w4OxB1a7RbxPlsyw5iNnMy2hX1umwB-NucH3dLNaskCVVy2k4/s320/6_Reg_Restore_Main.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once we have selected our Windows directory, we should see a list of restore points. Select the restore point for the corresponding date that we want to restore to, then click next. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWojEq9nRWBWF2FkqTl_nxF-aMC4kqI0EysQQmsLyJOX_cx0I6ix_gAwud06fHHlSpBVpFy1S0N57odM8n_azOGGgHLqPt35qou5Df1Tu9atY44n1eOrwpEv-QKbJMWtT6rxbBNzT1BTc/s1600/7_Reg_Restore_Restore.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWojEq9nRWBWF2FkqTl_nxF-aMC4kqI0EysQQmsLyJOX_cx0I6ix_gAwud06fHHlSpBVpFy1S0N57odM8n_azOGGgHLqPt35qou5Df1Tu9atY44n1eOrwpEv-QKbJMWtT6rxbBNzT1BTc/s320/7_Reg_Restore_Restore.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
Registry Restore Wizard will then do the rest of the work and restore the registry. If our window looks like this after the operation has completed, then the restore was successful.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR-TfPlUHeNAnejhip0J0S5-inO1f8IHqMzlaXrLfebttRjrUnLjCMYtaOQZSRaRInL-IOoyC_aM7JOWhHL_n0h_RtZjL2UGzhrPo853vJ6KvToPbffEYfKMg_bRdQ1ef5WYnrgW82q2g/s1600/8_Reg_Restore_Success.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR-TfPlUHeNAnejhip0J0S5-inO1f8IHqMzlaXrLfebttRjrUnLjCMYtaOQZSRaRInL-IOoyC_aM7JOWhHL_n0h_RtZjL2UGzhrPo853vJ6KvToPbffEYfKMg_bRdQ1ef5WYnrgW82q2g/s320/8_Reg_Restore_Success.png" width="320" /></a></div>
<div>
<br /></div>
<br />
<div>
That's it! Reboot the PC and verify that the issue has been resolved.</div>
<div>
<br /></div>
<h2 style="text-align: center;">
Editing an Offline Registry (Registry Editor PE)</h2>
<div>
There are some times when we will need to manually edit the offline registry. This can be done using the Registry Editor PE. To open the Registry Editor PE, open up the Hiren's BootCD Menu > Registry > Registry Editor PE</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy-dnu0DGUnmcLjFLPyMRLBN8hkOoMyHw0jcxRWmAJiHj7kFfLoJj_2PZdMLM0id64VMYjT9dhqpCw2D8daQDqgC4bIf5fSNMJe7MkbdBE0MuRtXN6Bk1awK8jYgoc9qPQrBQJR2ccCMU/s1600/5_Regedit_Select.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy-dnu0DGUnmcLjFLPyMRLBN8hkOoMyHw0jcxRWmAJiHj7kFfLoJj_2PZdMLM0id64VMYjT9dhqpCw2D8daQDqgC4bIf5fSNMJe7MkbdBE0MuRtXN6Bk1awK8jYgoc9qPQrBQJR2ccCMU/s320/5_Regedit_Select.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We will then be asked to load the remote Windows directory. Locate the directory like this:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihvQ8aZu9MZQKZAcgX_WNVozAVrQVSaQQI9rpJmGW7guJ2i0QwnBZv2Zqsjudx9EZVwy0JiU19ADqSrs9Mq04zVtGhkWQYkNNSwIylw2rFRXF8A-rlkmJ8rD7z9LKN3PeChRnAaOWIIp0/s1600/6_Regedit_Windows.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihvQ8aZu9MZQKZAcgX_WNVozAVrQVSaQQI9rpJmGW7guJ2i0QwnBZv2Zqsjudx9EZVwy0JiU19ADqSrs9Mq04zVtGhkWQYkNNSwIylw2rFRXF8A-rlkmJ8rD7z9LKN3PeChRnAaOWIIp0/s320/6_Regedit_Windows.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
Next we need to select our remote hives individually. They should all be located in the "C:\Windows\System32\Config" folder. Select each one by simply clicking "Open" when each new window pops up:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqw1aWeQiEXlGDcEzkXxxSrD4OoGevF12Ch0eV-IZgD_9uLU9r-VGJ6uotRlcYcXXUwLkQt7WegUJo7pgZpoIRlce96OW8FxHc3UXUR-pcT-xFdUu_GGBBwP0x4NLCBIuUZD3Vj8W4y-M/s1600/7_Regedit_Hives.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqw1aWeQiEXlGDcEzkXxxSrD4OoGevF12Ch0eV-IZgD_9uLU9r-VGJ6uotRlcYcXXUwLkQt7WegUJo7pgZpoIRlce96OW8FxHc3UXUR-pcT-xFdUu_GGBBwP0x4NLCBIuUZD3Vj8W4y-M/s320/7_Regedit_Hives.png" width="320" /></a></div>
<div>
<br /></div>
<div>
Now we need to load our offline users. After all, we cannot edit an offline user profile without loading it, right? We need to manually locate the ntuser.dat file that is located in the root of the user profile that we want to load. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDvxeMnmQhtKjHEShhQc370i9IqUyCaxaGbQH36zwTZymC9VLVDvQX17V3B9PMOZf_HzpQTYqiK6HpYfty2dMGU48Vl6HmkGNAlQuQACkxiyLtGmCy7Xfe3XDOj7mUUs4-e1T1CTSo1Nk/s1600/8_Regedit_Userprofile.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDvxeMnmQhtKjHEShhQc370i9IqUyCaxaGbQH36zwTZymC9VLVDvQX17V3B9PMOZf_HzpQTYqiK6HpYfty2dMGU48Vl6HmkGNAlQuQACkxiyLtGmCy7Xfe3XDOj7mUUs4-e1T1CTSo1Nk/s320/8_Regedit_Userprofile.png" width="320" /></a></div>
<div>
<br /></div>
<div>
In my case, the account that I want to edit is the Administrator account, so I locate the ntuser.dat here:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEElMZ0ZPslYHQwqIRSMrqNVwNUQpw9MCxLP3rBa-oXsOHgIixs5AitSLqggDhLtaYxIPRBf-joR5davuu2bfAzQTENmiCMFcjIRouVghg58eGteB47GgIvac9rk00aLWdwaFrft4Ao2k/s1600/9_Regedit_NTUSER.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEElMZ0ZPslYHQwqIRSMrqNVwNUQpw9MCxLP3rBa-oXsOHgIixs5AitSLqggDhLtaYxIPRBf-joR5davuu2bfAzQTENmiCMFcjIRouVghg58eGteB47GgIvac9rk00aLWdwaFrft4Ao2k/s320/9_Regedit_NTUSER.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Since we have an offline registry loaded, we need to edit different areas of the registry than we usually would. Keep in mind that Hiren's BootCD has its own registry settings that are also loaded. Our target registry keys are the ones whose names start with "_REMOTE_". If we ever need to import a .reg file into the offline registry, the "_REMOTE_" prefix will need to be inserted into the .reg file before importing.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
A regular .reg file will look like this:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #3d85c6;">Windows Registry Editor Version 5.00</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #3d85c6;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #3d85c6;">[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework]</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #3d85c6;">"InstallRoot"="C:\\Windows\\Microsoft.NET\\Framework64\\"</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #3d85c6;">"Enable64Bit"=dword:00000001</span></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
A .reg file that has been modified correctly for a remote registry import will look like this:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #3d85c6;">Windows Registry Editor Version 5.00</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #3d85c6;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #3d85c6;">[HKEY_LOCAL_MACHINE\</span><b><span style="color: red;">_REMOTE_</span></b><span style="color: #3d85c6;">SOFTWARE\Microsoft\.NETFramework]</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #3d85c6;">"InstallRoot"="C:\\Windows\\Microsoft.NET\\Framework64\\"</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #3d85c6;">"Enable64Bit"=dword:00000001</span></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To edit the user profile, look under HKEY_USERS instead of HKEY_CURRENT_USER, which is where the offline profile is loaded. Below is a screenshot illustrating the different remote locations in Registry Editor PE:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihARVPBLCh9HLzqVhyphenhyphenDX0iTfcZzTnETUfUj0nNtx8dBR7RPvvmG6Zfq7_HU5rSlptjvtVu2on2mZdJVLEH_JERRPNjVvhT_gqDiL0uxZURKwhmMBJMmqSAKrDeZBpljFs9x_lwWybc8fA/s1600/10_Regedit_Remote.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihARVPBLCh9HLzqVhyphenhyphenDX0iTfcZzTnETUfUj0nNtx8dBR7RPvvmG6Zfq7_HU5rSlptjvtVu2on2mZdJVLEH_JERRPNjVvhT_gqDiL0uxZURKwhmMBJMmqSAKrDeZBpljFs9x_lwWybc8fA/s320/10_Regedit_Remote.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
That's it! We can now edit the offline registry and make all necessary adjustments.</div>
<div>
<br /></div>
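As an added example (not part of the original post), here is a small Python script that does the "_REMOTE_" rewrite automatically for every HKEY_LOCAL_MACHINE key in a .reg file, so nothing gets missed in a long export. The function names and the sample .reg text are mine: the sample is the .NETFramework file above plus an HKEY_CURRENT_USER key, which the script deliberately leaves alone and reports, since the offline user profile lives under HKEY_USERS and the exact subkey name depends on the loaded NTUSER.DAT.

```python
import re
from typing import List, Tuple

# Added example, not the post's own code: rewrite a .reg file so its
# HKEY_LOCAL_MACHINE keys target the offline hives that Registry Editor PE
# loads under the "_REMOTE_" prefix, e.g. HKLM\SOFTWARE -> HKLM\_REMOTE_SOFTWARE.

REMOTE_PREFIX = "_REMOTE_"

# A key header line: "[HKEY_LOCAL_MACHINE\hive\sub\keys]" or the delete-key
# form "[-HKEY_LOCAL_MACHINE\hive\sub\keys]".  Group 1 = optional "-",
# group 2 = root, group 3 = first path component (the hive), group 4 = the rest.
_KEY_LINE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)\\([^\\\]]+)(.*)\]$")


def rewrite_key_line(line: str) -> Tuple[str, bool]:
    """Return (rewritten line, needs_manual_edit) for one line of a .reg file."""
    m = _KEY_LINE.match(line.rstrip("\r\n"))
    if not m:
        return line, False            # header, blank line or a "name"=data line
    minus, root, hive, rest = m.groups()
    if root == "HKEY_LOCAL_MACHINE":
        if hive.startswith(REMOTE_PREFIX):
            return line, False        # already remote: keep the rewrite idempotent
        return f"[{minus}{root}\\{REMOTE_PREFIX}{hive}{rest}]", False
    if root == "HKEY_CURRENT_USER":
        # The offline user profile sits under HKEY_USERS, and the subkey name
        # depends on which NTUSER.DAT was loaded, so flag it instead of guessing.
        return line, True
    return line, False


def rewrite_reg(text: str) -> Tuple[str, List[str]]:
    """Rewrite whole .reg text; also return the key lines that need a manual edit."""
    out, flagged = [], []
    for line in text.splitlines():
        new, manual = rewrite_key_line(line)
        out.append(new)
        if manual:
            flagged.append(line)
    return "\r\n".join(out) + "\r\n", flagged


def rewrite_reg_file(src: str, dst: str) -> List[str]:
    """Regedit writes version 5.00 .reg files as UTF-16 with a BOM; Python's
    'utf-16' codec consumes the BOM on read and emits one on write."""
    with open(src, encoding="utf-16") as fh:
        text = fh.read()
    new_text, flagged = rewrite_reg(text)
    with open(dst, "w", encoding="utf-16", newline="") as fh:
        fh.write(new_text)
    return flagged


# Constructed sample: the .reg file from the post plus an HKCU key to show flagging.
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework]",
    r'"InstallRoot"="C:\\Windows\\Microsoft.NET\\Framework64\\"',
    '"Enable64Bit"=dword:00000001',
    "",
    r"[HKEY_CURRENT_USER\Software\Example]",
    '"Flag"=dword:00000000',
]) + "\r\n"

if __name__ == "__main__":
    rewritten, needs_edit = rewrite_reg(SAMPLE_REG)
    print(rewritten)
    for key in needs_edit:
        print("edit by hand (profile is under HKEY_USERS):", key)
```

Run rewrite_reg_file("fix.reg", "fix_remote.reg") on the exported file and import fix_remote.reg from Registry Editor PE; running it again on an already converted file changes nothing, so it is safe to repeat.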
<h2 style="text-align: center;">
Resetting a Windows Password (NTPWEdit)</h2>
<div>
There are some cases where a client forgets their Windows password. In these cases we have some really convenient tools that help quickly edit the user account passwords for Windows. To open NTPWEdit, go to the Hiren's BootCD Menu > Passwords/Keys > Windows Login > NTPWEdit:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL2tGj7i_B9jhhSDoBILre_YWn2E7K5q4wqhkcGSCoQ866zGqVbeLV948cKE2Kij7Z3cPZw3vueu7xNml8Z70Mu5Mb-VFNxrgvmANSmpq9y6zhF5tR26r_sKeyQRVFonLNEjpyDRXhs7w/s1600/5_PW_Select.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL2tGj7i_B9jhhSDoBILre_YWn2E7K5q4wqhkcGSCoQ866zGqVbeLV948cKE2Kij7Z3cPZw3vueu7xNml8Z70Mu5Mb-VFNxrgvmANSmpq9y6zhF5tR26r_sKeyQRVFonLNEjpyDRXhs7w/s320/5_PW_Select.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next we will need to select our remote SAM hive. NTPWEdit will usually open right up to the correct folder that contains the SAM hive. If it does not, the SAM hive is located in the "C:\windows\system32\config" folder on the offline Windows hard drive:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWQUuuF1y-v-nf_yZKssicjr8rFYGz_1tBQnCwejSspGKEjdcsQn8nKOr5AXobAQ5k7aOb146iT-nzxng2JVjGzBb4BY8gtIWtzcSPkS74rhFGwedf54du7EDTkMkA6EDMjYeWLz16UtY/s1600/6_PW_SAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWQUuuF1y-v-nf_yZKssicjr8rFYGz_1tBQnCwejSspGKEjdcsQn8nKOr5AXobAQ5k7aOb146iT-nzxng2JVjGzBb4BY8gtIWtzcSPkS74rhFGwedf54du7EDTkMkA6EDMjYeWLz16UtY/s320/6_PW_SAM.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
Once the SAM hive has been loaded, the options are fairly straightforward. We select the offline user account that we want to modify, then enter the new password or unlock the account (in the case of the hidden Administrator account on Vista/7):</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglEjdvHCfVS1IBnq3uoc28yT4iO0tZxr2O4wJ9br8rpK244plni9-ntbJxI0cJNNzrXmrnc623duBpzG37ORhjrQE0pMr0q3AihEC6QKKGcLo2bjWqAPSyblUVGOyKRLhBZ2Z05X1SHwg/s1600/7_PW_New.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglEjdvHCfVS1IBnq3uoc28yT4iO0tZxr2O4wJ9br8rpK244plni9-ntbJxI0cJNNzrXmrnc623duBpzG37ORhjrQE0pMr0q3AihEC6QKKGcLo2bjWqAPSyblUVGOyKRLhBZ2Z05X1SHwg/s320/7_PW_New.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That's it! The password has been changed and we should be able to log in to the user account with our new password.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That is the end of our tutorial for now. If you would like to request a tutorial on any other tools or fixes that you come across for Hiren's BootCD, please email me and I will add it.</div>
<div>
<br /></div>
<h2 style="text-align: center;">
Gimemo: Another FBI Ransomware</h2>
<div>
Posted 2012-07-24 by TeamRocketOps</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6D-LHTY3nUgru9_LUCaJHHR-s7F_oJM_gaj2aOgwC4Lg43lY5nkpAkVzoM6PZ4OjGlfh_q88pb3dgQKWjdC1YRziGkJiLlZR6H-71RQ6e-YK4rQP1vIVrqaFOEID7q4epfTcELVphgtU/s1600/FBI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6D-LHTY3nUgru9_LUCaJHHR-s7F_oJM_gaj2aOgwC4Lg43lY5nkpAkVzoM6PZ4OjGlfh_q88pb3dgQKWjdC1YRziGkJiLlZR6H-71RQ6e-YK4rQP1vIVrqaFOEID7q4epfTcELVphgtU/s320/FBI.png" width="320" /></a></div>
<br />
<br />
This one looks almost exactly like Reveton, which I have posted about before, but the behavior is a bit different. Gimemo is capable of starting in safe mode, so removal is just a bit trickier. The best way to remove this is always to do a system restore. If you do not have restore points, you can follow the instructions for manual removal below.<br />
<br />
To perform the System Restore method, reboot the PC and repeatedly tap the F8 key at the top of the keyboard to get to the "Advanced Boot Options" menu. Select "Safe Mode with Command Prompt". Once it loads and gives you the command prompt, type "rstrui.exe" and follow the on-screen instructions for System Restore.<br />
<br />
If you have no restore points, or are like me and want to do things the hard way :), you can also remove it manually. To do this, get into Safe Mode with Command Prompt using the instructions above. Once there, we need to delete the exe files. Type the command "explorer.exe", which will open an Explorer window so you can navigate through the file system.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCROTO-jtIY1tJhTfbN81dNXYbxDQu68LnobQ8JoudCp5arBYBogXxGgGszv-q7agJY4wF1IpkLBPPpRV6jVaB9rJHwd4OP3njuH9ucE1eKWUBSGi_FDXoIYOx3VWS1zoefclKl_Z40XI/s1600/Explorer.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCROTO-jtIY1tJhTfbN81dNXYbxDQu68LnobQ8JoudCp5arBYBogXxGgGszv-q7agJY4wF1IpkLBPPpRV6jVaB9rJHwd4OP3njuH9ucE1eKWUBSGi_FDXoIYOx3VWS1zoefclKl_Z40XI/s320/Explorer.png" width="320" /></a></div>
<br />
<br />
Find "%appdata%\&lt;random.exe&gt;" and delete it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYCY-d8XQCUQhd9ohRzKFrO4pqGFSo5_L993Ar1ccK_FNzs4kdByc7RJrxiq_lWB4kegR69ZPEtG86wE8pixaLw_9MRl0FaSSQuinJaZBUhRTfUhXCayCMKLcD9g_hqJc4Zc3E8SaQuMk/s1600/FirstFile.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYCY-d8XQCUQhd9ohRzKFrO4pqGFSo5_L993Ar1ccK_FNzs4kdByc7RJrxiq_lWB4kegR69ZPEtG86wE8pixaLw_9MRl0FaSSQuinJaZBUhRTfUhXCayCMKLcD9g_hqJc4Zc3E8SaQuMk/s320/FirstFile.png" width="320" /></a></div>
<br />
<br />
Run the following command:<br />
<br />
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableTaskMgr" /t REG_DWORD /d 0<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQK4PZ8Dtt2x99CUGLytQVckpWjI_yynVHxhZoyq6nDPfcL9AVVufcl6bNLIKh3J3mUMFon8uUqAM-SUcwuhhOOpmD-C-J3qXX2KBzodZYoLBuu99FaJhYQ_ldOSTvzU_fwolLGpdayOk/s1600/TaskMgr.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQK4PZ8Dtt2x99CUGLytQVckpWjI_yynVHxhZoyq6nDPfcL9AVVufcl6bNLIKh3J3mUMFon8uUqAM-SUcwuhhOOpmD-C-J3qXX2KBzodZYoLBuu99FaJhYQ_ldOSTvzU_fwolLGpdayOk/s320/TaskMgr.png" width="320" /></a></div>
<br />
<br />
Now you can reboot into normal mode and at least be able to do something. Once booted into normal mode, you may notice that you do not see your start menu; that gets fixed next, but the point is that now we can get some work done inside the PC. So open Task Manager using the key combination [Ctrl + Shift + Esc].<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7LSuwXJjVHO0D9nil-VS-N5r72EAsGgII3g5Ai1ikUciEZxJKMj8oyGsLRi1eckIT0mnUCzgzNtcdOIkh5LFD-cpINSada7PZGXmzmCke5KtPEHd-CKmAVS4acHNc732WpV4qFdc6yPI/s1600/Iexplore.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7LSuwXJjVHO0D9nil-VS-N5r72EAsGgII3g5Ai1ikUciEZxJKMj8oyGsLRi1eckIT0mnUCzgzNtcdOIkh5LFD-cpINSada7PZGXmzmCke5KtPEHd-CKmAVS4acHNc732WpV4qFdc6yPI/s320/Iexplore.png" width="320" /></a></div>
<br />
<br />
Go to File > New Task (Run) and type "iexplore.exe". You now have IE open; use it to download Autoruns. Open Autoruns once you have it downloaded. Delete all the values that have been marked in yellow:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggvML6g3PXrmuK8jfIgpV2iO5m9gRv-rjAXzarNLS4raoWa8y7NDhkZk_CUtzQWFjuS0pEea2iN9iA-SEkwODTJ7VaRNZeGfUrXCd7OmLTmlRnC0EHbWlbdqWb342cB4qAEWX-NOVnaLU/s1600/AutoRuns.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggvML6g3PXrmuK8jfIgpV2iO5m9gRv-rjAXzarNLS4raoWa8y7NDhkZk_CUtzQWFjuS0pEea2iN9iA-SEkwODTJ7VaRNZeGfUrXCd7OmLTmlRnC0EHbWlbdqWb342cB4qAEWX-NOVnaLU/s320/AutoRuns.png" width="320" /></a></div>
<br />
Once you do all that, you can reboot the PC and Explorer will launch correctly. You will notice that you are still missing all of the icons, and all of the files on the "C:\" drive are still hidden. Here is what to do about that:<br />
<br />
Download <a href="http://majorgeeks.com/Dial-a-fix_d4899.html">Dial-A-Fix</a>. If you are on Vista/7 you can still use it by running it in compatibility mode for XP SP3. Launch DAF and go to the Policies section. Remove all of the policies that have been found and restart the PC again.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1BFCkDckVNTebAFv8WxglaVcM8CYlQSu6I8q6CkbXLMafRLG_ZD3Z2SJm86uC8DEWJv-1MS3owSI_ygZ3qAi41wh6DM73gY4gPJ6bTKzo2JRA09VQ3F8mq05Lso25UDLOyMsDQAU7MyY/s1600/DAF1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1BFCkDckVNTebAFv8WxglaVcM8CYlQSu6I8q6CkbXLMafRLG_ZD3Z2SJm86uC8DEWJv-1MS3owSI_ygZ3qAi41wh6DM73gY4gPJ6bTKzo2JRA09VQ3F8mq05Lso25UDLOyMsDQAU7MyY/s320/DAF1.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBSagXxBIahQL3WDVaUqHFji1l_Aal-RkzOShwDhw2G92qZPOz1YoXeQoG4EYRIH1MjaFU1YGh4zHr2b8J0ddU_-pvaTAVXoFjpz9755dr5pC7zeUWmxq-CWCmeJHeUfidsx9ZJQeMCJ8/s1600/DAF2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBSagXxBIahQL3WDVaUqHFji1l_Aal-RkzOShwDhw2G92qZPOz1YoXeQoG4EYRIH1MjaFU1YGh4zHr2b8J0ddU_-pvaTAVXoFjpz9755dr5pC7zeUWmxq-CWCmeJHeUfidsx9ZJQeMCJ8/s320/DAF2.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That will enable your registry tools. Now open regedit, make sure you are at the top ("Computer"), and go to Edit > Find. Type "nodesktop" into the search box.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfQS4L1vrnm32tWc1VDe_FJzknzVJLBD6CbgxMUXugxc38CmjEHEH9iWdWDrYiy4HihMnicyUEAK_b2l_AqkTgmAStgpPVV-phNkQmlKv1RR5gBq351N96HtvvmK6GAMqvVXL-TteXGnQ/s1600/nodesktop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfQS4L1vrnm32tWc1VDe_FJzknzVJLBD6CbgxMUXugxc38CmjEHEH9iWdWDrYiy4HihMnicyUEAK_b2l_AqkTgmAStgpPVV-phNkQmlKv1RR5gBq351N96HtvvmK6GAMqvVXL-TteXGnQ/s320/nodesktop.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Delete what you find:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh33T4IRMuytFCye1igU3LWTeGKfxGKIziWW_01lEfoj-sV_xfParp8o0yNddmgUfn4YAKbiG5OQCRKAsLyB-b5mU3eQBMtixtjLfpxaIpn1J_f_OkwKJtd2VE5rSvmMeLqVKCPijyfnuQ/s1600/nodesktop2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh33T4IRMuytFCye1igU3LWTeGKfxGKIziWW_01lEfoj-sV_xfParp8o0yNddmgUfn4YAKbiG5OQCRKAsLyB-b5mU3eQBMtixtjLfpxaIpn1J_f_OkwKJtd2VE5rSvmMeLqVKCPijyfnuQ/s320/nodesktop2.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
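As an added example (not from the original post), here is a Python audit of the policy values this infection sets, run over a <code>reg export</code> of the two Policies keys. It reports every watched value that is non-zero and prints the matching reg add command (the same command as above, with /f added so the existing value is overwritten without a prompt). The key paths and value names (DisableTaskMgr, DisableRegistryTools, NoDesktop) are the real Windows policy names; the sample export and the function names are mine.

```python
import re
from typing import List, Tuple

# Added example, not the post's own code: audit a "reg export" of the policy
# keys this ransomware family tampers with and emit the matching reg add fixes.
# The key paths and value names are real Windows policy names; the sample
# export below is constructed for the demo.

# Policy values (under the user's profile) that lock the user out of the tools
# the post uses: Task Manager, regedit, and the desktop itself.
LOCKDOWN_VALUES = {
    r"software\microsoft\windows\currentversion\policies\system":
        {"DisableTaskMgr", "DisableRegistryTools"},
    r"software\microsoft\windows\currentversion\policies\explorer":
        {"NoDesktop"},
}

_KEY_LINE = re.compile(r"^\[([^\]]+)\]$")
_DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

Finding = Tuple[str, str, int]   # (key as reg.exe expects it, value name, data)


def _split_root(key: str) -> Tuple[str, str]:
    """Map a .reg key header to (reg.exe root, path under the user profile)."""
    root, _, rest = key.partition("\\")
    if root == "HKEY_CURRENT_USER":
        return "HKCU", rest
    if root == "HKEY_USERS":                # export taken from another profile's hive
        sid, _, rest = rest.partition("\\")
        return "HKU\\" + sid, rest
    return root, rest


def find_lockdown_policies(reg_text: str) -> List[Finding]:
    """Every watched policy value that is set to a non-zero DWORD in the export."""
    findings: List[Finding] = []
    root, rest = "", ""
    for line in reg_text.splitlines():
        line = line.strip()
        key = _KEY_LINE.match(line)
        if key:
            root, rest = _split_root(key.group(1))
            continue
        val = _DWORD_LINE.match(line)
        if not val:
            continue                        # header, blank line, or a non-DWORD value
        watched = LOCKDOWN_VALUES.get(rest.lower(), set())
        name, data = val.group(1), int(val.group(2), 16)
        if name in watched and data != 0:
            findings.append((root + "\\" + rest, name, data))
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """reg add lines that zero each finding; /f overwrites without prompting."""
    return [f'reg add "{key}" /v {name} /t REG_DWORD /d 0 /f'
            for key, name, _ in findings]


# Constructed sample export (not taken from a real machine): DisableRegistryTools
# is already back to 0 and NoDriveTypeAutoRun is not a lockdown value, so only
# DisableTaskMgr and NoDesktop should be reported.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]",
    '"DisableTaskMgr"=dword:00000001',
    '"DisableRegistryTools"=dword:00000000',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]",
    '"NoDesktop"=dword:00000001',
    '"NoDriveTypeAutoRun"=dword:00000091',
])

if __name__ == "__main__":
    hits = find_lockdown_policies(SAMPLE_EXPORT)
    for key, name, data in hits:
        print(f"{key}\\{name} = {data}")
    print("\n".join(remediation_commands(hits)))
```

To get a real export, run <code>reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies policies.reg</code> on the affected PC and read the file with encoding="utf-16" before passing its text to find_lockdown_policies; the script only reads the export and prints the fixes, so you can review them before running any.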
Open taskmgr again and close explorer.exe:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTUoCSwd6_8GJJsMsgHtsFT5mZCq3rPWUUz6Et5uVzdzhORMalRcVeF_a9BYiQm8Fk-ORyiPJ4ecS3gMmd3qJlFi-IssXvbwZ40aqpfqG1BRicBYMJCKulJ3Vs2BxwvrRymYruLg2SZnY/s1600/Kill_Explorer.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTUoCSwd6_8GJJsMsgHtsFT5mZCq3rPWUUz6Et5uVzdzhORMalRcVeF_a9BYiQm8Fk-ORyiPJ4ecS3gMmd3qJlFi-IssXvbwZ40aqpfqG1BRicBYMJCKulJ3Vs2BxwvrRymYruLg2SZnY/s320/Kill_Explorer.png" width="320" /></a></div>
<br />
Still in Task Manager, go to File > New Task (Run) and type "explorer.exe", which will bring up your start menu again. Once the start menu is up, right-click on the desktop > Arrange Icons By > Show Desktop Icons. You should now see your desktop icons. At this point, a malware scanner should be run to ensure that there are no other infections on the PC. My favorite, as always, is Malwarebytes' Anti-Malware. A quick scan should be good enough in this case. That's it! Ransomware removed!<br />
<br />
<h2 style="text-align: center;">
Repairing the MBR in Vista/7</h2>
<div>
Posted 2012-07-05 by TeamRocketOps</div>
<br />
I have found that more and more often, I have to perform a repair on the MBR when removing some of the new bootkits from x64 platforms. It is a pretty straightforward process, which Microsoft has documented well. I feel that putting it all in one place will help people out, so here it is:<br />
<br />
The first step towards repairing the MBR is to get into the "Advanced Boot Options" screen by repeatedly pressing the F8 key just after powering the system on. That will take you here:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS0y0yuMnY9mKcWP9aGpHPuZeKqY4Ct-zQUm9qfns3p5K508H3PnA_f65e-NH94bjbc8Joahlobaz6MszNHJ9GUVgLCxCSML1NlAE_rl1CmHaRnITTvm_kpm1Z9hevvnAVZ_2jtXb8x4o/s1600/1_Advanced_Boot_Options.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS0y0yuMnY9mKcWP9aGpHPuZeKqY4Ct-zQUm9qfns3p5K508H3PnA_f65e-NH94bjbc8Joahlobaz6MszNHJ9GUVgLCxCSML1NlAE_rl1CmHaRnITTvm_kpm1Z9hevvnAVZ_2jtXb8x4o/s320/1_Advanced_Boot_Options.png" width="320" /></a></div>
<br />
Select "Repair Your Computer", wait for everything to load, select your keyboard layout and log in. Once you log in, you will see this screen:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9ZiUC20ifworotbTlNUR0NpAJ1Np3sODiQSiQClAtx257354ELrysCYk-Njt-ce90Gx7k2Gi_gcMsGKVoRL9tAXD8APN2YsBu6X10T9TiZYYhPJu09Xq8d94nI7DL2Vdug0TkLdClQEc/s1600/2_Command_Prompt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9ZiUC20ifworotbTlNUR0NpAJ1Np3sODiQSiQClAtx257354ELrysCYk-Njt-ce90Gx7k2Gi_gcMsGKVoRL9tAXD8APN2YsBu6X10T9TiZYYhPJu09Xq8d94nI7DL2Vdug0TkLdClQEc/s320/2_Command_Prompt.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You want to select "Command Prompt". Now that you have the command prompt open, you can start fixing the MBR. Please run the commands below in order:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
bootrec /fixboot</div>
<div class="separator" style="clear: both; text-align: left;">
bootrec /fixmbr</div>
<div class="separator" style="clear: both; text-align: left;">
bootrec /rebuildbcd</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If all worked correctly, your screen will look like this:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdI6kuJ-48Ej3QPxCSYCqm7nY4oxdyXFlC2_cxCgPdaTJDe6UpRng2BNTqUCdDnSlWFnTwktJFFNraX5MSE0uGHa0sxN11_R531HAnWitQ_jLEMi8obu9NfFABPJzP0LHi-OGFw8asjhQ/s1600/3_Commands.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdI6kuJ-48Ej3QPxCSYCqm7nY4oxdyXFlC2_cxCgPdaTJDe6UpRng2BNTqUCdDnSlWFnTwktJFFNraX5MSE0uGHa0sxN11_R531HAnWitQ_jLEMi8obu9NfFABPJzP0LHi-OGFw8asjhQ/s320/3_Commands.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
If you run into an error with "bootrec /fixboot" or "bootrec /rebuildbcd" that states "element not found", it means that the OS partition is not set as active, and you need to do that before running the fixes. For this example, I will be using diskpart to fix this error and set the correct partition to the active state. Here is a list of the commands and a short breakdown of what they do:<br />
<br />
<b>diskpart </b>- launches the diskpart utility<br />
<b>list disk</b> - lists the hard disks that are available, you need the OS disk (usually the c:\ drive)<br />
<b>select disk x </b>- once you find the disk you want to select, replace x with the correct disk number<br />
<b>list partition</b> - lists the partitions that are available, you need the OS partition (usually the biggest one)<br />
<b>select partition x </b>- once you find the OS partition, replace x with the correct partition number<br />
<b>active </b>- sets the currently selected partition to active<br />
<b>exit </b>- exit diskpart back to recovery console<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2GVaitX2m-qD3GLmbXMqgJUolPpqgesKtzhpiLIBKIh8OCrCGu8gjWGJ1kHLEQtFrRgHt-OJAdJbkvevTtDWJM1SIiaAoxi5Y7b8bd1Y-0MdNuI8gDZ3HDrM2cIDK6iCfdg_xSWnQXgA/s1600/4_Diskpart.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2GVaitX2m-qD3GLmbXMqgJUolPpqgesKtzhpiLIBKIh8OCrCGu8gjWGJ1kHLEQtFrRgHt-OJAdJbkvevTtDWJM1SIiaAoxi5Y7b8bd1Y-0MdNuI8gDZ3HDrM2cIDK6iCfdg_xSWnQXgA/s320/4_Diskpart.png" width="320" /></a></div>
<br />
Once you have the correct partition set as active, you can retry the bootrec commands and they should succeed this time. That is all there is to it!<br />
<h2 style="text-align: center;">
FBI Ransomware</h2>
<div>
Posted 2012-07-03 by TeamRocketOps</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgmZCTTI8ah_J71iKKnyES8txK-DVn-5dwRNqd4spg49VW60vrzUfgH-hgmSAxLEGK0UcHX5bZetZtBe89KDyGWRDzjmWxmrknIH33UJ6WpIIYrddzD7aT9iHA6cELovpJJzn0Ts47hnw/s1600/FBI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgmZCTTI8ah_J71iKKnyES8txK-DVn-5dwRNqd4spg49VW60vrzUfgH-hgmSAxLEGK0UcHX5bZetZtBe89KDyGWRDzjmWxmrknIH33UJ6WpIIYrddzD7aT9iHA6cELovpJJzn0Ts47hnw/s320/FBI.png" width="320" /></a></div>
<br />
This infection is called Reveton and is classified as ransomware. It locks the screen in normal mode and tells you that the PC will be unlocked if you pay some money ($100 US) in the form of a MoneyPak. This can be defeated very easily. First, you need to boot into safe mode so that the rogue does not launch. Next, locate the Startup folder in your start menu and look for a shortcut marked "ctfmon". This shortcut has the same icon as the real ctfmon, but its target looks like this:<br />
<br />
<span style="font-size: x-small;"><b>%systemroot%\system32\rundll32.exe C:\users\&lt;UserName&gt;\AppData\Local\Temp\er_00_0_1.exe</b></span><br />
<span style="font-size: x-small;"><b><br /></b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgXGe61PDH82wB3JCgY0DOTnr10tzGJvlgnY1nszvuOhb1yhi-Gv_pMCVbsi5kTrhAsv5FsMdGE6vBlQxmJTS1QgXiE26b7WmeyC1LdNkO4-fq1TNy0KtikXEZo6ogBHSQNDDhmn_CMw8/s1600/ctfmon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgXGe61PDH82wB3JCgY0DOTnr10tzGJvlgnY1nszvuOhb1yhi-Gv_pMCVbsi5kTrhAsv5FsMdGE6vBlQxmJTS1QgXiE26b7WmeyC1LdNkO4-fq1TNy0KtikXEZo6ogBHSQNDDhmn_CMw8/s320/ctfmon.png" width="191" /></a></div>
<span style="font-size: x-small;"><b><br /></b></span><br />
<span style="background-color: white;">Just delete the shortcut and the exe located in the temp folder, and that part has been taken care of. Several of these infections have had a rootkit installed on the system as well. The one that I have seen the most with it is SST. SST has recently been updated, and TDSSKiller no longer finds it when scanning with normal parameters. You should always run TDSSKiller with the "Detect TDLFS" option checked when working on a PC that has Reveton.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS1hbTM-z7OvVncBsmTFCPBV1IQfX1BqEBlbErAiTHDojGMwaUXi3CAY6ciax_XNmR7iTRYtqOajRzuL4hqC3I-hU0TVKTZjPpPZq5ZcJvsLxVY_w80rW3wF0AXh9SSMMZ9oZRNEIwa5E/s1600/Detect.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS1hbTM-z7OvVncBsmTFCPBV1IQfX1BqEBlbErAiTHDojGMwaUXi3CAY6ciax_XNmR7iTRYtqOajRzuL4hqC3I-hU0TVKTZjPpPZq5ZcJvsLxVY_w80rW3wF0AXh9SSMMZ9oZRNEIwa5E/s320/Detect.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Make sure that you have the option pictured above checked before running the scan. You will see a result that looks like this:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsl64YViOM5YBiKCTOqSBcNyUtRIMnFVLQWwMqs3BnXWRGTerXEtWoY7EJXzHbmZ0MMkfW_ImS77gmuupEeyiF5TZuXhg5hwjYur2_vuY8D_RyvWPUh90KWBL_1IJEJNLcwO3D-vidIiE/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="39" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsl64YViOM5YBiKCTOqSBcNyUtRIMnFVLQWwMqs3BnXWRGTerXEtWoY7EJXzHbmZ0MMkfW_ImS77gmuupEeyiF5TZuXhg5hwjYur2_vuY8D_RyvWPUh90KWBL_1IJEJNLcwO3D-vidIiE/s320/Untitled.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select the "delete" option once you have found this and reboot. Run the scan again to ensure that the rootkit has been removed entirely. If it has not, repeat the above steps until it is gone.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<h2 style="text-align: center;">
ZeroAccess x64 consrv.dll</h2>
<div>
Posted 2012-03-31 by TeamRocketOps, updated 2012-04-28</div>
<br />
<div class="MsoNormal">
The consrv.dll infection has picked up a partner recently. There is now a service that is paired with both the 32-bit and 64-bit versions of zaccess. We are already able to see the infection easily on 64-bit just by searching for the dll via the start menu; now we can verify with TDSSKiller.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6vscpyLEKaPy4-TDgoDx-e402fk9XYUdkxaR2pJ8K59daDzH2E1yMRCIftebmcskRShvTy3ffBUe7fvhjjhpl21u9tc8NweMYw3XRboSHHNxwCKwKzQQDkQezsCyaEuumnWTboHJFE3s/s1600/Find.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6vscpyLEKaPy4-TDgoDx-e402fk9XYUdkxaR2pJ8K59daDzH2E1yMRCIftebmcskRShvTy3ffBUe7fvhjjhpl21u9tc8NweMYw3XRboSHHNxwCKwKzQQDkQezsCyaEuumnWTboHJFE3s/s320/Find.jpg" width="320" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
As always, this is the time to create a system restore point. It is not advisable to continue forward without creating a restore point.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Open up the registry editor and navigate to: <b>HKEY_LOCAL_MACHINE\SYSTEM\Select</b>. We want to look for the value "Default"; do not confuse this with the one on top, which is "(Default)". This value tells us which control set will be loaded the next time Windows boots. The "Current" value tells us which control set is loaded right now. In my case, ControlSet002 is currently loaded (this will differ from PC to PC). The rootkit watches the current control set to ensure that no changes are made to it. This makes ControlSet002 impossible to modify, so I need to modify another one. For example, if ControlSet002 is loaded, I need to modify either ControlSet001 or ControlSet003; if ControlSet001 is loaded, I need to modify either ControlSet002 or ControlSet003, and so on.<br />
<br />
We will now navigate to:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\SubSystems</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhInl_OCxyJNGswIgymGneTusc1fTm39QpmYBBtfHMDda48YnbwY_V_IdpFb1F8z9zsyXPzzEpyU6KGQJ6AlF-hKWTsBzOUxZ7WlFC7imCVxKYrm1G6uVisJQJDqx6iIHYdAk5FOOs-CUo/s1600/SubSystems.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhInl_OCxyJNGswIgymGneTusc1fTm39QpmYBBtfHMDda48YnbwY_V_IdpFb1F8z9zsyXPzzEpyU6KGQJ6AlF-hKWTsBzOUxZ7WlFC7imCVxKYrm1G6uVisJQJDqx6iIHYdAk5FOOs-CUo/s320/SubSystems.jpg" width="320" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
The value that we are interested in here is the "Windows" value. It may or may not be modified. Here is what the data will look like with an active infection:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: 9pt; line-height: 115%;">%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=<strong><span style="color: red;">consrv</span></strong>:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16</span><br />
<span style="font-size: 9pt; line-height: 115%;"><br /></span><br />
The value should look like this when it is clean:<br />
<span style="font-size: 9pt; line-height: 115%;"><br /></span><br />
<span style="font-size: 9pt; line-height: 115%;">%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=<strong><span style="color: red;">winsrv</span></strong>:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16</span>
<span style="font-size: 9pt; line-height: 115%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 9pt; line-height: 115%;"><br /></span></div>
<div class="MsoNormal">
We are particularly interested in the ServerDll part of this data. You may notice that the order of the ServerDll entries (if you omit the other data) is: <b>basesrv, winsrv, consrv, sxssrv</b>. We want to change it back to the default configuration, which is: <b>basesrv, winsrv, winsrv, sxssrv</b>. Once you have changed the data, click OK and then press F5 on your keyboard to refresh your view of the registry. Open the value back up to make sure that it was not changed back by the rootkit. If it was, you will have to try another control set, such as ControlSet001. If your changes were successful, we can refer to this control set as "fixed". Go to the key <b>HKEY_LOCAL_MACHINE\SYSTEM\Select</b>. We will now change the "Default" value's data to match our "fixed" control set; mine is ControlSet003, so my "Default" value's data will be changed to "3".<br />
<br />
I recommend that you familiarize yourself with the NT startup process to get a better understanding of what we are doing here and why. A good source of reading to better understand how this all works can be found at Wikipedia, in the "Loading Windows NT Kernel" section of this article:<br />
<br />
<div style="text-align: center;">
<a href="http://en.wikipedia.org/wiki/Windows_NT_startup_process">http://en.wikipedia.org/wiki/Windows_NT_startup_process</a>
</div>
<div style="text-align: center;">
<br /></div>
</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihGPdLscJNmmnAbALpUrzlf04mMmf8oGDaSPyJp949KtlbqFlydDn_wZo0KMppTxiAhR5u8cbpqPmuUw6kqfsTHXqrBL2sf9fO1aQWFNW4eVAAqA1eeyHghZkL7riOJ505OBTI-NToM7k/s1600/Default.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihGPdLscJNmmnAbALpUrzlf04mMmf8oGDaSPyJp949KtlbqFlydDn_wZo0KMppTxiAhR5u8cbpqPmuUw6kqfsTHXqrBL2sf9fO1aQWFNW4eVAAqA1eeyHghZkL7riOJ505OBTI-NToM7k/s320/Default.jpg" width="320" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
We can now delete <b>C:\Windows\system32\consrv.dll</b>.
The next step is to handle the service. We will need to open Notepad and take a look at our TDSSKiller window again. Copy the name of the service into Notepad, and then copy that to your clipboard. Open up your registry editor and make sure that 'Computer' is selected in the left pane. Go to Edit > Find and paste the service name that you just copied into the Find box. Click 'Find Next' and you should arrive at<br />
<br />
<b>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</b><br />
<b><br /></b><br />
We are looking for the service listed in the 'netsvcs' value. Find the line that contains the service and delete that line only. Then press the F3 key on your keyboard to continue the search. You should get either 1 or 2 more results. Once you find the service's registry keys, delete the entire key. Press F3 until you see the message "Finished searching through the registry." Close the registry editor and reboot. Run a full scan with MalwareBytes' Anti-Malware to remove any remaining files.</div>
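The check below is an added example and is not part of the original post. It is a read-only PowerShell script that parses the SubSystems\Windows value of every ControlSetNNN, compares the ServerDll order with the clean order given above, reports which control set Select\Default points to, and tests whether consrv.dll is still in system32; it assumes the Windows 7-era value layout shown in the post.

```powershell
# Added example (not from the original post): read-only check for the consrv
# ServerDll hijack described above. Run from an elevated PowerShell prompt.

$sysKey   = 'HKLM:\SYSTEM'
$expected = 'basesrv, winsrv, winsrv, sxssrv'   # clean ServerDll order quoted in the post

function Get-ServerDllOrder {
    param([Parameter(Mandatory)][string]$WindowsValue)
    # Each token looks like "ServerDll=module[:EntryPoint],index". Keep only the
    # module name, in the order it appears, which is how the post reads the value.
    $modules = foreach ($token in ($WindowsValue -split '\s+')) {
        if ($token -match '^ServerDll=([^:,]+)') { $Matches[1].ToLower() }
    }
    return ($modules -join ', ')
}

# Which control set the loader will use on the next boot.
$default     = (Get-ItemProperty -Path "$sysKey\Select" -Name Default).Default
$defaultName = 'ControlSet{0:D3}' -f $default

# CurrentControlSet is a link, so only the numbered hives match this pattern.
$report = foreach ($cs in Get-ChildItem -Path $sysKey |
          Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }) {
    $subKey  = "$sysKey\$($cs.PSChildName)\Control\Session Manager\SubSystems"
    $windows = (Get-ItemProperty -Path $subKey -Name Windows -ErrorAction SilentlyContinue).Windows
    if (-not $windows) { continue }   # stale control set without a SubSystems key
    $order = Get-ServerDllOrder -WindowsValue $windows
    [pscustomobject]@{
        ControlSet = $cs.PSChildName
        IsDefault  = ($cs.PSChildName -eq $defaultName)
        ServerDlls = $order
        Clean      = ($order -eq $expected)
        HasConsrv  = ($order -match '\bconsrv\b')
    }
}

"Select\Default points to $defaultName"
$report | Format-Table -AutoSize
# The post deletes this file once the registry is fixed; it should be gone afterwards.
"consrv.dll present in system32: $(Test-Path "$env:SystemRoot\system32\consrv.dll")"
```

Run it once before editing to see which control sets are hijacked, and again after the reboot to confirm the default control set is the clean one.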
<div class="MsoNormal">
<br />
A link to the HTML format of this video can be found <a href="https://www.box.com/s/4da75e29b8f74f24d5ea" target="_blank">here</a><br />
<br />
Unzip the folder and launch the HTML file that is contained inside.<br />
</div>
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/CcV9Coej56c" width="560"></iframe>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<br />
<b>Windows Telemetry Center</b> (TeamRocketOps, published 2012-03-04, updated 2012-03-04)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3o0Aei-07LfGOGpLH_u4eVE0QqsKn2cd1DdJtulhgXtSh42GwUCROc-qc8YtvRxeaIa4IUNOEjPc2lqiFyWrDN4fkzythDROARqCAYdtNdFPSXPghLh6rjhzcUuLSzcG0pc1AOwdVcdI/s1600/Main.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3o0Aei-07LfGOGpLH_u4eVE0QqsKn2cd1DdJtulhgXtSh42GwUCROc-qc8YtvRxeaIa4IUNOEjPc2lqiFyWrDN4fkzythDROARqCAYdtNdFPSXPghLh6rjhzcUuLSzcG0pc1AOwdVcdI/s320/Main.jpg" width="320" /></a></div>
<span style="color: black;"></span><br />
<div>
<span style="color: black;"><span style="color: black;"><br /></span></span></div>
<div>
<span style="color: white;">Windows Telemetry Center has been renamed quite a few times. Here are some of the other names:</span></div>
<div>
<span style="color: white;"><br /></span></div>
<span style="color: white;">
Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer, Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Trojans Inspector, Windows Performance Catalyst, Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master</span><br />
<div>
<br /></div>
<div>
This one in particular does not have any type of activation code. However, the sample that I tested was older, so there are activation codes that work with the newer iterations. Here is one of them thanks to <a href="http://xylibox.blogspot.com/">Xylitol</a>:</div>
<div>
<br /></div>
<div style="text-align: center;">
<b>0W000-000B0-00T00-E0020</b></div>
<div style="text-align: center;">
<b><br /></b></div>
<div style="text-align: left;">
This one is a bit harder to remove if you do not activate it. I had trouble with MalwareBytes' in particular; it kept freezing during removal. The best way that I found to remove this one is using Hitman Pro 3.6. Here are the links to this tool:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
For 32-Bit: <a href="http://dl.surfright.nl/HitmanPro36.exe">http://dl.surfright.nl/HitmanPro36.exe</a></div>
<div style="text-align: left;">
For 64-Bit: <a href="http://dl.surfright.nl/HitmanPro36_x64.exe">http://dl.surfright.nl/HitmanPro36_x64.exe</a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I found that running Hitman in Breach Mode was the way to go. To do this, you need to hold down the Ctrl key on your keyboard, and then double-click to open the program. You will see your explorer shell disappear and Hitman will be the only thing on the screen. Let it scan and remove. You will need to do a supplemental scan with MalwareBytes' after Hitman does his job. </div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQS1TmSZoqi-oHMpOqK7RjzfebmuX_1vrD7ARg889ssyr5Dj1bKToAclEBhtnoYWKMOIpH15-JhUUYGvVZscHUuSbjRMVHvrLjRXz14-zbrkro6rCTdjaftDRDh9Naejndc5IhI3WDT2c/s1600/FullScreen.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="255" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQS1TmSZoqi-oHMpOqK7RjzfebmuX_1vrD7ARg889ssyr5Dj1bKToAclEBhtnoYWKMOIpH15-JhUUYGvVZscHUuSbjRMVHvrLjRXz14-zbrkro6rCTdjaftDRDh9Naejndc5IhI3WDT2c/s320/FullScreen.jpg" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div>
Registry Keys (list shortened for relevance):</div>
<div>
<br /></div>
<div>
<span style="font-size: x-small;">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe (about 750 of these)</span></div>
<div>
<span style="font-size: x-small;">HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegedit</span></div>
<div>
<span style="font-size: x-small;">HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Inspector</span></div>
<div>
<span style="font-size: x-small;"><br /></span></div>
<div>
Files:</div>
<div>
<span style="font-size: x-small;">C:\WINDOWS\system32\at.exe</span></div>
<div>
<span style="font-size: x-small;">C:\WINDOWS\system32\cmmon32.exe</span></div>
<div>
<span style="font-size: x-small;">C:\Documents and Settings\<User>\Application Data\Protector-<random>.exe</span></div>
<div>
<span style="font-size: x-small;"><br /></span></div>
<div>
<br />
<div>
<span style="color: black;"><br /></span></div>
<div>
<span style="color: black;"><br /></span></div>
</div>
<br />
<b>Personal Shield Pro</b> (TeamRocketOps, published 2012-03-02)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiegdQSAaOCHOhLtunMmSd80JOJe45FbxqopRJHoQwk4diqk_bALqLNnSrIyKZIc8n-YWsUbmWrPJyTfSRAQDA-OVn_vKs9RNO6BOe-0WeAmHHHWLXgdmZYVKOueVmE7OpNNIGTsKCUaDM/s1600/Main.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiegdQSAaOCHOhLtunMmSd80JOJe45FbxqopRJHoQwk4diqk_bALqLNnSrIyKZIc8n-YWsUbmWrPJyTfSRAQDA-OVn_vKs9RNO6BOe-0WeAmHHHWLXgdmZYVKOueVmE7OpNNIGTsKCUaDM/s320/Main.jpg" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Today we have Personal Shield Pro. To help removal, you can activate it with the following key:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<b>8945315-6548431</b></div>
<div style="text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2kRSgjqto9e35mZKvACYtYOjRJbjou_ckU_SLDCw3_zki1nzne3MG27A4VmP48GY80kZPY-K1jUN35SgYalL1vxy8gMaOm7rIZg3ATD38qMOICp8XRMeH6CgRrS0ZPzhSDVwttbNDwAA/s1600/Registration.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2kRSgjqto9e35mZKvACYtYOjRJbjou_ckU_SLDCw3_zki1nzne3MG27A4VmP48GY80kZPY-K1jUN35SgYalL1vxy8gMaOm7rIZg3ATD38qMOICp8XRMeH6CgRrS0ZPzhSDVwttbNDwAA/s320/Registration.jpg" width="320" /></a></div>
<div style="text-align: center;">
<b><br /></b></div>
<div style="text-align: left;">
This one stops other processes from running by telling us that we are "infected". To counteract this, locate "C:\Windows\System32\taskmgr.exe", copy it to the desktop, and then rename the copy to "explorer.exe". </div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5Wqd4V6bJzASdDuGtPHRXDQYIfBmynIoOuBM4lvFgGFZyK7dPhHlU0sjHBuKae9DT9mAQz_GVEiKTszqScTgdfWkbUwjQkTE66VyDECo23l60cS4la8sXPX0fsoD_SV53aleWRGgn_sg/s1600/FullScreen.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5Wqd4V6bJzASdDuGtPHRXDQYIfBmynIoOuBM4lvFgGFZyK7dPhHlU0sjHBuKae9DT9mAQz_GVEiKTszqScTgdfWkbUwjQkTE66VyDECo23l60cS4la8sXPX0fsoD_SV53aleWRGgn_sg/s320/FullScreen.jpg" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Find and kill the process.
</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7H9y98DwLyJuhlwyxcYNv88EFIldPbiopM8W3gCsM1yUlI7Kaep5zi8JhynlvvMmPca-AyR3OzoSut7hJDb_YMCmtzM0iaiK1z7K_sTdeMboImmB8ULx-Ja58SvHLqKYod8uaqSwJRaI/s1600/TaskMgr.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7H9y98DwLyJuhlwyxcYNv88EFIldPbiopM8W3gCsM1yUlI7Kaep5zi8JhynlvvMmPca-AyR3OzoSut7hJDb_YMCmtzM0iaiK1z7K_sTdeMboImmB8ULx-Ja58SvHLqKYod8uaqSwJRaI/s320/TaskMgr.jpg" width="284" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Run MalwareBytes' quick scan to finish removal. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Registry Keys:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: x-small;">HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | <random></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
Files:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: x-small;">C:\Documents and Settings\All Users\Application Data\<random>\<random>.exe</span></div>
<div style="text-align: center;">
<br /></div>
<br />
<b>Smart Fortress 2012</b> (TeamRocketOps, published 2012-02-29, updated 2012-03-04)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfaxnQCudUPh9SV0waVhjK7qy84gHyIpWbxkzJvzOSoU4nfa5T5ipH2MkV2FBhMggRR_CeYdxyzw8WpOjNAnnbPwodkUTs4AYvsqPOERjYb3-d5OqPG0mWj8wmmITMt2_pmq2ed7zAReE/s1600/Main.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfaxnQCudUPh9SV0waVhjK7qy84gHyIpWbxkzJvzOSoU4nfa5T5ipH2MkV2FBhMggRR_CeYdxyzw8WpOjNAnnbPwodkUTs4AYvsqPOERjYb3-d5OqPG0mWj8wmmITMt2_pmq2ed7zAReE/s320/Main.jpg" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<br />
This rogue is pretty easy to remove. First, it is sometimes easier to have the aid of a product key, so here it is: <br />
<br />
<div style="text-align: center;">
<b>AA39754E-715219CE</b> </div>
<br />
<br />
If you are unable to register it, you can stop it with little work. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiQQvG62aZ0zsUrKxLLnsPowqxxVc-mhitelNu_Jz4HXxOSs2LKilwJeQYH11YIVFGiq49LNWeDGLAZj8bikDbxPD8EN1FwWi8FW-60LNHt4t0699eGXt7hTbvKPYSJMS6pZOLSbUOma8/s1600/Warning.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiQQvG62aZ0zsUrKxLLnsPowqxxVc-mhitelNu_Jz4HXxOSs2LKilwJeQYH11YIVFGiq49LNWeDGLAZj8bikDbxPD8EN1FwWi8FW-60LNHt4t0699eGXt7hTbvKPYSJMS6pZOLSbUOma8/s320/Warning.jpg" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<br />
<br />
Copy "C:\Windows\regedit.exe" to the desktop. <br />
<br />
Copy "C:\Windows\System32\taskmgr.exe" to the desktop. <br />
<br />
Rename "regedit.exe" to "explorer.exe". <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXzLqJq7UYfaRxpy7Vjb5A51fvq85JkSrtlZZWUqi8ZuF1gzaTxsmF3dXfqNzdkb65HcdTKqhE5fqrkLlPPiSLKl1dqIZ7fqVaJj-VvpW5Fqd6Yi_E0JWyzVidviW45aseDLtSlSKpkEQ/s1600/Renaming+Screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXzLqJq7UYfaRxpy7Vjb5A51fvq85JkSrtlZZWUqi8ZuF1gzaTxsmF3dXfqNzdkb65HcdTKqhE5fqrkLlPPiSLKl1dqIZ7fqVaJj-VvpW5Fqd6Yi_E0JWyzVidviW45aseDLtSlSKpkEQ/s320/Renaming+Screenshot.jpg" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<br />
<br />
Launch your renamed regedit and locate and delete: <br />
<br />
HKCU\Software\Classes\.exe <br />
HKCU\Software\Classes\%s <br />
HKCU\Software\Classes\529C5 <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNG_vC0X-4vWR_yugTCuxDgsr-cVCGQE0XbOztm9_pUHlpcO0_a9mqLLz8cgEnM-Y6uSPJX3YMaTRpSfipZ_Fe_-1AvR6pxW2Q5sxxdJs-TAlwkZnYyXU2hJBuNoP0OeoXcc3fV38W6sk/s1600/RegEdit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNG_vC0X-4vWR_yugTCuxDgsr-cVCGQE0XbOztm9_pUHlpcO0_a9mqLLz8cgEnM-Y6uSPJX3YMaTRpSfipZ_Fe_-1AvR6pxW2Q5sxxdJs-TAlwkZnYyXU2hJBuNoP0OeoXcc3fV38W6sk/s320/RegEdit.jpg" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<br />
Close regedit and delete or rename the "regedit.exe" that you renamed to "explorer.exe".<br />
<br />
Rename "taskmgr.exe" to "explorer.exe" and then open it. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP6lMmuujUwWBVKnN0hnJSrtRo9lXIkqVRx80kY1NEDTR-cRTAkOHQgHGXbMLFeSWXfhpcbiT7o8aLrhEIxl0OPyTe4FSwjoizmKY_a_bEVotc_0GGiIiHJ7C9rUnMJ62LpSylL-MBtUA/s1600/Kill+Process.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP6lMmuujUwWBVKnN0hnJSrtRo9lXIkqVRx80kY1NEDTR-cRTAkOHQgHGXbMLFeSWXfhpcbiT7o8aLrhEIxl0OPyTe4FSwjoizmKY_a_bEVotc_0GGiIiHJ7C9rUnMJ62LpSylL-MBtUA/s320/Kill+Process.jpg" width="284" /></a></div>
<div style="text-align: center;">
<br /></div>
<br />
Find the process and kill it. Then run a full scan with MalwareBytes'. This one puts a file in System Restore, so you can avoid a full scan by clearing the restore points before scanning. Remember to make sure System Restore is enabled once removal is completed, to protect yourself.<br />
<div>
<br /></div>
<div>
Registry Keys:</div>
<div>
<span style="font-size: x-small;"><br /></span></div>
<div>
<span style="font-size: x-small;">HKCR\Software\Classes\.exe<br />HKCR\Software\Classes\%s<br />HKCR\Software\Classes\529C5 </span></div>
<div>
<span style="font-size: x-small;">HKLM\Software\Microsoft\Security Center | AntiVirusDisableNotify</span></div>
<div>
<span style="font-size: x-small;">HKLM\Software\Microsoft\Security Center | FirewallDisableNotify</span></div>
<div>
<span style="font-size: x-small;">HKLM\Software\Microsoft\Security Center | UpdateDisableNotify</span></div>
<div>
<span style="font-size: x-small;">HKCU\Software\Microsoft\Windows\Currentversion\Uninstall\Smart Fortress 2012</span></div>
<div>
<br /></div>
<div>
Files:</div>
<div>
<br /></div>
<div>
<span style="font-size: x-small;">C:\Documents and Settings\All Users\Application Data\<random>.exe</span></div>
<div>
<span style="font-size: x-small;">C:\System Volume Information\_restore{random}\RP1\<random>.exe</span></div>
<div>
<span style="font-size: x-small;">C:\Documents and Settings\<User>\Desktop\Smart Protection 2012.lnk</span><br />
<div class="MsoListParagraphCxSpLast" style="margin-left: 0in; mso-add-space: auto;">
<o:p><span style="font-size: x-small;"><br /></span></o:p></div>
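The script below is an added example, not code from the original posts. It is a read-only PowerShell sweep of the registry locations the rogue-AV write-ups above list (the Image File Execution Options entries and DisableRegedit policy from Windows Telemetry Center, and the HKCU\Software\Classes\.exe hijack and Security Center notification switches from Smart Fortress 2012); the '529C5' class name is taken from the post, and the Run-entry path filter is an assumption based on where these samples drop their payload.

```powershell
# Added example (not from the original posts): read-only sweep of the
# persistence and sabotage points listed in the rogue-AV write-ups above.
# Run from an elevated prompt before and after cleanup; nothing is modified.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Location = $Location; Detail = $Detail })
}

# 1. IFEO: a Debugger value under <program>.exe launches the "debugger" instead of
#    the program, which is how the rogue blocks security tools from starting.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($k in Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -LiteralPath $k.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO Debugger' $k.PSChildName $dbg }
}

# 2. Registry-editor lockout and the HKCU Run entry named in the post.
$pol = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dr  = (Get-ItemProperty -LiteralPath $pol -Name DisableRegedit -ErrorAction SilentlyContinue).DisableRegedit
if ($dr) { Add-Finding 'Policy' "$pol | DisableRegedit" $dr }

$run      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runItems = Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue
if ($runItems) {
    foreach ($p in $runItems.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        # Assumption: flag the named entry plus anything launched from a profile data folder.
        if ($p.Name -eq 'Inspector' -or "$($p.Value)" -match 'Application Data|AppData') {
            Add-Finding 'HKCU Run' $p.Name "$($p.Value)"
        }
    }
}

# 3. HKCU\Software\Classes\.exe shadows the machine-wide .exe association for
#    this user, so every program launch goes through the rogue first.
$cls = 'HKCU:\Software\Classes'
foreach ($name in '.exe', '%s', '529C5') {
    $key = "$cls\$name"
    if (Test-Path -LiteralPath $key) {
        $cmd = (Get-ItemProperty -LiteralPath "$key\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        if (-not $cmd) { $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)' }
        Add-Finding 'HKCU Classes hijack' $key "$cmd"
    }
}

# 4. Security Center warnings the rogue silences so that only its own alerts show.
$sc = 'HKLM:\Software\Microsoft\Security Center'
foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdateDisableNotify') {
    $val = (Get-ItemProperty -LiteralPath $sc -Name $v -ErrorAction SilentlyContinue).$v
    if ($val) { Add-Finding 'Security Center' "$sc | $v" $val }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No findings.' }
```

A clean machine normally reports nothing from sections 1 through 3; any Debugger entry or per-user .exe class should be reviewed before being deleted.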
</div>
<br />
<b>Security Shield</b> (TeamRocketOps, published 2012-01-31)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcETjKNCQtMBTTYtFolX7Sl8P0uhclPaDta8E6bO2Ra7PldVNGv9xPDBTE0o7r36NZlPwccTnAk0Jb5Ar7cyU_H_j6FbOI_K8ZqqC5h4AIWvR-A3TkcZBGWHdMpGmNZ9wIDa82e2KgX2Q/s1600/Warning.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcETjKNCQtMBTTYtFolX7Sl8P0uhclPaDta8E6bO2Ra7PldVNGv9xPDBTE0o7r36NZlPwccTnAk0Jb5Ar7cyU_H_j6FbOI_K8ZqqC5h4AIWvR-A3TkcZBGWHdMpGmNZ9wIDa82e2KgX2Q/s1600/Warning.JPG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Security Shield is pretty straightforward to remove. You can either use the serial number:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="text-align: center;">
<b>64C665BE-4DE7-423B-A6B6-BC0172B25DF2</b></div>
<div style="text-align: left;">
<span style="color: red; font-family: Verdana; font-size: x-small;"><span style="line-height: 15px;"><b><br /></b></span></span></div>
Or you can remove it the old-fashioned way. Start by renaming taskmgr so that we can kill the process. I renamed mine to "explorer.exe" and it seemed to work well enough. Find and kill the process:<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHETv42ZDF1O8122djHqIR6FgWA-j7fPNbGGyOggoPsz_cBkE3gUF8hPvClKYUpfZRCAM76FsLGFt6gGAyCWyZPUwsMD_y8YBOoQc8LfzIoO7fn6VnRFHA5OESKhv_qbPA4slZZ7gMyzU/s1600/Kill+Process.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHETv42ZDF1O8122djHqIR6FgWA-j7fPNbGGyOggoPsz_cBkE3gUF8hPvClKYUpfZRCAM76FsLGFt6gGAyCWyZPUwsMD_y8YBOoQc8LfzIoO7fn6VnRFHA5OESKhv_qbPA4slZZ7gMyzU/s320/Kill+Process.JPG" width="282" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Run a quick scan with your favorite anti-malware utility (MalwareBytes' is mine). You are all set. This one only left 1 file in "%userprofile%\Local Settings\Application Data\<random.exe>". I found no registry entries or anything weird in startup. Here are some more screenshots:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSjoj7OMydfhEyARp3VH2Oj1hAuWog75yVS7yDGf9Na65YqBIIuLabeMUJtq8i-Y7rS_Spb9qp10zo8zbZ1CBBaOLpU8YXJb7GFJXXSh7YSqdVzKOrBkqe9K9n7bRJ8qfsMBylS8xbUWw/s1600/Main.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSjoj7OMydfhEyARp3VH2Oj1hAuWog75yVS7yDGf9Na65YqBIIuLabeMUJtq8i-Y7rS_Spb9qp10zo8zbZ1CBBaOLpU8YXJb7GFJXXSh7YSqdVzKOrBkqe9K9n7bRJ8qfsMBylS8xbUWw/s320/Main.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKoibQrHc5M421YrGqAA7DHUw3pFZlahU4OkCf5DTdfgPVYhLvShT08faW_BvoAFMviOGF21HHbXr71pje9ZuKBIj2zL5YYtAJ4UvUEnYZPyqILjU9_5qDyA5u-OT0xHDyuSC8XpIMzZ4/s1600/Found.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKoibQrHc5M421YrGqAA7DHUw3pFZlahU4OkCf5DTdfgPVYhLvShT08faW_BvoAFMviOGF21HHbXr71pje9ZuKBIj2zL5YYtAJ4UvUEnYZPyqILjU9_5qDyA5u-OT0xHDyuSC8XpIMzZ4/s320/Found.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGxQtp331WBhyphenhyphenbeh2uLnZ1gZD8DDW7sWYDHCMA6MZauT8CplXfPkFOc4f9XuUtGp6pwiOMysMrque74xCAjy16bNdsKBq_1By6PHRqgxNSRUPzLB24JnJpwZ7MDpjLF8fYeih4OCufa8M/s1600/AreYouSure.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGxQtp331WBhyphenhyphenbeh2uLnZ1gZD8DDW7sWYDHCMA6MZauT8CplXfPkFOc4f9XuUtGp6pwiOMysMrque74xCAjy16bNdsKBq_1By6PHRqgxNSRUPzLB24JnJpwZ7MDpjLF8fYeih4OCufa8M/s320/AreYouSure.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN_K1MC7hbY1K1zw8sBesk6HV_b32TJ8qaGNWS0psFCXDQVavSHCNiQB2zb0Cv2tr801ugZY7Ccfapke8wWYhD5q2PwcUutt0ubOOdELMrAn_q6NnA4JNIiP_r4aqivWH6GDCQ31SjG5A/s1600/Security+Center.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN_K1MC7hbY1K1zw8sBesk6HV_b32TJ8qaGNWS0psFCXDQVavSHCNiQB2zb0Cv2tr801ugZY7Ccfapke8wWYhD5q2PwcUutt0ubOOdELMrAn_q6NnA4JNIiP_r4aqivWH6GDCQ31SjG5A/s320/Security+Center.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO9-y9VCT4tin5NuEwxbjINQLLd3wtxzHKJljNC0mKtpOrsQInZxiSSCqhioLa1qa0eXGKTcGLdzePvubV22X3_yACAtvFs1o1_8yDRUAS-ByIkU6DXPjBxAQXVjfYdger36DWAGAEhyphenhypheng/s1600/Purchase.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO9-y9VCT4tin5NuEwxbjINQLLd3wtxzHKJljNC0mKtpOrsQInZxiSSCqhioLa1qa0eXGKTcGLdzePvubV22X3_yACAtvFs1o1_8yDRUAS-ByIkU6DXPjBxAQXVjfYdger36DWAGAEhyphenhypheng/s320/Purchase.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbvgFl8k7sqEZAuXbhwI_F5GlSE2gQXizTj_oIYQbbLWEH7RTJ_BH3_PquPU0QAcooI2RyjgZSdm-rZOj4fddg5IY1WixSP9VsSqh6LBJ2KwW2JLq74BNpaW9u7dR22069UyUiizXqnPk/s1600/Update.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbvgFl8k7sqEZAuXbhwI_F5GlSE2gQXizTj_oIYQbbLWEH7RTJ_BH3_PquPU0QAcooI2RyjgZSdm-rZOj4fddg5IY1WixSP9VsSqh6LBJ2KwW2JLq74BNpaW9u7dR22069UyUiizXqnPk/s320/Update.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<br />
<b>Fixing Security Center</b> (TeamRocketOps, published 2012-01-18, updated 2012-07-12)<br />
Some of you have experienced the Windows Security Center failing to start after the removal of the ZeroAccess rootkit. Here is how you fix it:<br />
<br />
Always be sure to double-check by running a firewall reset. You can do this by opening a command prompt as administrator and typing the following command: <br />
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
netsh firewall reset</div>
<br />
You should see something like this if it is working:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP-MPBcbXyCQGICupqyF2odqudD3Gh_-KGYk92RU0OEWQLTUGiE5hXyr888D7whP1j0sBkq_sxEe7ZyUzzHQzMQU6gjkCrBiI5n-nCg89GVwqDI0HQtPai-knbEvmbcrM1VH8isBQSUcs/s1600/Firewall+reset+working.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP-MPBcbXyCQGICupqyF2odqudD3Gh_-KGYk92RU0OEWQLTUGiE5hXyr888D7whP1j0sBkq_sxEe7ZyUzzHQzMQU6gjkCrBiI5n-nCg89GVwqDI0HQtPai-knbEvmbcrM1VH8isBQSUcs/s320/Firewall+reset+working.jpg" /></a></div>
<br />
<br />
If it is off or broken by the infection, you will see an error that says “The Service has not been Started.” Here is what you need to do:<br />
<br />
1. Download the missing registry entries <a href="https://dl.dropbox.com/u/17659346/FixServices.zip">here</a> and extract the .reg files to the desktop. You need to restore all of the registry entries for the following services:<br />
<br />
<br />
<br />
Base Filtering Engine - HKLM\System\CurrentControlSet\Services\BFE <br />
<br />
Windows Security Center Service - HKLM\System\CurrentControlSet\Services\WscSvc <br />
<br />
Windows Shared Access - HKLM\System\CurrentControlSet\Services\SharedAccess <br />
<br />
Windows Defender Service - HKLM\System\CurrentControlSet\Services\WinDefend <br />
<br />
Windows Firewall Service - HKLM\System\CurrentControlSet\Services\MpsSvc <br />
<br />
IP Helper Service - <span style="background-color: white;">HKLM\System\CurrentControlSet\Services\iphlpsvc</span><br />
<br />
<br />
<br />
You can find these service registry keys in the downloaded zip file, or you can export them from a machine on which these services are functioning correctly. Just importing these registry entries is not enough to get all of these services back up and running correctly; some of these entries need special permissions to run.<br />
<br />
Import the registry keys by double-clicking each of the files for their respective service. Reboot the PC once you have all of the registry keys imported.<br />
<br />
<b>Important Note:</b> After importing registry keys for these services, you need to reboot so that they can start correctly.<br />
<br />
2. Now that you have all of the registry entries imported, you can start the Windows Security Center Service and the Windows Defender Service. In order to start the firewall service, you need to have the Base Filtering Engine Service up and running correctly. You’ll notice when you try to start “BFE” that you get an error with error code 5, which means “Access Denied”. To fix this, you need to allow access to the proper account. Open regedit and navigate here:<br />
<br />
HKLM\System\CurrentControlSet\Services\BFE\Parameters<br />
<br />
Right-click and select “Permissions”. Click “Add…” <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY_0poRtNZHg6uu8VVsjy4s350kIxv8f4amGHV-6xsnn1RgB85-P4dXy0FClInNc3gio9i4g5gJihW1D45AmEx1ET515rHtdgOvTPIoDBmrng8j282Qb_e_9x3IjAj33iy1G1jx7Rvi6Q/s1600/BFE+Perms.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY_0poRtNZHg6uu8VVsjy4s350kIxv8f4amGHV-6xsnn1RgB85-P4dXy0FClInNc3gio9i4g5gJihW1D45AmEx1ET515rHtdgOvTPIoDBmrng8j282Qb_e_9x3IjAj33iy1G1jx7Rvi6Q/s320/BFE+Perms.JPG" /></a></div>
<br />
You want to add the account “NT Service\BFE” like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM0xRGad9sjhjAc__7VhqWprIa7LySyXiyD2w_Tg_td9FecFsaXs6KaBYtmvz95T89ndR7_ePJDdUuoKFOpya3VmqRzmKyrjP0r_Fg1bOKjiOroiUBurx-Qu3dCexx2fhyphenhyphenUNogd2YhXU4/s1600/BFE+Perms2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM0xRGad9sjhjAc__7VhqWprIa7LySyXiyD2w_Tg_td9FecFsaXs6KaBYtmvz95T89ndR7_ePJDdUuoKFOpya3VmqRzmKyrjP0r_Fg1bOKjiOroiUBurx-Qu3dCexx2fhyphenhyphenUNogd2YhXU4/s320/BFE+Perms2.JPG" /></a></div>
<br />
Once added, allow the “BFE” account “Full Control” as pictured above. Do not edit any of the other permissions for that service; you will do that next. <br />
<br />
3. Run CMD as Administrator and copy/paste the following command (or have fun typing it out). Make sure that the command is all on one line and that there are no spaces between the bracketed groups (sorry for the word wrap, but I only have so much space...)<br />
<br />
<span style="font-size: xx-small;">sc sdset bfe D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) </span><br />
<br />
This command resets the service's security descriptor to the Windows default, setting all of its permissions as they are on a clean install.<br />
<br />
4. Now you need to do the same for the Windows SharedAccess Service. So, in regedit, navigate to HKLM\System\CurrentControlSet\Services\SharedAccess. There are 4 subkeys that need to have permissions reset, as well as some sub-subkeys (yea, it’s a word now, I just made it up). Here are the keys that you need to set permissions on:<br />
<br />
<div style="text-align: left;">
<span style="font-size: x-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Defaults\FirewallPolicy </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2 </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy</span> </div>
<br />
For each of the above keys, right-click, select “Permissions”, then click “Add…” just like you did above.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRbElqPxJsbRI2XtaWew_1oHPedBP47iKEV-1cd-CxdWuVpdpMr7Ga9BEklyzcIfAYBrEyovjAc5wC7KTq4dcBvkHn4FLD9kjAKTHMAc3KVgkhREAvnJi_0T0m80FHjOGq4obGSep5KWg/s1600/MPS+Perms.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRbElqPxJsbRI2XtaWew_1oHPedBP47iKEV-1cd-CxdWuVpdpMr7Ga9BEklyzcIfAYBrEyovjAc5wC7KTq4dcBvkHn4FLD9kjAKTHMAc3KVgkhREAvnJi_0T0m80FHjOGq4obGSep5KWg/s320/MPS+Perms.JPG" width="264" /></a></div>
<br />
<br />
For the SharedAccess service, you need to add a different account, which is called “NT Service\MpsSvc”.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4XuDa-2JR0ihihU5bhobOIZcLFENElWEirY6K50wYpktcNLHj4P-GwfWSm2YDLrZZ77BOGRwetDySDiYTwEN2TzlSyZE6dyRdC37J-NTPtiQFlcrIuVjgxUMaMDwcczqqAfanyrzff2c/s1600/MPS+Perms2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4XuDa-2JR0ihihU5bhobOIZcLFENElWEirY6K50wYpktcNLHj4P-GwfWSm2YDLrZZ77BOGRwetDySDiYTwEN2TzlSyZE6dyRdC37J-NTPtiQFlcrIuVjgxUMaMDwcczqqAfanyrzff2c/s320/MPS+Perms2.JPG" width="320" /></a></div>
<br />
<br />
Also, just like the BFE service, add “Full Control” and click “Apply”. You will need to run another command to ensure that all other permissions are correct. Run CMD as Administrator and copy/paste this command to do it automatically: <br />
<br />
<span style="font-size: xx-small;">sc sdset sharedaccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) </span><br />
<br />
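To see exactly what those two <code>sc sdset</code> strings grant to which account, and to check a service against them before and after the fix, here is an added example that is not from the original post: it decodes the SDDL descriptor used for both BFE and SharedAccess and diffs it against a descriptor as printed by <code>sc sdshow</code>. The <code>sc sdshow</code> sample inside the block is constructed for the demonstration, not real captured output.

```python
import re
from dataclasses import dataclass

# Two-letter SDDL right codes as they apply to service objects: the generic
# object codes (CC, DC, LC, ...) map onto the SERVICE_* access rights.
# Hex access masks (e.g. 0x1F01FF) are not handled by this small parser.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_ALIASES = {"SY": "LocalSystem", "BA": "BUILTIN\\Administrators",
               "IU": "Interactive users", "SU": "Service logon accounts",
               "WD": "Everyone"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# The descriptor the post applies with `sc sdset` (identical for bfe and sharedaccess).
DEFAULT_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed sample of `sc sdshow bfe` output (not real captured output): the
# LocalSystem ACE has lost start/stop/pause and Everyone has gained start/stop.
SAMPLE_SDSHOW = """
D:(A;;CCLCSWLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)(A;;RPWP;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
"""

@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: str
    rights: frozenset
    trustee: str

def _split_rights(code: str) -> frozenset:
    """Rights are two-letter codes run together; reject anything unknown."""
    if len(code) % 2:
        raise ValueError(f"odd-length rights string: {code!r}")
    pairs = [code[i:i + 2] for i in range(0, len(code), 2)]
    unknown = [p for p in pairs if p not in SERVICE_RIGHTS]
    if unknown:
        raise ValueError(f"unknown right code(s) {unknown} in {code!r}")
    return frozenset(SERVICE_RIGHTS[p] for p in pairs)

def parse_sddl(sddl: str) -> dict:
    """Return {'dacl': [Ace, ...], 'sacl': [Ace, ...]} from a D:/S: SDDL string."""
    sections = {"dacl": [], "sacl": []}
    for marker, name in (("D:", "dacl"), ("S:", "sacl")):
        # Optional control flags (P, AI, AR) may sit between the marker and the ACEs.
        m = re.search(re.escape(marker) + r"[A-Z]*((?:\([^)]*\))*)", sddl.strip())
        if not m:
            continue
        for ace_str in re.findall(r"\(([^)]*)\)", m.group(1)):
            parts = ace_str.split(";")
            if len(parts) != 6:
                raise ValueError(f"malformed ACE: {ace_str!r}")
            ace_type, flags, rights, _obj, _inherit, sid = parts
            sections[name].append(Ace(ACE_TYPES.get(ace_type, ace_type), flags,
                                      _split_rights(rights), SID_ALIASES.get(sid, sid)))
    return sections

def allowed_rights(sddl: str) -> dict:
    """Union of ALLOW rights per trustee from the DACL."""
    grants = {}
    for ace in parse_sddl(sddl)["dacl"]:
        if ace.ace_type == "ALLOW":
            grants[ace.trustee] = grants.get(ace.trustee, frozenset()) | ace.rights
    return grants

def compare_dacl(expected_sddl: str, actual_sddl: str) -> list:
    """Human-readable deviations of the actual DACL from the expected one."""
    exp, act = allowed_rights(expected_sddl), allowed_rights(actual_sddl)
    findings = []
    for trustee, rights in exp.items():
        missing = rights - act.get(trustee, frozenset())
        if missing:
            findings.append(f"{trustee} lacks {sorted(missing)}")
    for trustee, rights in act.items():
        extra = rights - exp.get(trustee, frozenset())
        if extra:
            findings.append(f"{trustee} has unexpected {sorted(extra)}")
    for ace in parse_sddl(actual_sddl)["dacl"]:
        if ace.ace_type == "DENY":
            findings.append(f"DENY ACE for {ace.trustee}: {sorted(ace.rights)}")
    return findings

def sddl_from_sdshow(output: str) -> str:
    """Pull the descriptor line out of captured `sc sdshow <service>` output."""
    for line in output.splitlines():
        if "D:" in line and "(" in line:
            return line.strip()
    raise ValueError("no security descriptor found in sc sdshow output")
```

Feed the real output of <code>sc sdshow bfe</code> to <code>compare_dacl(DEFAULT_SD, sddl_from_sdshow(output))</code> and the findings name the account that lost a right, which is what an error 5 on service start usually comes down to.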
You should be able to start all of the services correctly now. If not, check your dependencies and make sure all dependent services are started. You may also want to check your ICS service. For some reason, it helps me get the firewall running in some cases. Disable it again after you get the firewall service running. I recommend rebooting to make sure that all of the services are starting up Automatically as they should. Email me if you have any questions/comments.<br />
<br />
Posted by TeamRocketOps<br />
<br />
<b>ZeroAccess Rootkit</b> (published 2012-01-18, updated 2012-05-24)<br />
<div class="MsoNormal">
ZeroAccess behavior has changed lately. Now it installs an extra service. This service seems to act as a protection mechanism for the rootkit to help it survive reboots. TDSSKiller seems to do a good job of finding both the infection and the service. Some of you may have seen the service show up as Backdoor.Multi.ZAccess.gen in TDSSKiller. TDSSKiller should not be used on ZeroAccess as anything more than a detection tool if you want to be 100% safe.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Tools you will need:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoListParagraphCxSpFirst" style="margin-left: 1in; text-indent: -0.25in;">
• XueTr by linxer - <a href="http://www.xuetr.com/download/XueTr.zip">http://www.xuetr.com/download/XueTr.zip</a></div>
<div class="MsoListParagraphCxSpLast" style="margin-left: 1in; text-indent: -0.25in;">
• Avenger by SwanDog64 - <a href="http://swandog46.geekstogo.com/avenger2/avenger2.html">http://swandog46.geekstogo.com/avenger2/avenger2.html</a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
First, you will need to run XueTr. Once you open it up, you may or may not see a message like this:</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiJB4J7lhMEL_9Hm2l0JSNdfBJC7CoMoFMlBqQL5N80-22-4w8n6l84Pp_xndRp5Re1z8MIad_qQPrk00C2Ha8ruutAAjpJeC54PtUON04spitUziLZreZyZJAiD_t0NlYzQxLbSsQWNW9/s1600/Find.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiJB4J7lhMEL_9Hm2l0JSNdfBJC7CoMoFMlBqQL5N80-22-4w8n6l84Pp_xndRp5Re1z8MIad_qQPrk00C2Ha8ruutAAjpJeC54PtUON04spitUziLZreZyZJAiD_t0NlYzQxLbSsQWNW9/s1600/Find.JPG" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The first thing we want to look for is the Object Hijack in the Kernel tab. This tab will help us verify that the infection is active and which system file is being affected. With an active infection, you should have 4 objects in the Object Hijack tab: 2 hijacks on the MBR, 1 Abnormal Driver, and 1 Hijacked Kernel Module. By looking at the Kernel Module that has been hijacked, we can determine which file needs to be replaced.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEF-OxTNYGIEqMuNazriwNNs1XR86mfU5TxGV8xFeL5P2UDL-6BrM_xXEgHEABbO3Nqnl5dGSovVnx-C9dd0rH057zK3M0GlDKOtVyckiSV5IKi4jGoqTb7uzWnUHDWaBf2gRnCScBj5U4/s1600/ObjectHijack.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEF-OxTNYGIEqMuNazriwNNs1XR86mfU5TxGV8xFeL5P2UDL-6BrM_xXEgHEABbO3Nqnl5dGSovVnx-C9dd0rH057zK3M0GlDKOtVyckiSV5IKi4jGoqTb7uzWnUHDWaBf2gRnCScBj5U4/s320/ObjectHijack.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
Everything needs to be done in a specific order or this will not work properly. Additionally, we want to make sure all other programs are closed and that any AV software is deactivated before moving forward. We also need to make 100% sure that system restore is enabled and in a working state, and that we create a restore point prior to moving any further into the disinfection process.</div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
Our next step is to find a good copy of the driver; I will leave that part to you. Once you have your clean driver, place it onto the C:\ drive of the infected PC. We will now need to open up our Avenger tool and write a script for it. The script for ZeroAccess is fairly straightforward, but if you would like to read more about Avenger and how the scripting is done, you can find the information on the SwanDog64 website noted above. Assuming that the infected driver is ipsec.sys, the script should read as follows:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: 'Courier New';">Files to Move:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: 'Courier New';"> C:\ipsec.sys | C:\Windows\System32\Drivers\ipsec.sys<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGxun9tPU3hiiJJ6OSd_mFZ6Y7uJ_fIoLNJPPHy3ugOwLJHJKXGkmBC_ZnTJiZjowvVbzKARNFhgfIVw5Mu1_LiIivETRkQLX21Xwj-j8k6V4OYtU3x92dkGMEcRKxqVLigknjYMMnuvHd/s1600/AvengerScript.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGxun9tPU3hiiJJ6OSd_mFZ6Y7uJ_fIoLNJPPHy3ugOwLJHJKXGkmBC_ZnTJiZjowvVbzKARNFhgfIVw5Mu1_LiIivETRkQLX21Xwj-j8k6V4OYtU3x92dkGMEcRKxqVLigknjYMMnuvHd/s320/AvengerScript.JPG" width="320" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="font-family: 'Courier New';"><br /></span></div>
<div class="MsoNormal">
We want to run the script. Select Yes.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ0SoE803a-h1znh9Z3q632GDTA09FlM2gmQw9h8OB9HHtx5J2y8rdMxhtMsKOraIae5ptdqZ2dFJjps4d6nBVPfmrhVEIUDu5mJAizIOWLcRJzZoEcH-P6IcsNMDj0gP45sW0XFGMNGYg/s1600/AvengerConfirm.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ0SoE803a-h1znh9Z3q632GDTA09FlM2gmQw9h8OB9HHtx5J2y8rdMxhtMsKOraIae5ptdqZ2dFJjps4d6nBVPfmrhVEIUDu5mJAizIOWLcRJzZoEcH-P6IcsNMDj0gP45sW0XFGMNGYg/s320/AvengerConfirm.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div class="MsoNormal">
We want to make sure that we do not reboot when asked by Avenger. We will reboot later once we have the rest of the infection taken care of. Select No.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj09VzPhfrJ2bdWa8aRPDhyphenhyphenKA40dC0msboKdLHnYpVO_atWJqDis0rQ4KUd6e_IRSA33_nduFa7DXKporJok1bCjsmXMM-QNxAE7k8so527nX0SrmBKnWqjaTZB9W4SBnFvxevxWTNtn0tq/s1600/AvengerReboot.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="71" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj09VzPhfrJ2bdWa8aRPDhyphenhyphenKA40dC0msboKdLHnYpVO_atWJqDis0rQ4KUd6e_IRSA33_nduFa7DXKporJok1bCjsmXMM-QNxAE7k8so527nX0SrmBKnWqjaTZB9W4SBnFvxevxWTNtn0tq/s320/AvengerReboot.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div class="MsoNormal">
Leave Avenger open and just minimize it. Next, we go back to XueTr and remove our MBR Hijack. Select the Ring0 Hooks tab, then the Disk tab. You will see a message saying "Existed DR0 AttachToDevice Hijack, Do you restore it..." Yes you do :)<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmReHwlHkRSeFuX3E9VsQTIASIxokjytlPe79F34jdaUJm7gQQ9ZVHF0Fvm5JuRj9Jj5edQyfX2pg2YY1O0J0Kx5I5FCNPMqE95PfqxbedNK1DvmmXhTl5Oy_8o62X4hQdF1B3cj_PYtc_/s1600/Disk0.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmReHwlHkRSeFuX3E9VsQTIASIxokjytlPe79F34jdaUJm7gQQ9ZVHF0Fvm5JuRj9Jj5edQyfX2pg2YY1O0J0Kx5I5FCNPMqE95PfqxbedNK1DvmmXhTl5Oy_8o62X4hQdF1B3cj_PYtc_/s320/Disk0.JPG" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We have so far addressed the hijack on the kernel module (our Avenger script), and we have removed the MBR hijack, so we have 2 more steps to go. Next, we will deal with the service. You may find that some samples do not have the service; please skip this step if you do not have the service installed. You can find this by running <a href="http://support.kaspersky.com/downloads/utils/tdsskiller.exe" target="_blank">TDSSKiller</a> (it shows up as Backdoor.Multi.ZAccess.gen). Go to the Services tab. This one can be a bit tricky because it is named differently each time. The main things to look for here are that it is always abnormal, so XueTr will show it with blue highlighting; it is always started by svchost.exe; the File Corporation is Iomega or Oak Technologies; and it either has random letters and words for the description, or has the description:</div>
<div class="MsoNormal">
<br /></div>
<div align="center" class="MsoNormal" style="text-align: center;">
"New service would allow parents to control their children's online activity".<o:p></o:p></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg2ECimeYs1WliGRYEtSdeKXUldoqBaxBMjoqOxrsRPKDzioSpPzwgOI44JxhjSMns7L_lB6E4VRhADlgYq4nG5gtjT2mVtZMUPexfBBqE6r4xZANmTvgNnlN2-PkvMVfiwMDoGXowiES2/s1600/DeleteService.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg2ECimeYs1WliGRYEtSdeKXUldoqBaxBMjoqOxrsRPKDzioSpPzwgOI44JxhjSMns7L_lB6E4VRhADlgYq4nG5gtjT2mVtZMUPexfBBqE6r4xZANmTvgNnlN2-PkvMVfiwMDoGXowiES2/s320/DeleteService.JPG" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
There may be more than one of these services, so you need to look carefully through this tab. Once you have found the service(s), right-click and select Delete. Please do not stop the service first; deleting it is enough, and stopping usually has adverse effects.</div>
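The indicators listed above can be turned into a repeatable check. This is an added example, not part of the original post or of XueTr: it scores constructed service records against those indicators (abnormal flag, svchost.exe host, Iomega or Oak Technologies file company, the known description text or random-looking text). The weights, the <code>looks_random</code> heuristic and the sample records are my own assumptions.

```python
import re
from dataclasses import dataclass

# Indicators from the write-up above; the weights and heuristics are assumptions.
KNOWN_DESCRIPTION = ("New service would allow parents to control "
                     "their children's online activity")
SUSPECT_COMPANIES = {"iomega", "oak technologies"}

@dataclass
class ServiceRecord:
    name: str
    host_image: str      # process that starts the service (XueTr Services tab)
    file_company: str    # CompanyName from the service file's version info
    description: str
    abnormal: bool       # True when XueTr highlights the entry in blue

def looks_random(text: str) -> bool:
    """Heuristic (assumption): half or more of the words have no vowel or carry
    a run of five or more consonants, which real service descriptions rarely do."""
    words = re.findall(r"[A-Za-z]+", text)
    if not words:
        return False
    odd = sum(1 for w in words
              if not re.search(r"[aeiouy]", w, re.I)
              or re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", w, re.I))
    return odd / len(words) >= 0.5

def triage(svc: ServiceRecord) -> tuple:
    """Return (score, reasons) for one service; weights are assumptions."""
    reasons = []
    if svc.abnormal:
        reasons.append((2, "flagged abnormal by XueTr"))
    if svc.host_image.lower() == "svchost.exe":
        reasons.append((1, "started by svchost.exe"))
    if svc.file_company.strip().lower() in SUSPECT_COMPANIES:
        reasons.append((2, f"file company is {svc.file_company!r}"))
    desc = svc.description.strip().rstrip(".")
    if desc == KNOWN_DESCRIPTION:
        reasons.append((3, "description matches the known ZeroAccess text"))
    elif looks_random(desc):
        reasons.append((1, "description looks like random text"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]

def suspicious(svc: ServiceRecord, threshold: int = 4) -> bool:
    """svchost.exe alone is normal; several indicators are needed to cross the bar."""
    return triage(svc)[0] >= threshold

# Constructed sample records (not real captures): one legitimate Windows service
# and two shaped like the ZeroAccess service described above.
SAMPLE_SERVICES = [
    ServiceRecord("wuauserv", "svchost.exe", "Microsoft Corporation",
                  "Enables the detection, download, and installation of updates.", False),
    ServiceRecord("0a1b2c3d", "svchost.exe", "Iomega", KNOWN_DESCRIPTION, True),
    ServiceRecord("xqwzptk", "svchost.exe", "Oak Technologies",
                  "qwrtp zxcvb mnklp trwqs", True),
]

def flagged_names(services=SAMPLE_SERVICES) -> list:
    """Names of the services that cross the triage threshold, in input order."""
    return [s.name for s in services if suspicious(s)]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        score, reasons = triage(svc)
        verdict = "SUSPECT" if suspicious(svc) else "ok"
        print(f"{svc.name:<10} {verdict:<8} score={score}  {'; '.join(reasons)}")
```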
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
We are now onto the last part, the driver. Navigate to the Kernel Module tab. Scroll all the way to the bottom and you will see a Suspicious DriverObject highlighted in red. Right-click and select Delete Driver (File and Reg). Then we want to unload the driver. As XueTr tells us, this is dangerous and should always be the last step before reboot. Be quick when you reboot after unloading, or you risk a BSOD. Please keep that in mind and be cautious when performing this last step.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjUFN67xa3_D03-BwwzMXKs498386kNMd2d46uid435nr-di8uIiKlSvO-Ce91HHTlJRZ4C6LEldtScwzRms7VG6JZaIqg_VcC0I5G3-unZoSFp9m-q8KTMnUOBU1wu0Q7-j_Y-NvZKbCa/s1600/KernelModule.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjUFN67xa3_D03-BwwzMXKs498386kNMd2d46uid435nr-di8uIiKlSvO-Ce91HHTlJRZ4C6LEldtScwzRms7VG6JZaIqg_VcC0I5G3-unZoSFp9m-q8KTMnUOBU1wu0Q7-j_Y-NvZKbCa/s320/KernelModule.JPG" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi76-YcitJnfqlNNc4-XuA9BHfrJ7qCK8zVMnyVRsCUQku14HQNHJpkRVHEIqqA9SNXZ5W_-nKQ6aSTgyAdh1BXDKAbDjtBvKm4pM-0ClDip_Ir77iKHQqDeI4FF4isFZv9jcNW4evECliz/s1600/DeleteDriver.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi76-YcitJnfqlNNc4-XuA9BHfrJ7qCK8zVMnyVRsCUQku14HQNHJpkRVHEIqqA9SNXZ5W_-nKQ6aSTgyAdh1BXDKAbDjtBvKm4pM-0ClDip_Ir77iKHQqDeI4FF4isFZv9jcNW4evECliz/s320/DeleteDriver.JPG" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQgYEEfDhqE65jcrUOk8bN4gXVJDOm_hpTTM0Jnnh24s50wAkXi6nWvGSck-Ja-cLY9v7OVTseN1OM4GxU3O6s-VUt1WvR4YlEnuewYx9tZ6rwRNpEUxpt4B8ZkNxSxWB6kC1nqH4Ood-Y/s1600/UnloadModule.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQgYEEfDhqE65jcrUOk8bN4gXVJDOm_hpTTM0Jnnh24s50wAkXi6nWvGSck-Ja-cLY9v7OVTseN1OM4GxU3O6s-VUt1WvR4YlEnuewYx9tZ6rwRNpEUxpt4B8ZkNxSxWB6kC1nqH4Ood-Y/s320/UnloadModule.JPG" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="MsoNormal">
Yes you are sure you want to continue.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjryQLZY5iOP3PghvBN1bogJmWQnV1GxE8KAt9JOPOpHNy_7GOa65YNycrSEej5aCenz8umJlnulm_6KZ-RxyJ2wJCJXJ4lhaA-uqI_mBsxD_5bm14quLpHc6dEXZgVFGVd-HDo2Y-bJ2Mi/s1600/Dangerous.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjryQLZY5iOP3PghvBN1bogJmWQnV1GxE8KAt9JOPOpHNy_7GOa65YNycrSEej5aCenz8umJlnulm_6KZ-RxyJ2wJCJXJ4lhaA-uqI_mBsxD_5bm14quLpHc6dEXZgVFGVd-HDo2Y-bJ2Mi/s1600/Dangerous.JPG" /></a> </div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
Once the driver has been unloaded, quickly move to the Setting tab and select Force System Reboot. Click Yes on the confirmation and wait for the system to reboot.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimBn196Bs9DZpkvUZ_n9P19AgO6C2k1nulokH4NFKqvggy14Hy3A6-U4Yt1VtUV5OH48aoAaBm25IFH_AapiJupbNYp9lRG_FaME2H4kPOx1fU2zEHVfi70k27xHNFCe_zgQMFOy5joViM/s1600/Reboot.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimBn196Bs9DZpkvUZ_n9P19AgO6C2k1nulokH4NFKqvggy14Hy3A6-U4Yt1VtUV5OH48aoAaBm25IFH_AapiJupbNYp9lRG_FaME2H4kPOx1fU2zEHVfi70k27xHNFCe_zgQMFOy5joViM/s320/Reboot.JPG" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
On successful reboot, you should see the Avenger results on the screen. If all went well, it will say that your file was successfully replaced. Now it is time to double-check with XueTr (TDSSKiller is also fine for this). Open XueTr back up and navigate to the Kernel tab, then Object Hijack.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYK3HRAtReXGMS8oR13RsMj61GaXwzA8RjcmBGk-MmEFIhNNTpRpmt23DafrwX36kmjoLcpjPTzwO453ctbsFEwLdc7KeSU1upmJmk2gfSdRnVSjG8lXDMCrKOgYLmJ6M5CnTOBhXqD27r/s1600/Completed.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYK3HRAtReXGMS8oR13RsMj61GaXwzA8RjcmBGk-MmEFIhNNTpRpmt23DafrwX36kmjoLcpjPTzwO453ctbsFEwLdc7KeSU1upmJmk2gfSdRnVSjG8lXDMCrKOgYLmJ6M5CnTOBhXqD27r/s320/Completed.JPG" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="MsoNormal">
If there are 0 objects, then the PC is clean.</div><br />
<br />
Posted by TeamRocketOps<br />
<br />
<b>SST Rootkit</b> (published 2012-01-18, updated 2012-04-28)<br />
<div class="MsoNormal">
Just wanted to share with you the steps to take to remove the SST rootkit. It is also known as Backboot.Gen by <a href="http://support.kaspersky.com/downloads/utils/tdsskiller.exe" target="_blank">TDSSKiller</a>. The best way to determine whether you have this rootkit is to download and run the latest TDSSKiller. If the program does not launch at all, you are likely dealing with an SST infection. Make sure that you are running at least Windows XP Service Pack 2 for TDSSKiller to work. If you have SP1, TDSSKiller will not launch and you need to update your service pack before using TDSSKiller. You can also check the partitions on the PC: if any of the system drive's partitions are FAT format, you may have the infection as well. Here are the steps you need to take to remove this rootkit:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
Open up <a href="http://www.xuetr.com/download/XueTr.zip" target="_blank">XueTr</a> and navigate to the Kernel Tab > Notify Routine. You will see this:</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbzRbOZYdxzOkJZ-xedlmtzLq9l3WF1yzjrhVt9IFJFHCb7c0YziupX7k-xFgk-nXCU_K9Q2NXWIfOg0OHFOB727TCALqIo53DM21BIQ6UMrY5vBMEsfXtWYIiRGOW0yjYbTs0xmZPvsg/s1600/SST+1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbzRbOZYdxzOkJZ-xedlmtzLq9l3WF1yzjrhVt9IFJFHCb7c0YziupX7k-xFgk-nXCU_K9Q2NXWIfOg0OHFOB727TCALqIo53DM21BIQ6UMrY5vBMEsfXtWYIiRGOW0yjYbTs0xmZPvsg/s320/SST+1.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<br /></div>
<div class="MsoListParagraph">
You will notice that 2 of the items show up in <span style="color: red;">red</span>. We need to remove both of the ones here that have the module "unknown image". Right-click on them and select Delete on CreateProcess like this:</div>
<div class="MsoListParagraph">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="MsoListParagraph">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX3U87YQfEmVzZGkUV2p8ilhnpbsdU5iAkokXeTI9EPpUjVGpgRooXt1HYLVbtyHC87urRgK6AeqK2PUIHh56IOX6xCFJ6WER_oPsHcpDoYUHQF5gg4knDxpZuYm8bLH-hrlt-51ocles/s1600/SST+2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX3U87YQfEmVzZGkUV2p8ilhnpbsdU5iAkokXeTI9EPpUjVGpgRooXt1HYLVbtyHC87urRgK6AeqK2PUIHh56IOX6xCFJ6WER_oPsHcpDoYUHQF5gg4knDxpZuYm8bLH-hrlt-51ocles/s320/SST+2.JPG" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
</div>
<div class="MsoListParagraph">
<br /></div>
Then again for LoadImage:<br />
<div class="MsoListParagraph">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="MsoListParagraph">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC8wdSTMeqIhMl8skHmF2kFgzBoNzpW_QoOL90DSeJEQjRppkAwZiEwsoFtQ4L7_Cx0IFwzAYiFHQvnjESkySLGLbCRt_EN5HCigSm1YgmHJ0wIU2OhtovyN13LiiaIFywC0Q2881yBcA/s1600/SST+3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC8wdSTMeqIhMl8skHmF2kFgzBoNzpW_QoOL90DSeJEQjRppkAwZiEwsoFtQ4L7_Cx0IFwzAYiFHQvnjESkySLGLbCRt_EN5HCigSm1YgmHJ0wIU2OhtovyN13LiiaIFywC0Q2881yBcA/s320/SST+3.JPG" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
</div>
<div class="MsoListParagraph">
<br /></div>
<div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
Open up TDSSKiller and make sure that it is the latest version. Once you scan, you should come up with “Rootkit.Boot.SST.x”. Cure the infection:<br />
<br />
Please note that you may see SST.b in TDSSKiller; all of the same steps apply to the "SST.b" variant. Also, it is <b><span style="color: red;">VERY IMPORTANT</span></b> that you do not cure any other infections at this point. If you have SST, you need to cure that but <b>skip all other infections</b> that TDSSKiller might find. If you find that you are infected with ZeroAccess as well, please refer to the ZeroAccess section of this blog for further instructions once you have cleared out SST. </div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT1zLyH7YA2vFqe86leMc0NCF1S_UYIrwP1-ZkxYNGC3s5exEIugQq3oMzSHMMHykESC7rnXlE8GMcY_coMrkJ2KhLh44nvf7eU8YOGKaLJbSOEupMKecyZvvW4KTeZ4ZE0VuQ6t8HSTs/s1600/Step+4+-+TDSSKiller.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT1zLyH7YA2vFqe86leMc0NCF1S_UYIrwP1-ZkxYNGC3s5exEIugQq3oMzSHMMHykESC7rnXlE8GMcY_coMrkJ2KhLh44nvf7eU8YOGKaLJbSOEupMKecyZvvW4KTeZ4ZE0VuQ6t8HSTs/s320/Step+4+-+TDSSKiller.JPG" width="320" /></a></div>
<div class="MsoNormal" style="margin-left: .25in;">
<br /></div>
<div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
You will be prompted to overwrite the MBR code because TDSSKiller is not able to “Cure” it. As long as the infected PC does <b>not</b> have a setup running a custom boot loader, select “Yes”. </div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2M3g11-ff0ag75HAQP9IRZpgwhmONTu6qsrj6-xWRiAEXYUdxY7hIExD8-d03UnhuP7EEwJAzn-fLLPAe_NAcHDuSb10N-8ks3yeAd-P-4vdlV7nUHfU7a1TJARl8Vy6tvo5SJNLHueM/s1600/Step+5+-+TDSSKiller.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2M3g11-ff0ag75HAQP9IRZpgwhmONTu6qsrj6-xWRiAEXYUdxY7hIExD8-d03UnhuP7EEwJAzn-fLLPAe_NAcHDuSb10N-8ks3yeAd-P-4vdlV7nUHfU7a1TJARl8Vy6tvo5SJNLHueM/s320/Step+5+-+TDSSKiller.JPG" width="320" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .25in;">
<br /></div>
<div class="MsoListParagraph" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
Reboot with TDSSKiller and you are all set. </div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYKHHEsJAIuMKkWqWBbY4OvnV3Kp72ZrBkxycXo9Qe8X6CyUboc8nfCKuKF57lviWf2wGQoM0RgqZf0iyZvVzKD3rC1M54qy8CjSkVQyTO9oX2Jx8cGKp-uDcF8yhD7-L9tf0LnAG8KBE/s1600/Step+6+-+TDSSKiller.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYKHHEsJAIuMKkWqWBbY4OvnV3Kp72ZrBkxycXo9Qe8X6CyUboc8nfCKuKF57lviWf2wGQoM0RgqZf0iyZvVzKD3rC1M54qy8CjSkVQyTO9oX2Jx8cGKp-uDcF8yhD7-L9tf0LnAG8KBE/s320/Step+6+-+TDSSKiller.JPG" width="320" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .25in;">
<br /></div>
Make sure to remove all other infections after removing SST. A good mbam full scan should do the trick. Email me if you have questions/comments. <br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt;"></span>TeamRocketOpshttp://www.blogger.com/profile/14506660507770272702noreply@blogger.com1tag:blogger.com,1999:blog-6880139155723664598.post-23502610676289440862012-01-18T12:52:00.000-08:002012-01-18T12:52:27.652-08:00Security Defender<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4TJwPG3wb8DWOo_-oWPfUlWTY2iM3BsrzPGrSWFPeFSz8ohA68FXaPZ1_c19onTj2xegSHWogJgZ1jZcvEA8FU-fXSxXQVuTthw1i4iSt8Cmkv7yOc7j4bVv-ewRoAPWY3IRMt7YFM50/s1600/Top+Banner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4TJwPG3wb8DWOo_-oWPfUlWTY2iM3BsrzPGrSWFPeFSz8ohA68FXaPZ1_c19onTj2xegSHWogJgZ1jZcvEA8FU-fXSxXQVuTthw1i4iSt8Cmkv7yOc7j4bVv-ewRoAPWY3IRMt7YFM50/s1600/Top+Banner.png" /></a></div>
<div align="center" class="separator" style="margin-bottom: .0001pt; margin: 0in; text-align: center;">
<span style="font-size: medium;"><br /></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
Security Defender runs a bit differently than normal rogues. It places its DLL files in different folders and launches them through rundll32.exe instead of using its own executable.
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidK7pRWGTWO_gy9Arg-84anDenlGl06GiyygtfvlK2DCUaxdewVuB2Zbblqjeouzh6woCmV7jLNf91F_joY2ev7IqV4CzedAauhlYWXaNnCxb8TZG36wDWJ0Emp0WJbouBEQF_hF8Tl-0/s1600/Security+Defender+1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidK7pRWGTWO_gy9Arg-84anDenlGl06GiyygtfvlK2DCUaxdewVuB2Zbblqjeouzh6woCmV7jLNf91F_joY2ev7IqV4CzedAauhlYWXaNnCxb8TZG36wDWJ0Emp0WJbouBEQF_hF8Tl-0/s320/Security+Defender+1.JPG" width="320" /></a></div>
<div align="center" class="separator" style="margin-bottom: 0.0001pt; margin-left: 0in; margin-right: 0in; margin-top: 0in; text-align: center;">
<span style="font-size: medium;"><br /></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
This rogue is contracted when the user is redirected to a website that runs a fake "malware scan". The scan always reports the user as "infected" and pops up a window offering to "remove" the infections. A file download follows and, if run, infects the user with Security Defender.
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTn8xS2BCqZLOm6KZL65BsGy3wH2i8yQUISBkgIEyTgvSKl-fm-zAzhsxoUrDyXEb8HXHlTftfj0Efz-H-bmFTPYzO16qxVwt7KPtD8WUDY3axn2jYWB8cZaLnTNMR-9lRvj77EPwyklA/s1600/Security+Defender+Website.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTn8xS2BCqZLOm6KZL65BsGy3wH2i8yQUISBkgIEyTgvSKl-fm-zAzhsxoUrDyXEb8HXHlTftfj0Efz-H-bmFTPYzO16qxVwt7KPtD8WUDY3axn2jYWB8cZaLnTNMR-9lRvj77EPwyklA/s320/Security+Defender+Website.JPG" width="320" /></a></div>
<div align="center" class="separator" style="margin-bottom: 0.0001pt; margin-left: 0in; margin-right: 0in; margin-top: 0in; text-align: center;">
<span style="font-size: medium;"><br /></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
The removal process is fairly simple: kill rundll32.exe and then use your favorite malware scanner (MalwareBytes' is mine).
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<br /><br /><b><u>Files </u></b><br /><br /> <span style="font-size: x-small;">C:\Windows\System32\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi <br />
C:\Windows\System32\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico <br />
C:\Documents and Settings\<User Name Here>\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi <br />
C:\Documents and Settings\<User Name Here>\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico <br />
C:\Documents and Settings\<User Name Here>\Application Data\Security Defender\{55134541-8195-4710-C5AD-EF3E5B78ED6C}.pst <br />
C:\Documents and Settings\<User Name Here>\Application Data\Security Defender\{DE4B19BB-A312-44B5-F8AF-B20C20C8DF0C}.pst <br />
C:\Documents and Settings\<User Name Here>\Local Settings\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi <br />
C:\Documents and Settings\<User Name Here>\Local Settings\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico <br />
C:\Documents and Settings\All Users\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi <br />
C:\Documents and Settings\All Users\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico <br />
C:\Program Files\Security Defender\Security Defender.dll <br />
C:\Program Files\Security Defender\Security Defender.ico <br />
C:\Documents and Settings\<User Name Here>\Desktop\Security Defender.lnk <br />
C:\Documents and Settings\<User Name Here>\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Defender.lnk <br />
C:\Documents and Settings\<User Name Here>\Start Menu\Programs\Startup\53D4813B-6A65-17DC-1AA7-DABF1A67D772.lnk <br />
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\53D4813B-6A65-17DC-1AA7-DABF1A67D772.lnk </span><br /><br /> <br /><br /><b><u>Notable Registry Keys </u></b><br /><br /> <span style="font-size: x-small;">[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run] <br /><br />@53D4813B-6A65-17DC-1AA7-DABF1A67D772 <br /><br /> [HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run] <br /><br />@53D4813B-6A65-17DC-1AA7-DABF1A67D772 </span><br /> <br /> VirusTotal: <br /><br /><a href="http://www.virustotal.com/file-scan/report.html?id=e2fb5ed4c9b3983e318d6638986adafe11209ae333e682814a1edc920fb2247a-1320738744">Security Defender.dll</a> VT: 2/42 (4.8%) <br /><br />TeamRocketOpshttp://www.blogger.com/profile/14506660507770272702noreply@blogger.com0tag:blogger.com,1999:blog-6880139155723664598.post-23695239737009323222012-01-18T12:40:00.000-08:002012-03-29T17:58:26.271-07:00System Check<br />
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXpeK5CSpQfhC26xJjcCAlqb4K0hG_Sq9dqhCEf1nHCbnVfQDXorOfXh_gB1CeODsU4klebMUZI8z1uHGpYjz7exp1awJR18DY2At48vgunjf25nkGSP37_Fk-maUy5_RfWCEhJzngHm8/s1600/First+Warning.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXpeK5CSpQfhC26xJjcCAlqb4K0hG_Sq9dqhCEf1nHCbnVfQDXorOfXh_gB1CeODsU4klebMUZI8z1uHGpYjz7exp1awJR18DY2At48vgunjf25nkGSP37_Fk-maUy5_RfWCEhJzngHm8/s1600/First+Warning.png" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="color: blue; font-family: 'Times New Roman', serif; font-size: medium;"><br /></span></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
I’m sure we have all been wondering where the fake HDD scanner malware has gone. Well, it’s back and a bit better than before. So let’s get started. First, let’s take a look at what the infection actually does to the system. There are 3 major changes that this rogue makes:
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuvzs1s3X-VP1rHms961aRidiSZx_Z41dIuzXZiC8vvf7WMuUeJyu5MJMFzA9OLxcyyber7Q77fCsIr5iCtJE1rC0D-iHeHXkEl9WS1R3V3vPNJi9axinfyBShmTTy99MTT9hjDGGorbY/s1600/Delayed+Write+Failed.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuvzs1s3X-VP1rHms961aRidiSZx_Z41dIuzXZiC8vvf7WMuUeJyu5MJMFzA9OLxcyyber7Q77fCsIr5iCtJE1rC0D-iHeHXkEl9WS1R3V3vPNJi9axinfyBShmTTy99MTT9hjDGGorbY/s1600/Delayed+Write+Failed.JPG" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="color: blue; font-family: 'Times New Roman', serif; font-size: medium;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<br />
<br />
1. It immediately disables Task Manager and registry tools when launched. <br />
2. It hides all files on the HDD, starting at the root directory. <br />
3. It moves certain shortcuts from the Start Menu, the desktop, and the Quick Launch folder into a temp folder. The path is %temp%\smtmp.
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs1QByy0xzZkKTUWgxuyDcAp-8bn7bz3u6eBdvcDuMx2OAaqeGNnWPKDBXY8SnoElR8dMQNGZcNTb2VdunwojA9X962Ah_IlGeE4pfTBcR8R-gWpBKa7F_RZlOdeiJWJX2C09MAd0wKO8/s1600/Master+Utilities+UnRegistered.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs1QByy0xzZkKTUWgxuyDcAp-8bn7bz3u6eBdvcDuMx2OAaqeGNnWPKDBXY8SnoElR8dMQNGZcNTb2VdunwojA9X962Ah_IlGeE4pfTBcR8R-gWpBKa7F_RZlOdeiJWJX2C09MAd0wKO8/s1600/Master+Utilities+UnRegistered.JPG" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="color: blue; font-family: 'Times New Roman', serif; font-size: medium;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
This one is easily removed with very little effort using an activation code courtesy of <a href="http://www.blogger.com/xylibox.blogspot.com">Xylitol</a>. The activation code is: 1203978628012489708290478989147. All you need to do is let the program complete its scan and then enter the activation code into the activation window along with whatever email address you choose. The email address does not have to be valid, and I highly recommend that you do not use any real email address in this activation window. I found that you do not necessarily need to go through the activation dialog box to activate it: when activated, the rogue creates a text file which it places on the desktop, and if you copy that file onto the desktop while the rogue is actively running it will activate itself. You can find the text at the bottom of this post.
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDyigKfVINjQMkk89HzWeQH4uE8VeNJ4UyJFZJ50-EgFkON_bNl1I_aJ5BUxmetZKdw13qbF_eDhgtihJx5nSwCofl5FHRkMmuQO6BjI1d4vdeOVa8U0u-MrXSc1BWj2ozUuLADdlcHYA/s1600/Activated+Screenshot.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDyigKfVINjQMkk89HzWeQH4uE8VeNJ4UyJFZJ50-EgFkON_bNl1I_aJ5BUxmetZKdw13qbF_eDhgtihJx5nSwCofl5FHRkMmuQO6BjI1d4vdeOVa8U0u-MrXSc1BWj2ozUuLADdlcHYA/s1600/Activated+Screenshot.JPG" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="color: blue; font-family: 'Times New Roman', serif; font-size: medium;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
Once activated, it is very easy to remove. The process can be killed from the system tray icon and then removed with your favorite anti-malware product (I prefer MalwareBytes’ Anti-Malware). Once the process is killed, you can take it a step further and use the uninstall icon found in the Start Menu to remove the desktop icon and executable if you’d like.
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs5bZMiaUcAUe0IMq9pH99msRsTVy7uj444DoHA7l7m2-JbOlobjWJSwky2M1JMgY0iufCDdmPYRmofBQAJyUcZKPYUNd8ZwZxu2fvdGEnlSlIO9eE6F0zaqYhX1txufo2C560zaE6euU/s1600/Master+Utilities+Uninstall.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs5bZMiaUcAUe0IMq9pH99msRsTVy7uj444DoHA7l7m2-JbOlobjWJSwky2M1JMgY0iufCDdmPYRmofBQAJyUcZKPYUNd8ZwZxu2fvdGEnlSlIO9eE6F0zaqYhX1txufo2C560zaE6euU/s1600/Master+Utilities+Uninstall.JPG" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="color: blue; font-family: 'Times New Roman', serif; font-size: medium;"><br /></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<br />
<br />
If you have already killed and deleted the process, and have not removed the temp files yet, don’t worry, there is still an easy way to get all of your stuff back. I wrote a small tool that will unhide all of the files that were hidden on the drive, and then move all of the shortcuts back to their original locations. It can be found here: <a href="http://dl.dropbox.com/u/17659346/Recover%20XP%20Vista%207.exe" target="_blank">Shortcut Recovery Tool</a> <br />
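As an added example (not the author's Shortcut Recovery Tool), the following PowerShell script undoes the three changes described above: it removes the per-user policy values that disable Task Manager and Registry Editor (the assumption here is that the rogue uses the standard DisableTaskMgr / DisableRegistryTools values, which the post does not state), clears the Hidden attribute from user files on the drive, and lists what was moved into %temp%\smtmp so the shortcuts can be put back by hand.

```powershell
# Added example, not the blog's tool. Run from an elevated PowerShell prompt
# after the rogue process has been killed; -WhatIf previews every change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Drive = 'C:\',
    # Folder named in the post as the rogue's holding area for shortcuts.
    [string]$StashDir = (Join-Path $env:TEMP 'smtmp')
)

# 1. Re-enable Task Manager and Registry Editor. Assumption: the rogue set the
#    well-known Explorer policy values; removing them restores the default.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $present = Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue
    if ($present -and $PSCmdlet.ShouldProcess("$policy\$name", 'Remove policy value')) {
        Remove-ItemProperty -Path $policy -Name $name
    }
}

# 2. Clear the Hidden attribute the rogue set on user files. Files that also
#    carry the System attribute are left alone so genuine OS files keep their state.
Get-ChildItem -Path $Drive -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
    } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden attribute')) {
            $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
        }
    }

# 3. Report what the rogue moved into %temp%\smtmp. The post does not document
#    how the subfolders map back to Start Menu / desktop / Quick Launch, so the
#    shortcuts are listed for a manual restore rather than moved blindly.
if (Test-Path -LiteralPath $StashDir) {
    Get-ChildItem -Path $StashDir -Recurse -Force |
        Select-Object FullName, LastWriteTime |
        Format-Table -AutoSize
} else {
    Write-Host "No $StashDir folder found; nothing to restore."
}
```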
<br />
<br />
<br />
More images:
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmIvX5CjG3o3tXylcDQtFM0xSU6USTDnGaF7xrGWlTmOZqJmQodNg8Fq4HGkofkNowQnkhHuOFOBLCq0c9CKhxmFBLxsmIEg18ocfsKmh3Yw4nfN3FBLBIjFj2O08NxERk8arcTdqzk-c/s1600/Activated+Scan.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmIvX5CjG3o3tXylcDQtFM0xSU6USTDnGaF7xrGWlTmOZqJmQodNg8Fq4HGkofkNowQnkhHuOFOBLCq0c9CKhxmFBLxsmIEg18ocfsKmh3Yw4nfN3FBLBIjFj2O08NxERk8arcTdqzk-c/s1600/Activated+Scan.JPG" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="color: blue; font-family: 'Times New Roman', serif; font-size: medium;"><br /></span></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDkGrDGCE9VzJIbSthE5PI1fSt-SeXz8NJ6lAPnQJAg6gN9PVXs8WgOschWX7E0mBBKf9vy-7Rubhd9lRCf2ScdPmHmgTMslWNREpmJNctxfbT5nJvuoo6vn7_roY3TCICnku9XTvQ6g4/s1600/Activated+Reboot.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDkGrDGCE9VzJIbSthE5PI1fSt-SeXz8NJ6lAPnQJAg6gN9PVXs8WgOschWX7E0mBBKf9vy-7Rubhd9lRCf2ScdPmHmgTMslWNREpmJNctxfbT5nJvuoo6vn7_roY3TCICnku9XTvQ6g4/s1600/Activated+Reboot.JPG" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<span style="color: blue; font-family: 'Times New Roman', serif; font-size: medium;"><br /></span></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
Here is a copy of the text file created by the rogue during activation. All you need to do is paste the below text into notepad and save it as "System Check License.txt" (without the quotes) onto your desktop, wait for your icons to be displayed again, and then reboot and move on with removal. :)
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<blockquote class="tr_bq">
<span style="font-size: x-small;"><span style="font-family: 'Times New Roman', serif;">Thank you for purchase, System
Check!</span><br /><span style="font-family: 'Times New Roman', serif;">Your activation code:
1203978628012489708290478989147</span><br /><span style="font-family: 'Times New Roman', serif;">Please use this download
link to install Master Utilities if your software copy has been removed or
lost. http://yourlicenseactivate.com/license/download/master.exe</span><br /><span style="font-family: 'Times New Roman', serif;">Contact us through Help&Support section in
the Master Utilities menu or by phone +1.877.2357459</span></span></blockquote>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<br />
<br />
VirusTotal: <a href="http://www.virustotal.com/file-scan/report.html?id=46c6d88a45847cfe6c228d3f424e5bd9fafcd86cf22bb57026abfbe0c6d607bb-1318740992">System Check</a> <br />
<br />
<br />
15/43 (34.9%) <br />
<br />
MD5: fd58ad7cc72e9286a618f127fa241946
<br />
<div class="MsoNormal">
<br /></div>TeamRocketOpshttp://www.blogger.com/profile/14506660507770272702noreply@blogger.com1tag:blogger.com,1999:blog-6880139155723664598.post-1636252164550773202012-01-18T12:23:00.000-08:002012-01-18T12:23:46.214-08:00Internet Security Guard<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKrXFAIgqYu4OFhrt12xYt1aqaW_g-Ui7IKuq857yd8FEzsD3LLb3NbB5IS-vfA2-dvAFq0Zyb1KGu4b1HWW6fP1tFuQJpAy0QFEitHwx890HTpPEPM4wT43Td1GIunaFvmy0ASmr5D2Y/s1600/Main2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKrXFAIgqYu4OFhrt12xYt1aqaW_g-Ui7IKuq857yd8FEzsD3LLb3NbB5IS-vfA2-dvAFq0Zyb1KGu4b1HWW6fP1tFuQJpAy0QFEitHwx890HTpPEPM4wT43Td1GIunaFvmy0ASmr5D2Y/s320/Main2.JPG" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
</div>
<div class="MsoNormal">
To help get connected remotely and to help remove this rogue
enter this key (thanks to <a href="http://siri-urz.blogspot.com/">S!ri</a>):</div>
<div class="MsoNormal">
<b><span style="color: red;">U2FD-S2LA-H4KA-UEPB</span></b></div>
<div class="MsoNormal">
<span style="color: red; font-family: 'Trebuchet MS', sans-serif; font-size: x-small;"><span style="line-height: 14px;"><b><br /></b></span></span></div>
<div class="MsoNormal">
<b><u><br /></u></b></div>
<div class="MsoNormal">
<b><u>Manual Instructions</u></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Another fake MSE...
Internet Security Guard this time. This one is fairly straightforward
to remove. It disables Task Manager using an <a href="http://blogs.msdn.com/b/greggm/archive/2005/02/21/377663.aspx">image file execution option</a>. Because that option is keyed to the executable's file name, we can get around it by renaming taskmgr to something
that Windows needs running to operate, such as "winlogon.exe". The
following command from the Run box should suffice:</div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
<b>cmd /k copy
"C:\windows\system32\taskmgr.exe"
"%userprofile%\desktop\winlogon.exe" </b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
This will copy the task manager to the desktop and rename it
to "winlogon.exe" which will allow it to run. Now kill the process.
Run your favorite malware scanner (MalwareBytes' is mine) and you are all set. </div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7yS07Yn28_-WwfuASryNEJKXznMyBmYdXmyOCMPwHbrXopf0waLp9WNwHizPwrByStObg-jCRZ4nIrV_gAm2-2iMR9EYHU_VlqrEUbVscRMZucCfPF5zxO3SXI3PLEriBqEKHJoNkUYc/s1600/Kill+Process.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7yS07Yn28_-WwfuASryNEJKXznMyBmYdXmyOCMPwHbrXopf0waLp9WNwHizPwrByStObg-jCRZ4nIrV_gAm2-2iMR9EYHU_VlqrEUbVscRMZucCfPF5zxO3SXI3PLEriBqEKHJoNkUYc/s320/Kill+Process.JPG" width="320" /></a></div>
<div class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj__YrBiz_ryEQPuvxy1-wKqrrdHuHcR-gwlFKDb-4yTvii71aAcoE-6JDFqT3AqkZJlbPCG8ecU-7r93MWoahyphenhyphenVjJfqp2iXpUUSUYQ1HG6_eT2ex_3FqzikZ8SJKtUIJI7WhKhLgLpeg/s1600/Main.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj__YrBiz_ryEQPuvxy1-wKqrrdHuHcR-gwlFKDb-4yTvii71aAcoE-6JDFqT3AqkZJlbPCG8ecU-7r93MWoahyphenhyphenVjJfqp2iXpUUSUYQ1HG6_eT2ex_3FqzikZ8SJKtUIJI7WhKhLgLpeg/s320/Main.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAaaZCp-N6IKe_WhR9DPVc1TWQO5dSm9HWZVR0I338Q3LKyC26ViUV_empgI9c34WACc0XBix01bLVMhA5ms9ftL2SbD0sjv6BeZmwfFt42AOVawfq8YymI_yKrnTDnw50rjO2oyEIz8w/s1600/Secondary.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAaaZCp-N6IKe_WhR9DPVc1TWQO5dSm9HWZVR0I338Q3LKyC26ViUV_empgI9c34WACc0XBix01bLVMhA5ms9ftL2SbD0sjv6BeZmwfFt42AOVawfq8YymI_yKrnTDnw50rjO2oyEIz8w/s320/Secondary.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjWDMi_3OLNVFuxq-rnLOyYEZsCat3ZSbV8LmlSnep5K23dCx6nvLaWhouaZtC-zQ6qEQeR7kNzy_gDNa-inn6B1GMPz7naWwDUg6qwhU2D-VzwTsJu3nkvUBhhmJjzlFPHSNPtQSrhXY/s1600/Buy+Now.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjWDMi_3OLNVFuxq-rnLOyYEZsCat3ZSbV8LmlSnep5K23dCx6nvLaWhouaZtC-zQ6qEQeR7kNzy_gDNa-inn6B1GMPz7naWwDUg6qwhU2D-VzwTsJu3nkvUBhhmJjzlFPHSNPtQSrhXY/s320/Buy+Now.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="MsoNormal">
<b><u>Files Created<o:p></o:p></u></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: x-small;">C:\Documents and Settings\All Users\Application
Data\<random>\<random>.exe </span></div>
<div class="MsoNormal">
<span style="font-size: x-small;">C:\Documents and Settings\Administrator\Desktop\Internet
Security Guard.lnk </span></div>
<div class="MsoNormal">
<span style="font-size: x-small;">C:\Documents and Settings\Administrator\Application
Data\Microsoft\Internet Explorer\Quick Launch\Internet Security Guard.lnk </span></div>
<div class="MsoNormal">
<span style="font-size: x-small;">C:\Documents and Settings\Administrator\Start
Menu\Programs\Internet Security Guard.lnk </span></div>
<div class="MsoNormal">
<span style="font-size: x-small;">C:\Documents and
Settings\Administrator\Start Menu\Internet Security Guard.lnk </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><u>Notable Registry
Keys Infected<o:p></o:p></u></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: x-small;">HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Internet
Security Guard</span></div>
<div class="MsoNormal">
<span style="font-size: x-small;">HKCR\SOFTWARE\Microsoft\Internet Explorer\SearchScopes | URL
(Hijack.SearchPage) -> </span></div>
<div class="MsoNormal">
<span style="font-size: x-small;">Bad: (hxxp://findgala.com/?&uid=8027&q={searchTerms})</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
There are 760 more keys made and 30 more values infected but
they are all image file execution options or policies to disable either real AV
or other fake AV so I will not be listing all of them here. :)</div>
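The image file execution option trick above works by placing a Debugger value under the target program's IFEO subkey, so the quickest check for this family of changes is to list every IFEO subkey that carries one. The script below is an added example, not from the post; on a clean machine the list is normally empty, and a developer tool can legitimately set such a value, so review the output before using -Remove.

```powershell
# Added example: audit (and optionally remove) IFEO Debugger redirections.
# Run elevated; -Remove -WhatIf shows what would be deleted without touching anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    # Each subkey is named after an image (e.g. taskmgr.exe). Only subkeys with a
    # Debugger value change what runs; the many GlobalFlag-style entries are ignored.
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue
        if ($props -and $props.Debugger) {
            [pscustomobject]@{
                Image    = $_.PSChildName   # program the user thinks they are launching
                Debugger = $props.Debugger  # what Windows actually starts instead
                Key      = $_.PSPath
            }
        }
    }
}

$hits = @(Get-IfeoDebugger)
if ($hits.Count -eq 0) {
    Write-Host 'No Debugger values found under Image File Execution Options.'
    return
}
$hits | Select-Object Image, Debugger | Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        if ($PSCmdlet.ShouldProcess("$($h.Image) -> $($h.Debugger)", 'Remove IFEO Debugger value')) {
            Remove-ItemProperty -Path $h.Key -Name Debugger
        }
    }
}
```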
<br />
<div class="MsoNormal" style="text-align: center;">
<br /></div>TeamRocketOpshttp://www.blogger.com/profile/14506660507770272702noreply@blogger.com0tag:blogger.com,1999:blog-6880139155723664598.post-80830289942890941192012-01-15T20:18:00.000-08:002012-01-15T20:18:43.203-08:00Multi-Rogue 2012<br />
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="font-size: 16.0pt; line-height: 115%;"><br /></span></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDKhQgZJz3Il55TAUjZYvT9shmhj_Ob4q-Z3qPyBKIc5yV1DihbAu47QeXOJqr9FpGUy7pMUBPU8BW3YUXmZw_cAHgE2gn40VjiQ7hjEuthT9v4lkSxc8hQAWcSEWDlFMaOkj7G5ArJv8/s1600/New+2012.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="229" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDKhQgZJz3Il55TAUjZYvT9shmhj_Ob4q-Z3qPyBKIc5yV1DihbAu47QeXOJqr9FpGUy7pMUBPU8BW3YUXmZw_cAHgE2gn40VjiQ7hjEuthT9v4lkSxc8hQAWcSEWDlFMaOkj7G5ArJv8/s320/New+2012.JPG" width="320" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="font-size: 12.0pt; line-height: 115%;"><br /></span></div>
Thanks to <a href="http://xylibox.blogspot.com/">Xylitol</a>, here are a few registration keys that you can try to help get remote connection and removal before following the steps below:<br /><div class="MsoNormal" style="text-align: left;">
<span style="font-size: 12.0pt; line-height: 115%;"><br /></span></div>
<div class="MsoNormal" style="text-align: left;">
<b style="color: red;">3425-814615-3990</b>
<span style="font-size: 12.0pt; line-height: 115%;"><br /></span></div>
<div class="MsoNormal" style="text-align: left;">
<b><span style="color: red;">9443-077673-5028</span></b>
<b style="color: red;"><br /></b></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="font-size: 12.0pt; line-height: 115%;"><br /></span></div>
I have seen a few of these rogues that have not been accepting the registration keys lately. Today I would like to go over with you the method that I use to connect remotely when the registration key does not work properly.
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGhVJj5KtjaVQFEaEG-Feda5v3vZQndh99UTIODJ2ZT1e6muTKGVGYEp0PQPu1YZ_WRt8rl6jhnsRehqVhgV36QzMxLOxdV8fzhsofkzSfCfPDpxu3LvxOPNXVOw-rF8ocOG2CxtDH7SI/s1600/2012+Invlaid+Key.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGhVJj5KtjaVQFEaEG-Feda5v3vZQndh99UTIODJ2ZT1e6muTKGVGYEp0PQPu1YZ_WRt8rl6jhnsRehqVhgV36QzMxLOxdV8fzhsofkzSfCfPDpxu3LvxOPNXVOw-rF8ocOG2CxtDH7SI/s320/2012+Invlaid+Key.JPG" width="320" /></a></div>
<div class="MsoNormal">
<br /></div>
The first thing that we need to do is get the task manager open. To do this, you will need to use the key combination: <strong>ctrl + shift + esc</strong> – this will bypass the rogue’s process killing mechanism.
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGhbxw_8968ZpopXQIbBUMpiskEkWWIiM3AjkfE4TqWX1atLg4D2dXU28vwq1vmaENHqxqcWGM7m9DZSvAeGg_35zuYGnvn4lEJ1ppht_kUFPOmCErCWIiaHae7LzooFxg3pB4-TVCJzY/s1600/Ctrl+TaskMgr.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGhbxw_8968ZpopXQIbBUMpiskEkWWIiM3AjkfE4TqWX1atLg4D2dXU28vwq1vmaENHqxqcWGM7m9DZSvAeGg_35zuYGnvn4lEJ1ppht_kUFPOmCErCWIiaHae7LzooFxg3pB4-TVCJzY/s320/Ctrl+TaskMgr.JPG" width="282" /></a></div>
<strong>Hold down Ctrl and click “New Task”</strong> – This will open a command prompt window for you. Launch regedit.exe from the command prompt window.
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh3mDu8X0HNkE6VxNWfUEJJ_2nCp8WGwaRYS3uEaGt8cgSIa3cXpt6fvHacIJCzDaSepUgLLbZBiWgfRzu4_qP6RDoHl1g-E7UZPeZR_pY7WQ-YrajLGXl3fyk-7Gg_M2Bwsbyay0RM-o/s1600/RegEdit+CMD.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh3mDu8X0HNkE6VxNWfUEJJ_2nCp8WGwaRYS3uEaGt8cgSIa3cXpt6fvHacIJCzDaSepUgLLbZBiWgfRzu4_qP6RDoHl1g-E7UZPeZR_pY7WQ-YrajLGXl3fyk-7Gg_M2Bwsbyay0RM-o/s400/RegEdit+CMD.JPG" width="400" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
Remove the .exe file association that is created by the rogue. It can be found at <strong>HKEY_CURRENT_USER\Software\Classes\.exe</strong>. This per-user association exists only for the rogue’s own use, so just delete the key.<div class="MsoNormal">
<span style="font-size: 12.0pt; line-height: 115%;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ7ghCvFD9scHSB9ipiTC7RogWPn6ElAaN0Cz2CzPv0UX4Hoh2__8v-lahtPgSjWcPXhnAFzxWPm09FA13LP3e92r0tcJESBImWvKd1uGfxMOaoNh9du15qH-ZqJS4ueRZUtDOLExLuaU/s1600/File+Associations.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ7ghCvFD9scHSB9ipiTC7RogWPn6ElAaN0Cz2CzPv0UX4Hoh2__8v-lahtPgSjWcPXhnAFzxWPm09FA13LP3e92r0tcJESBImWvKd1uGfxMOaoNh9du15qH-ZqJS4ueRZUtDOLExLuaU/s320/File+Associations.JPG" width="320" /></a></div>
<div class="MsoNormal" style="text-align: center;">
<span style="font-size: 12.0pt; line-height: 115%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 12.0pt; line-height: 115%;"><br /></span></div>
Once the file association has been removed, the rogue no longer launches when you open normal applications, so it is safe to kill its process now. I like to have the customer kill the process from the “Applications” tab, as shown below.
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL-palAjOvnCpSjhjCfvorTvgyaUoox7YFbzrGhfX4BeJB83EDdvuDblwE85abhyphenhypheneyLiPVKd4HSX6UlpHEfCHrhl4frDnxhKcZ51c0bMvl_F5FuIrON2hyjyIOZ4kgXl3g59YK5tezW5I/s1600/Kill+Process.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL-palAjOvnCpSjhjCfvorTvgyaUoox7YFbzrGhfX4BeJB83EDdvuDblwE85abhyphenhypheneyLiPVKd4HSX6UlpHEfCHrhl4frDnxhKcZ51c0bMvl_F5FuIrON2hyjyIOZ4kgXl3g59YK5tezW5I/s320/Kill+Process.JPG" width="284" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
At this point you can get your remote session up. Note that the rogue has also hijacked the command behind the default browser's start-menu shortcut (the IEXPLORE.EXE key listed under Advanced Information below), so launching the browser from the start menu may still start the rogue; keep that in mind. From here, I recommend checking for rootkit infections with <a href="http://support.kaspersky.com/downloads/utils/tdsskiller.exe">TDSSKiller</a>.<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUVRF5_fgrhzvNyeRINzM25f-a_bjJvYfSDxYTfBjdNBKtqLN9NGKU-Mtb_BA2PPZ1AdEBm6iQ8WNb2CitvJKgVVgiiiIl1hu7jzT1uXOkpvNQrW3-rZ4HgBuvKrPUc9bHVCZFGncynDg/s1600/tdsskillerpng.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUVRF5_fgrhzvNyeRINzM25f-a_bjJvYfSDxYTfBjdNBKtqLN9NGKU-Mtb_BA2PPZ1AdEBm6iQ8WNb2CitvJKgVVgiiiIl1hu7jzT1uXOkpvNQrW3-rZ4HgBuvKrPUc9bHVCZFGncynDg/s320/tdsskillerpng.png" width="320" /></a></div>
<div class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
If any infections are found in TDSSKiller, please follow the instructions and reboot when asked. I will go over removal methods of the rootkits commonly associated with this infection in other posts. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The last step is to use your favorite malware scanner to make sure all traces have been removed. <a href="http://malwarebytes.org/">MalwareBytes' Anti-Malware</a> is my favorite. Make sure that you run a full scan so that items are removed from all user accounts and from System Restore as well. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Some of these infections come bundled with a file-infecting worm called <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fParite.B">Parite</a>. If it is present, it will show up in the log file of the MalwareBytes' scan you just ran. It can be removed with the <a href="http://www.softpedia.com/get/Antivirus/Parite-Removal-Tool.shtml">BitDefender Parite Removal Tool</a>.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi09udLHNSJEwBAor4Em74hSobTQ9o9TRWBxxjNcI3TlSUXWf8Dy1DPxXNZbq-j2LXVnIb2gSmLe8KdWSNVy4BywLpj3SmNhNVbz-1ZRhij94IfF0zaG0pNnBzANx2r9OH92xPqElpkKIw/s1600/Parite-Removal-Tool_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi09udLHNSJEwBAor4Em74hSobTQ9o9TRWBxxjNcI3TlSUXWf8Dy1DPxXNZbq-j2LXVnIb2gSmLe8KdWSNVy4BywLpj3SmNhNVbz-1ZRhij94IfF0zaG0pNnBzANx2r9OH92xPqElpkKIw/s320/Parite-Removal-Tool_1.png" width="320" /></a></div>
<div class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Finally, do yourself a favor and create a restore point ;)</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="text-align: center;">
<strong><span style="font-size: large;"><u>Advanced Information</u></span></strong></div>
<div class="MsoNormal" style="text-align: center;">
<strong><span style="font-size: large;"><u><br /></u></span></strong></div>
<div class="MsoNormal" style="text-align: left;">
<strong><u>Registry Keys Modified</u></strong><strong><span style="font-size: large;"><u><br /></u></span></strong></div>
<div class="MsoNormal" style="text-align: left;">
<strong><u><br /></u></strong></div>
<span style="font-size: x-small;">HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command</span><br />
<span style="font-size: x-small;">HKEY_CURRENT_USER\Software\Classes\.exe</span><br />
<span style="font-size: x-small;">HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</span><br />
<span style="font-size: x-small;"><br /></span><br />
<strong><u>Files Modified</u></strong><br />
<strong><u><br /></u></strong><br />
<span style="font-size: x-small;">%CommonAppData%\&lt;random characters&gt;<br />
%LocalAppData%\&lt;random characters&gt;<br />
%LocalAppData%\&lt;random 3 chars&gt;.exe<br />
%Temp%\&lt;random characters&gt;<br />
%UserProfile%\Templates\&lt;random characters&gt;
</span>
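<div class="MsoNormal">
The registry and file locations listed above can be checked in one pass. The PowerShell script below is an added example written for this post, not a tool from the original author: it reports the per-user .exe association, the start-menu browser command, HKCU Run entries that point into the listed drop folders, and short random-named .exe files sitting directly in %LocalAppData%. Nothing is deleted unless <strong>-Remediate</strong> is passed, and even then it only removes the .exe association key and matching Run entries, which is what the removal steps above describe; the IEXPLORE.EXE command is reported only, since its correct value depends on the installed browser. The <strong>Add-Finding</strong> helper, the use of the known-folder APIs to resolve %CommonAppData%, %LocalAppData%, %Temp% and the Templates folder, and the three-character file-name heuristic are my assumptions, chosen to match the "Files Modified" list rather than taken from the post.
</div>

```powershell
<#
  Added triage script for the rogue described in this post (example code, not the post's own).
  Checks the "Registry Keys Modified" and "Files Modified" locations and reports findings.
  Deletes nothing unless -Remediate is given; then removes only HKCU\Software\Classes\.exe
  and Run entries pointing into the drop folders. Run elevated, in the affected user's session.
  Written for PowerShell 2.0 compatibility (New-Object PSObject instead of [pscustomobject]).
#>
[CmdletBinding()]
param([switch]$Remediate)

$findings = @()
function Add-Finding($type, $location, $value) {
    # Assumed helper: collects one indicator for the summary table at the end.
    $script:findings += New-Object PSObject -Property @{ Type = $type; Location = $location; Value = $value }
}

# 1. Per-user .exe association. A clean profile has no HKCU\Software\Classes\.exe key at all.
$exeKey = 'HKCU:\Software\Classes\.exe'
if (Test-Path -Path $exeKey) {
    $progId = [string](Get-Item -Path $exeKey).GetValue('')
    Add-Finding 'ExeAssociation' $exeKey $progId
    # The launch command may sit under the ProgId it points to, or directly under .exe.
    $handlerKeys = @("$exeKey\shell\open\command")
    if ($progId) { $handlerKeys += "HKCU:\Software\Classes\$progId\shell\open\command" }
    foreach ($hk in $handlerKeys) {
        if (Test-Path -Path $hk) { Add-Finding 'ExeHandler' $hk ([string](Get-Item -Path $hk).GetValue('')) }
    }
    if ($Remediate) { Remove-Item -Path $exeKey -Recurse -Force }
}

# 2. Start-menu browser shortcut. Legitimately this command points at iexplore.exe.
$ieKey = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
if (Test-Path -Path $ieKey) {
    $ieCmd = [string](Get-Item -Path $ieKey).GetValue('')
    if ($ieCmd -notmatch 'iexplore\.exe') { Add-Finding 'BrowserShortcut' $ieKey $ieCmd }
}

# 3. HKCU Run entries whose command points into one of the drop folders from "Files Modified".
$dropDirs = @(
    [Environment]::GetFolderPath('CommonApplicationData'),   # %CommonAppData%
    [Environment]::GetFolderPath('LocalApplicationData'),    # %LocalAppData%
    [IO.Path]::GetTempPath().TrimEnd('\'),                   # %Temp%
    [Environment]::GetFolderPath('Templates')                # %UserProfile%\Templates
)
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runItem = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($runItem) {
    foreach ($name in $runItem.GetValueNames()) {
        $cmd = [string]$runItem.GetValue($name)
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        foreach ($dir in $dropDirs) {
            if ($dir -and $expanded.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                Add-Finding 'RunEntry' "$runKey\$name" $cmd
                if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $name -Force }
                break
            }
        }
    }
}

# 4. Short random-named .exe dropped directly into %LocalAppData% (the "<random 3 chars>.exe" entry).
#    The three-character pattern is an assumption based on that list entry.
$localApp = [Environment]::GetFolderPath('LocalApplicationData')
foreach ($f in @(Get-ChildItem -Path $localApp -Filter '*.exe' -ErrorAction SilentlyContinue)) {
    if ($f -and -not $f.PSIsContainer -and $f.BaseName -match '^[A-Za-z0-9]{3}$') {
        Add-Finding 'DroppedExe' $f.FullName $f.Length
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No indicators from the post were found.'
} else {
    $findings | Select-Object Type, Location, Value | Format-Table -AutoSize
}
```

<div class="MsoNormal">
Run it once without switches to see what is present, save the output with the MalwareBytes log, and only then rerun with <strong>-Remediate</strong>. The script is deliberately conservative: a Run entry is flagged only when its expanded command actually points into one of the listed folders, and the browser shortcut is left for you to fix by hand after you have confirmed which browser it should launch.
</div>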