Malware Analyzing And Removing (d2jsp Forums, User Blogs)
Member
Posts: 6,192
Joined: Dec 13 2010
Gold: 6,669.99
Dec 5 2011 07:25pm
Malware name: Trojan Winlock Win32 Blocker
Detection rate: 21/44
Detected by Malwarebytes: Yes
Difficulty of removal once installed: (rating bar not reproduced)


Introduction:

This type of trojan is called ransomware since it forces the user to pay an amount of money for a code to remove the program from the computer.
The program itself blocks your screen completely and prevents you from doing anything with your computer.
All shortcut keys are disabled (ctrl+alt+del, winkey, alt+f4... etc) so you cannot remove it this way.
The screen is set as always on top so you can't see your desktop or open any programs.
It kills all other running processes while executed.
Most of the time, even if you pay for the removal, they won't give you the code to remove it. Giving your credit card number to them is the last thing you want to do.
This trojan is usually installed on your computer by downloading "fake porn".
There aren't many English versions of this trojan; most of them are Russian/German and they will mostly infect those users.


Symptoms:

Computer restarting after execution of the malware.
Program blocking your screen asking you for money.


Files deleted:

C:\Windows\Explorer.exe
C:\Windows\System32\Dllcache\Explorer.exe


Files created:

C:\Windows\Explorer.exe
C:\Windows\System32\Dllcache\Explorer.exe
As you can see, it replaces the real explorer.exe with the ransomware.


Registry keys created:

None, although HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell will automatically run the infected explorer.exe


Removal:

I've had a very difficult time trying to figure out a way to remove this ransomware, but I finally found one.

First, we will need to boot up our computer in safemode WITH command prompt. This will prevent the infected explorer.exe from running.
To do this, restart your computer and before the windows splash screen appears, press F8.
This will open a black screen with a few options, use the arrow keys to navigate to Safemode with command prompt then press enter.

Once you've done this, only command prompt will open.
Type in "Del c:\windows\explorer.exe" without the quotes and press enter.
Then type "Del c:\windows\system32\dllcache\explorer.exe" without the quotes.
Note that these aren't the real explorer.exe, the real ones were already deleted by the trojan.


Now we will need to recover the deleted explorer.exe. To do this, we will need either access to another computer with the same version of Windows or your Windows CD.

With the Windows CD, place it in the CD drive and open command prompt.
Note that this will not work in safemode, therefore we will need to restart the computer normally.
After restarting the computer normally, press ctrl+alt+del to open task manager, then click on New Task... and type in "cmd" without the quotes and press enter.
This will open the command prompt.
Simply type in "sfc /scannow" without the quotes and press enter.
This will scan your Windows folder for any files that have been deleted and will replace them with the files on your Windows CD.

Another method is to copy C:\Windows\explorer.exe from another computer onto a USB or a CD and to paste it on the computer with the file missing.
To paste it into the windows folder, open task manager (ctrl+alt+del) and click on New task... and type in Iexplore.exe.
Then in the URL bar, you can type in c:\windows and you'll be able to paste explorer.exe this way.


Tips:

This trojan starts in safemode and it will block your screen so you won't be able to do anything. But I've found out that it doesn't execute while in safemode with command prompt.

Other variations will put a startup key in the registry editor in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If this is the case, start your computer in safemode with command prompt, type in Regedit then navigate yourself to that key and delete it.
You will also need to delete the file associated with that startup key, the location should be in the ValueData of the startup key. Use explorer.exe to navigate there and delete it.

If your Anti-virus or Anti-malware detects explorer.exe as this trojan, make sure to let it delete it then recover the file with the methods mentioned above.
Dec 15 2011 06:27pm
Malware name: Backdoor Cycbot
Newest version detection rate: 8/43
Detected by Malwarebytes: No
Difficulty of removal once installed: (rating bar not reproduced)


Introduction:

This malware allows the attacker to control the infected computer by connecting to a specific remote server.
He can also download more malware on your computer, usually fake anti-virus software.
Backdoor Cycbot is usually installed on your computer by drive-by-downloads.


Symptoms:

Google redirects to malicious sites.
Sites not loading or taking a long time to load.


Files created:

C:\Documents and Settings\Administrator\Application Data\4055A\DDFDE.exe
C:\Documents and Settings\Administrator\Application Data\4055A\A66A.055
C:\Program Files\5A66A\lvvm.exe
C:\Program Files\LP\DE24\F0.exe
C:\Program Files\LP\DE24\F1.tmp
C:\Program Files\LP\DE24\EF.exe
C:\Program Files\LP\DE24\C29.exe


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Value = explorer.exe,C:\Documents and Settings\Administrator\Application Data\4055A\DDFDE.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\C29.exe
Value = C:\Program Files\LP\DE24\C29.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
Value = http=127.0.0.1:XXXXX (XXXXX = Port number, it can vary)


Removal:

Note that this malware causes google redirects and it's better not to use google until you've removed this infection.

The removal is quite simple if you follow these steps.
First, we will need to download Malwarebytes Anti-Malware located here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Install the program and do the full scan.
When it's done scanning and if it detected something, click on Remove selected.

Now, from what I've experienced, Malwarebytes doesn't remove all of the files and I haven't found a program that does so.
Because of this, we'll have to remove it manually.

Open task manager (ctrl+alt+delete) and click on the process tab.
End task to DDFDE.exe, C29.exe (name may vary) and lvvm.exe

Next, open My computer and go to C:\Documents and Settings\Administrator\Application Data\4055A\ or %appdata%\4055A
Delete both files DDFDE.exe, A66A.055 and the folder.
Then go in C:\Program Files\5A66A\ and delete all of the files and the folder itself.
Do the same for C:\Program Files\LP\DE24\.

After deleting the files, we will need to delete the registry keys created.
Click on Start - Run and type "regedit" without the quotes.
Locate HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and delete Shell on the right side by rightclicking it.
Then locate HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete C29.exe on the right side.

To remove the google redirects, we will need to delete this registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
Locate it in regedit and delete it.
After this, you will need to access your browser and click on
For Firefox: Tools - Options - Advanced - Connection - Settings and check Auto-detect proxy settings for this network
For Internet explorer: Tools - Internet Options - Connections - LAN Settings - Uncheck Use a proxy server for your LAN and check Automatically detect settings.
I haven't tried it for other browsers, although it's the same method as the other two.


Tips:

As I previously said, this malware tends to download more malware on your computer so it's always good to do a full anti-virus and anti-malware scan of your computer to make sure nothing else has been installed.

All the files aren't set as hidden so you won't need to go in the folder options and check the option View all hidden files and folders.
Dec 22 2011 01:37pm
Malware name: Trojan-Dropper.W32.Mudrop.siz (Kaspersky) Trojan:Win32/Sirefef.J (Microsoft)
Newest version detection rate: 1/44
Detected by Malwarebytes: No
Difficulty of removal once installed: (rating bar not reproduced)



Introduction:

This malware downloads various other viruses/rootkits/rogues which makes the removal that much harder.
It can install both the zeroaccess rootkit (Sirefef) and the TDL4 rootkit (TDSS).
Those rootkits can then install other malware like rogue anti-viruses.
Because of the low detection rate, many people have been getting this trojan on their computer by the blackhole exploit kit or other exploits.


Symptoms:

Constant pop-ups to malicious sites or just random sites when browsing.
Google search redirects
Other malware being downloaded on your computer.
Iexplorer.exe's process keeps opening and closing


Files created:

C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\X
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\@
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\Loader.tlb
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\U\000000c0.@
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\U\000000cb.@
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\U\000000cf.@
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\U\00000001.@
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\U\80000000.@
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\U\800000cb.@
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\U\800000cf.@
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\U\800000c0.@
C:\Windows\Assembly\GAC_MSIL\Desktop.ini


Process created:

C:\Windows\System32\Svchost.exe (used for executing .job files and connects to multiple TCP/IP)
C:\Program Files\Internet Explorer\iexplore.exe (backdoor) can create more than one.


Files modified

C:\Windows\System32\Drivers\Serial.sys (file may vary but it's usually a driver picked at random)
This driver has been modified by zeroaccess rootkit which is installed a few minutes after having this malware.

It also modifies the called modules when your computer boots up. (zeroaccess)
(It calls ntkrnlpa.exe CLASSPNP.SYS and disk.sys)


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
{C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\X}


Services created:

Name: Serial (file/name can vary) Unsigned file (zeroaccess)


Removal:

The removal for this malware is quite hard, so make sure to follow these steps carefully.

First, we will need to boot our computer in safemode.
To do this, restart your computer and before the windows splash screen appears, press F8. (or just spam F8 when your computer boots)
This will open a black screen with a few options, use the arrow keys to navigate to Safemode then press enter.

After this, click on start and open the Control Panel and then open Folder Options
Click on the View tab and select Show hidden files and folder and uncheck Hide protected operating system files.

Then, open my computer and locate the following folder:
C:\Documents and Settings\Administrator\Local Settings\Application Data\a095bb36\
Delete everything in the folder and the folder itself.
If an error message comes up saying one of the files is in use, try deleting every other file then restart your computer in safemode and try deleting it again.

Now, we will need to delete the startup registry key.
Click on start - run and type "regedit" without the quotes.
Locate yourself to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Then look on the right side for the key named Shell. Rightclick and DELETE it.

Now we will need to remove the infected Desktop.ini that installs the Zeroaccess rootkit.
To do this, click on start - run - type "cmd" without the quotes
This will open command prompt, type in "del C:\Windows\Assembly\GAC_MSIL\Desktop.ini" without the quotes then press enter.
If it says the file cannot be found, this probably means the zeroaccess rootkit has already been installed on your computer.
If it says nothing, this means it deleted the file successfully.
(you can't access the folder normally using explorer)

If this malware installed either the zeroaccess rootkit or the TDL4 rootkit, read the guides below to remove them.
Zeroaccess removal: http://forums.d2jsp.org/topic.php?t=57598269&f=276&p=385736446
TDL4 removal: http://forums.d2jsp.org/topic.php?t=57598269&f=276&p=389101491


Additional information:

This trojan can install many other malware on your computer so it's always good to do a full scan with your current anti-virus and anti-malware program.

It's always good to keep your add-ons/browser and anti-virus software up to date to prevent having this trojan installed on your computer in the first place.

Most of the files in the folder a095bb36 are unencrypted and can be opened with notepad (not by default); the code showed me how this malware functioned and made it easier to make this guide.
Dec 30 2011 03:42pm
Malware name: Trojan-Dropper.W32.Mudrop.siz (Kaspersky) Trojan:Win32/Sirefef.J (Microsoft) for Windows vista and Windows 7
Newest version detection rate: 1/44
Detected by Malwarebytes: No
Difficulty of removal once installed: (rating bar not reproduced)


Introduction:

The vista/7 version is a bit different than the XP version and this one is a bit harder to remove.
This malware downloads various other viruses/rootkits/rogues which makes the removal that much harder.
Because of the low detection rate, many people have been getting this trojan on their computer by the Blackhole Exploit Kit or other exploits without even noticing it.


Symptoms:

Constant pop-ups to malicious sites or just random sites when browsing.
Google search redirects
Other malware being downloaded on your computer.
Iexplorer.exe's process keeps opening and closing


Files created:

C:\Windows\Assembly\Temp\X
C:\Windows\Assembly\Temp\@
C:\Windows\Assembly\Temp\Loader.tlb
C:\Windows\Assembly\Temp\U\000000c0.@
C:\Windows\Assembly\Temp\U\000000cb.@
C:\Windows\Assembly\Temp\U\000000cf.@
C:\Windows\Assembly\Temp\U\00000001.@
C:\Windows\Assembly\Temp\U\80000000.@
C:\Windows\Assembly\Temp\U\800000cb.@
C:\Windows\Assembly\Temp\U\800000cf.@
C:\Windows\Assembly\Temp\U\800000c0.@

C:\Windows\Assembly\GAC_MSIL\Desktop.ini
      And/Or
C:\Windows\Assembly\GAC_32\Desktop.ini
      And/Or
C:\Windows\Assembly\GAC_64\Desktop.ini

And usually comes with PUP.BitMiner:
C:\Windows\assembly\temp\kwrd.dll


Process created:

C:\Windows\System32\Svchost.exe (used for executing .job files and connects to multiple TCP/IP)
(not sure if it's present in this version)


Files modified

None, Zeroaccess can't infect drivers on Windows Vista or Windows 7


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
{C:\Windows\Assembly\Temp\X}

HKEY_CURRENT_USER\Software\f6dcfecc (randomly named)
{qid = 0x519CAE0A}


Services created:

None, Zeroaccess can't be installed on Windows Vista or Windows 7


Removal:

The removal of this malware is a bit different than the one for Windows XP.

First, we will need to boot our computer in safemode.
To do this, restart your computer and before the windows splash screen appears, press F8. (or just spam F8 when your computer boots)
This will open a black screen with a few options, use the arrow keys to navigate to Safemode then press enter.

After this, click on start and open the Control Panel and then open Folder Options
Click on the View tab and select Show hidden files and folder and uncheck Hide protected operating system files.

Then click on start and type in the search bar "cmd" without the quotes to open command prompt.
In command prompt, type in "cd /d c:\Windows\assembly" without the quotes.
Then type "attrib -r -h -s desktop.ini" and then "ren desktop.ini desktop.bak"
This will make the folder Assembly a "normal" folder so we can view the files correctly.

Then, open My Computer and locate the following folder:
C:\Windows\Assembly\Temp\
Delete all the files mentioned above in the folder.
If an error message comes up saying one of the files is in use, try deleting every other file then restart your computer in safemode and try deleting it again.
After this, open the folder C:\Windows\Assembly\GAC_MSIL\ and delete Desktop.ini.
Do the same for the folders C:\Windows\Assembly\GAC_32\ and C:\Windows\Assembly\GAC_64\
You can also delete the desktop.ini with command prompt by doing the following:
Click on start and type "cmd" without the quotes in the search bar.
This will open command prompt, type in "del C:\Windows\Assembly\GAC_MSIL\Desktop.ini" without the quotes then press enter.
Do the same with GAC_32 and GAC_64.

Now, we will need to delete the startup registry key.
Click on start - run and type "regedit" without the quotes.
Locate yourself to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Then look on the right side for the key named Shell. Rightclick and DELETE it.
If the registry key isn't there, look in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
If the value in that key is different than Explorer.exe, modify it so it's Explorer.exe (do not delete this registry key).
Then locate the key HKEY_CURRENT_USER\Software\f6dcfecc (can be named something else, it should contain a key with the value data "qid = 0x519CAE0A") and delete it.


Additional information:

This trojan can install many other malware on your computer so it's always good to do a full scan with your current anti-virus and anti-malware program.

It's always good to keep your add-ons/browser and anti-virus software up to date to prevent having this trojan installed on your computer in the first place.

Other common files that can be infected or created by this malware are usually found in the %temp% folder. There's also the file C:\windows\system32\consrv.dll created by the Zeroaccess rootkit that can be deleted.
Jan 7 2012 05:57pm
Malware name: Spammer:Win32/Tedroo.gen!B (microsoft)
Newest version detection rate: 37/41 (old sample)
Detected by Malwarebytes: Yes
Difficulty of removal once installed: (rating bar not reproduced)


Introduction:

This trojan sends spam emails to other people from your email address. It also connects to a remote server from which the hacker can execute commands or download other malware.


Symptoms:

Slow internet connection.
Sending spam email to other people.
The presence of the files and registry keys below.


Files created:

c:\windows\system32\userini.exe
c:\windows\explorer.exe:userini.exe (hidden rootkit)


Process created:

3 c:\windows\explorer.exe:userini.exe all connecting to multiple TCP/IP including hotmail, gmail and yahoo mail.


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Userini
{C:\Windows\explorer.exe:userini.exe}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
{C:\Windows\explorer.exe:userini.exe}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Userini
{C:\Windows\explorer.exe:userini.exe}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
{C:\Windows\explorer.exe:userini.exe}


Removal:

Manual removal:

The removal is a bit tricky.
First, we will need to open the task manager by pressing ctrl+alt+delete. Then click on the process tab and end task to all of the explorer.exe:userini.exe.
Then, open My Computer and go in C:\Windows\System32 and delete the file named Userini.exe (note: DO NOT delete Userinit.exe, they are not the same file).
Make sure to delete the file from the recycle bin after.

After we've deleted the file, we will need to delete the registry keys.
Click on start - run and type "regedit" without the quotes and press enter.
Locate the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ and look on the right side for Userini. Rightclick and delete this entry.
Then locate HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ and delete the whole key Run by rightclicking it and clicking on delete.
Do the same for HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Userini
and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (this registry key may not be present on all variations of this malware).

Now, there is still the rootkit file Explorer.exe:Userini.exe on our computer. To remove it we will need to download Gmer anti-rootkit.
Download it here: http://gmer.net Scroll down and click on Download exe (it should download a randomly named executable file).
Save it on your desktop and open it.
It should do a quickscan of your computer. Do not move or click on the window while it's scanning, it should only take a few seconds to complete.
After it's done, click on the "> > >" tab then click on the Files tab.
Go in C:\Windows and locate the file called Explorer.exe:Userini.exe (it should be in red)
Click on the file and select delete in the top right corner.


Removal with Malwarebytes

Malwarebytes Anti-Malware can detect and remove most of the variations of this malware, but not all.
When the malware is running in the process, it lags your internet badly and it may become unusable so you won't be able to download malwarebytes or you won't be able to update the program.
To fix this, you will need to end the processes of the malware mentioned in the Manual removal above.
Download Malwarebytes Anti-Malware here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html


Additional information:

Since this malware uses your email to make spam mail, your email account may be tagged as compromised. You'll probably need to contact your email's tech support.

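A triage script added here (my own, not the poster's tooling): it parses a regedit .reg export and flags the entries these guides tell you to delete, namely the extra Winlogon Shell entries from the Cycbot and Sirefef posts, the explorer.exe:userini.exe alternate-data-stream autorun from this Tedroo post, the localhost ProxyServer behind the Google redirects, and the Policies lockdown values the Brontok post further down describes. The .reg text is constructed from values quoted in the posts; the key patterns, directory list and "review" heuristic are assumptions.

```python
import re

# Constructed regedit export using values quoted in the Cycbot, Tedroo and
# Brontok posts. regedit doubles backslashes inside REG_SZ and writes DWORDs
# as "dword:" followed by eight hex digits.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Documents and Settings\\Administrator\\Application Data\\4055A\\DDFDE.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"C29.exe"="C:\\Program Files\\LP\\DE24\\C29.exe"
"Userini"="C:\\Windows\\explorer.exe:userini.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:51234"
"ProxyEnable"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

# A path whose file part carries ":stream" after .exe is an alternate data
# stream, the explorer.exe:userini.exe trick from the Tedroo post.
ADS_RE = re.compile(r"^[a-z]:\\.*\.exe:[^\\]+$", re.IGNORECASE)
# Directories a legitimate autostart rarely lives in (assumption).
USER_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
# Policy values that lock the user out of removal tools when set to 1.
LOCKDOWN = {"DisableTaskMgr", "NoRun", "DisableRegistryTools", "DisableConfig"}


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a 'Version 5.00' export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data  # hex(...) and other types are kept raw
            keys[current][name] = value
    return keys


def triage(keys):
    """Return (finding, where, detail) tuples for the entries worth deleting."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\winlogon"):
            shell = str(values.get("Shell", ""))
            # Only HKLM normally carries Shell; an HKCU copy is how Cycbot and
            # Sirefef start their payload next to the real explorer.exe.
            if k.startswith("hkey_current_user") and "Shell" in values:
                findings.append(("HKCU Winlogon Shell present", key, shell))
            for entry in shell.split(","):
                entry = entry.strip()
                if entry and entry.split("\\")[-1].lower() != "explorer.exe":
                    findings.append(("non-explorer Shell entry", key, entry))
        elif k.endswith("\\currentversion\\run") or k.endswith("\\policies\\explorer\\run"):
            for name, cmd in values.items():
                if not isinstance(cmd, str):
                    continue
                if ADS_RE.match(cmd):
                    tag = "alternate data stream autorun"
                elif "\\policies\\explorer\\run" in k or any(d in cmd.lower() for d in USER_DIRS):
                    tag = "autorun from policy key or user/temp directory"
                else:
                    tag = "autorun entry to review"  # e.g. Cycbot's C29.exe
                findings.append((tag, name, cmd))
        elif k.endswith("\\internet settings"):
            proxy = str(values.get("ProxyServer", ""))
            if values.get("ProxyEnable") == 1 and re.search(r"127\.0\.0\.1|localhost", proxy):
                findings.append(("proxy forced through localhost", key, proxy))
        elif "\\policies\\" in k:
            for name, v in values.items():
                if name in LOCKDOWN and v == 1:
                    findings.append(("lockdown policy set", key, name))
    return findings


def triage_sample():
    return triage(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    for finding in triage_sample():
        print(" | ".join(finding))
```

Export the keys with regedit (File - Export) from the infected machine and feed the file to parse_reg; an entry tagged "to review" still needs a manual look, as the heuristics only catch the patterns the posts describe.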
Jan 8 2012 03:39pm
Malware name: Vobfus Worm (Worm:Win32/Vobfus.gen!O)
Newest version detection rate: 31/41
Detected by Malwarebytes: yes
Difficulty of removal once installed: (rating bar not reproduced)


Introduction:

This malware is a worm that copies itself into flash drives attached to the infected computer.
This worm will also download other malware like Alueron, Trojan Renos and Trojan virut.
When you plug the infected USB into a computer, the Autorun.inf file will automatically run the worm on the computer.
It is possible to disable autorun on external devices, but it's set as default On which is why this worm is effective.


Symptoms:

Flash drive containing weird files like the ones below.
Error message saying T00zE2q has encountered a problem and needs to close when executed.


Files created:

%HOMEPATH%\beupal.com (randomly named)
%HOMEPATH%\jeotox.exe (randomly named) (Hidden rootkit)

On flash drives:
(drive):\Autorun.Inf (Hidden rootkit)
(drive):\jeotox.exe (randomly named) (Hidden rootkit)
(drive):\Passwords.exe
(drive):\Porn.exe
(drive):\Secret.exe
(drive):\Sexy.exe
The 4 files above are obviously created for the user to open them out of curiosity; the files contain the worm and nothing else. :cry:

(drive):\x.mpeg (0 byte file, won't be detected by anti-viruses but it's not harmful)


Process created::

jeotox.exe (randomly named)
beupal.com (randomly named) (only stays for a few seconds, this is the trojan dropper)


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\jeotox (randomly named)
{C:\Documents and Settings\"Username"\jeotox.exe /O} (randomly named)


Removal:

Malwarebytes Anti-malware can remove this infection.
Simply download the program here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Install/update Malwarebytes then click on Fullscan. (The quickscan won't scan your USB devices).
Let it finish scanning and when it detects the threats, click on remove selected and restart your computer if asked.


If Malwarebytes doesn't detect the files, you can follow these steps to remove it manually:
This worm protects itself from "end process" from task manager so we will need another program to kill the process.
Download gmer anti-rootkit here:
http://gmer.net
Open it. It should do a quickscan, wait until it's finished then click on the "> > >" tab then click on the Process tab.
Rightclick the process and select Kill Process. A warning message should appear, click on OK.
Next, click on the Files tab (still in gmer) and look for c:\documents and settings\"user"\jeotox.exe (randomly named).
Select the file and click on Delete on the top right of the program.

Now we can delete the rest of the files and registry keys.
Open My Computer and go to %HOMEPATH%\ and delete the file (random).com.
Then click on Start - run and type "Regedit" without the quotes and press enter.
This will open the registry editor, simply locate HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ then look on the right side for the name of the key that you deleted with Gmer.
Rightclick that key and select Delete.


To remove the infected files from the USB, you can format your USB to delete everything on it at once. Simply plug your USB in your computer, open My Computer and rightclick on the drive name (example: F:\) and select Format...
Select FAT32 (or FAT) as the File system then click on Start (this will delete EVERYTHING on the USB, if you have something important on it, copy only that file on your computer).


Extra information:

The task manager was unable to end the process of the file, I'm still unsure why. Process explorer kept crashing when I was trying to end the process of that file.

If your USB has been infected by this worm (or any worm) you should disinfect it (with the methods above) before you plug it in another computer or that computer might get infected.
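An added checker, mine rather than anything from the post: it parses a drive's autorun.inf and cross-checks the launch keys against the drive's root listing, flagging a hidden+system launch target, the bait executables left at the root, and an action string that imitates Explorer's own "open folder" prompt. Both the autorun.inf text and the listing are constructed from the file names in this post; the attribute names and the heuristics are assumptions.

```python
import re

# Constructed autorun.inf of the kind the Vobfus post describes: every launch
# key points at the hidden worm and the action text imitates Explorer's prompt.
SAMPLE_AUTORUN = r"""[autorun]
open=jeotox.exe
shell\open\command=jeotox.exe
shellexecute=jeotox.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
"""

# Constructed root listing of the same drive: file name -> attribute set.
SAMPLE_LISTING = {
    "Autorun.inf": {"hidden", "system"},
    "jeotox.exe": {"hidden", "system"},
    "Passwords.exe": set(),
    "Porn.exe": set(),
    "x.mpeg": set(),
    "Photos": {"directory"},
}

# Keys under [autorun] that make Windows run something (keys are lowercased).
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$")
EXE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")


def parse_autorun(text):
    """Return the [autorun] section as {key_lower: value}; other sections ignored."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """(key, executable) for every launch key, arguments and quotes stripped."""
    targets = []
    for key, value in entries.items():
        if LAUNCH_KEYS.match(key) and value:
            m = re.match(r'"([^"]+)"|(\S+)', value)
            targets.append((key, m.group(1) or m.group(2)))
    return targets


def audit(autorun_text, listing):
    """Findings for one removable drive as (finding, where, detail) tuples."""
    entries = parse_autorun(autorun_text)
    attrs_by_name = {n.lower(): a for n, a in listing.items()}
    findings, reported = [], set()
    for key, exe in launch_targets(entries):
        attrs = attrs_by_name.get(exe.lower())
        reported.add(exe.lower())
        if attrs is None:
            findings.append(("launch target missing from drive", key, exe))
        elif {"hidden", "system"} <= attrs:
            findings.append(("launches a hidden+system executable", key, exe))
        else:
            findings.append(("launch target", key, exe))
    if entries.get("action", "").lower().startswith("open folder"):
        findings.append(("action text mimics Explorer's own prompt", "action", entries["action"]))
    # Anything executable at the root that autorun.inf does not itself launch
    # is there for a curious user to double-click.
    for name, attrs in listing.items():
        if name.lower().endswith(EXE_EXT) and name.lower() not in reported:
            findings.append(("executable at drive root", name, ",".join(sorted(attrs)) or "none"))
    return findings


def audit_sample():
    return audit(SAMPLE_AUTORUN, SAMPLE_LISTING)


if __name__ == "__main__":
    for finding in audit_sample():
        print(" | ".join(finding))
```

On a real drive, build the listing from a `dir /a` of the root (or os.scandir with the attribute bits) and read autorun.inf with the hidden/system attributes in place; the 0-byte x.mpeg decoy is left out on purpose since it is not executable.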
Jan 14 2012 08:31pm
Malware name: Brontok Worm
Newest version detection rate: 13/41
Detected by Malwarebytes: Yes
Difficulty of removal once installed: (rating bar not reproduced)



Introduction:

This has to be the most annoying malware out there right now... But probably not.
This worm places an autorun.inf file on every USB plugged in your computer and is executed every time you plug in that infected USB device.
It also sends mail with the worm attached to all your contacts.
When executed, this worm disables almost everything on your computer.
When you run an executable file (.exe, .com, .scr and .pif) it creates a file with the same name but with a space after the name. This file also contains the worm.
It hides the original file that you've created and disables "Show hidden files and folders" so you won't be able to see the original file that you executed. It also disables folder options in the control panel so you can't change the option to view the hidden files.
When you execute any file, it also executes the worm again (hijacks the shell open command).
It also disables My Computer so you won't be able to access it, task manager, the registry editor, task bar, run, help, system restore and most services to protect itself and make it harder to remove.
After you restart your computer, it kills almost all processes and services related to anti-viruses.


Symptoms:

Unable to open executable files or files disappearing after executing it and being replaced with a file with the icon below:
(icon image not reproduced)
"This operation has been disabled by the administrator" Error when trying to access My computer, or any drive (C:\, D:\, E:\, etc..)
Task bar hidden.
Services and drivers not working properly.
Computer randomly shuts down when executing a program.


Files created:

c:\Film.exe
c:\Puisi.txt
c:\Desktop.ini
c:\Data Administrator.exe
c:\4K51K4\Folder.htt
C:\Windows\System32\IExplorer.exe
C:\Windows\System32\MrHalloween.scr
C:\WINDOWS\system32\shell.exe
C:\WINDOWS\system32\trz1.tmp
C:\WINDOWS\system32\trz3.tmp
C:\Windows\4k51k4.exe
C:\Windows\trz2.tmp
C:\Windows\SYSTEM.INI
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif (file name and extention can vary)
%Homepath%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\LSASS.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
%Homepath%\Local Settings\Application Data\CSRSS.EXE
%Homepath%\Local Settings\Application Data\LSASS.EXE
%Homepath%\Local Settings\Application Data\SERVICES.EXE
%Homepath%\Local Settings\Application Data\WINLOGON.EXE
(FILE NAME EXECUTED)+(space).exe (example, if you execute IExplorer.exe, it will create a file called IExplorer .exe in the same folder)

On USB:
Autorun.inf
Data Administrator.exe
Film.exe
\4K51K4\Folder.htt
\4K51K4\New Folder.exe


Process Created:

C:\Windows\4k51k4.exe - When you open an executable.
C:\Windows\System32\IExplorer.exe
%Homepath%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\LSASS.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
%Homepath%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE


Registry keys created:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS
{C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\WINLOGON.EXE}

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdministrator
{C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\SERVICES.EXE}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LogonAdministrator
{C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\CSRSS.EXE}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Monitoring
{C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\LSASS.EXE}


Registry keys Modified:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
{1}

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig
{1}


Removal:

Note: this malware infects safemode so it's pointless to start it in safemode unless your computer can't boot up normally.

The removal is quite hard since it disables a lot of options and files.
The faster you try to remove this virus, the easier it will be and if you restart your computer after you've been infected, the removal will be even harder.

At the "first stage" of this malware, you will still be able to access most of your programs/tools.
(You will only have about 10 minutes when you're in this stage, your computer will restart (it usually randomly restarts when executing a program) and reach the "second stage")
Manual removal for the first stage:
First click on start - run and type "gpedit.msc" without the quotes then press enter.
Click on User Configuration - Administrative Templates - System then click on Ctrl+alt+del Options
On the right side, double click Remove Task Manager and select Disable then click OK.

If gpedit.msc doesn't work:
Click on start - run and type Regedit
Find the key named HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr and delete it.

Press ctrl+alt+delete and go in the process tab.
Kill all the processes named above (MAKE SURE THE PROCESS IS CREATED FROM YOUR USERNAME (or administrator) AND NOT FROM THE SYSTEM. IF YOU END TASK TO THE WRONG PROCESS IT WILL GIVE YOU A BLUE SCREEN OF DEATH.)
Then, delete all of the files mentioned above.
After this, click on start - run - type Regedit and press enter.
Find all of the "Registry keys created" mentioned above and delete them (right-click and delete).
For the "Registry keys modified", do the same as above but double-click the key and change the value data from 1 to 0, then close the box.
Once you've done this, skip the second and third stages and follow the rest of the removal guide (to remove the rest of the files).


Second stage:
Gpedit.msc and regedit won't work and you won't be able to end task to the files.
For this stage, we will need to download process explorer.
First, open your browser (if you can't open it, skip to stage 3) (if your browser randomly closes, keep trying to download it)
Download process explorer here:
http://technet.microsoft.com/en-us/sysinternals/bb896653
Save it on your desktop.
Extract the zip file on your desktop.
Open the program (note: when you open it, the program will "disappear". If it randomly closes, you will need to extract it again from the zip file and overwrite it on your desktop).
Find all the processes mentioned above, right-click and end task.
If the program closes too quickly and you can't end task to them, skip to the third stage.
After ending the processes, locate the files mentioned above and delete all of them.
After this, click on start - run - type Regedit and press enter.
Find all of the "Registry keys created" mentioned above and delete them (right-click and delete).
For the "Registry keys modified", do the same as above but double-click the key and change the value data from 1 to 0, then close the box.
Once you've done this, skip the third stage and follow the rest of the removal guide (to remove the rest of the files).


Third stage:
You won't be able to access your drives; services and most drivers won't work. You won't be able to use the Run command or System Restore.
Now, we will need to open your browser and download combofix here
http://download.cnet.com/Combofix/3000-8022%5F4-75221073.html
Usually there should be a shortcut to your browser on your desktop/quick launch bar or start menu.
If there isn't and you can't access your drive, rightclick your desktop and click on New - Shortcut
In the location of the item, put the location of the browser (example, C:\Program files\Mozilla firefox\Firefox.exe or c:\program files\internet explorer\IExplorer.exe) then double click to open it.
Once you've downloaded combofix, close ALL of your programs and disable your anti-virus (google: how to disable "anti-virus name") (if you have AVG, you will need to uninstall it using add/remove in the control panel. If you do not wish to uninstall AVG, skip combofix).
Open combofix and it may ask to download updates, click on Yes.
The scan should take 10-20 minutes (it can be more).
Once it's done, it should have deleted all the running processes from the malware and most of the files and registry keys and it should restore most of your settings.


To remove the rest of the files:
There should still be files containing the malware on your computer. To remove them, download Malwarebytes Anti-Malware here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Make sure to do the full scan and not just the quick scan.
If your USB was infected, make sure to run a scan with an anti-virus or malwarebytes to remove the infected files.

To fix the "This operation has been disabled by the administrator" Error, do the following:
Click on start - run - type gpedit.msc and press enter
Click on User Configuration - Administrative Templates - Windows Components, and then click Windows explorer.
In the right pane, right-click Prevent access to drives from my Computer, and then click Properties.
Click Disable, and then click OK.


How to unhide the files that have been hidden:
Click on start - run and type "cmd" without the quotes then press enter.
Then in the command prompt, type in "attrib -s -h /s /d" without the quotes
Wait a few seconds and it should unhide all your files on the c:\ drive.


Additional information:

When you first execute the program, a notepad file comes up with the following:

(Google translator from Indonesian to english)
(aksika is another malware created by someone else)

Code
thank's to aksika maker

riesha like to thank many of the
v_m aksika which has provided insight
so v_m emerging
one more thing I stress to all ..
VIRUS MAKER not intend anything except to tell you
that the OS (OPERATING SYSTEM) you use has a
many shortcomings, and do not view as a villain VIRUS MAKER
HACKER because just as a security tester, not as criminals
VIRUS MAKER also is testing an OS


so do not view VIRUSMAKER with negative outlook
but look with a positive outlook, a creation of the nation

by: rieysha


It also creates about 10 random notepad/document files named (location of file (e.g. desktop) + random letter).doc/.txt in random directories with the following content:

Google translator:

Code
Pls yanx you back?
I've missed ya weight
what's the matter must go away from me
What you return to the heart of old
Will what I feel the Warmth of a first love


by: rieysha


And

Google translator:

Code
When you yank back to Indonesia?
Are you back with your heart first?

by:rieysha


These files are not malicious but you can remove them on your computer if you want.
Member
Jan 27 2012 03:31pm
Malware name: W32.Sality
Newest version detection rate: 24/43
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll


Introduction:

Sality is a virus that infects most executables (.exe and .scr).
When you run an infected file, it will run the virus, recreate the files for running the virus (if they have been deleted) and continue to infect your other files.
It infects your executable files in local and remotely shared drives.
It will also scan your registry to infect your startup programs to make it most effective.
It creates a service to run itself on each reboot and to make it harder to detect and remove.
It injects threads into most non-Windows processes to connect to a server and download more malware (usually botnets).
It also has a worm component: it places an autorun.inf file on every removable device with the files for the virus.


Symptoms:

Switches from show all hidden files and folders to hide all files and folders in folder options every few minutes.
Constantly kills/closes your anti-virus process and service.
Can't access common anti-virus websites.
Disables anti-virus/firewall/automatic update notifications.
Can't boot in safemode.
Disabled task manager and registry editor.


Files created:

c:\etjs.exe (random)
c:\autorun.inf
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\miqjg.exe (random)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nnkgro.exe (random)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwmbdn.exe (random)
c:\windows\system32\drives\(random).sys (Hidden)
(usb drive):\Autorun.inf
(usb drive):\(random).exe


Registry key created:

HKEY_CURRENT_USER\Software\(random)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\Legacy_amsint32
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\amsint32


Registry key modified:

HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\AntiVirusDisableNotify
{1}

HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify
{1}

HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\UpdatesDisableNotify
{1}


Registry key deleted:

HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
To prevent safemode.


Services created:

amsint32


Removal:

Kaspersky created a nice program designed to remove Sality and to clean all of your files.
The program can be found here:
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889
Simply open the program and it will scan and clean your computer automatically.
The scan's time may increase if the number of infected files is high so it may take some time to clean your whole computer.
It will delete all the files, registry keys and services related to this malware and other variants.
If you can't download the program because it says Problem loading page (the virus is blocking the site) try downloading it on another computer and placing it on a USB. Leave the USB plugged in while doing the scan.
If the program closes right after you tried opening it, it's probably because Sality is killing the process named SalityKiller.exe.
To fix this, rename SalityKiller.exe in the zip file to 123.exe then extract it onto your desktop then open it.

Sometimes SalityKiller won't detect and remove all of the files or registry keys.
Because of this, it's always good to do a scan with Malwarebytes after.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

If Malwarebytes doesn't pick up the rest of the files, you can remove them manually.
Since most of them are hidden, you'll have to go in start - control panel - folder options - view tab - show hidden files and folders.
Then delete the files mentioned above.
You can also remove all of the keys created by opening the registry editor (start - run - type "regedit" without the quotes), then navigate to the keys mentioned above, right-click and delete them.


Tips:

If you want to fix safemode, download Sality_RegKeys.zip here:
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889
Save it on your desktop and double click on Safebootwin(operating system).reg
Only open the registry key corresponding to your operating system.

Manual removal is not recommended. Even if you remove all of the files/registry keys/services related to this malware, once you open an infected file it will reinfect your machine.
This is why you need a program to cure the infected files like Sality Killer from Kaspersky.

You can see which file the service uses by looking for the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\amsint32\ImagePath
Mine was \??\C:\WINDOWS\system32\drivers\jmuimn.sys
Member
Feb 4 2012 08:32pm
Malware name: Backdoor QakBot.Gen!c | Qakbot
Newest version detection rate: 16/43
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll


Introduction:

This malware is a backdoor; therefore it connects to a server and waits for instructions.
It is also a keylogger which records your keystrokes. It also steals cookies/certificates and passwords from your browser, MSN, Outlook, Yahoo Messenger, IRC and Skype.
It also attempts to download additional malware on your computer from malicious sites.
A cool part of this malware is that it scans all your registry keys in HKCU\software\microsoft\windows\currentversion\run and modifies all the values of the keys to include the executable for the malware.
It prevents popular debuggers from executing by ending task to the process.
Prevents a lot of programs from running or working properly.


Symptoms:

Startup program not launching when starting your computer.
Unable to access certain sites, mostly anti-virus sites.


Files created:

%HomePath%\File.exe - deletes itself after launching
C:\Documents and Settings\Administrator\Application Data\Microsoft\Efsfh\efsfh.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Efsfh\efsfh32.dll
C:\Documents and Settings\Administrator\Application Data\Microsoft\Efsfh\efsf.dll
C:\Documents and Settings\Administrator\Application Data\Microsoft\Efsfh\efsfh.dll


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Original program name" (hidden rootkit)
{"C:\Documents and Settings\Administrator\Application Data\Microsoft\Efsfh\efsfh.exe" /c Original program path}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Random" (hidden rootkit)
{"C:\Documents and Settings\Administrator\Application Data\Microsoft\Efsfh\efsfh.exe"}


Process created:

C:\Documents and Settings\Administrator\Application Data\Microsoft\Efsfh\efsfh.exe (hidden rootkit)


Threads created:

efsfh.exe injects efsfh.dll into every browser when launched.
It also injects efsfh.dll into most processes.


Removal:

The removal can be a bit hard since it hides most of its processes/registry keys.

First, we will need to download Gmer Anti-Rootkit here:
http://www.gmer.net/
Scroll down and click on Download EXE.
Open the program and wait until the quickscan finishes. It should say that it found a hidden process and ask you to do a full scan, click No.
Click on the > > > tab and then on the processes tab.
Find the red process (it should be efsfh.exe) click it and click on Kill process.

Next, open My Computer and go in C:\Documents and Settings\Administrator\Application Data\Microsoft\Efsfh\ and delete efsfh.exe, efsfh32.dll and efsf.dll (you won't be able to delete efsfh.dll now)

After this, download Malwarebytes Anti-malware here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Install it and open it. Then click on the tab named More tools.
Click on FileASSASSIN - Run Tool
Find the file named C:\Documents and Settings\Administrator\Application Data\Microsoft\Efsfh\efsfh.dll and click on Open.
It will ask you to restart your computer, click on Ok.
This should delete the file named efsfh.dll.

Now to delete the registry keys, click on start - run and type "regedit" without the quotes and press enter.
Navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Look on the right side and rightclick - delete the key called "random" that contains the value of the path of the malware (efsfh.exe)
Then double click on every other key on the right and delete the code that the malware injected ("C:\Documents and Settings\Administrator\Application Data\Microsoft\Efsfh\efsfh.exe") but leave the path of the program.

Since this malware can download other malware, it's always good to do a full scan with Malwarebytes anti-malware and your current anti-virus program.


Additional information:

You need to end task to efsfh.exe and remove all the efsfh.dll threads before you can delete or see the registry key.
Member
Feb 18 2012 09:14pm
Malware name: Trojan Vundo / Trojan:Win32/Vundo.ME (Microsoft)
Newest version detection rate: 30/43
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll


Introduction:

This trojan usually causes a lot of pop-up advertisements (usually from rogue anti-virus sites) and it can also download and execute other malware.
It hides most of its files and processes, making the removal process a bit harder than normal.
It also creates a BHO (Browser Helper Object) without the user's consent.


Symptoms:

Unable to start some anti-virus programs. (kills the process)
Disables notifications from Microsoft Security Center.
Disables Windows Updates.


Files created:

C:\Windows\System32\neniweja.dll (Hidden Rootkit)
C:\Windows\System32\wivagoge.dll (Hidden Rootkit)
C:\Windows\System32\yodubiba (Hidden Rootkit)
C:\Windows\System32\judopuje.dll (Hidden Rootkit)
(all names are usually random)


Threads injected:

C:\Windows\System32\wivagoge.dll
Injects into every process executed by the user and also injects into winlogon.exe and explorer.exe

C:\Windows\System32\neniweja.dll
Injects into most processes executed by the user.


Registry key created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"random"
{Rundll32.exe ""Random".dll",s}

HKEY_CLASSES_ROOT\CLSID\"random"\InprocServer32\(Default)
{judopuje.dll}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\"random"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\"random"


Registry key modified:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\UpdatesDisableNotify
{1}


Removal:

First, you will need to do a quickscan with Malwarebytes Anti-Malware located here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Once it finishes scanning, click on Remove selected and click on Yes when it asks to reboot your computer.

Malwarebytes will remove most of the files but to remove the rest, we might need to remove it manually if your anti-virus doesn't detect it.
To remove the remaining files, we will need to download Gmer anti-rootkit to detect the hidden files:
http://www.gmer.net/
Scroll down and click on Download EXE.
Open the program and it should do a quickscan automatically, let it finish.
When it's done scanning, click on the > > > tab then on Rootkit/Malware tab
On the right side, uncheck all except Files then click on Scan.
The scan should take a couple of minutes.
It should find the files mentioned above, all of them are in c:\windows\system32
Rightclick them and select Delete File.


Tips:

Do a full scan with an anti-virus and anti-malware program after since it can download other malware on your computer.
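As an added example that is not part of any post above, and not the blog author's tool or part of Malwarebytes, GMER, ComboFix or SalityKiller: a Python triage script that scans an exported .reg file for the persistence and self-protection tricks the 4k51k4, Sality, Qakbot and Vundo posts list. It flags Run entries that start a binary named after a core system process from outside System32 (4k51k4), Run entries launched from a profile or temp directory, Run values of the shape `"loader.exe" /c <original program>` and recovers the original so the value can be restored rather than deleted (Qakbot), `rundll32` loader entries (Vundo), DisableTaskMgr/NoRun/DisableConfig and Security Center DisableNotify flags set to 1 (4k51k4, Sality, Vundo), and any Image File Execution Options subkey carrying a Debugger value (Vundo). The sample export is constructed; the IFEO Debugger value in it is an assumption, since the Vundo post lists the keys but not what was written under them, and the `\appdata\` path check extends the posts' XP-era paths to newer Windows profiles.

```python
"""Offline triage of an exported Windows registry (.reg) file for the persistence and
self-protection tricks in the posts above.  Added example; not the blog author's tool."""
import re

# Core Windows process names the 4k51k4 sample borrows; the real ones live in
# %SystemRoot%\System32, so a Run entry starting one from elsewhere is suspect.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
# Policy and Security Center values the posts report being set to 1.
DISABLE_FLAGS = {"DisableTaskMgr", "DisableRegistryTools", "NoRun", "DisableConfig",
                 "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"}
# Profile/temp directories: XP names from the posts plus the newer \AppData\ layout.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\appdata\\")

# Constructed sample export modelled on the posts (plus one benign Dropbox entry); the
# IFEO Debugger value is assumed, the Vundo post lists the keys but not their contents.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Dropbox"="\"C:\\Program Files\\Dropbox\\Dropbox.exe\" /systemstartup"
"MSMSGS"="C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
"Updater"="\"C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Efsfh\\efsfh.exe\" /c C:\\Program Files\\Updater\\updater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wivagoge"="Rundll32.exe C:\\Windows\\System32\\wivagoge.dll,s"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="C:\\Windows\\System32\\svchost.exe"
'''

def parse_reg(text):
    r"""Parse a .reg export into {key: {name: value}}; decodes REG_SZ (\\ and \" escapes) and REG_DWORD."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, sep, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
            elif sep:
                keys[current][name] = raw  # hex(...) and other types kept as raw text
    return keys

def head_exe(cmd):
    """Executable at the head of a Run command line: the quoted token, else up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)  # unquoted paths with spaces
    return m.group(1) if m else cmd

def wrapped_program(cmd):
    """Qakbot shape "<loader>" /c <original>: return the original command to restore, else None."""
    m = re.match(r'\s*"?[^"]*?\.exe"?\s+/c\s+(.+)$', cmd, re.IGNORECASE)
    return m.group(1).strip() if m else None

def check_run_entries(keys):
    """Flag Run values by where and what they launch; recover wrapped originals."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, cmd in values.items():
            exe = head_exe(str(cmd))
            low, base = exe.lower(), exe.lower().rsplit("\\", 1)[-1]
            if base in SYSTEM_PROCESS_NAMES and "\\system32\\" not in low:
                findings.append(("impersonated-system-process", key, name, exe))
            elif any(d in low for d in PROFILE_DIRS):
                findings.append(("run-from-profile", key, name, exe))
            elif base == "rundll32.exe":  # Vundo: rundll32 loading a DLL at logon
                findings.append(("rundll32-loader", key, name, cmd))
            original = wrapped_program(str(cmd))
            if original:
                findings.append(("wrapped-program", key, name, original))
    return findings

def check_disable_flags(keys):
    """Task Manager, Run, System Restore config or Security Center notifications disabled."""
    return [("disabled-by-policy", key, name, value) for key, values in keys.items()
            for name, value in values.items() if name in DISABLE_FLAGS and value == 1]

def check_ifeo(keys):
    """IFEO subkeys with a Debugger value: Windows starts that program instead of the named one."""
    return [("ifeo-debugger", key, "Debugger", values["Debugger"]) for key, values in keys.items()
            if "\\image file execution options\\" in key.lower() and "Debugger" in values]

def triage(reg_text):
    """Run every check over a .reg export; returns (kind, key, value_name, detail) tuples."""
    keys = parse_reg(reg_text)
    return check_run_entries(keys) + check_disable_flags(keys) + check_ifeo(keys)
```

Regedit writes exports as UTF-16, so on a real export call `triage(open(path, encoding="utf-16").read())`. Every finding names the key and value so it can be checked by hand before anything is deleted, and for the Qakbot-style entries the post says to edit rather than delete, the `wrapped-program` finding carries the value to put back.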