
I got lucky, can I recreate what I did next time?


2 replies to this topic

#1 Evolution13

  • Members
  • 46 posts

Posted 24 November 2013 - 08:00 PM

Earlier today I was trying to remove the Homeland Security Ransomware from a Windows 7 laptop. It was one of the cleverer variants that forced a reboot even when trying to boot into Safe Mode with Command Prompt. I booted up off the Kaspersky Rescue Disk and proceeded to try and clean it that way. After I rebooted, the infection was still there, but I noticed that if I hit the Windows key or tried to launch Task Manager I would get a couple of seconds to try and do something before it yanked me to the ransom screen. While I was fiddling this way, the malware itself crashed! I was then able to run Malwarebytes and ComboFix to thoroughly scrub the machine clean.

 

So, does anyone know a reliable way to force-close a ransomware infection when not even scanning from a bootable disk will clean it? Or is there something better than Kaspersky that I should be using for this sort of thing? Thanks!





#2 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 24 November 2013 - 11:10 PM

Since this malware is always evolving, this new variant now forces a reboot when 'Safe Mode with Command Prompt' is accessed. It seems the bootable 'Kaspersky Rescue Disk' didn't remove all of the EXEs and Run keys.

Save the batch script below to the bootable Kaspersky Rescue Disk, so you can use the NTFS navigator (included in the Kaspersky Rescue Disk) to copy this batch file to the

"%userprofile%\Start Menu\Programs\Startup" folder
or
explorer "%userprofile%\Start Menu\Programs\Startup"

Then boot in normal mode, so the malware and the batch file both run. The batch file output will be located at C:\

@echo off
title Gathering Startup and Network Info
echo FOR COMPUTER SYSTEM: %computername%
rem The first command creates the log file on C:\, the rest append to it
tasklist > c:\%computername%.txt
echo.
tasklist /svc >> c:\%computername%.txt
echo.
netstat -ae >> c:\%computername%.txt
echo.
netstat -ao >> c:\%computername%.txt
echo.
rem netstat -b (shows the owning executable) only works from an elevated prompt
netstat -abv >> c:\%computername%.txt
echo.
rem "reg query" (not plain "query") dumps the per-user Run key
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s >> C:\%computername%.txt

Gather as much info on the malware as possible, like PID, paths and image names. When you have this info, you can use taskkill to kill the malware in a looping batch file called 'taskkill.bat'.

taskkill.bat

@echo off
rem Replace the PIDs and the image name with the ones found in the gathered info
rem The loop has no pause, so the process is killed again as soon as it relaunches
:BeginLoop
taskkill /f /t /pid 1234
taskkill /f /t /pid 2057
taskkill /f /t /im vjhbc487tcfg7cg7.exe
goto BeginLoop

The malware might stop taskkill.exe from running, so create another batch file called 'task-kill.bat', with task-kill.exe in the system32 folder as well.

task-kill.bat

@echo off
rem Same loop, but calling the renamed copy task-kill.exe from system32
:BeginLoop
task-kill /f /t /pid 1234
task-kill /f /t /pid 2057
task-kill /f /t /im vjhbc487tcfg7cg7.exe
goto BeginLoop

Edited by Crazy Cat, 24 November 2013 - 11:43 PM.

 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 

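As an added example (not from this thread or its posters), the same gathering step written in PowerShell 2.0 for Windows 7, extended to cross-reference the Run-key entries with the live process list so that the PIDs and image names for the taskkill loop are listed in the report instead of being picked out of the raw dump by hand. It assumes the script is saved as C:\triage.ps1 and started from the Startup folder by a one-line batch file, "powershell -ExecutionPolicy Bypass -File C:\triage.ps1"; those file names are assumptions.

```powershell
# Added example, not from the thread. Saved as C:\triage.ps1 (assumed name) and
# launched from the Startup folder by a .bat containing:
#   powershell -ExecutionPolicy Bypass -File C:\triage.ps1
# Output: C:\<computername>-triage.txt, written while the malware is running.
$out = "C:\$env:COMPUTERNAME-triage.txt"
"TRIAGE FOR $env:COMPUTERNAME at $(Get-Date)" | Out-File $out

# 1. Raw listings, same as the batch file (netstat -b would need an elevated prompt).
tasklist /svc | Out-File $out -Append
netstat -ano  | Out-File $out -Append

# 2. Autorun entries: every value under the Run/RunOnce keys is "Name = command line".
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }           # provider metadata, not a value
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
        # Executable path is the quoted token or the first token of the command line.
        $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split ' ')[0] }
        $autoruns += New-Object PSObject -Property @{
            Key = $key; Name = $prop.Name; Exe = $exe; Command = $cmd }
    }
}
"`r`nAUTORUN ENTRIES" | Out-File $out -Append
$autoruns | Format-Table Key, Name, Command -AutoSize | Out-File $out -Append -Width 300

# 3. Live processes whose image path equals one of those autorun executables.
$hits = @()
foreach ($p in Get-WmiObject Win32_Process) {
    foreach ($a in $autoruns) {
        if ($p.ExecutablePath -and ($p.ExecutablePath -ieq $a.Exe)) {
            $hits += New-Object PSObject -Property @{
                PID = $p.ProcessId; Parent = $p.ParentProcessId; Image = $p.Name
                Path = $p.ExecutablePath; RunValue = $a.Name }
        }
    }
}
"`r`nRUNNING PROCESSES STARTED FROM AN AUTORUN ENTRY" | Out-File $out -Append
$hits | Format-Table PID, Parent, Image, Path, RunValue -AutoSize | Out-File $out -Append -Width 300

# 4. Ready-made lines for the taskkill loop in the post above; review the report first.
$hits | ForEach-Object { "taskkill /f /t /pid $($_.PID)" } |
    Out-File "C:\$env:COMPUTERNAME-kill-candidates.txt"
```

The script kills nothing itself: a PID that matches an autorun entry is only a candidate, so check its path and parent in the report before feeding it to the loop.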


#3 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 24 November 2013 - 11:35 PM

An alternative to 'tasklist' is StartupList.exe; download it from the Internet.

StartupList.bat

C:\StartupList.exe /verbose /complete /full /forceall

Copy 'StartupList.bat' to the "%userprofile%\Start Menu\Programs\Startup" folder and StartupList.exe to C:\

Output is located at C:\StartupList.txt




