Earlier today I was trying to remove the Homeland Security Ransomware from a Windows 7 laptop. It was one of the cleverer variants that forced a reboot even when trying to boot into Safe Mode with Command Prompt. I booted up off the Kaspersky Rescue Disk and proceeded to try and clean it that way. After I rebooted, the infection was still there, but I noticed that if I hit the Windows key or tried to launch Task Manager I would get a couple of seconds to try and do something before it yanked me back to the ransom screen. While I was fiddling this way, the malware itself crashed! I was then able to run Malwarebytes and ComboFix to thoroughly scrub the machine clean.
So, does anyone know a reliable way to force-close a ransomware infection when not even scanning from a bootable disk will clean it? Or is there something better than Kaspersky that I should be using for this sort of thing? Thanks!
Since this malware is always evolving, this new variant now forces a reboot when 'Safe Mode with Command Prompt' is accessed. It seems the bootable Kaspersky Rescue Disk didn't remove all of the .exe files and Run keys.
Save the batch script below to the bootable Kaspersky Rescue Disk, so you can use the NTFS navigator (included in the Kaspersky Rescue Disk) to copy the batch file to the
"%userprofile%\Start Menu\Programs\Startup" folder
explorer "%userprofile%\Start Menu\Programs\Startup"
Then boot in normal mode, so that the malware and the batch file both run. The batch file output will be located at C:\%computername%.txt
@echo off
rem netstat -b and writing to the root of C:\ both need an elevated prompt on Windows 7;
rem started from the Startup folder under UAC this runs unelevated, so expect those lines to fail there.
title Gathering Startup and Network Info
echo FOR COMPUTER SYSTEM: %computername% > c:\%computername%.txt
tasklist >> c:\%computername%.txt
tasklist /svc >> c:\%computername%.txt
netstat -ae >> c:\%computername%.txt
netstat -ao >> c:\%computername%.txt
netstat -abv >> c:\%computername%.txt
rem 'query' on its own is not a command; the registry query tool is reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s >> c:\%computername%.txt
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /s >> c:\%computername%.txt
Gather as much info on the malware as possible, like PID, paths and image names. When you have this info, you can use taskkill to kill the malware in a looping batch file called 'taskkill.bat':
rem full path, because a batch file named taskkill.bat in the current directory would otherwise resolve 'taskkill' to itself
:loop
%SystemRoot%\System32\taskkill.exe /f /t /pid 1234
%SystemRoot%\System32\taskkill.exe /f /t /pid 2057
%SystemRoot%\System32\taskkill.exe /f /t /im vjhbc487tcfg7cg7.exe
goto loop
The malware might stop taskkill.exe from running, so create another batch file called 'task-kill.bat' with a copy of taskkill.exe renamed to task-kill.exe in the System32 folder as well.
rem task-kill.exe is the renamed copy of taskkill.exe; keep the .exe suffix so the batch file does not call itself
:loop
task-kill.exe /f /t /pid 1234
task-kill.exe /f /t /pid 2057
task-kill.exe /f /t /im vjhbc487tcfg7cg7.exe
goto loop
Edited by Crazy Cat, 24 November 2013 - 11:43 PM.
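The two steps in the reply above (find the .exe files behind the Run keys, then keep killing the matching processes until they stay dead) can be done in one PowerShell script instead of hand-editing PIDs into a batch file. The script below is an added example, not code from this thread or from either poster. It assumes, as a heuristic of my own, that a screen locker of this kind starts from a Run/RunOnce value whose target sits in a user-writable directory (%APPDATA%, %LOCALAPPDATA%, %TEMP%, %USERPROFILE%, %ProgramData%); the file name Kill-LockerAutoruns.ps1, the -Kill and -Seconds parameters and the function names are all mine. It is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Kill-LockerAutoruns.ps1 -- added example, not part of the thread.
# Assumption (editor's): the locker is kept alive by a Run/RunOnce value whose
# target lives in a user-writable directory. Legitimate updaters live there too,
# so run without -Kill first and review the list.
param(
    [switch]$Kill,        # without -Kill the script only reports
    [int]$Seconds = 30    # how long to keep re-killing (respawning watchdogs)
)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                  $env:USERPROFILE, $env:ProgramData) | Where-Object { $_ }
# Properties Get-ItemProperty adds that are not registry values
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable out of a Run value: "C:\p\x.exe" /arg  or  C:\p\x.exe /arg
function Get-ExePath([string]$Command) {
    if (-not $Command) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(\S+)')    { return $Matches[1] }
    return $null
}

function Test-UserWritable([string]$Path) {
    foreach ($dir in $UserWritable) {
        $prefix = $dir.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Every Run/RunOnce value whose target is in a user-writable directory
function Get-SuspiciousAutoruns {
    $hits = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $exe = Get-ExePath ([string]$p.Value)
            if ($exe -and (Test-UserWritable $exe)) {
                $hits += New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Exe = $exe }
            }
        }
    }
    return $hits
}

# Loop for $Seconds, killing every process whose image path is in $ExePaths.
# taskkill /T takes the child tree too (a respawning helper is the usual reason
# one kill "doesn't stick"); if taskkill.exe itself is blocked or gone, fall back
# to Stop-Process, which calls TerminateProcess directly.
function Stop-ByImagePath([string[]]$ExePaths, [int]$Seconds) {
    $tk = "$env:SystemRoot\System32\taskkill.exe"
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($proc in (Get-WmiObject Win32_Process | Where-Object { $_.ExecutablePath })) {
            if ($ExePaths -contains $proc.ExecutablePath) {   # -contains is case-insensitive
                Write-Host ("killing PID {0}  {1}" -f $proc.ProcessId, $proc.ExecutablePath)
                $killed = $false
                if (Test-Path $tk) {
                    & $tk /F /T /PID $proc.ProcessId 2>&1 | Out-Null
                    $killed = ($LASTEXITCODE -eq 0)
                }
                if (-not $killed) { Stop-Process -Id $proc.ProcessId -Force -ErrorAction SilentlyContinue }
            }
        }
        Start-Sleep -Milliseconds 500
    }
}

$suspects = Get-SuspiciousAutoruns
if (-not $suspects) { Write-Host 'no Run/RunOnce value points into a user-writable directory'; exit 0 }
$suspects | Format-Table Key, Name, Exe -AutoSize

if ($Kill) {
    Stop-ByImagePath -ExePaths @($suspects | ForEach-Object { $_.Exe }) -Seconds $Seconds
    # Only once the process is dead: drop the autorun so it cannot return at the
    # next logon, and rename the image so a second copy cannot relaunch it.
    foreach ($s in $suspects) {
        Remove-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        if (Test-Path $s.Exe) {
            Rename-Item -Path $s.Exe -NewName ((Split-Path $s.Exe -Leaf) + '.quarantined') -ErrorAction SilentlyContinue
        }
    }
}
```

Run it first without -Kill from an elevated prompt to see what it would flag; HKLM values and netstat-style enumeration of other users' processes need elevation. Where the locker grabs the screen within seconds of logon, the same trick as the reply applies: drop a one-line batch file in the Startup folder containing `powershell.exe -ExecutionPolicy Bypass -File C:\Kill-LockerAutoruns.ps1 -Kill -Seconds 60` so the kill loop is already running when the malware starts, and only remove the Run value after the process is confirmed dead, because a still-running locker that notices its key is gone may simply rewrite it.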