The G DATA SecurityLabs have analyzed persistent malware which resides in the registry only and therefore does not create any file on the infected system. An overview of this mechanism was firstly described quite recently in the KernelMode.info forum. The analyzed sample is dropped by a Microsoft Word document which exploits the vulnerability described in CVE-2012-0158. The document was reported to be found as an attachment of fake Canada Post and/or USPS email which claims to hold information about ordered items for the recipient of the spam.

Source

I connected to a customer’s computer the other day. The laptop’s CPU usage was near 100% and had all kinds of crazy processes running. One process in particular was named inobbcrsb.exe. This process was posing as a Google Chrome process. Also fixmapi.exe and msfeedssync.exe were using up an incredible amount of processing power.

First off download Process Explorer. You can see way more information on what is exactly happening with the processes on your computer. I knew inobbcrsb.exe had to be no good! I right-clicked on the process tree and suspended the process. I checked the path where this executable was

launching from. It was launching from a really weird path underneath, C:\Users\{username}\Appdata\LocalLow\AskToolbar\bshycmeply\Hwexraefdcm . In the

Hwexraefdcm folder was the inobbcrsb.exe file. I decided to rename the executable to something different- ( inobbcrsb.exe5). You may need to use this program to rename this file if it is running on your computer.

In the Hwexraefdcm folder I found a executable, called rundll32.exe. I decided to check the properties of this executable. I found underneath the details tab the original file name was rundll.exe instead of rundll32.exe. This confirmed my suspicion that this file was bad. I renamed this file as well.

I checked process explorer and task manager. The processes had cleared up somewhat but the CPU usage was still quite high. I noticed Power Shell would randomly start up and use processor power. I also noticed msfeedssync.exe, dvdupgrd.exe, and dllhst3g.exe processes were uploading all kinds of traffic to the web.

Another suspicious file I found was stored under C:\users\{username}\AppData\LocalLow . There was a dll named juxcini.dll .

Again, I checked the original file name under details. The original file name was SDL_net.dll .

I renamed this dll as well. If you can’t rename this file because it is in use, download Unlocker and you will be able to rename the file.

After watching processes and finding files that I knew were malicious I was still grasping at straws on where exactly the virus was starting from.

I then downloaded Rogue Killer. I never used the program before, but I am sold on it now. I ran a scan and it found a couple processes that the virus was using. I cleaned the computer and rebooted. I took a look at the processes but they were still a couple eating up CPU ( most notably fixmapi.exe and msfeedssync.exe processes).

I visited adlice.com and found the solution. I ran Rogue Killer once more. Rogue Killer detected malicious processes and registry files. However, before I clicked clean computer I went to Process Explorer. In Process Explorer, I killed the dllhost.exe process tree. I then clicked clean computer. I rebooted the computer. Presto, the virus was removed!! This tool saved me lots of time. I then ran Malwarebytes to make sure everything was removed.

You will also find this on the adlice website, but my Internet Explorer wouldn’t allow me to download any files. Click on the gear icon in Internet Explorer and then Internet Options.   

Next go to the Advanced tab. Click Reset Internet Explorer settings.

Once you reset the browser go to the Security tab and select Reset all zones to default level.

You will want to reset all zones to default level for Internet, Local intranet, Trusted Sites, and Restricted Sites. This virus messes with your security settings and won’t allow you to download anything.

This enabled me to initiate a download in Internet Explorer. Something is still wrong with Internet Explorer since it will start a download and then say “Download couldn’t be completed”. If anyone else runs into this problem I would be glad to hear what you did to fix it.

I monitored the computer for a while and no weird processes started up and everything was fine. Thanks so much to the adlice website and Rogue Killer tool for making my day easier.

Here is some more additional reading about this virus.

Gdatasoftware  ;  KernelMode

I hope this helps. Let me know by posting in the comments.

This was posted by techspeeder.

Microsoft Antivirus has found critical process activity on your PC. You need to clean your computer to prevent the system breakage.

Before I got a chance to email him back, he hit OK on that pop-up. He then received this pop-up.

Take note of the misspelling of the word, might.

I quickly emailed him back and told him that it was a fake anti-virus message. If he would have clicked clean computer, he would probably have gotten infected. I told him to run a full scan with his antivirus software. Thankfully, he wasn’t infected.

I decided I would have a little fun with this virus. I have a virtual machine for technical purposes, so I decided I would try to infect my virtual machine with this virus. I found the website that was infected. 

I soon downloaded a malicious script from the website and I was infected with the virus. Here are a couple screenshots of the Windows Accelerator Pro virus.

It tried to pose as a legit anti-virus, security software.     

The virus tries to force you to pay for its “anti-virus protection”

Here is how I removed Windows Accelerator Pro. 

Step One: I started the computer and hit F8 until I got to the screen that I chose Safe Mode with Command Prompt.  Note: Safe Mode and Safe Mode with Networking will still allow the virus to work and you can’t get around it.

Step Two: I typed explorer in the command prompt.

I have met a couple other viruses similar to this one and a common place to store the executable file is C:\ Users\<Username\AppData\Roaming. I decided to browse to that location using Windows Explorer and sure enough there was a weird file called guard-sald there. I removed that file and another file called GDIPFONTCACHEV1.DAT.  I then browsed to C:\ Users\<Username\AppData\Local and removed a file called result1.

Attn: Your virus file names may be different than these. I am just stating what worked for me. To make sure you don’t mess up the Windows file structure, by deleting something good, I would encourage you to cut and paste your virus files to the desktop. I pasted my viruses to the desktop and they didn’t start, at start-up since they weren’t in their correct folders.

I then rebooted the computer.

Step Three: I started Windows normally and it came up fine. I downloaded Malwarebytes and Malwarebytes Anti-RookitBeta.  

I removed the viruses and malware these programs found and I was back in business. 

This was posted by techspeeder.

Here is how I removed it.

Download  Autoruns for Windows on a flash drive .

Step One: Reboot and press F8 until you get to the Advanced Boot Options screen. Select Safe Mode with Networking. Then log into your account. Stick your flash drive in your computer and run Autoruns.

Click the “Everything” tab. I scrolled down till I saw the following entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Step Two: I unchecked AS2014 entry (Antivirus Security 2014). You will notice the executable file is 7advrrps.exe – that doesn’t sound very legit.  You can delete the AS2014 entry. I just unchecked the AS2014 entry since I wasn’t sure if it was the virus.  Close out of the program and reboot your computer and log normally into Windows.

Step Three: I then ran Malwarebytes, SuperAntispyware, and Windows Intune. I also started a scan with Malwarebytes Anti-Rootkit but that scan froze before it completed.  The scans found the viruses and successfully removed them.  (Note) You will want to reboot your computer after removing those viruses.

Super Antispyware found the 7advrrps.exe (that I unchecked using Autoruns). It turned out to be the Antivirus Security Pro virus.

Malwarebytes Anti-Rootkit found a Trojan.Agent.rfz

Update: Monday Evening

Apparently Windows Intune is missing this virus because another customer called in with the same virus. This one was removed with much of the same troubleshooting steps. One difference was that the executable file was called hVrVnngp.exe instead of 7advrrps.exe.

This was posted by techspeeder.

Here are the steps I used to remove this virus.

Step One: Download Autoruns to a flash drive.

Step Two: Start the computer up and hit you F8 key on your keyboard continually until you get the following screen:

Safe mode with Command Prompt

then boot into Windows by selecting Safe Mode with Command Prompt.

Step Three: Type Explorer in Command Prompt.

Step Four: Use the Windows interface to browse to your flash drive that has autoruns.

Step Five:  Run autoruns. Then select Options > Filter Options on the menu bar to filter out all Microsoft and Windows entries. Once that is done look for these files, if any show up, delete them by right-clicking on the file and hitting delete.

1: Under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run   Delete the VProtect Application

2:Under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Component  Delete the Internet Explorer file that is there.

3: Under HKCU\Software\Microsoft\Windows\CurrentVersion\Run Delete the DisplaySwitch executable file. If you browse to the location of the Display Switch File, you will find the United States Department of Justice images and the virus file.

Viruses Spotted

Once these files are deleted the virus should be mostly removed. Reboot and boot into Windows normally.

Step Seven: Run a virus scan with Malwarebytes and SuperAntiSpyware to ensure all viruses and malware is removed.

This worked for me. If this helped you or you were not able to use this method to remove this virus please leave a comment below. Thank you. This was posted by techspeeder.

Trojan:Win32/Urausy.C

This virus pops up with a dialogue box saying that your computer has been locked because you were viewing adult material that potentially breaches the Obscene Publications Act in the U.S., your computer contains images of child abuse, and so on. This virus holds your computer ransom till you send them money through MoneyPak. (When they get the money they won’t unlock it!) Here are the REAL instructions for removing this nasty virus.

Step One: Tap the F8 key on your keyboard to boot into Safe Mode with Command Prompt.

Safe mode with Command Prompt

Step Two: In command prompt type explorer .

Type Explorer

Step Three: Browse to drive C:\Users\<YourUsername>\AppData\Roaming. Once in the Roaming folder you will find a file named skype.dat and skype. These files are the viruses that start when your computer boots up. Select those two files and delete them permanently.(Make sure to remove them from your recycle bin). (Revision) 7/19/2013 You may also find a windows update and/or a defender file. Remove them also. Reboot.

Virus Spotted

Step Four: Boot into Windows normally and run a scan for viruses with Malwarebytes, Microsoft Security Essentials and SuperAntiSpyware. Run these scans till they return clean. After they return clean you will be virus-free and back in business!

Trojan:Win32/Urausy.C

Thank you for reading this post. If this helped you please leave a comment.

The Security Protection virus is an exceptionally brilliant virus. Once this virus is installed it will do a “full PC scan for viruses” when in fact, it is infecting your computer. This virus will block all other programs from running, even the calculator (smiles).

Fake Security Protection

Activate for Security Protection

After the scan is done, the Security Protection virus says that you need to activate its software to remove all the viruses.

If you select “Activate Now”, you will get a very official looking pop-up asking for your email address and a registration key.  Warning: Do not activate! It will only install more viruses and now the hackers know your email address.

Bogus: DO NOT ACTIVATE

At this point, your computer is nearly useless, you can’t uninstall the program and neither can you run programs. However, there is still a way to remove this virus. Here are the steps I used to remove the virus.

Step One: Restart your computer and boot into ‘Safe Mode with Networking’ by tapping the F8 key. Once you are in Safe Mode you will have basic Windows functionality.

Step Two: Download Autoruns for Windows.

Autoruns for Windows

Step Three: Run the Autoruns tool and you will see all the processes that start up when you boot into Windows. Select the ‘Everything’ tab and wait for all the processes to load. When all the process are loaded, click on ‘Options>Filter’ and select Hide Microsoft and Windows entries.

Filter Options for Autoruns

Step Four: With all the Microsoft and Windows entries filtered out, start browsing down the list of all the programs that start up. You will find Security Protection starting up. Deselect that box and reboot.

Security Protection Virus Spotted

Step Five: Boot into Windows normally and download Malwarebytes and TDSSKiller. Run full system scans with both softwares. These scans will find the virus files and then you can remove them.

Malwarebytes found Viruses. Remove Them.

Run these scans until they both come back without any results.

Step Seven: After all the viruses are removed, download and run CCleaner to remove any registry keys that the virus left behind. Make sure to install an antivirus software to protect against future attacks.

You now should be virus-free and good-to-go! Thank you for reading this post. If this helped you please leave a comment.