Tuesday 20 December 2011

Ping.exe Removal


Ping.exe shows up in the list of running processes after an infection by the Braviax family of fake antivirus products,

i.e. Win7 Antivirus 2012, Vista Antispyware 2012, etc. To remove the fake AV, first "activate" it with the matching registration code below so that it stops interfering, then remove it manually:


3425-814615-3990: Win7 Antispyware 2012, XP Security 2012, Vista …

Y76REW-T65FD5-U7VBF5A: Privacy Protector…

LIC2-00A6-234C-B6A9-38F8-F6E2-0838-F084-E235-6051-18B3: Security monitor 2012…

After removing the rogue manually, save the following as a .reg file and merge it to repair the .exe file association (shell corruption) that the rogue leaves behind:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
  32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
  00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runasuser]
@="@shell32.dll,-50944"
"Extended"=""
"SuppressionPolicyEx"="{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"

[HKEY_CLASSES_ROOT\exefile\shell\runasuser\command]
"DelegateExecute"="{ea72d00e-4960-42fa-ba92-7792a7944c1d}"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers]
@="Compatibility"

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\Compatibility]
@="{1d27f844-3a1f-4410-85ac-14651078412d}"

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="C:\\Program Files\\Mozilla Firefox\\firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -safe-mode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe"

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]

[-HKEY_CURRENT_USER\Software\Classes\.exe]

[-HKEY_CURRENT_USER\Software\Classes\pezfile]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]
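Before and after merging the .reg file it helps to see exactly which of the association values is off. The script below is an added example, not part of the original post: it reads the same keys the fix writes or deletes and reports anything that differs from the clean state. It changes nothing; the expected values are taken from the .reg file above, and the check assumes a standard Windows 7/Vista layout.

```powershell
# Added example (not from the original post): audit the .exe file-association
# keys that the .reg fix above repairs, reporting every deviation. Read-only;
# run from an elevated PowerShell prompt.

# Values the fix writes (HKCR = HKEY_CLASSES_ROOT, reached via the Registry:: provider).
$expected = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                        Name = '(default)';       Value = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';  Name = '(default)';       Value = '"%1" %*' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';  Name = 'IsolatedCommand'; Value = '"%1" %*' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command'; Name = '(default)';       Value = '"%1" %*' }
)

# Keys the fix deletes. HKCR is a merged view of HKLM\Software\Classes and
# HKCU\Software\Classes, so a per-user .exe class or a stray "pezfile" class
# silently overrides the machine-wide association for this user.
$mustNotExist = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\pezfile',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice',
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $key = Get-Item -LiteralPath $Path
    if ($Name -eq '(default)') { return $key.GetValue('') }   # '' addresses the default value
    return $key.GetValue($Name)
}

$problems = @()
foreach ($e in $expected) {
    $actual = Get-RegValueOrNull -Path $e.Path -Name $e.Name
    if ($actual -ne $e.Value) {
        $problems += ('{0} [{1}] expected {2} but found {3}' -f $e.Path, $e.Name, $e.Value, $actual)
    }
}
foreach ($p in $mustNotExist) {
    if (Test-Path -LiteralPath $p) {
        $default = Get-RegValueOrNull -Path $p -Name '(default)'
        $problems += ('{0} exists but should be absent (default value: {1})' -f $p, $default)
    }
}

if ($problems.Count -eq 0) {
    'EXE association looks clean.'
} else {
    $problems | ForEach-Object { 'HIJACK? ' + $_ }
}
```

A typical fake-AV hijack shows up here as an unexpected path in `exefile\shell\open\command` (the rogue inserts itself before `"%1" %*` so that every program launch runs the rogue first) or as an HKCU `.exe` class that points to a rogue class such as `pezfile`. Re-run the script after merging the .reg file; it should then report the association as clean.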


After removal, open windows\system32, locate ping.exe and take ownership of it: right-click ping.exe → Properties → Security → Advanced → Owner and make the current user the owner. Close the Properties window and reopen it.

Then, on the Security tab, edit the permissions to grant the current user Full Control (the file is owned by TrustedInstaller by default). Confirm the file really is the dropped binary and not the genuine Windows ping.exe, then delete ping.exe.
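Because the genuine ping.exe also lives in System32 and is also owned by TrustedInstaller, it is worth inspecting the file before the ownership and delete steps. The following is an added example, not from the original post: it prints the owner, version information and SHA-256 of System32\ping.exe and compares that hash with any copies of ping.exe held in the component store (assumed here to be %SystemRoot%\winsxs, as on Windows Vista/7). The command-line equivalents of the GUI ownership steps are listed but left commented out, since that decision needs a human look at the output.

```powershell
# Added example (not from the original post): inspect System32\ping.exe before
# taking ownership and deleting it, so the removal step hits the dropped file
# and not the genuine Windows tool. Requires PowerShell 4+ for Get-FileHash.

$target = Join-Path $env:SystemRoot 'System32\ping.exe'
if (-not (Test-Path -LiteralPath $target)) { throw "$target not found" }

$file  = Get-Item -LiteralPath $target
$owner = (Get-Acl -LiteralPath $target).Owner
$hash  = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash

# Copies of ping.exe in the component store (assumption: %SystemRoot%\winsxs).
# The genuine System32 file is a hard link to one of these, so the hashes match.
$storeDir = Join-Path $env:SystemRoot 'winsxs'
$storeHashes = @()
if (Test-Path -LiteralPath $storeDir) {
    $storeHashes = Get-ChildItem -LiteralPath $storeDir -Recurse -Filter 'ping.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } |
        Sort-Object -Unique
}
$matchesStore = $storeHashes -contains $hash

[pscustomobject]@{
    Path             = $target
    SizeBytes        = $file.Length
    Created          = $file.CreationTime
    LastWritten      = $file.LastWriteTime
    Owner            = $owner                          # genuine: NT SERVICE\TrustedInstaller
    CompanyName      = $file.VersionInfo.CompanyName   # genuine: Microsoft Corporation
    FileDescription  = $file.VersionInfo.FileDescription
    SHA256           = $hash
    MatchesWinSxS    = $matchesStore                   # $true strongly suggests the genuine file
} | Format-List

if ($matchesStore) {
    Write-Warning 'Hash matches a component-store copy: this looks like the genuine ping.exe. Do not delete it.'
} else {
    Write-Warning 'No matching component-store copy found: treat as suspect and verify before deleting.'
}

# Command-line equivalent of the GUI ownership/permission steps above.
# Uncomment only after confirming this is the dropped file.
#   takeown /F "$target"
#   icacls "$target" /grant "${env:USERNAME}:F"
#   Remove-Item -LiteralPath $target
```

Recursing through WinSxS takes a minute or two but gives a local reference copy without needing a second machine. A file whose VersionInfo is empty, whose company name is not Microsoft, or whose hash matches nothing in the store is the one the post is describing.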

This sort of infection can download anything from a hacktool to a rootkit, so use broad-spectrum scanners to get rid of any other threats. This one has proved particularly useful:

http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe
